Privacy Policy

Introduction

Pulse Analytics ("Pulse", "we", "us", or "our") operates the Pulse iOS application, a personal health data analytics platform that reads Apple Health metrics and delivers AI-powered analysis. This Privacy Policy sets out the basis on which we collect, use, disclose, and safeguard personal data in connection with your use of the Pulse service.

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and all applicable national implementing legislation. Health and fitness data constitutes special category personal data under Article 9 GDPR and is afforded the highest level of protection we are able to provide.

We do not sell your personal data, use it for advertising purposes, or disclose it to third parties except to the limited extent necessary to operate the Pulse service, as described in this policy.

Data Controller

Pulse Analytics is the data controller within the meaning of Article 4(7) GDPR. As data controller, we determine the purposes and means by which your personal data is processed and bear full responsibility for ensuring that such processing is conducted lawfully, fairly, and transparently.

All data protection enquiries, requests to exercise your rights under GDPR, or concerns regarding our data practices should be directed to our privacy team:

Information We Collect

We collect and process only the personal data required to deliver the Pulse service. The categories of personal data we process are set out below. We do not collect data for advertising purposes and we do not sell personal data to any third party.

Health & Fitness Data (Apple HealthKit)

Pulse reads health and fitness metrics from Apple Health. With your explicit permission, Pulse may also write nutrition data (calories, macronutrients, water intake) to Apple Health when you log meals.

• Resting heart rate
• Heart rate variability (HRV)
• Blood oxygen saturation (SpO2)
• Respiratory rate
• Step count
• Walking and running distance
• Flights climbed
• Exercise minutes (active minutes)
• Active energy burned (active calories)
• VO2 max
• Body weight
• Sleep duration and sleep stage data

Other Personal Data

• Chat messages — Text you submit via the AI analyst chat interface
• Food imagery — Photographs you submit for nutritional analysis; processed in transit only and not retained in our systems
• Meal and nutrition logs — Food descriptions, estimated calorie counts, and macronutrient breakdowns you record or confirm
• Profile information — Display name, in-app preferences, and nutrition goals you configure
• Personalization preferences — Learned habits and behavioural patterns used to tailor AI responses, collected on an opt-in basis only

Legal Basis for Processing

Each processing activity carried out by Pulse rests upon a lawful basis identified under GDPR. The applicable bases are set out below.

• Consent — Articles 6(1)(a) and 9(2)(a): You provide explicit consent to the processing of your health and fitness data during the onboarding flow. This consent is specific, informed, and freely given. Withdrawal may be effected at any time through the app settings or by contacting us.
• Performance of a contract — Article 6(1)(b): Processing of non-health personal data (including chat messages, meal logs, and profile information) is necessary to perform the Pulse service in accordance with our Terms of Service.
• Legitimate interests — Article 6(1)(f): We may process limited operational data, such as system error logs, where we have a legitimate interest in maintaining the reliability and security of the service, provided that interest is not overridden by your fundamental rights and freedoms.

How We Process Your Information

Health Metrics & Stored Data

Health metrics are synchronised incrementally from Apple Health to our cloud database, hosted within the European Union. Strict per-user data isolation is enforced at the database level, ensuring that no user may access the data of any other user under any circumstances.

AI Analysis (Text Chat)

Chat messages and a summarised health context are transmitted to a third-party AI language model via our AI processing service. All AI processing routes operate under a contractually enforced Zero Data Retention (ZDR) policy — neither the processing service nor the underlying AI language model retains your prompts, health context, or responses after the request is fulfilled.

Food Image Analysis

Food photographs you submit are transmitted to a third-party AI vision model under the same Zero Data Retention policy. Images exist solely in transit — they are not written to our database, linked to your account, or retained by any third party following completion of the analysis request.

Personalisation

Where you have opted in to AI personalisation, Pulse stores a set of learned preferences and behavioural patterns to inform future AI responses. This processing is entirely optional and may be disabled at any time from the Profile tab, upon which all personalisation data is immediately and permanently deleted.

AI Processing & Zero Data Retention

All AI processing routes within Pulse — including text-based health analysis and food image analysis — are subject to a contractually mandated Zero Data Retention (ZDR) policy. Zero Data Retention means that AI service providers are contractually prohibited from storing, logging, or using any submitted data — including prompts, health context, images, or model responses — for any purpose once the processing request is complete.

Under ZDR, your personal data and health information are not used for AI model training, fine-tuning, evaluation, or any other secondary purpose. Each request is processed in isolation and nothing is retained on the provider's infrastructure after the response is returned.

If you have questions about our AI processing arrangements, please contact us at noor@maykana.ly.

Data Storage & International Transfers

Primary Storage

Your health metrics, meal logs, chat history, and profile data are stored on servers hosted within the European Union by our cloud infrastructure provider. All data at rest is encrypted, and per-user isolation is enforced at the database level.

