Privacy Policy

Effective Date: May 25, 2026
Last Updated: May 25, 2026
IT Act 2000 GDPR CCPA PDPB 2023

YOUR HEALTH DATA BELONGS TO YOU. THIS IS A LEGALLY BINDING DOCUMENT. Please read this Privacy Policy carefully. It explains how PulseOrion Health AI (“PulseOrion,” “we,” “us,” or “our”) collects, uses, stores, processes, shares, and protects your personal data and health information when you access or use the PulseOrion application, website, and related services (collectively, the “Service”).

1. DEFINITIONS AND SCOPE

1.1 Definitions. For the purposes of this Privacy Policy:

“Orion AI” refers to the proprietary artificial intelligence model that powers the Service’s health insights, suggestions, and adaptive programs.

“Personal Data” means any information relating to an identified or identifiable natural person, including but not limited to name, phone number, email address, date of birth, and unique device identifiers.

“Sensitive Personal Data or Information (SPDI)” has the meaning ascribed to it under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and includes health data, biometric data, sexual orientation, and genetic data.

“Health Information” means any data you provide or generate through the Service pertaining to your physical or mental health, including vitals, medications, symptoms, lab reports, cycle data, and AI-generated health insights.

“Data Subject” means any identifiable natural person whose Personal Data is processed by PulseOrion.

“Processing” means any operation or set of operations performed on Personal Data or SPDI, whether by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

1.2 Scope. This Privacy Policy applies to all users of the Service, regardless of geographic location. By accessing or using the Service, you acknowledge that you have read, understood, and agreed to the practices described in this Policy. If you do not agree with any provision herein, you must discontinue use of the Service immediately.

1.3 Legal Framework. This Privacy Policy is designed to comply with, and shall be interpreted in accordance with:

The Information Technology Act, 2000 (India) and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR);
The California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act (CPRA);
The Digital Personal Data Protection Act, 2023 (India) (DPDP Act); and
Any other applicable data protection and privacy laws in the jurisdictions where the Service is accessed.

2. DATA CONTROLLER AND GRIEVANCE OFFICER

2.1 Data Controller. The entity responsible for the collection and processing of your Personal Data and Health Information under this Privacy Policy is:

PulseOrion Health AI
India
Email: privacy@pulseorion.app

2.2 Grievance Officer (India). In compliance with Rule 5(1) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and Section 15 of the Digital Personal Data Protection Act, 2023, the Grievance Officer designated to address complaints and grievances regarding the processing of your Personal Data is:

Grievance Officer
Email: grievance@pulseorion.app
Response Time: Complaints shall be acknowledged within 24 hours and resolved within one (1) month from the date of receipt.

2.3 Data Protection Officer (GDPR). For users within the European Economic Area, inquiries regarding data protection may be directed to: dpo@pulseorion.app.

3. INFORMATION WE COLLECT

We collect the following categories of Personal Data and Health Information from and about you:

3.1 Account Information. When you register for the Service, we collect:

Phone number — used for one-time password (OTP) authentication and account verification;
Full name — to personalize your experience and enable family/connected health features;
Email address — for account recovery, notifications, and communication (if voluntarily provided);
Date of birth, sex — for health metric calculations, age-appropriate insights, and clinical reference ranges;
Blood group, allergies — for emergency preparedness and medication interaction alerts;
Timezone — to ensure accurate timing of medication reminders, alerts, and health tracking;
Biometric authentication data — device-side biometric authentication (fingerprint, face recognition) is used exclusively for local app unlocking. We do not collect or store biometric templates on our servers.

