Privacy Policy
Last updated: 2026-05-20
For our EU and UK visitors: PulseAugur is operated from the United States. The "Legal basis" and "International data transfers" sections below describe the GDPR / UK-GDPR posture; the "Your rights" section explains how to exercise access, portability, and erasure rights.
PulseAugur ("we", "the app") is an AI-news aggregator. This page explains what data the app and the backend service handle on your behalf, why, and how you can remove it.
What we collect
When you install the app, the system stores the following on our backend so the service can work:
- Anonymous device identifier. The app generates a random UUID on first
launch and stores it in the iOS keychain. We use it on every request as
the
X-Device-Idheader to keep your alert preferences, follow list, and ranking signals associated with your install. It is not derived from any hardware ID, advertising ID, or your Apple ID. - Push tokens. If you enable notifications, we store your Expo push token and (on iOS) your APNs device token so we can deliver alerts. The tokens are scoped to the app and revoked automatically if you delete it.
- Alert preferences and custom alerts. When you opt into a notification kind (frontier release, citation spike, custom search), we save the preference and any saved-search filter JSON you create.
- Follow list. When you follow an entity (a company, model name, or topic), we save it so your Brief tab is personalized.
- Ranking signals. When you open a cluster or tap an external link, we log the cluster id, source, and timestamp so the per-device re-ranker can learn your preferences. We never log the cluster summary text or the URL of the article body.
- Aggregate analytics. We record anonymous, device-hashed events (tab views, cluster opens, external-link clicks, entity-filter taps) so we can answer "is the app being used?" without identifying you. The device id is one-way-hashed on the device before it ever leaves it; we cannot recover your raw device id from the analytics table. Event payloads contain only IDs, timestamps, and lookup keys — never cluster summaries, quoted text, or anything you typed.
What the website (pulseaugur.com) collects
The website runs a small, first-party page-view beacon — no cookies,
no third-party analytics, no fingerprinting. When you load a page, a
tiny script (/static/pa.js) sends a single request to our own server
recording:
- The path you visited (e.g.
/cluster/35871-…) and the page title. - The referring URL — the full address of the page that linked to
us, including its path and query string (with any URL fragment
removed and capped at 500 characters). For example, if you arrived
from a Hacker News thread we record the full
https://news.ycombinator.com/item?id=12345; if you arrived from a search engine, the URL may include the search keyword in the query string. We also keep a derived host-only field (news.ycombinator.com) for aggregate reporting. - Your browser's reported viewport size, screen size, time zone, and preferred language — used to understand whether to invest in mobile-first or desktop-first improvements.
- Your country, as reported to us by Cloudflare. We do not receive city, latitude, or longitude.
- A truncated form of your IP address — the last octet is zeroed
(e.g.
73.45.12.99becomes73.45.12.0). The full IP never leaves the request scope and is never written to storage. - An anonymous visitor identifier derived from a weekly-rotating secret + your truncated IP + your User-Agent. The identifier looks like a UUID and is irreversible. It changes every Sunday at 00:00 UTC (the start of each week), so within one week the same browser appears as the same anonymous visitor, and across any Sunday boundary it appears as a different one. The earlier week's secret is destroyed at rotation, so there is no way — even for us — to link your activity across week boundaries from this data alone. We chose weekly (rather than daily) so we can measure "how many distinct readers visited in the past 7 days" as a product-quality signal, without enabling longer-term tracking.
The website beacon does not set any cookies, does not write to localStorage, and does not fingerprint your browser. Declared bots (search engine and AI crawlers) are excluded from this dataset server-side.
Outbound link clicks (cluster pages)
When you click an external link on a story cluster page, we record:
- the time of the click,
- the cluster identifier (which story you were on),
- a classification of the destination (one of: search engine, social network, AI vendor, research publisher, news outlet, or "other"). We never store the specific URL you clicked — only the broad class is persisted, and the raw value is discarded server-side after classification.
- the same salted, weekly-rotated visitor identifier we use for pageviews,
- your country (from Cloudflare) and the truncated IP (
/24for IPv4,/48for IPv6).
