Privacy Policy
Effective: April 25, 2026 — Version 1.0
1. Data Collection
Pulsentric collects the following categories of personal information:
- Wallet Addresses — Public on-chain identifiers voluntarily provided by users (e.g., MetaMask, Phantom). Treated as pseudonymous identifiers under GDPR Art. 4.
- Email Addresses — Collected via Supabase Auth at signup. Used for account access, transactional emails (Resend), and security notifications.
- Payment Data — Card data is processed entirely by Stripe (PCI-DSS Level 1) and is never stored on Pulsentric's servers. Pulsentric retains only the Stripe
customer_idfor subscription management. - Telemetry & Analytics — Anonymous and pseudonymous usage data via PostHog (
person_profiles: identified_only). Includes pageviews, click events, and session duration. - Technical Data — Browser type, OS, IP address (rate-limit / fraud-prevention only — NOT stored beyond 24h).
2. Data Usage (Lawful Basis under GDPR)
- Contract performance (Art. 6.1.b) — Account management, subscription billing, delivery of the Service.
- Legitimate interests (Art. 6.1.f) — Fraud prevention, rate limiting, security monitoring, product improvement.
- Consent (Art. 6.1.a) — Marketing emails (only if explicitly opted in), non-essential analytics cookies (PostHog).
- Legal obligation (Art. 6.1.c) — Tax, accounting, anti-money-laundering (AML) compliance.
3. Third-Party Processors (Sub-processors)
Pulsentric engages the following sub-processors to deliver its services:
| Processor | Purpose | Region |
|---|---|---|
| Supabase | Auth + Database | EU/US (Frankfurt / N. Virginia) |
| Stripe | Payments | US, EU |
| Resend | Transactional Email | US |
| Upstash | Redis cache, queues | EU/US |
| Vercel | Hosting, Edge Network | Global |
| Alchemy | Blockchain RPC | US |
| GoPlus Security | Token risk audit | Global |
| DexScreener / CoinGecko | Market data | Global |
| PostHog | Analytics | EU (Frankfurt) |
| Sentry | Error monitoring | US |
For non-EEA transfers, Pulsentric relies on Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the EU-U.S. Data Privacy Framework.
4. User Rights (GDPR + CCPA)
For EU/EEA residents (GDPR Articles 15-22)
- Right to access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / “Right to be Forgotten” (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20) — export account data in JSON.
- Right to object (Art. 21)
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority (Italian Garante, or local DPA)
For California residents (CCPA/CPRA)
- Right to know what personal information is collected.
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to opt-out of “sale” or “sharing” of personal information.
- “Do Not Sell or Share My Personal Information” — Pulsentric does NOT sell personal information to third parties for monetary or other valuable consideration. Sharing for cross-context behavioral advertising is also disabled by default.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising CCPA rights.
To exercise any of these rights, contact privacy@pulsentric.com. Pulsentric will respond within 30 days (GDPR) / 45 days (CCPA).
5. Data Retention
- Account data — retained while the account is active + 30 days after deletion (then permanently purged).
- Payment records — retained for 10 years (Italian/EU tax-law obligation).
- Logs (Sentry, system_errors) — 7 days rolling.
- Telemetry (PostHog) — 12 months.
- IP addresses (rate limiting) — 24 hours.
6. Children's Privacy
The Service is not intended for individuals under 18. Pulsentric does not knowingly collect data from minors. Contact privacy@pulsentric.com to request deletion of any data inadvertently collected from a minor.
7. Cookies
See /cookies for the full Cookie Policy. Strictly necessary cookies (Stripe session, Supabase Auth) are loaded by default. Analytics cookies (PostHog) only after explicit consent.
8. Data Breach Notification
In the event of a personal-data breach affecting EU/EEA residents, Pulsentric will notify the competent supervisory authority within 72 hours and affected users without undue delay, in accordance with GDPR Art. 33-34.
9. Changes to this Policy
Material changes will be communicated via email and dashboard banner at least 30 days before they take effect.
10. Contact
- Data Protection Officer (DPO): privacy@pulsentric.com
- Postal address: [Pulsentric S.r.l. — leave bracketed placeholder for the actual address]