California privacy notice
Last updated: 2026-04-20 · Version 1.0
Placeholder. Pulsus legal team to replace this copy by 2026-05-15. Structure + links are final; body text is provisional.
Notice at Collection
Pulsus collects the following categories of personal information about California residents, described with the CCPA taxonomy (Cal. Civ. Code §1798.140(v)):
- Identifiers — email address, account ID, device identifier.
- Commercial information — subscription history, coupon redemptions, paid-tier status.
- Internet or electronic network activity — pages visited, referrer, locale, approximate region (from IP prefix).
- Sensitive Personal Information (SPI) — biometric information (derived HRV / BPM / stress score), account credentials. Raw camera frames are never stored.
- Inferences — persona archetype, stress zone, recovery index.
The purposes for collection are listed in our Privacy Policy. We do not sell personal information. We share information with advertising partners, in the sense in which CCPA defines “share” (cross-context behavioural advertising), only when your Ads / Conversion bucket is on. You can opt out at any time.
Your California rights
- Right to know — request a copy of personal information we collected in the past 12 months.
- Right to delete — request that we delete personal information we hold, subject to the retention carve-outs in the Privacy Policy (tax, fraud).
- Right to correct — fix inaccurate information.
- Right to opt out of sale / share — enable or disable our Ads / Conversion bucket.
- Right to limit use of SPI — request that we stop using your biometric metrics for anything beyond the core product experience (see below).
- Right to non-discrimination — you may exercise these rights without paying a different price or receiving a different quality of service.
Do Not Sell or Share / Limit Use of Sensitive PI
Two controls, one place — Settings → Privacy carries an “Opt out of sale/share” toggle and a “Limit use of Sensitive PI” toggle. Both are also reachable from the cookie banner footer link.
We honour the Global Privacy Control (GPC) header automatically. If your browser sends Sec-GPC: 1, we turn both toggles off without needing you to visit Settings. GPC is mandatory for covered businesses in California, Colorado, Connecticut, Delaware, Iowa, Minnesota, Montana, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee and Texas as of 1 Jan 2026.
How to exercise a right
Email privacy@pulsus.co with “CCPA” in the subject. We will verify your identity (to make sure somebody else can't delete your data), and respond within 45 days. You may also use an authorised agent with a signed letter of authority.
Annual risk assessment (2026)
Because Pulsus processes SPI (biometric data), we complete an annual risk assessment as required by the CPRA 2026 amendments. The current assessment is on file with the California Privacy Protection Agency and a summary is available on written request to the address above.
Metrics (annual threshold)
If in a calendar year we receive more than 10,000 CCPA requests across all jurisdictions, we will publish an annual metrics report per §999.317 at /legal/california/metrics. No metrics threshold has been crossed as of the “last updated” date above.