Privacy Policy
Last updated: February 10, 2026
1. Controller
Lieven Sauerwald Theodor-Fontane-Weg 16, 49434 Neuenkirchen, Germany Email: support@devls.tech
This privacy policy explains how we process personal data when you use the Pulse website, dashboard, and API ("Service").
2. Data We Collect
2.1 Account Data
When you create an account we collect:
- Email address (required)
- Name (optional)
- Password (stored as a bcrypt hash — we never store your plaintext password)
- Newsletter preference (opt-in checkbox at registration)
2.2 Payment Data
When you subscribe to a paid plan, our payment processor Stripe, Inc. collects:
- Credit/debit card details or SEPA Direct Debit information
- Billing address
- VAT ID (for business customers)
We do not store your full card number. Stripe processes and stores payment information in accordance with PCI DSS Level 1 standards. We only store:
- Last 4 digits and card brand (e.g., Visa)
- Stripe customer and subscription IDs
- Invoice references and subscription status
See Stripe's Privacy Policy for details on how Stripe handles your data.
2.3 Usage Data
For authenticated users, we log:
- API endpoints called, HTTP method, response status code
- Response time
- User-Agent string (truncated)
- Timestamp
This data is retained for 90 days and used to enforce rate limits, monitor service health, and generate usage statistics visible in your dashboard.
2.4 Contact Form
When you submit the contact form we collect your name, email address, subject, and message text. This data is used solely to respond to your inquiry.
2.5 Alert & Notification Data
If you configure alert rules, we store:
- Alert rule configuration (trigger type, thresholds, receivers)
- Telegram user ID (if you link Telegram for alert delivery)
2.6 Local Browser Storage
The dashboard stores the following in your browser's localStorage (never sent to third parties):
- Authentication token (JWT) to keep you logged in
- AI query history and recent searches for your convenience
You can clear this data at any time through your browser settings.
3. Legal Basis for Processing (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Account management, service delivery | Performance of contract (Art. 6(1)(b)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) |
| Usage monitoring, rate limiting, security | Legitimate interest (Art. 6(1)(f)) |
| Email notifications (service-related) | Performance of contract (Art. 6(1)(b)) |
| Newsletter | Consent (Art. 6(1)(a)) — you can unsubscribe at any time |
| Legal retention of invoices | Legal obligation (Art. 6(1)(c)) |
4. Cookies and Similar Technologies
We use only essential cookies required for the Service to function. We do not use analytics or advertising cookies.
Essential Cookies
| Name | Purpose | Duration |
|---|---|---|
| session_id | Maintains your login session | Session |
| csrf_token | Protects against cross-site request forgery | Session |
Functional Storage (localStorage)
| Key | Purpose | Duration |
|---|---|---|
| user_token | Authentication (JWT) | Until logout |
| pulse_ask_history | Your AI query history | Until cleared |
| pulse_recent_searches | Recent subject searches | Until cleared |
Because we only use strictly necessary cookies, no cookie consent banner is required under ePrivacy regulations. If we add analytics or marketing cookies in the future, we will implement a consent mechanism first.
5. Third-Party Processors
We share personal data only with the following processors, all of which have appropriate data processing agreements in place:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing | USA | EU Standard Contractual Clauses (SCCs), PCI DSS Level 1 |
| Amazon Web Services (SES) | Transactional email delivery | EU (Ireland, eu-west-1) | GDPR DPA, ISO 27001, SOC 2 |
| Google Fonts | Font delivery (Inter) | USA | No personal data collected; fonts requested by browser |
| RapidAPI | API marketplace distribution | USA | Only for API-tier users who subscribe via RapidAPI |
We do not sell or share your personal data with advertisers or data brokers.
6. Emails We Send
We send transactional emails via Amazon SES for:
- Email verification and password reset links
- Payment receipts and failed payment notifications
- Subscription changes (upgrade, downgrade, cancellation)
- Alert notifications (based on your configured rules)
- Contact form confirmations
If you opted in, we may also send occasional newsletter/product updates. Every such email contains an unsubscribe link.
7. Data Retention
| Data | Retention period |
|---|---|
| Account data | While active + 30 days after deletion request |
| API usage logs | 90 days |
| Payment records and invoices | 10 years (§ 147 AO, German fiscal code) |
| Email sending log | 90 days |
| Contact form submissions | Until inquiry is resolved, max 6 months |
| Telegram user ID | Until you unlink or delete your account |
8. International Data Transfers
Your data is primarily processed in the EU (AWS eu-central-1 and eu-west-1). Where data is transferred to the USA (Stripe, RapidAPI), we rely on EU Standard Contractual Clauses (SCCs) as the transfer mechanism under GDPR Chapter V.
9. Your Rights
Under GDPR, you have the right to:
- Access (Art. 15) — Request a copy of your personal data
- Rectification (Art. 16) — Correct inaccurate data
- Erasure (Art. 17) — Request deletion of your data (subject to legal retention obligations)
- Restriction (Art. 18) — Restrict processing in certain circumstances
- Data portability (Art. 20) — Receive your data in a structured, machine-readable format
- Object (Art. 21) — Object to processing based on legitimate interest
- Withdraw consent — Where processing is based on consent, withdraw at any time without affecting prior processing
To exercise any of these rights, email support@devls.tech. We will respond within 30 days.
Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. The competent authority for our location is:
Die Landesbeauftragte für den Datenschutz Niedersachsen Prinzenstraße 5, 30159 Hannover, Germany https://www.lfd.niedersachsen.de
10. Data Security
We implement appropriate technical and organizational measures including:
- Encryption in transit (TLS/HTTPS) and at rest
- Password hashing (bcrypt)
- Server-side session management
- Rate limiting and IP-based abuse protection
- Access controls and authentication for all infrastructure
11. Children
Pulse is not intended for users under 16 years of age. We do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to registered users at least 14 days before they take effect. The "Last updated" date at the top indicates the most recent revision.
13. Contact
For privacy-related questions, data subject requests, or complaints:
Email: support@devls.tech Contact form: pulse.devls.tech/contact Postal: Lieven Sauerwald, Theodor-Fontane-Weg 16, 49434 Neuenkirchen, Germany