Privacy Policy

Last Updated: November 20, 2025

1. Introduction

Welcome to PulseBook! We take your privacy and data security seriously.

This Privacy Policy explains how PulseBook ("we", "us" or "our"), located in London, United Kingdom, collects, uses, stores and protects your information when you use:

  • The website www.pulsebook.health (the "Website")
  • AI chatbot on Telegram
  • All related services (together, the "Services")

IMPORTANT LEGAL STATEMENT:

  • We are NOT a medical institution. PulseBook provides an AI assistant for informational purposes only and does NOT replace professional medical advice, diagnosis or treatment.
  • For users from the USA: PulseBook is NOT a HIPAA covered entity. We do not provide medical services and do not process Protected Health Information (PHI) as defined by HIPAA.
  • For users from EU/UK: We fully comply with GDPR (General Data Protection Regulation) and UK Data Protection Act 2018.

For Google OAuth users: We only request basic profile information (name, email) for account authentication. We do not access any other Google account data.

By using our Services, you agree to the terms of this Privacy Policy and our Terms of Use.

2. Who We Are

Data Controller: PulseBook (self-employed)

Location: London, United Kingdom

Email for privacy questions: support@pulsebook.health

Website: www.pulsebook.health

3. What Information We Collect

3.1. Information When Registering via Google OAuth

When you register through Google, we receive the following data:

  • Email address - to identify your account and communicate with you
  • Name - to personalize your experience
  • Google User ID - for secure authorization

Important: We do NOT have access to your Google password. We do NOT store your Google credentials. Authorization is done entirely through the secure OAuth 2.0 protocol.

3.2. Medical Information

When you use our AI chatbot, we collect:

  • Chat history - your questions and AI assistant responses
  • Medical data - symptoms, medical history, medications (if you provide them)
  • Uploaded files - test results, prescriptions, medical documents (if you upload them)

Important: All this information is used ONLY for the AI assistant to work and to improve service quality. We do NOT share your medical data with third parties (except as described in section 5).

3.3. Automatically Collected Information

When you use our Services, we automatically collect:

  • IP address - for security and fraud prevention
  • Device type and browser - to optimize website performance
  • Date and time of access - for usage analytics
  • Cookies and similar technologies - to improve experience (details in section 11)

3.4. Payment Information

If you subscribe through Stripe:

  • We do NOT store your bank card details
  • All payment information is processed directly through Stripe (PCI DSS compliant)
  • We only receive payment confirmation and subscription status

3.5. Google OAuth Authorization

Required disclosure for Google OAuth users:

PulseBook uses Google OAuth only for secure authentication. We request only your basic profile information (name, email, Google User ID). We do NOT access any other Google services such as Gmail, Google Drive or Calendar. You may revoke our access to your Google account at any time via your Google Account settings. This information is used exclusively for account creation, login and security purposes.

4. How We Use Your Information

We use collected information for the following purposes:

4.1. Providing Services

  • Creating and managing your account
  • Providing access to the AI chatbot
  • Processing your requests through OpenAI and Google Gemini
  • Saving chat history for your access
  • Processing uploaded files (test results, prescriptions)

4.2. Improving Services

  • Usage analysis to improve the AI assistant
  • Fixing bugs and technical issues
  • Developing new features

4.3. Communication

  • Sending important notifications about your account
  • Informing about changes in Services
  • Responding to your questions and support requests
  • Marketing messages (only with your consent, you can unsubscribe anytime)

4.4. Security and Legal Compliance

  • Preventing fraud and abuse
  • Protecting user rights and safety
  • Complying with legal obligations

4.5. Payments and Subscriptions

  • Processing payments through Stripe
  • Managing your subscription
  • Billing and refunds

5. How We Share Your Information with Third Parties

We do NOT sell or rent your personal information. We share data with third parties only in the following cases:

5.1. Service Providers (necessary for operation)

OpenAI (ChatGPT API)

  • What we share: Text of your chat messages
  • Why: To generate AI assistant responses
  • Location: USA
  • Privacy Policy: https://openai.com/privacy

