Privacy Policy

Last updated: May 2026

For legal accuracy this document is maintained only in English. Other language versions, where provided, are convenience translations — the English version is the authoritative one.

What we collect

When you create an account and use PULSE, we collect:

Email address — for authentication, password resets, and account communication
Device fingerprint — a SHA-256 hash derived from your hardware identifiers (disk volume serial, CPU model, Windows machine GUID, and computer name) to enforce per-device slot limits. The raw values are never transmitted — only the hash is sent.
Device metadata — hostname, OS version, and app version (for admin analytics and support)
Country — auto-detected from your IP address via Cloudflare (ISO country code only, not precise location)
Subscription data — tier (Free or Pro), subscription status, billing dates, and payment metadata via Paddle (our Merchant of Record)
Crash reports — when the app crashes, anonymized error reports are sent to Sentry. These contain the stack trace, app version, OS version, and a redacted GPU/CPU model. No personal data, file contents, or game data are included. Crash reporting can be disabled in Settings.

What PULSE stores locally

PULSE stores the following data on your computer at %LOCALAPPDATA%\com.pulse.app\:

Auth session — stored in Windows Credential Manager (not a file), contains access/refresh tokens
Configuration files — optimization settings, game profiles, startup delay preferences
Debug logs (pulse.log) — contains hardware model names, GPU/CPU info, driver versions, and operation timestamps. Rotated at 10 MB, maximum 3 files kept
Optimization backup — snapshot of your system settings before optimization, used for rollback

What we don't collect

We don't collect game data, screenshots, or gameplay information
We don't collect browsing history or keystrokes
We don't sell or share your data with third parties
We don't use tracking pixels or advertising identifiers
PULSE includes opt-out telemetry — anonymous usage statistics (feature usage, page views, session duration) help us improve the app. No personal data, game data, or system identifiers are collected. You can disable telemetry entirely in Settings at any time

Network connections

PULSE connects to the internet only for the following purposes:

Account authentication — connects to Supabase (our auth provider) for login, signup, and session management
Device validation — calls pulse-account-api.valone-010.workers.dev (sends access token + device fingerprint hash)
Update checks — fetches pulse-optimization.com/api/version.json once every 24 hours to check for new releases (sends only the app version as User-Agent)
Crash reports — sends anonymized stack traces to Sentry when an unhandled error occurs (opt-out)
Latency testing — pings standard DNS servers (8.8.8.8, 1.1.1.1) and the game servers you select on the Network page

The app does not phone home for any other reason. There is no background telemetry, no behavioral tracking, and no per-action reporting.

How we use your data

Account authentication and session management
Device slot enforcement (limiting devices per subscription)
Delivering software updates
Aggregate analytics (total users, country distribution — no individual tracking)
No other purpose — we don't profile, analyze, or monetize your data

Data storage

Account data is stored in Supabase (PostgreSQL on AWS). API requests are processed by Cloudflare Workers. All connections use HTTPS/TLS encryption. Device fingerprints are stored as irreversible SHA-256 hashes.

Sub-processors

PULSE uses the following third-party sub-processors to deliver the service. Each has a signed Data Processing Agreement (DPA) where applicable:

Supabase — authentication, PostgreSQL database, and private file storage for email attachments. Region: AWS (multi-region). Supabase Privacy · DPA
Cloudflare — CDN, DNS, Workers (API), Email Routing (inbound mail for support@, business@, hello@, [email protected]), and privacy-friendly Web Analytics. Cloudflare Privacy · DPA
Paddle — payment processing as Merchant of Record (handles card data, tax/VAT collection, and remittance on our behalf). We never see or store card numbers. Paddle Privacy · DPA
Resend — transactional email (account verifications, receipts, support replies) and inbound parsing relay. Resend Privacy · DPA
Sentry — crash reporting (opt-out in app Settings). Receives stack traces, app version, OS version, and redacted hardware identifiers only. No PII or game data. Sentry Privacy · DPA

Email communications

When you contact us at any of our published addresses (support@, business@, hello@, [email protected]), your email is routed through Cloudflare Email Routing to our worker, which stores the message body and any attachments in our private Supabase project so the support team can read and reply. Specifically we store:

Sender email, display name, subject, plain-text and/or HTML body, and the RFC 5322 Message-Id headers used for threading
Any attachments you include — stored as binary objects in a private Supabase Storage bucket (email-attachments) capped at 25 MB per file
Received/read/replied/archived timestamps used internally for inbox status

Email contents are visible only to the admin allow-list (set via the worker's ADMIN_EMAILS secret) — they are not accessible to the public, to other users, or to staff outside the allow-list. We retain emails for as long as needed to provide support, then either archive or delete on request. Email you to ask for deletion or export at any time and we will comply within 30 days. Outgoing mail we send you (account, billing, support replies) is delivered via Resend; their privacy policy governs in-transit handling.

Payment processing

Payments are processed by Paddle (our Merchant of Record). We never see or store your full credit card number. Paddle handles billing, tax/VAT collection, and remittance on our behalf. Paddle's privacy policy applies to payment data.

Data retention

Your account data is retained as long as your account exists. You can request deletion by emailing [email protected]. We will delete your account and associated data within 30 days.

Website analytics

The website uses Cloudflare Web Analytics, a privacy-friendly analytics service that does not use cookies, fingerprinting, or any persistent identifier. It records only aggregate page-view counts, country, and referrer. The website also uses Cloudflare CF-IPCountry headers (server-side, not stored) to auto-select your interface language.

Cookies

The website uses a single first-party cookie for the auth session (set by Supabase). The browser also stores your language and theme preferences in localStorage — these never leave your machine. No third-party tracking cookies, advertising IDs, or fingerprinting scripts are loaded.

You have the right to:

Access your account data — request a copy by emailing support
Correct inaccurate data — update your email or country directly in account settings
Delete your account and all associated data — request via email or in-app
Export your data in a machine-readable format (JSON)
Opt out of crash reporting (in app Settings → Privacy)
Object to processing for any reason — contact support

We respond to requests within 30 days. There is no charge for any of these actions.

Children's privacy

PULSE is not intended for children under 13. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete the account.

Changes

We may update this policy as the product and our legal obligations evolve. Material changes are announced via the in-app changelog and the website. The "Last updated" date at the top of this page always reflects the most recent revision.

Contact

Privacy questions or rights requests? Email [email protected] or join the PULSE Discord.