International Transfers

AI processing may involve the temporary transit of data through infrastructure located outside the European Economic Area. We address this in two ways: first, all AI processing is subject to Zero Data Retention, meaning no personal data is stored by the provider after processing; and second, we rely on Standard Contractual Clauses (SCCs) approved under Article 46 GDPR as the transfer safeguard for any data leaving the EEA.

Nutrition Lookups

When you search for or scan food items, Pulse may query third-party nutrition databases. Only the food name or product barcode is transmitted to these services — no personal data, health information, or account identifiers are included in such requests.

Data Security

We implement technical and organisational measures commensurate with the sensitivity of the personal data we process, in particular the special category health data within our systems. These measures include:

• Encryption in transit: All data transmitted between your device and our infrastructure is encrypted using TLS over HTTPS
• Per-user database isolation: Row-level security policies are enforced on all database tables, ensuring that each user's data is logically isolated and inaccessible to any other user, including in the event of application-layer vulnerabilities
• Zero Data Retention for AI processing: All AI processing routes operate under contractually mandated ZDR — no prompts, health context, images, or responses are retained by AI service providers after completion of a request
• No third-party tracking or advertising: The Pulse application contains no third-party analytics SDKs, advertising networks, or behavioural tracking libraries
• Data minimisation: We collect and process only the personal data strictly necessary to provide the service
• Secure authentication: User identity is managed via email and password authentication through Supabase Auth. Passwords are hashed and never stored in plaintext. Pulse does not have access to your raw password.

Data Retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required to comply with legal obligations. The following retention periods apply:

• Health samples and meal logs — Retained for the duration of your account, to support trend analysis and longitudinal comparisons
• Chat messages — Retained to support conversation continuity; individual conversations may be deleted within the app at any time
• AI personalisation data — Deleted immediately and permanently upon disabling the Personalised AI feature in your profile settings
• Food photographs — Never written to persistent storage; photographs exist solely during the duration of the analysis request
• Account deletion — Upon deletion of your account via the Profile tab, all associated personal data — including health samples, chat messages, meal logs, personalisation data, and profile information — is permanently and irreversibly erased from our systems

Your Rights Under GDPR

As a data subject, you are entitled to the following rights in respect of your personal data. To exercise any right, submit a written request to noor@maykana.ly. We will respond without undue delay and in any event within one calendar month of receiving your request.

• Right of Access (Article 15) You may request confirmation of whether we process personal data about you and, if so, a copy of that data together with information about the purposes, categories, recipients, and retention periods applicable to that processing.
• Right to Rectification (Article 16) You may request correction of inaccurate personal data we hold about you. Profile information may be updated directly via the Profile tab in the Pulse app without need to contact us.
• Right to Erasure (Article 17) You may request the permanent deletion of your personal data where there is no overriding legal ground for its continued retention. Account deletion — and the erasure of all associated data — may be initiated directly from the Profile tab in Pulse at any time.
• Right to Restriction of Processing (Article 18) You may request that we restrict our processing of your personal data in certain circumstances, such as while we investigate a disputed accuracy claim or assess an objection you have raised.
• Right to Data Portability (Article 20) Where processing is based on your consent or on a contract, you may request receipt of your personal data in a structured, commonly used, machine-readable format, or direct transmission to another controller where technically feasible.
• Right to Object (Article 21) Where we rely on legitimate interests as our legal basis, you have the right to object to that processing on grounds relating to your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
• Right to Withdraw Consent Where processing is based on your consent, you may withdraw that consent at any time through the app settings or by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

You also have the right to lodge a complaint with the supervisory authority competent for your place of habitual residence, place of work, or place of the alleged infringement. A list of EU national supervisory authorities is available via the European Data Protection Board.

Third-Party Service Providers

We engage the following third-party service providers to operate the Pulse service. We disclose personal data to each provider only to the minimum extent necessary for the specified purpose. We do not disclose personal or health data to nutrition lookup services.

Children's Privacy

The Pulse service is not directed at, and is not intended for use by, individuals under the age of 16. We do not knowingly collect or process personal data relating to children under 16. Use of the service requires an Apple account and explicit consent to health data processing, both of which presuppose legal capacity to contract.

If you have reason to believe that we have inadvertently collected personal data from a child under 16, please notify us immediately at noor@maykana.ly. We will investigate and, where confirmed, delete such data without undue delay.

Changes to This Policy

We may revise this Privacy Policy periodically to reflect changes in our data processing practices, the services we offer, or applicable data protection legislation. The effective date at the top of this page indicates when the policy was last updated.

Where proposed changes are material — meaning they substantively affect your rights or the manner in which we process your personal data — we will provide advance notice via an in-app notification before the revised policy takes effect. Your continued use of Pulse following that notification constitutes acceptance of the updated policy.

Prior versions of this policy are available on request by contacting noor@maykana.ly.

Contact

For any questions or concerns regarding this Privacy Policy, to submit a data subject rights request, or to raise a complaint about how we handle your personal data, please contact our privacy team in writing:

If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority in your EU member state. A directory of national data protection authorities is maintained by the European Data Protection Board.