Privacy Policy
Last updated: January 29, 2026
TL;DR — Your Data is Yours
- Your health data never leaves your device — we literally cannot see it
- All biometric data is processed locally using on-device AI
- We only collect your email and shipping address for your order
- Optional cloud sync? End-to-end encrypted — we can't read it even then
- We NEVER use your data to train AI models
- No Google Analytics, no tracking cookies, no advertising pixels
- You can export or delete your data anytime
1. Our Privacy Philosophy
At Pulsyn, privacy isn't a feature — it's the reason we exist. We built the Rune 1 smart ring because we believed health technology shouldn't require surrendering your most personal data to a corporation.
Most health wearables collect your biometric data, send it to their servers, and use it to train models, sell insights, or lock you into subscriptions. We think that's wrong. Your body produces data that belongs to you.
That's why we designed our systems so that we cannot access your health data, even if we wanted to. That's not a promise — it's an architectural decision baked into every layer of Pulsyn.
2. Core Privacy Principles
End-to-End Encryption
All health data is encrypted on your device. Not even we can access it.
Zero Data Training
Your data is never used to train AI models or shared with third parties.
You Own Your Data
Export, delete, or transfer your data anytime. No questions asked.
3. What Data We Collect
We collect the minimum data necessary to fulfill your order and communicate with you. This does NOT include your health or biometric data.
Order Information
- Email address — For order confirmations, shipping updates, and product announcements
- Shipping address — To deliver your Rune 1 ring
- Payment information — Processed securely by Stripe or BTCPay Server (we never store card numbers or crypto wallet addresses)
- Order details — Ring size, color preference, and order status
Account Information
- Email address — For account access and important notifications
- Password — Hashed using Argon2id (winner of the Password Hashing Competition), never stored in plain text
- Optional profile info — Name and preferences you choose to provide
Technical Information
- Device type and operating system (iOS or Android version)
- App version and anonymized crash reports
- IP address (for security and fraud prevention only, not linked to health data)
4. Your Health Data Stays On Your Device
This is the most important section of this policy.
Pulsyn does NOT collect your health or biometric data. Your Rune 1 ring communicates directly with your phone via Bluetooth. All processing happens on your device. We never see it.
What Your Ring Collects (To Your Device Only)
- Heart rate and heart rate variability (HRV)
- Blood oxygen saturation (SpO2)
- Skin temperature variations
- Sleep stages and patterns
- Activity, steps, and workout data
- Stress and recovery scores
- Menstrual cycle tracking (if enabled)
- Any AI-generated health insights
All of this data is processed entirely on your device using our on-device AI. It never leaves your phone unless you explicitly choose to enable cloud sync.
Optional Cloud Sync (Pro Tier)
If you choose to enable cloud backup for syncing across devices, your health data is:
- Encrypted on your device before transmission using AES-256-GCM
- Zero-knowledge architecture — we store encrypted blobs we literally cannot read
- Decryption keys never leave your device — derived from your password
- Stored in Finland — one of the strongest privacy jurisdictions in the world
Zero Training Commitment
We will never use your biometric data to train AI models. Not our models, not third-party models, not anonymized aggregates. Your health data exists solely to serve you.
5. How We Use Your Data
The limited data we collect is used exclusively for:
- Order fulfillment — Processing, shipping, and delivering your Rune 1
- Communication — Order status updates, shipping notifications, and important product announcements
- Customer support — Responding to your questions and resolving issues
- Security — Fraud prevention and protecting your account
- Product improvement — Aggregated, anonymized purchase data to understand demand (never health data)
We do not sell, rent, or trade your personal information to third parties. Ever.
6. Legal Basis for Processing (GDPR)
For users in the European Union, we process your personal data based on the following legal grounds:
| Legal Basis | What It Covers |
|---|---|
| Contract | Order fulfillment, shipping, account management |
| Legitimate Interest | Customer support, fraud prevention, security monitoring |
| Consent | Marketing communications (optional, easily withdrawn) |
| Legal Obligation | Tax records, warranty compliance, regulatory requirements |
7. Third-Party Services
We use a small number of trusted services to operate our business. Each processes only the minimum data required. None of them ever receive your health data.
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe | Card payments | Payment info (tokenized) | US (Privacy) |
| BTCPay Server | Crypto payments | Transaction data | Self-hosted |
| Resend | Transactional email | Email address | US (Privacy) |
| Supabase | Auth & encrypted sync | Email, encrypted blobs | EU (Privacy) |
| Umami | Website analytics | Anonymous page views | Self-hosted |
| Apple Health | Health integration | User-initiated sync | On-device (Privacy) |
| Google Fit | Health integration | User-initiated sync | On-device (Privacy) |
Apple Health and Google Fit integrations are user-initiated. You choose what to share, and the data syncs directly on your device — it doesn't pass through our servers.
