Privacy Policy for Heart Rate Monitor - Pulse
1. Acceptance of PP
1.1. This Privacy Policy explains and lists the transparency information regarding what personal data is collected (Section 3) when you use our Service “Heart Rate Monitor - Pulse” and the services provided through it (together “Service”), how such personal data will be processed (Section 4) and which rights do you have with respect to your personal data (Section 10).
1.2. CALIFORNIA RESIDENTS MAY REVIEW NOTICE AT COLLECTION AND GET INFORMATION ABOUT THEIR RIGHTS IN SECTION 10.4 (CALIFORNIA PRIVACY RIGHTS — CCPA/CPRA).
1.3. By using the Service, you promise us that (i) you have read, understand, and agree to this Privacy Policy and the data processing described, and (ii) you are over 18 years of age. If you do not agree or are unable to make this promise, you shall not use the Service. In this case, you shall (a) delete your account and contact us and request deletion of your data; (b) cancel any active subscriptions; and (c) delete the Service from your devices.
1.4. We do not knowingly process personal data from persons under 18 years of age. If you learn that anyone younger than 18 has provided us with personal data, please contact us at devacc_app@narrativelab.ee.
1.5. If any questions remain unanswered or you would like to exercise your privacy rights, please also contact us at devacc_app@narrativelab.ee.
2. Personal data controller
Narrativelab OÜ (with its legal address at Eesti, Harju maakond, Tallinn, Lasnamäe linnaosa, Valukoja tn 8/2, 11415) is the data controller of your personal data ("we", "us", or "our").
3. Categories & sources of collected personal data
3.1. When you use the Service, we process data:
3.2. Data directly provided by you.
3.2.1. Identifiers: This may include your name, age, weight, height). You provide us with this information when you register for the Service, subscribe to our newsletters, or contact us by any other means.
3.2.2. Registration and service data: You provide us with this category of information when you register for the Service and/or go through the registration process and/or use the Service. This may include age, height, weight, access to camera, heart rate and related data.
3.2.3. Communication with support team: When you contact our support team, you may also provide us with some personal information.
3.3. Data we collect automatically
3.3.1. Device and geolocation data: We collect language settings, Internet Protocol address, time zone, type and model of a device, device settings, OS version, Internet service provider, mobile carrier, hardware ID, and unique device identifiers (including IDFA or GAID).
3.3.2. Log and usage data: We collect information on how you interact with our Service. This may include information about what pages you have viewed, the features and content you interact with, how often you use the Service, how long you are on the Service.
3.3.3. Performance and Diagnostics Data: We collect information related to Services’ performance and diagnostics of Service as result of your use of the Service. This may include crashlytics and diagnostics through logs monitoring.
3.3.4. User acquisition data: We also collect information about how you have found our Service that may include your referring app, URL or advertisement.
3.3.5. Cookies and similar technologies: Our products employ technologies (cookies, SDKs, etc.) to process your data to enhance your user experience, optimize ads, and analyze traffic. These technologies are activated when you interact with our services, visit our website, use our apps, or enable certain features like chats. Disabling these technologies may affect the functionality of certain features, although our products will remain usable.
3.3.6. Meta Pixel: We use Meta Pixel to collect data about your actions on our Service. This data may include which pages you visit, the time you spend on each page, and the actions you take. The data collected is used to measure the effectiveness of our advertising campaigns and to personalize the content and ads presented to you. The information collected through Meta Pixel is transmitted to Facebook. Your browser establishes a direct connection with the Facebook server as soon as you have agreed to the use of tracking technologies requiring your consent. The processing of this data by Facebook takes place within the framework of Facebook’s data policy. To opt-out from Facebook’s interest-based ads follow these instructions from Facebook.
3.4. Data provided by third parties
3.4.1. Subscription data: You need to provide financial account data in order to purchase our Service. We do not collect or store, or have access to full credit card number data, though we may receive some limited information, including subscription terms, subscription ID, data about products or services purchased, date, time and amount of the purchase, the type of payment method used, limited digits of your card number.
3.4.2. Consumption information: When you use our Service and make the purchases at the App Store, we receive the following from Apple, such as Account Tenure, App Account Token (UUID), Consumption Status, Customer Consented, Delivery Status, lifetime Dollars Purchased, lifetime Dollars Refunded, Platform, play Time, Refund Preference, Sample Content Provided, and User Status.
3.5. Please note that we do not collect personal data about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, and genetic and biometric data. We also do not collect any information about criminal convictions and offenses.