3.2 Health Information You Provide or Generate. The core functionality of the Service involves collecting and processing the following Health Information:

Vitals	Heart rate, blood pressure (systolic/diastolic), blood glucose levels, body temperature, oxygen saturation (SpO2), respiratory rate, and other physiological metrics you manually log or sync from wearable devices.
Medications & Supplements	Medication names, dosages, schedules, adherence logs, prescription images, diagnosis information, prescribing physician details, and supplement intake records.
Lab Reports	Images and PDFs of laboratory reports uploaded by you. Orion AI extracts markers, values, reference ranges, and trends from these reports. This includes but is not limited to: HbA1c, lipid profiles, thyroid panels, liver function tests, kidney function tests, complete blood counts, vitamin levels, and hormonal assays.
Symptoms & Conditions	Self-reported symptom logs, severity ratings, duration, timestamps, and AI-analyzed condition assessments. Medical diagnoses you choose to record.
Cycle & Fertility Data	Menstrual cycle phase tracking, flow intensity, associated symptoms (cramps, mood, energy), fertility window predictions, and contraceptive tracking.
Fitness & Activity Data	Step counts, workout types, duration, intensity, sleep duration, sleep stages (deep, light, REM), and activity patterns.
Skin Care	Products used, routines, application frequency, skin condition logs, and photographs of skin conditions.
Nutrition (where enabled)	Meal logs, water intake, dietary preferences, and calorie tracking.

3.3 Family & Connected Health Information. If you elect to use the connected health features, we collect:

Family member names and relationship — to establish the connection between your account and the family member’s account;
Shared Health Information — vitals, medications, adherence data, alerts, and summaries that you authorize to be shared with connected family members or caregivers;
Caregiver relationships and permissions — the scope of access you grant to caregivers (view-only, alert forwarding, medication management).

3.4 AI-Generated Data. As a core function of the Service, Orion AI generates the following data derived from your Health Information:

Chat and interaction history — your conversations with Orion AI, including questions, responses, health queries, and contextual follow-ups. This data is stored to provide continuity of care and context-aware intelligence;
Health insights and summaries — AI-generated analyses, trend identifications, anomaly detections, and clinical summaries;
Program adaptations — records of program adjustments, dose timing modifications, and adaptive changes made by Orion AI based on your biological responses;
Symptom analysis reports — AI-generated severity assessments, pattern recognitions, and triage recommendations.

3.5 Technical Information Collected Automatically. When you access the Service, we automatically collect:

Device Information	Device model, operating system version, unique device identifiers, app version, mobile network information, and language preferences.
Usage Data	App opens, screen views, feature interactions, session duration, and navigation patterns. This data is aggregated and anonymized wherever possible.
Push Notification Tokens	Firebase Cloud Messaging (FCM) tokens required to deliver medication reminders, health alerts, and program notifications to your device.
Crash Reports	Application crash logs, stack traces, and performance metrics transmitted via Sentry for the purpose of diagnosing and resolving technical issues.
Location Information	Precise GPS location is accessed only when you explicitly initiate an emergency SOS alert or use the emergency card feature. Location is not collected in the background or for any other purpose.
Log Data	Server logs recording API requests, timestamps, IP addresses (anonymized), and HTTP response codes for security monitoring and service optimization.

4. PURPOSES OF PROCESSING

We process your Personal Data and Health Information for the following lawful purposes:

To provide and operate the Service. This includes authenticating your identity, generating health insights via Orion AI, sending medication reminders, managing health programs, facilitating family connectivity, and maintaining your account.
To improve Orion AI. De-identified and aggregated Health Information is used to train, validate, and enhance the accuracy and safety of Orion AI’s clinical reasoning capabilities. Data used for model improvement is stripped of personally identifiable information.
To communicate with you. This includes service-related notifications (medication alerts, health updates, program changes), account-related communications (password resets, security alerts), and, with your separate consent, product updates and feature announcements.
To comply with legal obligations. We may process your data to comply with applicable laws, regulations, court orders, or lawful government requests.
To protect vital interests. In rare circumstances, we may process Health Information to protect your vital interests or those of another person, such as in a medical emergency where you are unable to provide consent.
For security and fraud prevention. To protect the Service, our users, and our infrastructure against unauthorized access, malicious activity, and security breaches.

5. LEGAL BASES FOR PROCESSING (GDPR)

For users in the European Economic Area, we process your Personal Data under the following legal bases:

Consent (Article 6(1)(a))	Where you have explicitly consented to the processing of your Health Information and SPDI for specific purposes, including AI-driven health analysis and program adaptation.
Contract (Article 6(1)(b))	Processing necessary for the performance of the Terms of Service, including account management, health tracking, and notification delivery.
Legal Obligation (Article 6(1)(c))	Processing necessary to comply with applicable legal and regulatory requirements.
Legitimate Interests (Article 6(1)(f))	Processing for service improvement, security monitoring, fraud prevention, and anonymized analytics, where our legitimate interests do not override your fundamental rights and freedoms.
Vital Interests (Article 6(1)(d) and Article 9(2)(c))	Processing of special category data where necessary to protect your vital interests or those of another natural person.

