Legal
Privacy Policy
We built StillPulse to help you breathe better. Here is exactly what data we collect, why we need it, and how we protect it.
Last updated: 9 July 2025
In plain terms
StillPulse is designed to work locally on your device. Most of your data never leaves your phone. Cloud features are optional and only activated when you sign in.
1. Who We Are
StillPulse (“we”, “us”, “our”) is the developer of the StillPulse: Adaptive Breathing Android application. If you have questions about this policy, contact us at privacy@stillpulse.app.
2. Data We Collect
2.1 Data you provide
- Email address — collected only if you choose to create an account via email magic link. Guest (anonymous) use requires no account.
- Pre-session check-in responses — optional self-reported tension level (1–5 scale) entered before a session. Stored locally; uploaded to cloud only for signed-in Premium users.
2.2 Data generated during use
- Session records — duration, protocol, breathing phase timeline, sound preset, and session mode. Stored locally in SQLite on your device.
- Session Response score — a 0–100 wellness score derived from your heart-rate data during a session. This describes HR behaviour observed during one practice; it is not a health or stress measurement.
- Heart-rate telemetry — read-only heart-rate samples from Android Health Connect during Premium sessions. Samples are used in real time to modulate audio and compute the Session Response score. Per-second telemetry is stored locally and uploaded with the session record for signed-in Premium users.
- Reminder preferences — local notification times stored only on your device. Push tokens and notification interaction data are never uploaded.
2.3 Data collected automatically
- Supabase authentication tokens — standard JWT tokens used to verify your identity for cloud features. Not shared with third parties.
- Purchase receipts — transaction receipts from Google Play are processed by RevenueCat to verify your Premium entitlement. We do not store raw payment information.
3. How We Use Your Data
- To provide guided breathing sessions, session history, and biofeedback analytics.
- To sync your session history across devices when you are signed in to a Premium account.
- To verify your Premium entitlement via RevenueCat and Google Play.
- To send transactional lifecycle emails (e.g. purchase confirmation) via Resend. We do not send marketing emails without your explicit consent.
- To enforce the daily free session limit for anonymous users via a server-side usage ledger.
4. Health Connect & Health Data
StillPulse requests read-only access to heart-rate data from Android Health Connect. This access is used solely to provide real-time biofeedback audio modulation and to compute your Session Response score.
- Health Connect data is never sold or shared with advertisers.
- Heart-rate samples are not used for advertising, insurance, or any purpose unrelated to your breathing sessions.
- You can revoke Health Connect permission at any time in Android Settings → Health Connect → App permissions.
5. Data Sharing
We do not sell your personal data. We share limited data only with the following service providers, solely to operate the app:
- Supabase — authentication, cloud session storage, and usage ledger. Data is stored in their EU-region infrastructure.
- RevenueCat — subscription management and entitlement verification. Your Supabase user ID is shared as an anonymous app user ID.
- Resend — transactional email delivery for magic-link authentication and purchase lifecycle emails.
6. Data Retention
- Local data(SQLite) persists on your device until you clear the app's storage or uninstall the app.
- Cloud session data is retained for the life of your account and deleted within 30 days of an account deletion request.
- Authentication records are deleted when you delete your account.
7. Your Rights
Depending on your location you may have the right to access, correct, export, or delete your personal data. See our Data Deletion page for instructions on how to submit a request. We will respond within 30 days.
8. Children's Privacy
StillPulse is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us at privacy@stillpulse.app.
9. Security
Session data transmitted to the cloud is encrypted in transit (TLS) and at rest. Cloud session writes are authenticated and authorised through Row Level Security policies on our Supabase database. Only your own data is accessible to your account.
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via an in-app notice or email. The “Last updated” date at the top of this page reflects the most recent revision.
11. Contact
For privacy questions, data requests, or concerns: privacy@stillpulse.app