This lets us tell, in aggregate, "what classes of destination do
PulseAugur readers tend to follow links to." It does not let us, or
anyone, reconstruct an individual's browsing history. The
classification list is fixed and public (see the source at
api/routes/beacon.py:classify_dest_host).
Outbound clicks honor GPC and DNT just like pageviews — when either signal is set on your browser, no outbound-click record is written.
Reading depth (cluster pages)
When you read a story cluster page, we may record how far down the page you got and roughly how long you stayed. Specifically:
- the time of the event,
- the cluster identifier (which story you were on),
- a quartile of how far down you scrolled — one of 25 %, 50 %, 75 %, or 100 %. We do not record a precise scroll position, pixel offset, or per-element view duration.
- a bucket of how long you spent on the page, chosen from one of: under 5 seconds, 5–30 seconds, 30 seconds to 2 minutes, 2–10 minutes, or over 10 minutes. We do not record your exact dwell time.
- the same salted, weekly-rotated visitor identifier we use for pageviews,
- your country (from Cloudflare) and the truncated IP (
/24for IPv4,/48for IPv6).
The deliberately coarse quartile + bucket shape exists so we can answer "is this cluster compelling enough that readers finish it" in aggregate, without learning anything fine-grained about any individual visit. There are no cookies, no localStorage writes, and no fingerprinting tied to this collection.
Reading depth honors GPC and DNT — when either signal is set on your browser, no reading-depth record is written.
Reader feedback flags
If we ship a feature that lets you flag a cluster as having a wrong or missing entity attribution, the flag we record is:
- the time of the flag,
- the cluster identifier,
- the entity identifier (where present — "missing entity" flags may not name a specific entity),
- a kind from a fixed enum:
wrong_entity,missing_entity,wrong_relation, orother. We do not record any free-text comment or justification — the kind is the only operator-facing signal. - the same salted, weekly-rotated visitor identifier we use for pageviews,
- your country and truncated IP as above.
We use these flags in aggregate to fix entity-extraction problems on our side. We do not contact you, profile you, or share these flags with any third party. The flag itself is intentionally a single click — no text input, no upload, no contact details.
Reader flags honor GPC and DNT.
Global Privacy Control / Do Not Track
If your browser sends a Sec-GPC: 1 signal (the Global Privacy
Control standard, used by Firefox, Brave, DuckDuckGo Privacy Browser,
and others) or the older DNT: 1 signal, we honour it as a request
not to record where you came from. The pageview row is still written
— so we can still answer "did anyone read this article" — but every
referrer field (host, kind, and full URL) is set to null for that
visit. The visitor identifier is still computed the same way, since
it never leaves the week it was generated in.
To enable GPC: Firefox Settings → Privacy & Security → "Tell websites not to sell or share my data"; Brave Shields are on by default.
What we do not collect
- No name, email address, phone number, or location.
- No contact list, photo library, or microphone access.
- No third-party tracking SDKs (no Google Analytics, Firebase Analytics, Facebook SDK, advertising IDs, or session-replay tools).
- No browser fingerprinting on the web.
Third parties
We use a small number of vendors to operate the service. Each one only sees what it needs to do its job.
- Expo Push Service (notifications.expo.dev) — receives your Expo push token and the notification payload when we send an alert. Apple, in turn, receives the APNs token to deliver the push to your device.
- Resend (resend.com) — only used if you opt into the daily briefing by email. Receives your email address and the briefing HTML.
- Cloudflare (cloudflare.com) — sits in front of the API as a CDN + WAF. Standard request metadata (IP, User-Agent, requested URL) is visible to Cloudflare for the duration of the request.
- Google Gemini, Anthropic, OpenAI — large-language-model providers we use to summarize and bucket articles. They never see your device id, push token, or any personally identifying data — only the public article text we send them for summarization.
Retention
- Ranking events: kept for 90 days, then deleted.
- Aggregate analytics events: kept for 90 days; aggregate views (DAU, MAU, tab usage) are computed on the fly.