6. DATA STORAGE AND SECURITY

6.1 Storage Infrastructure. Your Personal Data and Health Information are stored using the following infrastructure:

Primary Database. PostgreSQL database hosted via Supabase, encrypted at rest using AES-256 encryption. Data is replicated across multiple availability zones for redundancy.
Authentication. Firebase Authentication (Google Cloud Platform) for OTP verification, token generation, and session management.
Encrypted Local Storage. Authentication tokens, FCM tokens, and sensitive preferences are stored locally on your device using FlutterSecureStorage, which leverages the operating system’s native encrypted storage (Keychain on iOS, EncryptedSharedPreferences on Android).
File Storage. Uploaded lab reports and prescription images are stored in encrypted cloud storage buckets with server-side encryption enabled.

6.2 Security Measures. We implement and maintain the following technical and organizational security measures:

Encryption in Transit. All data transmitted between the PulseOrion application and our servers is encrypted using TLS 1.3 protocol;
Encryption at Rest. Data stored in our PostgreSQL database is encrypted at rest using AES-256 encryption;
Access Controls. Strict role-based access controls (RBAC) govern employee and contractor access to production data. Access is granted on a least-privilege basis and logged;
Token-Based Authentication. API authentication uses short-lived JWT tokens with automatic expiry (60 minutes) and refresh token rotation;
Rate Limiting. Sensitive endpoints (authentication, password reset) are rate-limited to prevent brute-force attacks;
Regular Audits. Our codebase and infrastructure undergo regular security audits, dependency vulnerability scanning, and penetration testing;
Incident Response. We maintain a documented security incident response plan to promptly address data breaches, unauthorized access, or security incidents. You will be notified of any breach affecting your Personal Data within 72 hours as required under applicable law.

6.3 Third-Party Processors. We engage the following third-party data processors who are contractually obligated to protect your data under data processing agreements (DPAs) compliant with GDPR Article 28:

Supabase Inc.	Database hosting (PostgreSQL). Certified SOC 2 Type II, GDPR-compliant.
Google Cloud (Firebase)	Authentication, push notifications (FCM), analytics. Certified SOC 2/3, ISO 27001, GDPR-compliant.
RevenueCat Inc.	Subscription management and payment processing. Certified SOC 2 Type II.
Functional Software Inc. (Sentry)	Crash reporting and error tracking. Certified SOC 2 Type II, GDPR-compliant.

7. DATA SHARING AND DISCLOSURE

7.1 No Sale of Data. PulseOrion does not sell, rent, trade, or license your Personal Data or Health Information to third parties for any purpose, including advertising, marketing, or research, without your explicit consent. This includes any transfer of data for valuable consideration as defined under the CCPA.

7.2 Permitted Disclosures. We may disclose your data only in the following limited circumstances:

With your explicit consent. When you voluntarily share data with family members, caregivers, or healthcare providers through the Service’s connected health features;
To authorized service providers. Third-party processors listed in Section 6.3 above, who process data solely on our behalf and under our written instructions, subject to contractual data protection obligations;
To comply with legal process. When required to do so by applicable law, regulation, court order, subpoena, or other valid legal request, provided we make reasonable efforts to notify you prior to disclosure unless prohibited by law;
To protect rights and safety. When we believe in good faith that disclosure is necessary to protect the rights, property, or personal safety of PulseOrion, our users, or the public, including to prevent imminent serious harm or death;
In the context of business transfers. In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your data may be transferred as part of that transaction, subject to the successor entity assuming the commitments in this Privacy Policy.

7.3 International Transfers. Your data may be processed and stored on servers located in India and the United States. For users in the European Economic Area, we ensure adequate safeguards for international data transfers through the use of Standard Contractual Clauses (SCCs) adopted by the European Commission, or other valid transfer mechanisms as recognized under GDPR Chapter V.

