Privacy Policy

Last updated: April 13, 2026

Privacy Policy

Last updated: April 13, 2026

PulseChk ("we," "us," or "our") is a diagnostic assessment engine operated by Stefan Heinz. This Privacy Policy explains how we collect, use, store, and protect personal information when you use the PulseChk platform at pulsechk.app (the "Service").

This policy applies to two categories of users:

  • Providers — coaches, consultants, agencies, and service professionals who create and manage assessments through their PulseChk account.
  • Visitors — individuals who take assessments created by providers and embedded on provider websites.

When you create a PulseChk account, we collect:

  • Account information: Name, email address, and authentication credentials (password hash or OAuth token).
  • Business information: Business name, industry, core offering, target audience, and related details you provide during assessment creation.
  • Branding assets: Logo images and headshot photos you upload.
  • Assessment content: Questions, categories, scoring configurations, tier definitions, and resource links you create or that our AI generates on your behalf.

When a visitor takes an assessment, we collect:

  • Contact information: Name and email address (required). Phone number, company name, and custom field values (if the provider has enabled these fields).
  • Assessment responses: Answers to each question in the assessment.
  • Scores and results: Calculated scores, tier assignments, and AI-generated insights based on responses.
  • GDPR consent status: Whether consent was given, and the timestamp of consent (for visitors in the EU/EEA).

We automatically collect:

  • IP-derived location: Country and city (derived from IP address for GDPR consent determination and analytics). We do not store raw IP addresses long-term.
  • Browser information: User agent string (for logging and debugging).
  • Session data: Assessment start times, completion times, and navigation patterns within an assessment.
  • Cookies: We use minimal cookies — see the Cookies section below.

We use the information we collect to:

  • Operate the Service: Create and deliver assessments, calculate scores, generate personalized result reports, and deliver results via email and PDF.
  • AI processing: Generate assessment questions, personalized insights, and resource recommendations using artificial intelligence (see AI Processing section).
  • Analytics: Provide providers with aggregated analytics about their assessment performance (completion rates, score distributions, dropoff analysis).
  • Communication: Send transactional emails (assessment results to visitors, lead notifications to providers).
  • Security: Detect abuse, enforce rate limits, and maintain platform integrity.
  • Improvement: Analyze usage patterns to improve the Service (always in aggregate, never at the individual level).

PulseChk uses artificial intelligence to power several features:

  • Assessment generation: When a provider creates an assessment, we send their business information (industry, offering, target audience) to Google Gemini to generate tailored questions and scoring categories.
  • Quality assurance: Generated assessments are reviewed by Anthropic Claude to check for quality, bias, and clinical language violations.
  • Personalized insights: After a visitor completes an assessment, we send their scores, category results, and their answers to each question (including any free-text answers they provide) to Google Gemini to generate personalized insights for their results report.
  • Resource recommendations: AI generates suggested resource titles for each scoring tier.

Important safeguards:

  • We do not send visitor contact details — name, email address, or phone number — to AI providers. The information sent for insight generation is limited to the visitor's scores and their assessment answers. (Because free-text answer fields accept anything a visitor types, we recommend visitors not enter personal contact details into free-text answers.)
  • AI inputs are truncated to configurable character limits to minimize data exposure.
  • All AI operations are logged with token usage and cost tracking.
  • AI budget caps prevent runaway usage.

AI providers and their privacy policies:

  • Database: All data is stored in PostgreSQL via Supabase, hosted on AWS infrastructure. Data is encrypted at rest.
  • Multi-tenant isolation: Each provider's data is isolated using PostgreSQL Row Level Security (RLS) policies. Providers can only access their own data.
  • File storage: Uploaded assets (logos, headshots) and generated PDFs are stored in Supabase Storage with access controls.
  • Hosting: The application is hosted on Vercel with automatic HTTPS encryption for all connections.
  • Access controls: Administrative access is restricted to platform administrators. Provider accounts use authentication (password or OAuth via Google) with session-based access.
  • Email provider: We use Resend to send transactional emails.
  • Transactional only: PulseChk sends exactly ONE results email per assessment attempt to the visitor, and ONE lead notification email to the provider. We do not send marketing emails, drip sequences, or newsletters to visitors.
  • Deduplication: Our email system uses atomic check-and-set operations to prevent duplicate emails from being sent.
  • Email content: Results emails contain the visitor's name, assessment title, overall score, category scores, and a link to their full results page. All content is sourced from our database — never from client-submitted data.

PulseChk uses minimal cookies:

  • Authentication session cookie: Required for provider login sessions. This is a functional cookie necessary for the Service to work.
  • Landing view deduplication cookie: A short-lived cookie used to count unique views on assessment landing pages without double-counting. It contains no personal information.

We do not use:

  • Third-party advertising trackers
  • Social media tracking pixels
  • Google Analytics or similar analytics services on assessment pages
  • Any cross-site tracking mechanisms

You have the right to:

  • Access all data associated with your account, including leads, assessment responses, and analytics.
  • Export your lead data via CSV export from the dashboard.
  • Delete individual leads, assessment responses, or your entire account.
  • Modify your account information, business details, and branding at any time.

You have the right to:

  • Access your assessment results at any time via the results page link provided in your results email.
  • Request deletion of your data by contacting the provider who created the assessment, or by contacting us at support@pulsechk.app.
  • Withdraw consent (for EU/EEA visitors) by contacting us. Note that withdrawing consent does not affect the lawfulness of processing performed before withdrawal.

For visitors located in the EU/EEA:

  • Consent: We display a GDPR consent checkbox before collecting personal information. Assessment responses are not collected without explicit consent.
  • Legal basis: Processing is based on consent (Article 6(1)(a) GDPR) for visitor data collection, and legitimate interest (Article 6(1)(f)) for service operation and security.
  • Data controller and processor: The provider is the data controller for their visitors' personal data. PulseChk acts as a data processor on behalf of the provider.
  • Data location: Data is processed and stored in the United States. By using the Service, EU/EEA visitors consent to this transfer.
  • Right to lodge a complaint: You may lodge a complaint with your local data protection authority.
  • Provider data: Retained for the duration of the provider's active account. Upon account termination, data is available for export during a grace period, after which it is permanently deleted.
  • Visitor data: Retained until the provider deletes it, or until the provider's account is terminated.
  • System logs: Standard logs are retained for 90 days. Critical logs (errors, security events) are retained for 365 days.
  • AI usage logs: Retained for cost tracking and debugging purposes for 90 days.

PulseChk integrates with the following third-party services, each with their own privacy policies:

| Service | Purpose | Privacy Policy | |---------|---------|---------------| | Supabase | Database, authentication, file storage | supabase.com/privacy | | Vercel | Application hosting | vercel.com/legal/privacy-policy | | Google AI (Gemini) | AI generation and insights | ai.google.dev/terms | | Anthropic (Claude) | AI quality assurance | anthropic.com/privacy | | Resend | Transactional email delivery | resend.com/legal/privacy-policy | | Upstash | Rate limiting | upstash.com/trust/privacy | | Google OAuth | Provider authentication | policies.google.com/privacy |

PulseChk is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child under 18 has provided us with personal information, please contact us at support@pulsechk.app and we will promptly delete it.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we will notify providers via email.

We encourage you to review this policy periodically to stay informed about how we protect your information.

If you have questions about this Privacy Policy or our data practices, contact us at:

Stefan Heinz Email: support@pulsechk.app Address: 2730 S Wadsworth Blvd, Suite B #1013, Denver CO 80227