Privacy Policy
Effective date: October 2025
Company: Theory & Bloom LLC ("Theory & Bloom," "we," "us," or "our")
Email: info@theoryandbloom.com
This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you visit theoryandbloom.com, interact with our services, or communicate with us. It is designed to comply with applicable U.S. federal laws and Maryland law, including the Maryland Online Data Privacy Act of 2024 ("MODPA") and the Maryland Personal Information Protection Act ("MPIPA"). If you are located outside the U.S., additional rights may apply (e.g., GDPR).
1. Scope & Who This Policy Covers
This Policy applies to personal information processed by Theory & Bloom in connection with:
Our website, forms, and portals;
Client services (branding, design, marketing, content, audits, consulting);
Email, SMS, and social communications; and
Events, webinars, discovery calls, and other offline interactions.
This Policy does not cover third-party sites or services that link to/from our website. Their privacy practices are governed by their own policies.
2. Personal Information We Collect
Information you provide
Identification and contact details (name, title, employer, email, phone, address)
Account credentials (if you create a portal or resource login)
Business profile and project intake details
Payment and billing information (processed by our payment providers; we do not store full card numbers)
Communications and content you submit (messages, uploads, testimonials, survey responses)
Information we collect automatically
Usage data (pages viewed, referring/exit pages, date/time, clicks, session duration)
Device/technical data (IP address, cookie IDs, browser type, operating system, screen size)
Approximate geolocation (derived from IP)
Information from third parties
Marketing and advertising partners (campaign analytics; audience insights)
Social platforms (engagement, public profile information per your settings)
Service providers (payment processors; scheduling; form and email tools)
We treat certain categories of information, such as precise geolocation, biometric/health/genetic data, citizenship/immigration status, religious beliefs, sexual orientation, and data from a known child, as Sensitive Personal Data, which will only be processed as allowed by law and with additional safeguards.
3. How We Use Personal Information
We use personal information to:
Provide and improve our services and website;
Operate accounts, portals, and content hubs;
Process payments and prevent fraud;
Communicate with you (support, transactional messages, marketing where permitted);
Personalize content and measure campaign performance;
Conduct research, analytics, reporting, and audits;
Comply with legal obligations and enforce agreements;
Protect our users, systems, and business interests.
We do not use Sensitive Personal Data for targeted advertising or to make automated decisions producing legal or similarly significant effects without appropriate safeguards and legal basis.
4. Our Legal Bases (if you are in the EEA/UK/other regions with similar laws)
Contract (Art. 6(1)(b) GDPR): to provide services you request.
Legitimate interests (Art. 6(1)(f)): to secure, improve, and market our services, balanced against your rights.
Consent (Art. 6(1)(a)): for email/SMS marketing, cookies, or other optional processing.
Legal obligation (Art. 6(1)(c)): compliance with applicable law.
Vital interests/Public interest where applicable.
You can withdraw consent at any time where consent is the basis.
5. Cookies & Similar Technologies
We use first- and third-party cookies, pixels, and local storage to: (a) enable core site functionality; (b) analyze traffic and performance; and (c) personalize content/ads where permitted. You can manage preferences through our cookie banner and your browser settings. Disabling cookies may impact functionality.
6. Targeted Advertising, Analytics & “Sale”/“Sharing” of Data
We may work with adtech and analytics partners (e.g., Meta, Google) that collect information via our site to provide measurement and interest-based advertising. Depending on your jurisdiction’s definitions, this activity could be considered a “sale,” “share,” or “targeted advertising.”
Your choices:
Use the “Do Not Sell or Share My Personal Information / Opt Out of Targeted Ads” link in our footer to opt out of targeted advertising and certain data transfers.
Adjust cookie preferences through our banner.
Use platform-level opt-outs (e.g., Google Ad Settings; your device’s ad settings).
We do not knowingly sell personal data about children.
7. Your Privacy Rights
Depending on where you live, you may have rights to:
Access the personal information we hold about you;
Correct inaccurate information;
Delete personal information;
Portability (receive a copy in a portable format);
Opt out of targeted advertising, the “sale” or “sharing” of personal information, and certain profiling;
Limit the use and disclosure of sensitive data (and in some regions, require opt-in for processing sensitive data);
Appeal our decision if we deny your request.
How to exercise your rights
Submit a request at info@theoryandbloom.com. We may verify your identity and respond within applicable timelines. Authorized agents may submit requests where allowed by law.
8. Children’s Privacy
Our services are intended for business users and are not directed to children. We do not knowingly collect personal data from users under the age of 18 in Maryland or under 13 under U.S. federal law. If you believe a child has provided personal data, contact us to delete it. If we offer any online feature reasonably likely to be accessed by minors in Maryland, we will apply high privacy by default, conduct Data Protection Impact Assessments where required, and take steps to avoid using minors’ data in ways that are materially detrimental to their well-being.
9. How We Share Personal Information
We disclose personal information to:
Service providers/processors who perform services on our behalf under contracts requiring confidentiality and reasonable security (e.g., hosting, email, analytics, payments, scheduling, forms, CRM, helpdesk).
Business partners with your direction or consent (e.g., co-marketing).
