Legal · GDPR · CCPA

Privacy Policy

Effective: April 25, 2026 — Version 1.0

This Privacy Policy applies to all users of Pulsentric, including residents of the European Economic Area (GDPR) and the State of California (CCPA/CPRA).

1. Data Collection

Pulsentric collects the following categories of personal information:

  • Wallet Addresses — Public on-chain identifiers voluntarily provided by users (e.g., MetaMask, Phantom). Treated as pseudonymous identifiers under GDPR Art. 4.
  • Email Addresses — Collected via Supabase Auth at signup. Used for account access, transactional emails (Resend), and security notifications.
  • Payment Data — Card data is processed entirely by Stripe (PCI-DSS Level 1) and is never stored on Pulsentric's servers. Pulsentric retains only the Stripe customer_id for subscription management.
  • Telemetry & Analytics — Anonymous and pseudonymous usage data via PostHog (person_profiles: identified_only). Includes pageviews, click events, and session duration.
  • Technical Data — Browser type, OS, IP address (rate-limit / fraud-prevention only — NOT stored beyond 24h).

2. Data Usage (Lawful Basis under GDPR)

  • Contract performance (Art. 6.1.b) — Account management, subscription billing, delivery of the Service.
  • Legitimate interests (Art. 6.1.f) — Fraud prevention, rate limiting, security monitoring, product improvement.
  • Consent (Art. 6.1.a) — Marketing emails (only if explicitly opted in), non-essential analytics cookies (PostHog).
  • Legal obligation (Art. 6.1.c) — Tax, accounting, anti-money-laundering (AML) compliance.

3. Third-Party Processors (Sub-processors)

Pulsentric engages the following sub-processors to deliver its services:

ProcessorPurposeRegion
SupabaseAuth + DatabaseEU/US (Frankfurt / N. Virginia)
StripePaymentsUS, EU
ResendTransactional EmailUS
UpstashRedis cache, queuesEU/US
VercelHosting, Edge NetworkGlobal
AlchemyBlockchain RPCUS
GoPlus SecurityToken risk auditGlobal
DexScreener / CoinGeckoMarket dataGlobal
PostHogAnalyticsEU (Frankfurt)
SentryError monitoringUS

For non-EEA transfers, Pulsentric relies on Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the EU-U.S. Data Privacy Framework.

4. User Rights (GDPR + CCPA)

For EU/EEA residents (GDPR Articles 15-22)

  • Right to access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure / “Right to be Forgotten” (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20) — export account data in JSON.
  • Right to object (Art. 21)
  • Right to withdraw consent at any time
  • Right to lodge a complaint with a supervisory authority (Italian Garante, or local DPA)

For California residents (CCPA/CPRA)

  • Right to know what personal information is collected.
  • Right to delete personal information.
  • Right to correct inaccurate personal information.
  • Right to opt-out of “sale” or “sharing” of personal information.
  • “Do Not Sell or Share My Personal Information” — Pulsentric does NOT sell personal information to third parties for monetary or other valuable consideration. Sharing for cross-context behavioral advertising is also disabled by default.
  • Right to limit use of sensitive personal information.
  • Right to non-discrimination for exercising CCPA rights.

To exercise any of these rights, contact privacy@pulsentric.com. Pulsentric will respond within 30 days (GDPR) / 45 days (CCPA).

5. Data Retention

  • Account data — retained while the account is active + 30 days after deletion (then permanently purged).
  • Payment records — retained for 10 years (Italian/EU tax-law obligation).
  • Logs (Sentry, system_errors) — 7 days rolling.
  • Telemetry (PostHog) — 12 months.
  • IP addresses (rate limiting) — 24 hours.

6. Children's Privacy

The Service is not intended for individuals under 18. Pulsentric does not knowingly collect data from minors. Contact privacy@pulsentric.com to request deletion of any data inadvertently collected from a minor.

7. Cookies

See /cookies for the full Cookie Policy. Strictly necessary cookies (Stripe session, Supabase Auth) are loaded by default. Analytics cookies (PostHog) only after explicit consent.

8. Data Breach Notification

In the event of a personal-data breach affecting EU/EEA residents, Pulsentric will notify the competent supervisory authority within 72 hours and affected users without undue delay, in accordance with GDPR Art. 33-34.

9. Changes to this Policy

Material changes will be communicated via email and dashboard banner at least 30 days before they take effect.

10. Contact

  • Data Protection Officer (DPO): privacy@pulsentric.com
  • Postal address: [Pulsentric S.r.l. — leave bracketed placeholder for the actual address]
← Back to home