Overview
This page summarizes where PULSE stands on the regulations that apply to it and to your data. It deliberately mirrors — and links to — the Privacy Policy, which remains the authoritative description of what we collect and why. The honest baseline: we collect very little, we sell nothing, and the most privacy-sensitive things PULSE touches never leave your PC.
GDPR & UK GDPR
For users in the EU/EEA and the UK, we act as the data controller for account data. In GDPR terms:
- Lawful bases — contract performance for accounts, device validation, and billing; legitimate interest for anonymous product analytics (opt-out, no personal data); consent for crash reporting (opt-in, off by default). The detailed mapping is in the Privacy Policy's "Legal basis for processing".
- Your rights — access, rectification, erasure, portability (JSON export), restriction, and objection. We respond within 30 days, free of charge.
- International transfers — our sub-processors operate on global infrastructure; each is bound by a data-processing agreement incorporating standard contractual clauses where required (links below).
- Data minimization in practice — device fingerprints exist only as irreversible SHA-256 hashes, analytics are keyed to a random resettable identifier rather than your identity, and optimization snapshots, logs, and backups stay on your machine.
CCPA / CPRA (California)
- We do not sell or share personal information in the CCPA/CPRA sense — no advertising networks, no data brokers, no cross-context behavioral advertising. Consequently, there is no need for a "Do Not Sell or Share" toggle.
- Your rights — know, delete, correct, and not be discriminated against for exercising any of them. The same channels and 30-day response apply.
- Signals honored — this website treats the Global Privacy Control (and Do Not Track) signal as a refusal of its anonymous page-view counting.
ePrivacy & device storage
This website sets no cookies at all; the few localStorage keys it uses (theme, language, the analytics opt-out, and an optional anonymous identifier) are enumerated one by one in the Cookie Policy, together with the ePrivacy reasoning for each.
Sub-processors
The table below lists every third party that can process user data on our behalf, what it does, and its data-processing agreement. This list is complete — if a vendor is not here, it does not touch your data:
| Sub-processor | Role | Data involved | Agreements |
|---|---|---|---|
| Supabase | Authentication, database, private storage for support-email attachments | Email, hashed device fingerprints, subscription state | Privacy · DPA |
| Cloudflare | CDN, DNS, Workers API, inbound email routing, anonymous analytics ingest | Request metadata (IP-derived country code), routed support email, anonymous events | Privacy · DPA |
| Paddle | Payments as Merchant of Record — billing, tax/VAT, refund execution | Payment and billing data — card numbers never reach us at all | Privacy · DPA |
| Resend | Transactional email — verifications, receipts, support replies | Email address and message content in transit | Privacy · DPA |
| Sentry | Crash and error reporting — only if you opt in (off by default) | Scrubbed stack traces, app/OS version, redacted hardware model — no PII | Privacy · DPA |
If we ever add a sub-processor, the Privacy Policy and this table are updated before it handles any user data.
Data retention
- Account data — kept while your account exists; deleted within 30 days of a deletion request.
- Anonymous analytics events — raw events kept up to 90 days, then dropped; only aggregate, anonymous monthly summaries persist.
- Support email — retained while needed to provide support; deleted or exported on request within 30 days.
- Everything on your PC — snapshots, logs, and backups are yours; uninstalling removes them.
Full retention details live in the Privacy Policy — this is a summary, not a second source of truth.
VAT, taxes & invoices
All purchases are sold by Paddle acting as Merchant of Record. For EU customers this means Paddle — not us — is the seller of record: it determines and collects the correct VAT for your country at checkout, remits it to tax authorities, and issues compliant invoices and receipts. Business customers can enter a VAT ID at checkout for reverse-charge treatment where applicable. Need an invoice re-issued? Use the link in any Paddle receipt or email us.
Exercising your rights
- Email [email protected] from your account's email address — access, export, correction, deletion, or objection. No form required, no charge, response within 30 days.
- In the app: Settings → Privacy holds the analytics opt-out, the install-identifier reset, and the crash-reporting consent switch.
- On this site: the analytics opt-out toggle lives on the Privacy and Cookie Policy pages.
- If you believe we have not resolved your concern, you may lodge a complaint with your local supervisory authority — though we would genuinely appreciate the chance to fix it first via the contact page.
Contact
Compliance, privacy, or data-protection questions: [email protected] — or any channel on the contact page.