Google Gemini API

  • What we share: Text of your messages and uploaded images/files
  • Why: To analyze medical documents and images
  • Location: USA
  • Privacy Policy: https://policies.google.com/privacy

Supabase (PostgreSQL Database)

  • What we share: All your data (profile, chats, files)
  • Why: For data storage
  • Location: EU (Frankfurt, Germany)
  • Privacy Policy: https://supabase.com/privacy

Railway (Hosting)

  • What we share: Technical data for server operation
  • Why: For hosting our bot and web service
  • Location: USA
  • Privacy Policy: https://railway.app/legal/privacy

Stripe (Payments)

  • What we share: Minimal information for payment processing (email)
  • Why: To process subscriptions and payments
  • Location: USA (PCI DSS Level 1 certified)
  • Privacy Policy: https://stripe.com/privacy

Google OAuth

  • What we share: Nothing shared with Google after authorization
  • Why: Only for secure authorization
  • Privacy Policy: https://policies.google.com/privacy

5.2. Legal Requirements

We may disclose your information if required:

  • By court order or law enforcement
  • To protect our legal rights
  • To prevent fraud or crimes
  • To protect life and health (in emergencies)

5.3. Business Transfer

If PulseBook is sold, merged with another company or transferred, your data may be transferred to the new owner. We will notify you in advance.

6. International Data Transfers

We are located in the United Kingdom, but use services located in different countries:

  • Supabase: EU (Frankfurt, Germany) - GDPR compliant
  • OpenAI, Google, Railway, Stripe: USA

For users from EU/UK: Data transfer to the USA is based on:

  • Standard Contractual Clauses (SCC) approved by the European Commission
  • Data Privacy Framework certification (for some providers)
  • Your explicit consent when using the Services

7. How We Protect Your Information

We apply industry-standard security measures:

7.1. Technical Measures

  • Encryption: All data is transmitted via HTTPS (TLS/SSL)
  • Database encryption: Data in Supabase is encrypted
  • Secure APIs: All API keys are stored securely (not in code)
  • Regular updates: We update all components to protect against vulnerabilities

7.2. Organizational Measures

  • Limited access: Only the administrator has access to data
  • Monitoring: We track suspicious activity
  • Regular checks: Security system audits

7.3. Your Responsibility

  • Keep your Google account secure
  • Do not share account access with others
  • Immediately inform us of suspicious activity

Important: Despite all security measures, no method of data transmission over the internet is 100% secure. We cannot guarantee absolute security.

8. How Long We Store Your Information

8.1. Active Accounts

  • Profile and authorization data: While your account is active
  • Chat history: While your account is active (you can delete manually)
  • Uploaded files: While your account is active (you can delete manually)

8.2. Deleted Accounts

When deleting an account:

  • Personal data: Deleted IMMEDIATELY and permanently
  • Chat history: Deleted IMMEDIATELY and permanently
  • Files: Deleted IMMEDIATELY and permanently
  • Security logs: May be stored for up to 90 days to prevent fraud
  • Financial records: May be stored for up to 7 years for tax compliance

8.3. Inactive Accounts

If you don't use your account for more than 2 years, we may:

  • Send you a warning email
  • Delete the account 30 days after the warning (if you don't respond)

9. Your Rights (GDPR and International Standards)

Regardless of your country, we provide YOU with the following rights:

9.1. Right of Access

You can request a copy of all your data we store.

How to use: Email support@pulsebook.health with subject "Data Access Request"

9.2. Right to Rectification

You can correct inaccurate or incomplete data.

How to use: Change data in profile settings or contact us

9.3. Right to Erasure ("Right to be Forgotten")

You can request complete deletion of all your data.

How to use: Click "Delete Account" in settings or email support@pulsebook.health

Exceptions: We may retain data if required by law (e.g., tax records)

9.4. Right to Data Portability

You can receive your data in a structured, machine-readable format (JSON).

