Privacy Policy
Last updated: March 11, 2026
Blossom FI ("Blossom," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you use our patient financing platform, website, and related services. Please read this policy carefully.
1. Scope and Applicability
This Privacy Policy applies to information we collect through our website (blossom.com and related domains), our patient financing platform, applications, and any other services that link to this policy. It applies to both patients who apply for financing and healthcare providers who offer Blossom financing to their patients. By using our services, you consent to the practices described in this policy.
2. Information We Collect
We collect only the information necessary to provide our services, comply with legal obligations, and operate our business. We do not collect information beyond what is required for these purposes.
2.1 Information from Patients
- Identity information: Full name, date of birth, government-issued ID information, and Social Security number (or equivalent tax identifier where applicable).
- Contact information: Email address, phone number, and mailing address.
- Financial information: Income, employment status, bank account information (for payments), and other financial data required to evaluate creditworthiness and process financing applications.
- Application and transaction data: Treatment amounts, provider information, financing terms selected, and payment history.
2.2 Information from Healthcare Providers
- Business information: Practice or business name, tax identification number (EIN), business address, and type of healthcare services provided.
- Contact information: Names and contact details of authorized representatives.
- Financial information: Bank account details for receiving payments and merchant processing information.
- Operational data: Transaction volumes, patient referral data (non-identifying where possible), and integration or API usage data.
2.3 Automatically Collected Information
- Device and browser data: IP address, device type, operating system, browser type, and unique device identifiers.
- Usage data: Pages visited, time spent, click paths, and referring URLs. We use this to improve our services, troubleshoot issues, and maintain security.
- Cookies and similar technologies: See Section 8 for details on our use of cookies.
2.4 Information from Third Parties
We may receive information from credit bureaus, identity verification services, our lending partners, and healthcare providers (e.g., when a provider submits a patient for financing). We use this information solely to process applications and provide our services.
3. How We Use Your Information
We use the information we collect exclusively for the following necessary business purposes:
- Financing services: To evaluate eligibility, process applications, facilitate credit decisions, disburse funds, collect payments, and service accounts.
- Provider services: To onboard providers, process payments, reconcile transactions, and support provider use of our platform.
- Communications: To respond to inquiries, send account-related notices, and provide customer support. We do not use your information for unrelated marketing without your consent.
- Legal and regulatory compliance: To comply with applicable laws, regulations, and legal process, including anti-money laundering (AML), know-your-customer (KYC), and consumer protection requirements.
- Fraud prevention and security: To detect, prevent, and investigate fraud, identity theft, and other misuse of our platform.
- Service improvement: To analyze aggregated, de-identified usage data to improve our platform, user experience, and security.
4. Sharing Information for Financing Approvals and Operations
To provide patient financing, we must share certain information with third parties. We share only the minimum information necessary for each purpose and require recipients to protect your data and use it only for the specified purpose.
4.1 Lending Partners and Bank Partners
We share applicant information (including name, date of birth, Social Security number, income, employment, and financial data) with our lending partners and bank partners who fund or facilitate financing. These partners use this information to evaluate creditworthiness, make approval decisions, fund approved applications, and service accounts. They are regulated financial institutions subject to their own privacy and security obligations.
4.2 Credit Bureaus
We may obtain credit reports from one or more credit bureaus (e.g., Experian, Equifax, TransUnion) as part of the application process. We may also report account opening, payment history, and account status to credit bureaus. This is standard practice for consumer credit and may affect your credit score. By applying for financing, you authorize us to obtain and share this information.
4.3 Identity Verification and Fraud Prevention
We share limited information with identity verification and fraud prevention service providers to confirm identity, detect fraud, and comply with AML/KYC requirements.
4.4 Payment Processors
We share payment-related information with payment processors and banks to facilitate disbursements to providers and collect payments from patients.
4.5 Healthcare Providers
We share application status, approval information, and transaction details with the healthcare provider whose patient applied for financing, to the extent necessary for the provider to deliver care and receive payment.
4.6 Service Providers
We engage service providers for hosting, analytics, customer support, and other operational functions. These providers access information only as needed to perform their services and are contractually required to protect your information and not use it for their own purposes.
4.7 Legal and Regulatory
We may disclose information when required by law, court order, or government request, or when necessary to protect our rights, your safety, or the safety of others.
