Version 1.0 · Effective 2026-07-11
Your data
Nonprofit software has a bad habit of holding your donor list hostage. The migration is painful, the export is deliberately incomplete, and the switching cost is the real business model.
We'd rather compete on the product.
You own it
Your data is yours. Every donor record, every gift, every grant, every task, every KPI, every word of your strategic plan. SOBO Consulting LLC does not acquire ownership of your data by hosting it, and we don't claim a license to use it for anything beyond running BloomOS for you.
We do not sell your data. We do not share it with advertisers. We do not use one customer's data to build features, models, or benchmarks for another.
Export it whenever you want
You can export your data at any time, without asking us, from inside BloomOS. Exports come out as CSV, one file per record type, with the relationships between records preserved as ID columns so the data can be reassembled somewhere else.
If you need a full database dump rather than CSVs, email us and we'll produce one. There's no fee and no retention conversation attached to it.
If you cancel
Cancel any time. No exit interview, no retention offer you have to decline three times.
Here's the timeline:
Day 0. You cancel. Your account moves to read-only. You can still sign in, look at everything, and export.
Days 1 through 30. Your data stays exactly where it is. If you change your mind, you reactivate and nothing was lost. This window exists because canceling in a bad month and regretting it in a good one is a normal thing that happens to small organizations.
Day 30. We permanently delete your organization's data from the production database. This is not reversible.
Up to day 37. Your data may still exist in encrypted database backups, because backups run daily and are retained for 7 days. Those roll off on their own schedule. After that, it's gone from our systems entirely.
If you want your data deleted sooner than 30 days, email us and we'll do it. We'll ask you to confirm in writing, because it can't be undone.
Deleting individual records
Deleting a record inside BloomOS (a donor, a gift, a task) removes it from your views immediately. The audit log retains a record that the deletion happened, who did it, and when, because that's what an audit log is for. The log entry doesn't preserve the deleted content, only the fact of the change.
Data about the people you serve
Many BloomOS customers store records about program participants, and for youth-serving organizations that means records about minors. You are the controller of that data. We're the processor. We handle it under the data processing addendum, we apply the same isolation and encryption described in the security overview, and we don't do anything with it except store it and show it back to you.
We don't collect data directly from minors, and BloomOS has no participant-facing login. Everything about a participant is entered by your staff.
If a donor asks you to delete their record
Under California law and similar laws elsewhere, an individual can ask an organization to delete their personal information. Because you're the controller of your donor data, that request comes to you, not to us. BloomOS gives you the tools to find every record connected to a person and delete them. If you need help executing a deletion request and can't do it yourself, email us and we'll help inside 5 business days.
Questions: hello@bloomos.org.