How to use: Email support@pulsebook.health with subject "Data Portability Request"

9.5. Right to Restrict Processing

You can ask us to temporarily stop processing your data.

How to use: Email support@pulsebook.health

9.6. Right to Object

You can object to processing your data for marketing or other purposes.

How to use: Click "Unsubscribe" in the email or contact us

9.7. Right to Withdraw Consent

You can withdraw consent to data processing at any time.

How to use: Email support@pulsebook.health

Important: Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

9.8. Right to Complain

For users from UK: You can file a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk

For users from EU: You can file a complaint with your country's supervisory authority

For users from USA (California): You can file a complaint with the California Attorney General

We respond to all requests within 30 days.

10. Special Provisions for Different Jurisdictions

10.1. For Users from the European Union and United Kingdom (GDPR)

Legal basis for processing:

  • Contract: Processing is necessary to provide Services
  • Consent: You gave consent to processing (can be withdrawn)
  • Legitimate interests: To improve Services and security
  • Legal obligation: To comply with laws

EU Representative: Not currently appointed (will be updated if required)

10.2. For Users from the USA

HIPAA Disclaimer (IMPORTANT!):

  • PulseBook is NOT a "covered entity" or "business associate" under HIPAA
  • We do NOT provide medical services
  • We do NOT process Protected Health Information (PHI) as defined by HIPAA
  • Our AI assistant provides information, NOT medical diagnoses
  • You use the Services at your own risk

For California Residents (CCPA/CPRA):

You have additional rights:

  • Right to know: What categories of data we collect
  • Right to delete: Request deletion of your data
  • Right to opt-out of sale: We do NOT sell your data
  • Right to non-discrimination: We do not discriminate against you for exercising your rights

Categories of collected data (CCPA):

  • Identifiers (email, name, Google ID)
  • Commercial information (subscriptions, payments)
  • Internet activity (logs, cookies)
  • Medical information (chats, files) - NOT PHI

We do NOT sell or share data for advertising.

10.3. For Users from Other Countries

We apply GDPR standards to all users regardless of location. This means you get the maximum level of protection.

11. Cookies and Similar Technologies

11.1. What Are Cookies?

Cookies are small text files saved on your device when visiting a website.

11.2. What Cookies Do We Use?

Essential Cookies (always active):

  • Session cookies: To maintain your authorization
  • Security: To protect against attacks (CSRF tokens)

Functional Cookies (optional):

  • Settings: To save your preferences (language, theme)
  • Remember choice: To avoid asking every time

Analytics Cookies (optional):

  • Google Analytics: To understand how the site is used (anonymously)
  • Statistics: To improve Services

We do NOT use advertising cookies.

11.3. How to Manage Cookies?

You can:

  • Manage cookies in browser settings
  • Block all cookies (but this may break site functionality)
  • Delete cookies anytime

Instructions for managing cookies:

  • Chrome: Settings → Privacy and security → Cookies
  • Firefox: Settings → Privacy & Security → Cookies
  • Safari: Preferences → Privacy → Cookies

12. Age Restrictions

PulseBook is intended ONLY for persons 18 years and older.

  • We consciously do NOT collect information from persons under 18
  • If you are under 18, do NOT use our Services
  • If we learn that we collected data from someone under 18, we will immediately delete it

For parents: If you discover that your child under 18 is using PulseBook, immediately contact us at support@pulsebook.health and we will delete all data.

COPPA Compliance (USA): We comply with the Children's Online Privacy Protection Act and do not collect data from children under 13.

13. Links to Third-Party Sites

Our Services may contain links to third-party websites (e.g., medical information sources).

Important:

  • We do NOT control these sites
  • We are NOT responsible for their privacy policies
  • We recommend reading the privacy policy of each site you visit

14. Changes to Privacy Policy

We may update this Privacy Policy from time to time.

How we notify you of changes:

  • Update the "Last Updated" date at the top of the page
  • Send notification to your email (for significant changes)
  • Show notification on the site at next login

Significant changes: If changes affect your rights or how data is used, we will:

  • Notify you 30 days before changes take effect
  • Ask you to confirm consent (if required by law)
  • Provide opportunity to export or delete data

Your continued use of Services after changes means agreement with the new Policy.