8. DATA RETENTION

8.1 Retention Period. We retain your Personal Data and Health Information for the duration of your account’s active status. Upon account deletion, the following retention and deletion schedule applies:

Active Account Data	Retained for as long as your account remains active. You may request data export at any time.
Post-Deletion — Primary Data	All Personal Data and Health Information permanently deleted within thirty (30) calendar days of account deletion.
Post-Deletion — Backups	Encrypted backup copies permanently purged within ninety (90) calendar days.
Anonymized Data	De-identified, aggregate data used for model improvement may be retained indefinitely after removal of all personally identifiable information.
Legal Holds	Data subject to a valid legal hold, ongoing investigation, or litigation hold shall be retained until the hold is lawfully released.

8.2 Data Export. You may request a portable copy of your data at any time by contacting privacy@pulseorion.app. We will provide your data in a structured, commonly used, machine-readable format within thirty (30) days of your request.

9. YOUR RIGHTS AND CONTROL

9.1 General Rights. You have the following rights regarding your Personal Data and Health Information:

Right of Access. You may request confirmation of whether we process your data and obtain a copy of the data we hold about you;
Right to Rectification. You may request correction of inaccurate or incomplete data;
Right to Erasure (Right to be Forgotten). You may request deletion of your data, subject to certain legal exceptions;
Right to Restrict Processing. You may request restriction of processing in certain circumstances, including where you contest the accuracy of the data or object to processing;
Right to Data Portability. You may receive your data in a structured, machine-readable format and transmit it to another controller;
Right to Object. You may object to processing based on legitimate interests, including processing for analytics and service improvement;
Right to Withdraw Consent. Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal;
Right to Opt Out of Analytics. You may disable anonymous usage data collection at any time via the application’s Settings screen.

9.2 Exercising Your Rights. To exercise any of these rights, contact us at privacy@pulseorion.app. We will respond to your request within thirty (30) days, or such shorter period as required by applicable law. We may request additional information to verify your identity before processing your request.

9.3 Account Deletion. You may delete your account and all associated data at any time through the application’s settings. Upon account deletion, your data will be permanently removed in accordance with the retention schedule set forth in Section 8 above.

9.4 California Privacy Rights (CCPA/CPRA). California residents have the following additional rights:

The right to know the categories and specific pieces of personal information we collect, use, disclose, and sell;
The right to request deletion of personal information collected or maintained by us;
The right to opt out of the sale of personal information (PulseOrion does not sell personal information);
The right to non-discrimination for exercising any CCPA rights;
The right to correct inaccurate personal information.

Requests under the CCPA may be submitted to privacy@pulseorion.app. We will verify your identity using the information associated with your account and respond within forty-five (45) days.

9.5 EU Resident Rights. In addition to the rights listed in Section 9.1, EU residents have the right to lodge a complaint with their local supervisory authority (Data Protection Authority) if they believe their data protection rights have been violated.

10. COOKIES, ANALYTICS, AND TRACKING

10.1 In-App Analytics. The PulseOrion application uses Firebase Analytics, a service provided by Google LLC, to collect anonymized usage data including app opens, screen views, feature interactions, and session duration. This data is used exclusively for:

Understanding how users interact with the Service to inform product improvements;
Identifying and troubleshooting technical issues;
Measuring feature adoption and user engagement patterns.

We do not use analytics data for advertising, behavioral profiling, or any commercial purpose beyond operating and improving the Service. You may opt out of analytics data collection at any time via the application’s Settings screen.

10.2 Website Cookies. The PulseOrion website does not use tracking cookies, advertising cookies, or third-party cookies. We may use strictly necessary session cookies for basic operational purposes, which do not require consent under applicable law. No personal data is collected through the website beyond what you voluntarily submit through the waitlist form.

10.3 Do Not Track. Our Service does not respond to Do Not Track (DNT) signals at this time. We adhere to the data minimization principles described in this Policy regardless of DNT signals.

11. CHILDREN’S PRIVACY

11.1 Age Restriction. The Service is not intended for, and may not be used by, individuals under the age of thirteen (13). We do not knowingly collect, maintain, or process Personal Data or Health Information from children under 13.

