Legal
Privacy Policy
Last updated: 2026-04-16
1. Data controller
The data controller responsible for the processing of your personal data when you use the Impulse AI app and related services ("Impulse") is Digiteers AS (org.nr 916 203 950), a company registered in Norway. For questions, contact privacy@impulseai.app.
2. Data we collect
The table below describes the categories of data we collect, whether it is linked to your identity, and whether it is used for tracking.
| Category | Data | Linked to you? | Used for tracking? |
|---|---|---|---|
| Account information | Email, name (via Sign in with Apple) | Yes | No |
| User content | Impulses, session notes, check-in responses | Yes | No |
| AI-generated content | Insights, guidance, summaries | Yes | No |
| Audio data | Voice input for impulse capture (processed locally) | No | No |
| Preferences | Language, optional personalisation (life phase, goals) | Yes | No |
| Usage identifier | Anonymous user ID for authentication | Yes | No |
This table aligns with our App Store Privacy Nutrition Labels and PrivacyInfo.xcprivacy manifest.
3. Purposes of processing
We process your personal data for the following purposes:
- Delivering and personalising the Impulse experience
- Generating AI-driven insights and session guidance via Anthropic Claude
- Authenticating your account
- Improving app quality and reliability
4. AI processing
Your text content is sent to Anthropic (Claude AI) for impulse classification, session guidance, and pattern analysis. Anthropic does not use your data to train its models.
Short snippets of your content are also sent to Voyage AI to generate vector embeddings used for semantic search and pattern detection within the app. Voyage does not retain this content beyond the embedding call, and the resulting vectors are mathematical representations that cannot be reversed into the original text.
AI-generated insights are intended solely for personal reflection. They do not constitute professional psychological, medical, or therapeutic advice.
5. Error monitoring & analytics
Crash reporting (Sentry)
We use Sentry to detect and fix app crashes and errors. Sentry collects technical data when an error occurs: device type, operating system version, app version, error messages, and stack traces. This data is linked to your anonymous user ID but does not include your personal content (impulses, sessions, or notes). Sentry is only active in production builds. Data is processed in the USA under Standard Contractual Clauses (SCCs).
App analytics (TelemetryDeck)
We use TelemetryDeck for privacy-first analytics. TelemetryDeck does not collect personally identifiable information and is fully GDPR-compliant without requiring user consent. It tracks anonymous usage signals (for example, app launched or feature used) to help us improve the app experience. TelemetryDeck is based in Germany and processes all data within the EU.
6. Sub-processors
We use the following third-party providers to deliver the service:
| Provider | Country | Role |
|---|---|---|
| Supabase | USA / EU | Database and authentication |
| Railway | USA | API hosting |
| Anthropic | USA | AI processing (Claude) |
| Voyage AI | USA | Vector embeddings for semantic search (content is ephemeral and not retained) |
| Vercel | USA | Website hosting |
| Apple | USA | Authentication (Sign in with Apple) including server-to-server notifications about account status changes, and in-app purchases via the App Store |
| Sentry | USA | Error monitoring and crash reporting |
| TelemetryDeck | Germany (EU) | Privacy-first app analytics |
Data transfers to the USA are made under Standard Contractual Clauses (SCCs) in accordance with GDPR requirements.
7. Legal basis (GDPR Art. 6)
- Contract (Art. 6(1)(b)): Processing necessary to deliver the service you signed up for.
- Legitimate interest (Art. 6(1)(f)): Anonymised analytics for product improvement.
- Consent (Art. 6(1)(a)): Optional personalisation features and microphone access.
8. Data retention & deletion
Active accounts
Your personal data is stored for as long as your account is active.
Account deletion — 30-day grace period
When you delete your account (Profile → Delete account), the deletion is scheduled with a 30-day grace period. During this window you can cancel the deletion at any time from the Profile screen. Signing back in to your account during the grace period is also treated as an implicit cancellation. We interpret a new sign-in as “I’ve changed my mind.” After the 30 days, all personal data is permanently deleted via cascading database removal: impulses, sessions, insights, preferences, and profile.
Subscription cancellation (important)
Deleting your Impulse AI account does not automatically cancel any active App Store subscription. Apple is the system of record for in-app purchases, and we cannot cancel subscriptions from our side. To stop recurring charges, cancel your subscription via Settings → Apple ID → Subscriptions on your iPhone before deleting your account. The delete-account dialog inside the app provides a shortcut to this Settings screen.
Financial records (legal retention exception)
To comply with Norwegian bookkeeping legislation (bokføringsloven § 13) and EU accounting retention requirements, anonymised transaction records are retained for 5 years after account deletion. These records contain only: amount, currency, purchase date, platform (iOS/Android), and the platform transaction ID. They do not contain your name, email, user ID, or any other identifier that can be used to re-identify you. They exist solely for tax and audit compliance.
Audit records
Metadata about account deletion events (timestamp, reason code such as “user-initiated” or “Apple notification”, and a reference to the original user ID) is retained to demonstrate GDPR compliance and provide an audit trail for regulatory inquiries. Audit rows contain no personal content (no impulses, sessions, or profile data).
The legal basis for these retention exceptions is GDPR Art. 6(1)(c): processing necessary for compliance with legal obligations (tax/accounting law and GDPR Art. 30 record-keeping).
9. Your rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your account and all associated data (Profile → Delete account). Deletion takes effect 30 days after the request, giving you time to reconsider. See section 8 for details on retention exceptions.
- Data portability: request an export of your data
- Withdraw consent for optional data processing at any time
- Lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet)
To exercise any of these rights, contact privacy@impulseai.app.
10. Children
Impulse is not intended for children under 16. We do not knowingly collect personal information from anyone under 16 years of age.
11. Tracking
We do not track you across apps or websites. We do not use advertising identifiers, and we do not share data with advertising networks.
12. Changes to this policy
If we make material changes to this privacy policy, we will notify you within the app before the changes take effect.
13. Contact
For privacy questions or data requests:
privacy@impulseai.app
For general support:
support@impulseai.app