15. Your Control Over Data

15.1. In account settings you can:

  • View all your personal data
  • Change name and email
  • Delete chat history (partially or completely)
  • Delete uploaded files
  • Export all your data (JSON format)
  • Delete account completely (permanently)

15.2. Marketing Messages:

  • Unsubscribe from newsletters ("Unsubscribe" link at bottom of each email)
  • Manage preferences in settings
  • You will always receive important service notifications (regardless of settings)

15.3. Account Deletion:

What happens when deleting:

  • All personal data deleted IMMEDIATELY
  • Chat history deleted IMMEDIATELY
  • Uploaded files deleted IMMEDIATELY
  • Subscription canceled automatically (refunds upon request)
  • Account recovery IMPOSSIBLE

How to delete: Settings → Account → Delete Account → Confirm

16. Medical Data Security (Special Measures)

Medical information requires special protection. We apply additional measures:

16.1. Technical Measures:

  • Encryption at rest: All medical data encrypted in database
  • Encryption in transit: HTTPS/TLS for all connections
  • Data isolation: Your data isolated from other users
  • Secure deletion: Data deleted permanently (not just marked)

16.2. Organizational Measures:

  • Limited access: Only administrator can view data (for support)
  • Access logging: All data actions are logged
  • Regular audits: System security checks

16.3. When Working with AI:

  • OpenAI: Does NOT use your data for model training (per API policy)
  • Google Gemini: Does NOT store your data after processing
  • Anonymization: We try to minimize personal data in AI requests

17. Data Breach Notifications

In case of a data security breach:

17.1. We commit to:

  • Notify you within 72 hours (GDPR requirement)
  • Describe the nature of the breach
  • Indicate what data was affected
  • Explain measures we took
  • Recommend actions for protection

17.2. Notification Methods:

  • Email to your registered address
  • Notification on site at login
  • Notification in Telegram bot (if applicable)

17.3. Regulator Notification:

In case of a significant breach, we must notify:

  • UK Information Commissioner's Office (ICO) - for UK users
  • National data protection authorities - for EU users
  • Other regulators - if required by law

18. Contact Information

18.1. General Questions:

Email: support@pulsebook.health

Website: www.pulsebook.health

Response Time: Within 48 hours (business days)

18.2. Privacy Questions:

Email: support@pulsebook.health (subject "Privacy Question")

For GDPR requests: support@pulsebook.health (subject "GDPR Request")

18.3. Data Protection Officer (DPO):

Not currently appointed (not required for small organizations). If needed, information will be updated.

18.4. Regulators:

UK (ICO):

  • Website: https://ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

EU: Find your country's supervisory authority: https://edpb.europa.eu/about-edpb/board/members_en

19. Additional Terms

19.1. Medical Disclaimer

IMPORTANT STATEMENT:

  • PulseBook does NOT provide medical advice, diagnoses or treatment
  • AI assistant provides information for educational purposes only
  • Information does NOT replace professional medical advice
  • ALWAYS consult with a qualified doctor
  • In emergencies call emergency services (999 in UK, 911 in USA)

19.2. Information Accuracy

  • AI can make mistakes
  • Information may be outdated
  • We don't guarantee accuracy, completeness or relevance
  • You use information at your own risk

19.3. Limitation of Liability

To the maximum extent permitted by law:

  • We are NOT liable for medical consequences of using Services
  • We are NOT liable for decisions made based on AI information
  • You agree to use Services at your own risk

20. Consent and Acceptance

By using PulseBook, you confirm that:

  • You have read and understood this Privacy Policy
  • You are 18 years or older
  • You agree to data processing as described here
  • You understand that PulseBook does NOT provide medical services
  • You agree to the Terms of Use

Thank you for using PulseBook!
We value your trust and are committed to protecting your privacy.
For any questions contact: support@pulsebook.health

© 2026 PulseBook. Your health is our priority.