Data protection & GDPR
Last updated: 1 July 2026
This page explains how Pulsix meets its obligations under the UK GDPR and EU GDPR, and — more usefully — how you actually exercise your rights in the product. It supplements the privacy policy.
1. Health data is special-category data
Much of what Pulsix stores for you — body composition, blood biomarkers, nutrition, sleep, training load — is special-category data under Article 9 GDPR. We process it on the basis of your explicit consent, given when you choose to log, connect or upload it for the purpose of receiving Pulsix’s analysis and coaching. You can withdraw that consent at any time by deleting the data concerned or your whole account.
2. Your rights — and the self-service that implements them
| Right | How it works in Pulsix |
|---|---|
| Access (Art. 15) & portability (Art. 20) | Self-service: Settings → Privacy → Export my data in the app produces a complete archive of everything Pulsix holds about you — every domain as structured JSON plus your uploaded and generated files. No email, no waiting on us. |
| Erasure (Art. 17) | Self-service: Settings → Privacy → Delete my account permanently deletes your account and all captured data. Deleted data then leaves the encrypted backup cycle as it rotates (up to 35 days). |
| Rectification (Art. 16) | Almost everything you capture is directly editable in the app. For anything you cannot edit yourself, email us and we will correct it. |
| Restriction (Art. 18) & objection (Art. 21) | Email privacy@pulsix.io and we will restrict the processing concerned while we resolve your request. |
| Withdraw consent (Art. 7(3)) | Delete the data concerned, disconnect the integration, revoke a coach’s access, or delete your account — all self-service. |
| Complain (Art. 77) | You can complain to the UK Information Commissioner’s Office (ico.org.uk) or your local EU supervisory authority. We’d appreciate the chance to fix it first. |
For requests we handle by email, we respond within one month as the GDPR requires (and usually much faster).
3. Coach access is consent, not default
Pulsix is two-sided, and the athlete owns the data. A coach sees an athlete’s data only through an explicit, in-product consent grant from that athlete; the athlete can revoke it at any time; and every coach access runs through that consent check and is audited. There is no “admin sees everything” backdoor in the product’s data model — internal break-glass access is restricted, logged and audited.
4. Security measures
- Tenant isolation at the database layer: row-level security policies enforce that queries outside your account context return nothing by default (fail-closed) — isolation does not depend on application code alone.
- Encryption: TLS in transit; encryption at rest for the database, file storage and backups; an additional application-level AES-256-GCM layer for integration tokens and AI chat content.
- Authentication: strong password hashing, optional multi-factor authentication (authenticator apps and passkeys/WebAuthn), session revocation.
- Auditing: security events and coach/admin access are logged to an audit trail.
- Least privilege: separated database roles, encrypted secrets management, and infrastructure kept to the minimum surface needed to run the service.
5. Where data is processed
Primary hosting is AWS London (eu-west-2): database, object storage and backups all stay in-region. Limited data flows to subprocessors outside the UK/EEA (see below) under UK IDTA/Addendum and EU Standard Contractual Clauses.
6. Subprocessors
| Subprocessor | Purpose | Data involved | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting, database, file storage, backups | All service data | UK (London, eu-west-2) |
| Stripe | Payment processing and subscription billing | Billing identity and payment data (card details never touch our servers) | EU/US (safeguarded transfer) |
| Anthropic | AI processing for coaching features | The slices of your data needed to answer a request, single-athlete scoped; not used to train models under our API terms | US (safeguarded transfer) |
| SendGrid (Twilio) | Transactional email | Email address and message content (e.g. password resets, billing notices) | US (safeguarded transfer) |
| Google | “Sign in with Google” — only if you choose it | OAuth identity (email, name) | EU/US (safeguarded transfer) |
If we add or replace a subprocessor that touches personal data, we update this page before it takes effect.
7. Data protection by design
The product decisions that matter most for your privacy were made at the architecture stage, not bolted on: fail-closed database isolation from day one, self-service export and erasure as first-class product features, consent-scoped coach access, no advertising or tracking anywhere, and a marketing site that sets no cookies at all.
8. Contact
Data protection contact: privacy@pulsix.io. Pulsix is operated from the United Kingdom.