Privacy Policy - PulseID

Introduction

PulseID ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we handle your information when you use our mobile application.

PulseID is designed with privacy at its core. While some media processing may occur on secure remote servers, no data is ever stored—files are immediately deleted after processing.

Our Privacy Commitment

We do NOT collect, store, or transmit your biometric or health data to any external servers.

No data collection: Your heart rate and health data never leaves your device
No cloud storage: We do not store any biometric data on remote servers
No third-party sharing: Your health information is never shared with anyone
No analytics on health data: We do not track or analyze your biometric information

Information We Collect

Account & Subscription

When you create an account or purchase a subscription, we collect your email address and subscription status. Payment processing is handled entirely by Apple—we never receive your payment details.

Health & Biometric Data

With your explicit consent, PulseID accesses heart rate data from:

Apple HealthKit (read-only access to heart rate samples)
Connected Bluetooth heart rate monitors
Apple Watch via WatchConnectivity

This data is accessed solely to display your heart rate on screen and overlay it on photos/videos. The data is processed entirely on your device and is never uploaded, stored, or transmitted externally.

Camera & Photo Library

We request access to:

Camera: To capture photos and videos
Photo Library: To import media and save your creations

Media you create stays on your device unless you choose to share it.

Device Information

We collect device model, operating system version, app version, and platform. This data is used solely to diagnose crashes, reproduce bugs, and monitor app stability—it is never used for advertising or tracking.

Approximate Location

City and country may be derived automatically by our hosting provider (Cloudflare) from your IP address for abuse prevention and service security. We do not collect GPS coordinates.

Consent Records

When you grant access to health data, we store the timestamp of your consent for legal compliance.

How Your Data is Used

Your data is used solely to provide app functionality:

Display real-time heart rate on screen (local)
Photo overlays can be processed locally on your device or on remote servers
Video overlays are processed on remote servers for performance
Sync between your iPhone and Apple Watch (local communication only)

When remote processing is used, your media is transmitted securely, processed immediately, and permanently deleted—nothing is stored on our servers.

Data Storage

Account data: Stored securely on our servers while your account is active.

Health data: Processed on your device only—never stored on our servers.

Media: Videos processed on our servers are immediately deleted after processing.

Legal Basis for Processing (GDPR)

If you are in the European Economic Area, we process your data under the following legal bases:

Consent: Health and biometric data is processed only after you give explicit consent via the in-app permission prompt. You may withdraw consent at any time through your device settings.
Contract: Account and subscription data are processed as necessary to provide the core service you signed up for.
Legitimate interest: Device information, approximate location, and operational telemetry are processed to maintain service stability, diagnose errors, and prevent abuse. This processing is minimal, does not involve sensitive data, and is necessary to keep the app running reliably for all users.

Data Sharing

We do not sell, rent, or trade your personal data. We do not use your data for advertising.

Data Storage & International Transfers

Account data is stored securely on servers in the United States via Cloudflare (encrypted in transit and at rest). If you are located outside the United States, your data will be transferred to and processed in the United States. International transfers are conducted based on Standard Contractual Clauses (SCCs) as approved by the European Commission.

Health and biometric data is processed entirely on your device and is never stored on our servers. When remote media processing is used, files are transmitted securely, processed immediately, and permanently deleted—nothing is stored.

Data Retention

We retain your account data while your account is active. When you delete your account, all personal data is removed immediately. Accounts inactive for 12 months may be automatically deleted along with all associated data.

Third-Party Services

We use RevenueCat to manage subscriptions. RevenueCat receives your subscription status to validate purchases. See RevenueCat's privacy policy.

We do not use analytics, advertising, or tracking services. We do not sell your personal information.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of the data we hold about you
Deletion: Delete your account and all associated data by contacting us
Correction: Request updates to any inaccurate personal data
Portability: Request an export of your data in a machine-readable format
Withdraw consent: Revoke health data access at any time through iOS Settings > Privacy & Security > Health. When you revoke access, we stop accessing new health data.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

If you are in the European Economic Area, you also have the right to lodge a complaint with your local data protection authority.

For California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

Know what personal information we collect and how it is used
Request deletion of your personal information
Opt out of the "sale" or "sharing" of personal information — we do not sell or share your data for cross-context behavioral advertising
Not be discriminated against for exercising your privacy rights

To exercise these rights, contact us at [email protected].

For Washington State Residents (My Health My Data Act)

Washington's My Health My Data Act provides additional protections for health data. Under this law:

We obtain your affirmative consent before collecting or sharing health data
We do not sell your health data or use it for advertising
You may withdraw consent and request deletion of your health data at any time by contacting us
We will delete your health data within 30 days of receiving a valid request

Data Breach Notification

In the event of a data breach affecting your personal data, we will notify affected users and relevant authorities in accordance with applicable law, including GDPR (72-hour notification to supervisory authorities) and applicable US state breach notification laws.

Children's Privacy

PulseID is not intended for children under 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children under this age.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the app. Continued use of the app after non-health-related changes constitutes acceptance of the updated policy. Material changes to how we process health and biometric data will require renewed consent.

Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

[email protected]