Privacy Policy
Last updated: 2026
PersonaPulse ("we", "us", "the service") is committed to handling your data lawfully, fairly, and transparently in line with the UK GDPR and ICO guidance. This policy describes what we collect, why, how long we keep it, and the rights you have.
1. Data Controller
The data controller for PersonaPulse is PersonaPulse App. For any privacy question, data-subject request, or complaint, contact support@personapulse.dev.
2. Data We Collect
- Account: email address and authentication tokens.
- Usage: messages exchanged with characters, trust progression, and credit balance — used only to power your own experience.
- Billing: a Stripe customer ID and payment event log (amount, date, product). We never see or store your card details.
- Technical: minimal session/diagnostic data needed to keep your account secure and the app running.
3. Lawful Basis for Processing
- Contract (UK GDPR Art. 6(1)(b)): creating your account, delivering chats, processing purchases.
- Legitimate interests (Art. 6(1)(f)): securing the service against fraud and abuse, and basic product analytics.
- Legal obligation (Art. 6(1)(c)): retaining payment records as required by tax and accounting law.
- Consent (Art. 6(1)(a)): any optional marketing communication — withdrawable at any time.
4. Chat Logs, Isolation & AI Training
Your chat history is stored under your account and isolated at the database level using Row-Level Security (RLS). Only you, while authenticated, can read your own messages. Staff do not browse chats.
Your conversations are sent to our AI model provider solely to generate the next reply. They are never used to train, fine-tune, or improve any external or third-party AI model, and they are never sold, shared, or licensed to advertisers or data brokers.
5. Payments & Stripe Isolation
All card processing is handled by Stripe, a PCI-DSS Level 1 payment provider. Card numbers, CVCs, and full bank details never touch our servers — we only receive a Stripe customer reference and a record of the transaction. Stripe acts as an independent data controller for payment data under its own privacy policy.
6. Analytics
We use minimal, privacy-respecting product analytics to understand which features are used and to detect outages. We do not run advertising trackers, we do not build behavioural ad profiles, and we do not share analytics data with advertising networks.
7. Data Retention
- Account & chat history: retained while your account is active. Deleted within 30 days of an account-deletion request.
- Payment records: retained for up to 7 years where required by UK tax and accounting law.
- Security & diagnostic logs: retained for up to 90 days.
8. Your Rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion ("right to erasure") of your account and chat history.
- Restrict or object to certain processing.
- Request a portable copy of your data.
- Withdraw any consent you previously gave.
To exercise any of these rights — including instant account deletion — email support@personapulse.dev. We aim to respond within 30 days.
9. International Transfers
Some processors (such as our AI provider and Stripe) may operate outside the UK/EEA. Where this happens we rely on appropriate safeguards such as Standard Contractual Clauses or the UK International Data Transfer Addendum.
10. Complaints
If you are unhappy with how we handle your data you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk. We'd appreciate the chance to address your concern first at support@personapulse.dev.
11. Children
PersonaPulse is strictly for adults aged 18 or over. We do not knowingly collect data from anyone under 18. If you believe an under-18 has created an account, contact us and we will delete it.