3.6. We also undertake to collect only such amounts and types of personal data strictly required for the purposes mentioned in Section 4 (Purposes & lawful bases for data processing). To the extent necessary for those purposes, we take all reasonable steps to ensure that personal data is reliable, accurate, complete, and current for its intended use.
3.7. California residents may have additional rights regarding Sensitive Personal Information, including the right to request limitation of certain uses and disclosures, as described in Section 10.4.3.
4. Purposes & lawful bases for data processing
4.1. For the processing of your personal data, we rely on the following lawful bases:
4.2. California residents may exercise their applicable opt-out rights as described in Section 10.4.1 and Section 10.4.2.
4.3. We collect and utilize your data primarily to provide the Service and continuously improve it with the help of analytics. Furthermore, we aim to attract new customers to our products. Below, you may find a more comprehensive breakdown of how we use your information.
Reasons for Processing | Types of data | Lawful bases |
To use all Service functions. It is necessary to set up a profile and identify the user. The email address is additionally used to contact the user. | Registration and service data. Age, height, weight | Performance of the contract. Your consent. |
To use the App's functionality and the ability to measure heart rate through camera | Device function. Access to camera. | Performance of the contract. Your consent. |
To use the App's functionality | Health data. Blood pressure, blood oxygen level, pulse, and HRV | Performance of the contract. Your consent. |
For marketing and analytical purposes. To provide, imp | Device and Geolocation Data. Includes language settings, Internet Protocol address, time zone, type and model of a device, device settings, OS version, Internet service provider, mobile carrier, hardware ID, and unique device identifiers (including GAID). | Performance of a contract with you. Necessary for our legitimate interests |
For analytical purposes. To provide, improve, and develop the Website. | Log and Usage Data. Information about how you use our Service and user activity within the Service. | Performance of a contract with you. Necessary for our legitimate interests |
It is required to identify the subscription the user selects, its duration, and expiration. | Subscription data. The transaction data, ID subscriptions, and subscription terms. This is the information we get from the payment system when you buy our subscription. | Performance of the contract. Your consent. |
4.4. We rely on the following legitimate interests:
5. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
5.1. We are not entities that require HIPAA compliance (covered entities, such as health insurance companies, healthcare providers, including pharmacies and healthcare clearinghouses), and not business associates — persons or entities who handle protected health information for a covered entity. Therefore, we are not covered by the HIPAA. Nevertheless, we have obligations to comply with other laws and regulations governing mHealth applications and the protection of users' personal data, such as the Federal Trade Commission Act and FTC’s Health Breach Notification Rule.
6. Third-party services and other disclosures of data
6.1. Apart from our employees, contractors, and affiliated companies (if any), we share information with the range of third parties that helps operate, provide, improve, integrate, customize, support, and market our Service. We require all third parties to respect the security of your personal data and treat it under the law. The types of third parties we share information with include, in particular:
6.2. Service providers: We engage the partners mentioned below to carry out specific services or business functions on our behalf using their technologies and resources, based on our instructions. We do not allow our third-party service providers to use your personal data for their purposes and only permit them to process your personal data for specified reasons defined in this Privacy Policy.
Third Party | Its Service | Purpose of usage | Link to privacy materials of the Third Party |
Apple Inc. | Apple App Store | App publishing | https://www.apple.com/legal/privacy/en-ww/ |
Amplitude, Inc. | Amplitude | Product analytics and event tracking | https://amplitude.com/privacy |
AppsFlyer Ltd. | Appsflyer | Product analytics and event tracking | https://www.appsflyer.com/legal/processing-customer-data/ |
Meta Platforms Inc. | Meta Ads | Marketing management | https://www.facebook.com/privacy/policy/ |
Artia International S.R.L. | IP-API | Product analytics | https://ip-api.com/docs/legal |
Zendesk, Inc. | Zendesk | Customer support | https://www.zendesk.com/company/agreements-and-terms/privacy-notice/ |
OpenAI, Inc. | СhatGPT | Analysis of anonymized user data for app functionality | https://openai.com/policies/row-privacy-policy/ |
Kubios Oy | Kubios | HRV calculation based on anonymized user data | https://www.kubios.com/privacy-policy/ |
Google LLC | Firebase | User authentication and database management | https://policies.google.com/privacy?hl=en-US |
Google LLC | Google Analytics | Product analytics and event tracking | https://policies.google.com/privacy?hl=en-US |
Functional Software, Inc. | Sentry | App development, performance & error monitoring | https://sentry.io/privacy/ |
TikTok Inc. | TikTok | Marketing management | https://www.tiktok.com/legal/privacy-policy |
Snap Inc. | Snapchat | Marketing management | https://values.snap.com/privacy/privacy-policy |
Amazon Web Services, Inc. | AWS | Cloud storage | https://aws.amazon.com/privacy/ |
Microsoft Corporation | Bing | Marketing management | https://www.microsoft.com/en-us/privacy/privacystatement |
Supabase, Inc. | Supabase | Cloud storage and user authorization | https://supabase.com/privacy |
Upstash, Inc. | Upstash | Temporary data storage | https://upstash.com/trust/privacy.pdf |
84codes AB | Cloudamqp | Temporary data storage & server functioning | https://www.cloudamqp.com/legal/privacy_policy.html |
elasticsearch B.V. | Elastic | App development, performance & error monitoring | https://www.elastic.co/legal/privacy-statement |
Fly.io, Inc | App development, performance & error monitoring | https://fly.io/legal/privacy-policy/ |
6.3. Public authorities, including law enforcement agencies: We may use and disclose personal data to enforce our legal rights or Terms of Use, to protect our rights, privacy, safety, or property, and/or that of our affiliates, you or others, and to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, or in other cases provided for by law.
