Privacy Policy

Privacy Policy
Pulse Last updated: April 26, 2026

1. Introduction

Welcome to Pulse. We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have under applicable law — including the General Data Protection Regulation (GDPR).

This policy applies to the Pulse mobile app (iOS and Android) and any related web applications (collectively, the "Service").

2. Who We Are

Pulse is the data controller responsible for your personal data. If you have any questions about this policy or how we handle your data, you can contact us at:

Varju Ádám Dávid Budapest, Hungary Email: adam@pulse---social.com 

3. Data We Collect

We collect the following categories of personal data:

a) Account Information

• Name and username (your public handle on the platform)

• Email address

• Account credentials (password stored in hashed form)

b) Usage, Analytics & Diagnostics Data

• Features you interact with and how often

• Session duration and in-app behaviour, collected via PostHog

• Device type, operating system, and app version

• A vendor-assigned device identifier (iOS identifierForVendor, or equivalent on Android), stored on our servers to manage push notification tokens

• API call metadata (request URLs, response codes, and latency) captured during your session via PostHog's network telemetry

  
  

Session Replay: We use PostHog's session replay feature to record your interactions within the app — including screen states and navigation flows — to diagnose usability issues. All text inputs and images are masked before transmission. Session recordings are linked to your account UUID, not your name. This processing requires your consent and you can opt out at any time in the app's Privacy Settings.

c) Location Data (where you grant permission)

• Approximate GPS coordinates (to ~100 metres accuracy) are collected when you grant location permission.

• When you upload a photo or video, your current location at the time of upload is stored as metadata attached to that media file on our servers, and is retained for as long as the media exists. This happens automatically when location permission has been granted — there is no separate opt-in per upload. You can prevent this by revoking location permission in your device settings.

• Location is not otherwise stored beyond your active session.

d) Payment Information — Ticket Buyers

We do not store your payment card details. All payment processing for ticket purchases is handled by Stripe. We receive and retain: payment intent identifiers, ticket price, platform fee, and subscription tier. Stripe's Privacy Policy governs the processing of your card data.

e) Payment Information — Event Organisers

If you create paid events on Pulse, you are enrolled in Stripe Connect to receive payouts. This process requires identity verification conducted by Stripe (which may include your legal name, address, and government-issued ID), and optionally the collection of your IBAN for bank transfers. Stripe processes and stores this information under its own Privacy Policy. Pulse retains: your Stripe Connect account identifier, payout eligibility status, and a full transaction ledger (amounts, fees, payout references, and timestamps) for each event. In-app marketplace trade history (buyer and seller identities, items, and prices) is also retained.

f) Event Attendance

When you attend an event, a check-in record is created containing: the event ID, timestamp of check-in, the identity of the person who scanned your ticket, and device metadata collected at the time of scan. This data is used to verify attendance, prevent fraud, and resolve disputes.

g) Push Notifications

We use Firebase Cloud Messaging (Google) to send push notifications to your device. To do this, we store a push notification token (assigned by Firebase) and your device identifier on our servers. These are retained for as long as push notifications are enabled on your account.

4. Legal Basis for Processing (GDPR)

We process your personal data on the following legal grounds under Article 6 GDPR:

PurposeLegal BasisCreating and managing your accountPerformance of a contract (Art. 6(1)(b))Providing and improving the ServiceLegitimate interests (Art. 6(1)(f))Processing ticket paymentsPerformance of a contract (Art. 6(1)(b))Organiser identity verification and payoutsPerformance of a contract (Art. 6(1)(b))Transactional service emails (auth, receipts)Performance of a contract (Art. 6(1)(b))Location tagging on media uploadsConsent (Art. 6(1)(a))Session replayConsent (Art. 6(1)(a))Analytics, diagnostics, and network telemetryLegitimate interests (Art. 6(1)(f))Push notificationsConsent (Art. 6(1)(a))Event attendance and check-in recordsPerformance of a contract / Legitimate interests (Art. 6(1)(b) and (f))Compliance with legal obligationsLegal obligation (Art. 6(1)(c))

5. How We Use Your Data

We use your data to:

• Create and manage your account

• Deliver and personalise the Pulse experience

• Process ticket purchases and organiser payouts via Stripe

• Tag uploaded media with location metadata (with your permission)

• Record session replays (with your consent) to diagnose UX issues

• Analyse usage patterns and API performance to improve the Service

• Send push notifications to your device

• Record event attendance and prevent ticket fraud

• Send important service communications (password reset, receipts)

• Detect, investigate, and prevent fraud or abuse

• Comply with legal obligations

We do not sell your personal data to third parties.

6. Third Parties We Work With

We share data with the following trusted third parties, solely to operate the Service:

• Stripe — payment processing for ticket buyers and organiser payouts (including identity verification via Stripe Connect)

• PostHog — product analytics, session replay, and network telemetry. Your email address is associated with your analytics profile in PostHog to link usage data to your account. See Section 10 for a note on data routing by platform.

• Firebase / Google — push notification delivery via Firebase Cloud Messaging

• Supabase — backend infrastructure, database hosting, and transactional authentication emails (password reset, magic links)

• Cloud infrastructure providers — hosting and storage

All third-party processors are bound by data processing agreements and are required to handle your data in compliance with GDPR.

7. Data Retention

We retain your personal data only for as long as necessary:

Data typeRetention periodAccount and profile dataDuration of account + 30 days after deletionAnalytics and diagnostics dataUp to 24 monthsSession replay recordingsUp to 24 months (subject to PostHog dashboard configuration)Location metadata on uploaded mediaRetained with the media filePush notification tokens and device IDsUntil notifications are disabled or account is deletedTicket purchase recordsAs required by tax/accounting law (typically 7 years)Organiser transaction ledger and trade historyAs required by tax/accounting law (typically 7 years)Event attendance check-in recordsDuration of account + 30 days after deletion

8. Your Rights Under GDPR

If you are based in the European Economic Area, you have the following rights:

• Right of access — request a copy of the personal data we hold about you

• Right to rectification — ask us to correct inaccurate or incomplete data

• Right to erasure — request deletion of your data ("right to be forgotten")

• Right to restriction — ask us to pause processing your data in certain circumstances

• Right to data portability — receive your data in a machine-readable format

• Right to object — object to processing based on legitimate interests

• Right to withdraw consent — where we rely on consent (location tagging, session replay, push notifications), you can withdraw at any time without affecting prior processing

To exercise any of these rights, contact us at privacy@[yourdomain].com. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In Hungary, this is the NAIH — Nemzeti Adatvédelmi és Információszabadság Hatóság (www.naih.hu).

9. Data Security

We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or disclosure. These include encryption in transit (TLS) and at rest, access controls, and regular security reviews.

No system is completely secure. If you believe your account has been compromised, please contact us immediately.

10. International Data Transfers

Your data may be stored or processed outside the European Economic Area. Where this occurs, we ensure appropriate safeguards are in place — such as Standard Contractual Clauses approved by the European Commission.

Specifically: analytics data from iOS devices is routed to PostHog's EU-region servers. Analytics data from Android devices is currently sent to PostHog's US-region servers. We are working to align both platforms to EU-only data routing.

11. Children's Privacy

Pulse is not intended for users under the age of 16. We recommend that minors do not use the Service without parental guidance. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify you via the app or by email before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Continued use of the Service after any update constitutes acceptance of the revised policy.

13. Contact Us

For any questions, requests, or concerns regarding this Privacy Policy:

Email: adam@pulse---social.com  Address: Varju Ádám Dávid, Budapest, Hungary