- Website page-view beacon rows: kept up to ~30 days, then dropped automatically via monthly partition rotation (effective retention is between 30 and 60 days depending on where in the monthly cycle a row landed). Daily aggregates (totals per day, country, and page type) are kept for 24 months and contain no per-visitor data.
- Push tokens: kept until the device unregisters or the OS revokes the token (which it does automatically when you uninstall the app).
- Device records (alerts, follow list, custom searches): kept until you delete them via Settings → Manage my data, or until the device record is deleted.
Legal basis (GDPR Art. 6)
For visitors and users in the EU / UK, we rely on the following lawful bases for each processing activity:
- Page-view beacon — legitimate interests (Art. 6(1)(f)). The beacon is first-party, cookieless, pseudonymous, IP-truncated, and used only for audience measurement of our own site. It is intended to fit the CNIL "audience-measurement exemption" posture and similar guidance from other EU data-protection authorities.
- Account creation, sign-in, and subscription management — performance of a contract (Art. 6(1)(b)). Processing your email, name, sign-in identity, and subscription state is necessary to provide the account-tier service you signed up for.
- Briefing email — legitimate interests (Art. 6(1)(f)) for the transactional content; you can opt out at any time in Settings → Notifications.
- Push notifications — consent (Art. 6(1)(a)). iOS / Android require an explicit prompt before we can send notifications, and you can revoke it at any time in the OS settings or in the app.
- Custom alerts and follow lists — legitimate interests (Art. 6(1)(f)). These exist to deliver the feature you opted into; you can remove individual entries or run a full erasure (see "Your rights" below).
International data transfers
The PulseAugur backend runs in the United States on AWS (region
us-east-1), with Cloudflare acting as the global CDN and WAF in
front of it. EU / UK personal data is therefore transferred to the US
to provide the service.
We rely on the European Commission's Standard Contractual Clauses (SCCs) for both vendors:
- AWS SCCs: https://aws.amazon.com/compliance/eu-data-protection/
- Cloudflare SCCs: https://www.cloudflare.com/trust-hub/gdpr/
Both vendors publish current SCC packages and supplementary measures; the links above are the canonical entry points.
Your rights
If you are in the EU / UK / Switzerland (or a comparable jurisdiction), GDPR / UK-GDPR gives you the right to access, rectify, erase, port, restrict, and object to processing of your personal data. PulseAugur honours these rights the same way globally — there is no two-tier privacy practice. Three self-service paths:
- Access + portability. From a signed-in app session:
GET /api/account/export— downloads a JSON file containing every category of personal data tied to your account (theaccountsrow itself, linked auth identities, device list, subscription history, push tokens, custom alerts, bookmarks, reads, briefing-send history, and ranking events). - Erasure of stored content (keep the account). From the
signed-in app: Settings → Manage my data → Delete my content,
or
DELETE /api/accountwith headerX-Confirm: <your account id or device id>. Clears bookmarks, reads, alerts, push tokens, and ranking events; leaves theaccountsrow + sign-in identities intact so you can keep using the app. - Full account erasure. From the signed-in app:
Settings → Manage my data → Erase my account, or
POST /api/account/erasewith headerX-Confirm: <your account id>. Deletes theaccountsrow and every dependent row — the cascade is the same one used by our internal smoke-test-user scrub script and removes all personal data associated with your account.
For rectification, restriction, objection, or anything else, email [email protected] and we'll handle it manually within 30 days (the GDPR statutory window).
You also have the right to lodge a complaint with your local data-protection authority (Art. 77) if you believe we're handling your data unlawfully. A list of EU DPAs is published by the EDPB at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.
Your in-app controls
- Open Settings → Notifications to turn any push kind on or off.
- Open Settings → Manage my data to export everything tied to your account or device id as JSON, delete your data, or fully erase your account.
Children
PulseAugur is not directed at children under 13 and does not knowingly collect data from them. If you believe a child has used the app, contact us and we will delete any associated records.
Changes
If we change this policy, the "Last updated" date at the top of this page will change. Material changes will surface as an in-app notice on next launch.
Contact
Questions or requests can go to [email protected].