Legal and safety: to comply with law, respond to lawful requests, or protect rights, safety, and security.
Corporate transactions: in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.
We do not permit service providers to use personal information for their own independent purposes and require them to implement appropriate security controls.
10. Data Security
We implement reasonable security procedures and practices appropriate to the nature of the personal information and our business, including technical, organizational, and physical safeguards; vendor due diligence; access controls; encryption in transit; secure development; and incident response.
11. Data Retention
We retain personal information for as long as needed to provide services, comply with legal obligations, resolve disputes, and enforce agreements. We apply documented retention schedules and delete or de-identify data when no longer required, unless a longer period is mandated by law.
12. Maryland-Specific Disclosures (MODPA & MPIPA)
Applicability. If we conduct business in Maryland or target Maryland residents, Maryland’s comprehensive privacy law (MODPA) and data breach law (MPIPA) apply. MODPA took effect on October 1, 2025, and provides Maryland consumers with rights and imposes obligations on businesses regarding collection, use, and disclosure of personal data.
Maryland consumer rights (summary):
Confirm whether we process your personal data and access it;
Correct inaccuracies;
Delete personal data;
Obtain a portable copy where feasible;
Opt out of targeted advertising, the sale of personal data, and certain profiling;
Additional restrictions around sensitive data (e.g., precise geolocation, biometric data, known child’s data), including limitations on processing and requirements to minimize data collection to what is reasonably necessary and proportionate to provide requested services.
Appeals: If we deny a rights request, you may appeal by replying to our decision email. If your appeal is denied, you may contact the Maryland Attorney General. We will explain our reasoning and provide instructions in our response.
Kids & design code (Maryland). If a feature is reasonably likely to be accessed by minors under 18 in Maryland, we will assess risks, set high privacy by default, avoid profiling that presents a material detriment, and refrain from using dark patterns to nudge minors to weaken privacy.
Data breach (MPIPA). If we experience a breach of the security of a system involving Maryland residents’ personal information, we will investigate promptly and, if required, notify affected individuals as soon as reasonably practicable and no later than 45 days after discovery (subject to lawful delay). If we use a service provider that suffers a breach, they must notify us as soon as practicable and no later than 10 days after discovery. We will provide prior notice to the Maryland Office of the Attorney General before consumer notice, including a description of the breach and a sample consumer notice, and include mandated content in consumer notices.
13. International Transfers
If you access our services from outside the U.S., your information may be transferred to and processed in the U.S. and other countries that may not provide the same level of data protection as your jurisdiction. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses) for such transfers.
14. Marketing Communications
You can opt out of marketing emails at any time via the unsubscribe link. For SMS, we obtain your express consent where required; message and data rates may apply; you may reply STOP to opt out and HELP for help. Transactional or service-related messages may still be sent where permitted.
15. Your Choices & Controls
Opt out of targeted advertising and certain data transfers using our footer link.
Manage cookies via our banner and browser settings.
Update your contact information by emailing privacy@theoryandbloom.com.
Submit privacy rights requests through our web form or email.
16. Third-Party Services We Use (Illustrative)
We may integrate or work with: Google Workspace/Meet, Koalendar or other scheduling tools, Squarespace/website platforms, payment processors (e.g., Stripe/PayPal), CRM/email tools (e.g., Mailchimp/ConvertKit), analytics (e.g., Google Analytics), and social platforms (e.g., Meta, YouTube, TikTok). Each third party’s use of data is governed by its own policy. We contractually require service providers to handle data only on our instructions and with reasonable security.
17. Changes to This Policy
We may update this Policy from time to time. The "Effective date" above shows the latest revision date. Material changes will be highlighted on this page and, where appropriate, we will provide additional notice.
18. Contact Us
Questions or requests? Email info@theoryandbloom.com or write to us at the address above. If you have concerns about our handling of your personal information, you may also contact the Maryland Office of the Attorney General.
Addendum: How to Submit a Maryland Privacy Request
Email info@theoryandbloom.com with the subject line “Maryland Privacy Request.”
Tell us which rights you wish to exercise (access, correct, delete, portability, opt out).
Provide information to help us verify your identity (e.g., email used with us, recent interaction details).
If using an authorized agent, include proof of authorization.
We will confirm receipt, verify your request, and respond within applicable timeframes. If we deny your request, we will explain why and how to appeal.
Addendum: Data Incident Response & Notification (Maryland)
Investigation: We promptly investigate potential incidents, assess scope, and take steps to contain and remediate.
Attorney General Notice: Before notifying Maryland consumers, we will notify the Maryland OAG and include required details and a sample notice.
Consumer Notice Timing/Content: Notice to affected individuals will occur as soon as reasonably practicable and no later than 45 days after discovery, subject to lawful delay, and will include legally required content (categories of data, our contact info, consumer reporting agencies’ contacts, and OAG/FTC contact information).
Service Provider Notice: Service providers must notify us as soon as practicable and no later than 10 days after discovering a breach.
Methods: Written, electronic (with consent), telephonic, or substitute notice as permitted.
This Policy is provided for transparency and compliance purposes and does not create contractual or legal rights beyond those provided by law. Where this Policy conflicts with applicable law, the law controls.