Privacy Policy
We take the protection of your personal data seriously and treat it confidentially in accordance with statutory data protection regulations and this privacy policy.
Note: This statement has been prepared with care but does not replace a legal review. A final legal assessment will be provided by our lawyer.
Controller
The controller within the meaning of the GDPR is:
PulseDataInsight UG (haftungsbeschränkt)
Wellingsbütteler Landstrasse 194
22337 Hamburg
E-Mail: kontakt@pulsedatainsight.de
Overview of processing activities
We process personal data only to provide our service, fulfil contracts and meet legal obligations. The following sections describe what data we process and why.
Hosting
Our application is hosted in the European Union. When you access the site, our hosting provider processes technically necessary connection data (IP address, date/time, requested URL, user agent). This data is used solely to provide the service and to prevent attacks.
Registration and login (Supabase)
We use Supabase as our authentication and database provider. Processing takes place within the EU.
Data processed
- email address
- password (hashed and salted, never stored in plain text)
- session tokens and login timestamps
- technical login metadata (e.g. IP address for abuse detection)
The legal basis is Art. 6 (1) lit. b GDPR (performance of a contract).
Payment processing (Stripe)
We use Stripe Payments Europe Ltd. for payment processing. When you book a paid service, you enter payment data directly with Stripe. We do not store any card or bank account details ourselves.
Transfer to third countries
Stripe processes payment data in part in the USA via its parent company Stripe, Inc. Stripe is certified under the EU-US Data Privacy Framework. Details in Stripe's privacy policy:
The legal basis is Art. 6 (1) lit. b GDPR (performance of a contract) and Art. 6 (1) lit. f GDPR (legitimate interest in secure payment processing).
Cookies
We use only technically necessary cookies. Specifically:
- Supabase session cookie to maintain your login (essential)
- language preference (essential for language switching)
- Stripe Checkout cookies, only active during the payment flow (essential for secure payment processing)
We do not use any tracking or analytics cookies. Therefore, no consent banner is required.
Demo chat with AMY
On our landing page you can try AMY without registration. Your inputs are transmitted to Anthropic PBC (USA) to generate the response. Anthropic is certified under the EU-US Data Privacy Framework. We recommend not entering personal or health-related data in the demo. Details in Anthropic's privacy policy:
https://www.anthropic.com/legal/privacy
The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in operating a product demo).
Contact form
When you send us a message via the contact form, we store your name, email address, message, language preference and submission timestamp in our database to handle your request. No automatic email is sent; messages are processed internally only.
The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in handling your inquiry); for contract-related inquiries also Art. 6 (1) lit. b GDPR.
Server log files
For security and stability reasons, our hosting provider stores connection data briefly in server log files. These are deleted automatically after a short time and are not merged with other data.
Transfer to third countries
Where we use service providers outside the EU (Stripe, Anthropic), the transfer is based on the EU-US Data Privacy Framework or the EU Standard Contractual Clauses.
Your rights
You have the following rights at any time:
- right of access (Art. 15 GDPR)
- right to rectification (Art. 16 GDPR)
- right to erasure (Art. 17 GDPR)
- right to restriction of processing (Art. 18 GDPR)
- right to data portability (Art. 20 GDPR)
- right to object (Art. 21 GDPR)
- right to withdraw consent (Art. 7 (3) GDPR)
- right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
An informal message to the contact address listed in the imprint is sufficient to exercise your rights.
Retention period
We store personal data only as long as necessary for the stated purposes or as required by statutory retention obligations. Account data is removed on request or after account deletion. Contract and accounting data is retained according to statutory periods (6 or 10 years).
Data security
We use TLS encryption for all connections, store passwords only in hashed and salted form, and operate our infrastructure in data centres with established security standards.
Changes to this policy
We update this privacy policy when legal requirements or our processing activities change. The current version is always available on this page.