Privacy Policy
Last updated: 21 March 2026
Pulse ("we", "us", "our") operates the website onthepulse.app and related services (the "Service"). This policy explains what data we collect, how we use it, who we share it with, and your rights.
1. Data we collect
Account data
When you create an account we collect your email address and display name . Authentication is handled by Firebase Authentication; we store your Firebase user ID to link your account.
Preferences
During onboarding and through your settings you may provide your preferred city , event categories , genres , and notification preferences . These are stored so we can personalise your experience.
Location
With your consent, we use your device location to detect which city you are in and to show nearby events. We reverse-geocode your coordinates via the Google Maps Geocoding API to extract a locality name only — we do not store your precise coordinates or full address.
Activity data
We record events you save, artists you follow, affiliate link clicks, and notification interactions. This data is used to improve recommendations and to track affiliate commissions owed to us by ticketing partners.
Device tokens
If you opt in to push notifications we store a device token (via Firebase Cloud Messaging) along with your platform (iOS, Android, or web) so we can deliver notifications to the correct device.
Analytics
We use PostHog for product analytics. We track events such as page views, searches, and feature usage. Your IP address is hashed (SHA-256) before storage — we never store raw IP addresses. Pro subscribers can opt out of analytics entirely via their account settings.
Payment data
Pulse Pro subscriptions are processed by Stripe . We store your Stripe Customer ID and Subscription ID to manage your subscription. We do not store your card number, expiry date, or CVC — Stripe handles all payment data directly. You can manage your billing via the Stripe Customer Portal.
2. How we use your data
- Provide the Service — show you relevant events, deliver notifications, process your subscription
- Personalise your experience — filter events by your preferred categories, city, and followed artists
- Improve the product — analyse usage patterns (anonymised) to fix bugs and build better features
- Affiliate tracking — when you click a "Buy Tickets" link we append an affiliate parameter so the ticketing partner can attribute the sale to Pulse. We track the click (event ID, source, timestamp) but not your activity on the partner's site
- Communicate with you — send email digests, event notifications, and service updates via Resend and Firebase Cloud Messaging
3. Third-party services
We share data with the following third-party services only to the extent necessary to operate the Service:
| Service | Purpose | Data shared |
|---|---|---|
| Firebase (Google) | Authentication, push notifications | Email, device tokens |
| Stripe | Payment processing | Email, subscription state |
| Resend | Transactional and digest emails | Email address |
| PostHog | Product analytics | Anonymised usage events, hashed IP |
| Sentry | Error monitoring | Error context (may include user ID) |
| Algolia | Event search | Search queries (not tied to user identity) |
| Google Maps | Reverse geocoding | Device coordinates (not stored by us) |
| Ticketing partners | Affiliate link attribution | Click event with affiliate ID (no user PII) |
We do not sell your data to third parties. We do not share your personal data with advertisers. Display ads shown to free-tier users are served by Google AdSense using contextual targeting — we do not provide AdSense with your Pulse account data.
4. Spotify and Apple Music
If you choose to connect your Spotify or Apple Music account, we request read-only access to your top artists and followed artists. We use this data solely to suggest artist subscriptions within Pulse. We never access your playlists, listening history, or personal profile data. You can disconnect these services at any time from your account settings.
5. Cookies
We use essential cookies for authentication and session management. Affiliate links to ticketing partners may set cookies on the partner's domain to attribute sales — this is governed by the partner's own cookie policy. We do not use cookies for advertising targeting on our site.
6. Data retention
- Account data — retained while your account is active. Deleted upon account deletion request.
- Notification logs — retained for 6 months, then automatically deleted.
- Analytics data — retained according to PostHog's data retention policy. IP hashes cannot be reversed to identify you.
- Subscription audit trail — retained indefinitely for legal and financial compliance.
- Device tokens — deleted automatically when they become invalid or when you uninstall the app.
7. Your rights
Under UK GDPR and the Data Protection Act 2018, you have the right to:
- Access your personal data — request a copy of the data we hold about you
- Rectify inaccurate data — update your profile and preferences at any time
- Delete your data — request account deletion and we will remove your personal data and cascade the deletion across all related records
- Object to processing — opt out of analytics (Pro subscribers), unsubscribe from email digests, or disable push notifications
- Port your data — request an export of your data in a machine-readable format
- Withdraw consent — for location access, push notifications, or connected music services, at any time via your device or account settings
To exercise any of these rights, email privacy@onthepulse.app . We will respond within 30 days.
8. Security
We protect your data with:
- Firebase JWT authentication on all API requests
- HTTPS everywhere — all data transmitted over TLS
- CORS restrictions limiting API access to our domains
- No raw IP address storage
- EXIF metadata stripped from any uploaded images
- Secrets managed via Google Cloud Secret Manager — never committed to source code
9. Children
Pulse is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have collected data from a child under 13, please contact us at privacy@onthepulse.app and we will delete it promptly.
10. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email or via a notice on the Service before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
If you have questions about this privacy policy or how we handle your data:
- Email: privacy@onthepulse.app
- Website: onthepulse.app