Privacy policy
Last updated: 2026-04-20 · Version 1.0 · version history
Placeholder. Pulsus legal team to replace this copy by 2026-05-15. Structure + links are final; body text is provisional.
1. Who we are
Pulsus (“we”, “us”, “the app”) is operated by Pulsus Labs, a company registered in the United States. Contact: privacy@pulsus.co. EU representative and UK representative details, KVKK VERBİS registration number, and DPO designation are listed on our contact page once finalised.
2. What data we collect — with a camera carve-out
- Account basics — email address, hashed password, chosen locale, chosen theme, and any name you voluntarily enter in onboarding.
- Measurement aggregates — BPM, RMSSD, SDNN, stress score, recovery score, and session timestamp. These are computed on your device from the rPPG camera signal.
- Camera frames (on-device only). To measure your pulse and HRV, the Pulsus app temporarily accesses your device's front camera. Raw video frames are processed ephemerally in browser or app memory by our rPPG engine to estimate heart rate and HRV. Raw video is never stored, never uploaded to our servers, and never transmitted to any third party. Only the derived aggregate metrics are transmitted to our servers, and only if you are signed in.
- AI coach messages — only if you use the coach. Retained in a 90-day rolling window (see §7).
- Billing references — Stripe customer ID and subscription ID only; full card details never touch our servers.
- Technical data — IP address prefix for security + fraud prevention (not precise geolocation), user agent, viewport size.
- Analytics events — only if your Analytics cookie bucket is on. See our cookie policy.
3. Purposes and legal bases
- Providing the service — GDPR Art. 6(1)(b) contract performance; KVKK m.5/2(c) sözleşmenin kurulması; equivalent under PIPL, DPDP, APPI.
- Biometric processing (HRV derivation) — GDPR Art. 9(2)(a) explicit consent; KVKK m.6/2 açık rıza; PIPL separate consent. Captured at camera-permission grant + onboarding reveal.
- Legal obligations — tax records (7 years), fraud prevention — GDPR Art. 6(1)(c); KVKK m.5/2(ç).
- Marketing — GDPR Art. 6(1)(a) consent, only when the Ads / Conversion bucket is on.
4. Automated decision-making and profiling
The stress score and persona archetype are computed algorithmically. They are not used to make legal or similarly significant decisions; they only tune the coach's responses and ritual suggestions. You have the right to meaningful information about the logic and to request human review — see our AI coach policy.
5. Who we share with
We share limited data only with the subprocessors named on our subprocessor list, each bound by a DPA. We do not sell personal information in the sense in which CCPA, CPRA, GDPR or KVKK define that term.
6. International transfers
Data flows from the EU / UK / Turkey to the US are governed by the 2021 EU Standard Contractual Clauses, the UK International Data Transfer Agreement, and the KVKK Standart Sözleşme. The China PIPL certification route is used only if we onboard users in the PRC.
7. Retention
| Data class | Retention |
|---|---|
| Raw video frames | 0 seconds — ephemeral on-device |
| Measurements | 24 months rolling, user-deletable |
| AI coach chat | 90 days rolling |
| Account basics | Life-of-account + 30 days post-deletion |
| Billing records | 7 years (tax / AML) |
| PostHog analytics | 14 months |
| Support tickets | 36 months |
| Security logs | 12 months |
8. Your rights
Wherever you are, you can: access, correct, or delete your data; export a machine-readable copy; withdraw any consent; complain to your supervisory authority. Use /legal/data-export and /legal/delete-account, or email privacy@pulsus.co. California residents — see our California notice. Turkey residents — KVKK Aydınlatma Metni.
9. Children
Pulsus is for people aged 16 and above — see our children's privacy notice.
10. Security
HTTPS everywhere, hashed passwords (argon2id), database encryption at rest, principle-of-least-privilege access, SOC 2 roadmap in progress. Detailed TOMs available on request for business customers.
11. Changes to this policy
Material changes: at least 30 days' advance notice to EU and UK users; reasonable notice via email or in-app banner elsewhere. The version history records every change.
12. Supervisory authorities
- EU — any lead or concerned DPA (ICO, CNIL, Datatilsynet, AEPD, etc.)
- UK — Information Commissioner's Office (ICO)
- Turkey — Kişisel Verileri Koruma Kurulu (KVKK)
- California — California Privacy Protection Agency (CPPA)
- Australia — Office of the Australian Information Commissioner (OAIC)
- Japan — Personal Information Protection Commission (PPC)
13. Contact
privacy@pulsus.co for any privacy request. kvkk@pulsus.co for KVKK-specific başvuru.