6.4. Third parties as part of a merger and acquisition: As we develop our business, we may buy or sell assets or business offerings. Customers’ information is generally one of the transferred business assets in these types of transactions. We may also share such information with any affiliated company (if any) and may transfer such information in the course of a corporate transaction, such as the sale of our business, a divestiture, merger, consolidation, or asset sale, or in the unlikely event of bankruptcy.
6.5. California residents may exercise their rights to opt out of sharing as described in Section 10.4.1 and Section 10.4.2.
7. Cross-border transfer of personal data
7.1. We may transfer personal data to employees, contractors and third parties from countries other than the country in which the data was originally collected in order to provide the Service and for purposes indicated in this Privacy Policy. If these countries do not have the same data protection laws as the country in which you initially provided the information, we deploy special safeguards.
7.2. In particular, if we transfer personal data from the EEA to countries with not adequate level of data protection, we use one of the following legal bases: (i) Standard Contractual Clauses approved by the European Commission (details available here), or (ii) the European Commission adequacy decisions about certain countries (details available here).
8. Data security & retention policies
8.1. We have implemented appropriate security measures to prevent your data from being accidentally lost, used, accessed unauthorized, altered, or disclosed. In addition, we limit access to your data to employees, agents, contractors, and other third parties who have a business need to know. They will only process your data based on our instructions and are subject to a duty of confidentiality.
8.2. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
8.3. We also use technical data encryption tools like SSL protocols to secure your data.
8.4. We will store your personal data for as long as it is reasonably necessary for achieving the purposes set forth in the Terms of Use and Privacy Policy, which includes the period during which you have an account with the Service. We will also retain and use your personal data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
8.5. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your data, the purposes for which we process your data, and whether we can achieve those purposes through other means, and the applicable legal requirements.
9. Changes to policy
We reserve the right to and may change this privacy notice occasionally. If we make any material changes, we will notify you through our Service, email, or by presenting you with a new version of this privacy notice for you to accept if we, for example, add new processing activities or collect additional personal data from you. Your continued use of the Service after the effective date of an updated version of the Privacy Policy will indicate your acceptance of the Privacy Policy as modified.
10. Your legal rights
10.1. This Section explains legal rights applicable to users that are residents of certain economic areas, countries, or states as set forth below. Except as otherwise provided herein, you may exercise your legal rights by contacting us at devacc_app@narrativelab.ee. To ensure that we properly handle the requests you make regarding your rights, we are required to verify those requests. Depending on the type of request and the product used by you, this may include your name, age, email, date of subscription purchase, date of last activity, date of account creation, or some other Service use data that will reasonably identify you as an owner of the account, etc. We may also ask you for additional proof of identity, if necessary, but we strive to ask less according to the data minimization principle.
10.2. European Economic Area residents
As a data subject, you have the right to interact with its data directly or through a request to us. This section describes these rights and how you can exercise them:
Right | Description |
Right to access | You can request an explanation of the processing of your personal data. |
Right to rectification | You can change the data if it is inaccurate or incomplete. |
Right to erasure | You can send us a request to delete your personal data from our systems. We will remove them unless otherwise provided by law. |
Right to restrict the processing | You may partially or completely prohibit us from processing your personal data. |
Right to data portability | You can request all the data you provided to us and request to transfer data to another controller. |
Right to object | You may object to the processing of your personal data. |
Right to withdraw consent | You can withdraw your consent at any time. |
Right to file a complaint | If your request was not satisfied, you could file a complaint to the regulatory body. |
To exercise your rights, contact us. If your request is not satisfied, you can submit a complaint to your local Data Protection Authority. You may find it here. UK residents enjoy the same rights but may lodge a complaint at the other Authority in the UK – Information Commissioner’s Office. You can contact them at 0303 123 1113 or go online at www.ico.org.uk/concerns. | |
Please note! Depending on the state and legislative requirements, we have from 30 to 60 days to exercise your request, with the right to postpone it for 30 days more. |
If your complaint is not satisfied, you can file a complaint with the Federal Trade Commission.