5. We Do Not Sell Your Information
Blossom does not sell, rent, or trade your personal information to third parties for monetary consideration or for cross-context behavioral advertising. We have no business model based on selling or monetizing your data. We share information only as described in Section 4—for financing approvals, operations, legal compliance, and service provision. We do not authorize any third party to use your information for their own marketing or unrelated purposes.
If you are a California resident, you have the right to opt out of the "sale" or "sharing" of your personal information. Because we do not sell or share your information for those purposes, there is nothing to opt out of. If our practices change, we will update this policy and provide a mechanism to opt out.
6. Cookies and Similar Technologies
We use cookies, web beacons, and similar technologies to operate our website and platform. These fall into the following categories:
- Essential cookies: Enable core functionality such as authentication, security, and session management.
- Analytics cookies: Collect aggregated usage data to understand how our site is used and improve performance. We use this data in de-identified form.
- Preference cookies: Remember your settings and preferences.
You can control cookies through your browser settings. Disabling certain cookies may limit some functionality of our website.
7. Data Retention
We retain your information only for as long as necessary to fulfill the purposes described in this policy and to comply with legal obligations. Specific retention periods include:
- Account and transaction data: Retained for the life of your account plus a period thereafter (typically 7 years) to comply with tax, regulatory, and legal requirements.
- Application data: Retained for approved applications per the above; for denied applications, retained for a shorter period for fraud prevention and legal compliance.
- Marketing and communications: Retained until you opt out or request deletion, subject to legal hold requirements.
- Logs and security data: Retained for a limited period necessary for security monitoring and incident response.
After the retention period, we securely delete or anonymize your information where feasible.
8. Security
We implement administrative, technical, and physical safeguards to protect your information, including:
- Encryption of data in transit (TLS/SSL) and at rest where appropriate
- Access controls and authentication requirements
- Regular security assessments and monitoring
- Employee training on data protection
- Contractual requirements for service providers to maintain appropriate security
No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we work to protect your information from unauthorized access, use, or disclosure.
9. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you and relevant regulators as required by applicable law. Notifications will be made without unreasonable delay and will include information about the nature of the breach and steps you can take to protect yourself.
10. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your information, subject to exceptions for legal retention, fraud prevention, and other legitimate purposes.
- Opt-out of marketing: Unsubscribe from marketing communications at any time via the link in our emails or by contacting us.
- Data portability: Request a copy of your data in a portable format where technically feasible.
To exercise these rights, please contact us. We will respond within the timeframe required by applicable law. We may need to verify your identity before processing your request.
10.1 California Residents
California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect and how it is used, the right to delete, the right to correct, and the right to opt out of sale/sharing. As noted in Section 5, we do not sell or share your information for cross-context behavioral advertising. You also have the right to non-discrimination for exercising your privacy rights.
10.2 Other State Laws
Residents of other states with comprehensive privacy laws (e.g., Virginia, Colorado, Connecticut) may have similar rights. Contact us to exercise your rights under applicable law.
11. Children's Privacy
Our services are not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately and we will take steps to delete it.
12. Third-Party Links
Our website may contain links to third-party websites (e.g., healthcare providers, partners). We are not responsible for the privacy practices of these sites. We encourage you to read their privacy policies before providing any information.
13. International Data Transfers
Our services are primarily offered in the United States. If you access our services from outside the U.S., your information may be transferred to and processed in the United States, where data protection laws may differ. By using our services, you consent to such transfer. Where required by law, we implement appropriate safeguards (e.g., standard contractual clauses) for international transfers.
14. Healthcare Context
Blossom facilitates financing for healthcare services. We do not provide healthcare and are not a covered entity under HIPAA. However, we take care to handle information responsibly. We do not request or need detailed medical information to process financing applications. Treatment amounts and provider information are shared only as necessary for the financing transaction. Healthcare providers remain responsible for their own HIPAA compliance.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on our website, updating the "Last updated" date, and, where required by law, obtaining your consent or providing additional notice. We encourage you to review this policy periodically.
16. Contact Us
If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about our privacy practices, please contact us:
Blossom FI
Contact Us
We will respond to your inquiry within a reasonable timeframe, typically within 30–45 days for formal requests.