8. International Data Transfers
Your encrypted health data (if you enable cloud sync) is stored on servers in Finland, a jurisdiction with exceptional privacy protections:
- GDPR Compliance — Full adherence to the EU's General Data Protection Regulation
- 24-Hour Breach Notification — Legal requirement to notify affected individuals within 24 hours
- Constitutional Privacy — Privacy is constitutionally protected under Finnish law
- No Mass Surveillance — Strong protections against government overreach
When we use US-based processors (Stripe, Resend), we ensure adequate protection through Standard Contractual Clauses (SCCs) and Data Processing Agreements. These services never receive your health data.
9. Data Storage & Security
We implement multiple layers of security to protect your data:
Encryption Standards
- AES-256-GCM — Military-grade authenticated encryption for all health data. Galois/Counter Mode ensures both confidentiality and integrity.
- Argon2id Password Hashing — Winner of the Password Hashing Competition, recommended by OWASP. Resistant to GPU and side-channel attacks.
- TLS 1.3 — Latest transport layer security for all network communication.
- Zero-Knowledge Architecture — Encryption keys are derived from your password and never leave your device. We cannot decrypt your data even if compelled.
Infrastructure Security
- Encrypted databases with strict access controls
- Regular security audits and penetration testing
- Two-factor authentication (2FA) available for accounts
- Automated breach detection and monitoring
- Employee access strictly limited and logged
10. Data Retention
We retain your data only as long as necessary:
| Data Type | Retention Period | Reason |
|---|---|---|
| Order data | 7 years | Tax and legal requirements |
| Email communications | 3 years | After last contact |
| Support tickets | 2 years | After resolution |
| Analytics data | 26 months | Aggregated, anonymous |
| Health data (default) | Never sent to us | Stays on your device |
| Health data (cloud sync) | Until you delete | Encrypted blobs we can't read |
Account deletion: All associated data is permanently removed within 30 days, except where legal retention is required.
11. Your Rights
You have full control over your data. Here's how to exercise each right:
- Access — Request a copy of all data we hold about you. Email legal@getpulsyn.com with subject "Data Access Request" or export directly from the app.
- Correction — Update any inaccurate information via your account settings or by contacting us.
- Deletion — Request complete deletion of your data. Email legal@getpulsyn.com with subject "Deletion Request" or delete from app settings.
- Portability — Export your data in standard formats (JSON, CSV) directly from the app.
- Opt-out — Unsubscribe from marketing communications using the link in every email or via account settings.
- Object — Object to processing based on legitimate interest by contacting us.
- Complaint — Lodge a complaint with your local data protection authority if you believe your rights have been violated.
We respond to all requests within 30 days. For urgent matters, we aim to respond within 48 hours.
12. Cookies & Analytics
We use Umami, a self-hosted, open-source analytics platform. Umami does not use cookies, does not track individuals across websites, and does not collect personal information. All analytics data is aggregated and anonymous.
Cookies We Use
| Cookie | Purpose | Duration | Required |
|---|---|---|---|
| theme | Dark/light mode preference | 1 year | No |
| session | Shopping cart functionality | Session | Yes |
What We Do NOT Use
- Google Analytics or similar third-party analytics
- Facebook Pixel or social media tracking
- Advertising cookies or retargeting pixels
- Third-party tracking scripts of any kind
- Browser fingerprinting
13. Children's Privacy
Pulsyn's products and services are not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13.
If you believe a child has provided us with personal data, please contact us immediately at legal@getpulsyn.com and we will promptly delete it.
14. Transparency Report
We are committed to transparency about how we handle legal requests and security incidents. We will publish periodic transparency reports covering:
- Government and legal data requests received (and how we responded)
- Security incidents or breaches (none to date)
- Changes to third-party service providers
- Updates to our privacy practices
Important: Due to our zero-knowledge architecture, we cannot provide access to your health data even if legally compelled — we simply don't have the keys to decrypt it.
15. Changes to This Policy
If we make material changes to this privacy policy, we will notify you via email (if you've provided one) and update the "Last updated" date at the top of this page.
Minor clarifications or formatting changes will not trigger notification but will be reflected in the updated date.
We will never reduce your privacy protections without your explicit consent.
16. Contact Us
If you have any questions about this privacy policy, your data, or Pulsyn's privacy practices:
Privacy Inquiries: legal@getpulsyn.com
General Support: support@getpulsyn.com
Response Time: Within 48 hours for privacy matters
Our Commitment to You
Privacy is not an afterthought at Pulsyn — it's the foundation of everything we build. We believe your health data is deeply personal and should remain under your control, always.
Thank you for trusting us with your health journey. We take that responsibility seriously.