Your rights vary depending on the laws that apply to you, but may include:
Right | Description | Area | |
Right to access | You can request an explanation of how your personal data is processed. |
|
|
Right to correct | You can change the data if it needs to be more accurate or complete. |
|
|
Right to delete | You can request to delete your personal data from our systems. |
|
|
Right to portability | You can request all the data you provided to us and request to transfer data to another controller. |
|
|
Right to opt out of sales | The right to opt out of the sale of personal data to third parties. |
|
|
Right to opt out of certain purposes | The right to opt-out of processing for profiling/targeted advertising purposes. |
|
|
Right to opt out of the processing of sensitive data | The right to opt-out of processing of sensitive data. |
| |
Right to opt out of sales and sharing | The right to opt out of the sale of personal information to third parties and the right to opt out of sharing personal information for cross-context behavioral advertising purposes. |
|
|
Right against automated decision-making | A prohibition against a business making decisions about a consumer based solely on an automated process without human input |
|
|
Private right of action | The right to seek civil damages from a controller for statute violations. |
| |
Please note! Some states do not have privacy laws. The rights of residents of such states are governed by U.S. federal law. If your state is missing from the list, please contact us. | |||
10.4. California Privacy Rights (California Residents — CCPA/CPRA)
This Section applies only to residents of California and supplements the rest of this Privacy Policy.
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), California residents may have specific rights regarding their personal information and Sensitive Personal Information (“SPI”).
10.4.1. Right to Opt Out of Sale or Sharing of Personal Information
California residents have the right to opt out of:
For purposes of CCPA/CPRA:
“Sale” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to a third party for monetary or other valuable consideration.
“Sharing” means disclosing, making available, or otherwise communicating personal information to a third party for cross-context behavioral advertising, regardless of whether monetary consideration is involved.
We do not sell, and do not knowingly sell, your personal information for monetary consideration.
Transfers of personal information to our service providers and contractors (listed in Section 6.2) do not constitute a sale or sharing under CCPA/CPRA where such transfers are subject to contractual restrictions required by applicable law.
However, our use of cookies, advertising pixels, SDKs, and similar tracking technologies (including, where applicable, Meta Pixel and Google Ads technologies described in Section 3) may constitute “sharing” of personal information for cross-context behavioral advertising purposes under CCPA/CPRA.
You may opt out of such sharing at any time.
For information regarding technologies that may result in sharing of personal information, please see Section 3.3.5 and Section 6.
10.4.2. How to Submit an Opt-Out Request
You may submit an opt-out request using the following method:
You do not need to create an account to submit an opt-out request.
10.4.3. Right to Limit Use and Disclosure of Sensitive Personal Information
Under CCPA/CPRA, California residents may have the right to direct us to limit the use and disclosure of their Sensitive Personal Information (“SPI”) to purposes reasonably necessary to provide the requested services and to other purposes permitted by law.
Where applicable and depending on the product and features enabled by you, we may process the following category of Sensitive Personal Information (“SPI”):
We process SPI only for the purposes described in Section 4 and, where applicable, for purposes permitted under CCPA/CPRA regulations § 7027, including:
If we use SPI for additional purposes requiring limitation rights under CCPA/CPRA, we will provide an additional mechanism allowing California residents to limit such use.
For information about categories of Sensitive Personal Information that may be processed, please see Section 3.6.
10.4.4. How to Submit a Request to Limit SPI Processing
You may submit a request to limit the use and disclosure of SPI using:
You may limit each category of SPI separately or all categories at once.
10.4.5. California Shine the Light Rights
California residents may request information once per calendar year regarding categories of personal information disclosed to third parties for their direct marketing purposes.
To submit such request, please send an email to devacc_app@narrativelab.ee with the subject line:
“Request for California Shine the Light Privacy Information”
and include your California state of residence and email address.
Only disclosures covered under applicable California law will be included in our response.
11. Contact us
If you have any questions about this Privacy Policy and/or want to exercise your legal rights, you may contact us at devacc_app@narrativelab.ee.
Last updated: 16 June 2026