11.2 Teen Users (13–18). Individuals between the ages of 13 and 18 may use the Service only with the consent and supervision of a parent or legal guardian. The parent or guardian who provides consent is responsible for the teen’s use of the Service and will exercise the rights described in this Policy on the teen’s behalf.

11.3 Data Deletion Request. If you believe that a child under 13 has provided us with Personal Data or Health Information without parental consent, please contact us immediately at privacy@pulseorion.app. We will delete the data within seventy-two (72) hours of verification.

12. AI AND AUTOMATED DECISION-MAKING

12.1 Nature of AI Processing. Orion AI is a purpose-built health model that employs automated processing of your Health Information to generate insights, suggestions, program adaptations, and alerts. This includes but is not limited to:

Analyzing lab report markers against clinical reference ranges;
Detecting patterns and trends in vital signs and symptom logs;
Adjusting medication timing and program parameters based on biological responses;
Generating personalized health summaries and briefing reports.

12.2 Human Oversight. While Orion AI operates autonomously, all AI-generated outputs are clearly identified as AI-generated. You retain the right to request human review of any AI-generated insight or decision that significantly affects your health management. To request human review, contact legal@pulseorion.app.

12.3 Right to Object (GDPR Article 22). For users in the European Economic Area, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. You may object to automated decision-making by contacting dpo@pulseorion.app. However, please note that restricting automated processing may limit the functionality and efficacy of the Service.

12.4 Model Training. Orion AI models may be trained on de-identified and aggregated data from users. All personally identifiable information is removed prior to training. You may opt out of having your anonymized data used for model training by contacting privacy@pulseorion.app.

13. MEDICAL DISCLAIMER

13.1 No Medical Device. The Service, including Orion AI, is not a regulated medical device under the Food and Drug Administration (FDA), the Central Drugs Standard Control Organization (CDSCO), or any other regulatory body. The Service does not diagnose, treat, cure, mitigate, or prevent any disease or medical condition.

13.2 Informational Purposes Only. All AI-generated insights, summaries, suggestions, alerts, and program adaptations are provided for informational and care-coordination purposes only. They are not a substitute for professional medical judgment, clinical reasoning, diagnosis, or treatment.

13.3 Emergency. If you believe you are experiencing a medical emergency, call your local emergency services immediately. Do not rely on the Service for emergency response. The Service is not designed, intended, or authorized for use in emergency medical situations.

13.4 No Doctor-Patient Relationship. Use of the Service does not create a physician-patient, clinician-patient, or healthcare provider-patient relationship between you and PulseOrion, its operators, or any affiliated healthcare professionals.

14. CHANGES TO THIS POLICY

14.1 Notification of Changes. We reserve the right to amend this Privacy Policy at any time. Material changes will be communicated to you through the following means:

In-app notification upon next launch;
Email notification (if you have provided an email address);
Update to the “Last Updated” date at the top of this Policy.

14.2 Acceptance of Changes. Your continued use of the Service after the effective date of any amendment constitutes your acceptance of the revised Privacy Policy. If you do not agree with the amended Policy, you must discontinue use of the Service and may request deletion of your data as described in Section 9.3.

15. GOVERNING LAW AND JURISDICTION

15.1 Governing Law. This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of India, including the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023.

15.2 Dispute Resolution. Any dispute arising out of or relating to this Privacy Policy shall first be attempted to be resolved through informal negotiation. If the dispute cannot be resolved within thirty (30) days, it shall be submitted to arbitration in India in accordance with the Arbitration and Conciliation Act, 1996. The arbitration shall be conducted in English. The courts in India shall have exclusive jurisdiction over any matters relating to this Privacy Policy.

16. CONTACT INFORMATION

If you have any questions, concerns, complaints, or requests regarding this Privacy Policy or our data practices, please contact us at the following designated points:

General Privacy Inquiries	privacy@pulseorion.app
Grievance Officer (India)	grievance@pulseorion.app
Data Protection Officer (GDPR)	dpo@pulseorion.app
Legal Inquiries	legal@pulseorion.app

India