Privacy Policy

Data Controller

The data controller responsible for your personal data is:

Virtual Media srl
Registration Number: RO21383197
Email: [email protected]

Data We Collect

We collect the following categories of personal data:

Account Data

When you create an account, we collect your email address and display name. This information is necessary to provide you with access to our services.

Usage Data

We collect information about how you use our services, including feature usage patterns and session data. This helps us improve the product and understand how users interact with CodePulse.

Payment Data

When you subscribe to a paid plan, payment processing is handled by Stripe. We do not store your full credit card number, expiration date, or CVC on our servers. Stripe provides us with a tokenized reference and basic billing information (last four digits, card brand, billing address).

Technical Data

We automatically collect certain technical information when you visit our website, including your IP address, browser type and version, operating system, referring URL, and pages visited.

How We Use Your Data

We use your personal data for the following purposes:

• Service provision — To create and manage your account, authenticate you, and deliver the CodePulse service.
• Payment processing — To process subscription payments, manage billing, and fulfill tax obligations.
• Communication — To send you transactional emails (account confirmation, password resets, billing receipts) and, with your consent, product updates and announcements.
• Analytics — To understand usage patterns, improve our service, and identify and fix technical issues.

Gmail Send (Optional)

CodePulse offers an optional feature that lets you send emails from your connected Gmail account directly through the Telegram bot. If you choose to use this feature, the following data handling applies.

What permission we request

CodePulse requests only the https://www.googleapis.com/auth/gmail.send OAuth scope from Google. This scope grants exactly one capability: sending emails on your behalf. It does not grant any ability to read your inbox, modify or delete messages, change settings, manage labels, or access metadata about your existing mail. If your existing Gmail Connector in Anthropic Claude handles reading and drafting, it does so independently — CodePulse never touches that capability.

Where your credentials live

When you complete the consent flow at Google, Google issues your machine an OAuth refresh token. That refresh token is encrypted at rest with AES-256-GCM on your local hard drive — never transmitted to or stored on our servers. The encryption key is generated per-install and stored alongside the encrypted token on the same machine. We have no copy of either.

What we log when you send

Each send produces an audit-log entry on your local machine containing your Telegram user ID, a one-way HMAC-SHA256 hash of the sender email address (the plaintext never enters the log), the recipient count, the message size in bytes, and a duration timestamp. We do not log recipient addresses, subject lines, or message bodies. These audit rows live in your local SQLite database with a 90-day retention window.

Revoking access

You can revoke CodePulse's Gmail send permission at any time by either:

• Typing /disconnect_gmailin Telegram — this deletes the encrypted refresh token from your machine AND calls Google's revocation endpoint to invalidate it server-side.
• Visiting Google Account → Security → Third-party apps with account access and removing CodePulse manually.

Beta phase note

CodePulse's Gmail send capability launches in Google's Test User mode while we complete CASA Tier 2 verification (Cloud Application Security Assessment). During the beta phase, refresh tokens expire after 7 days and you may see a re-authentication prompt approximately weekly. After CASA verification clears, this restriction is lifted and tokens become indefinite. We will announce the transition on our blog and via in-app notification.

Legal Basis

We process your personal data on the following legal grounds under GDPR Article 6(1):

• Consent (Art. 6(1)(a)) — For setting non-essential cookies and sending marketing communications. You may withdraw your consent at any time.
• Contract (Art. 6(1)(b)) — For processing necessary to perform our contract with you, including account creation, authentication, and payment processing.
• Legitimate Interest (Art. 6(1)(f)) — For anonymous analytics to improve our service, and for security measures to protect our systems and users. We have conducted balancing tests to ensure these interests do not override your rights and freedoms.

Data Processors

We share your data with the following third-party processors who act on our behalf:

Each processor is bound by a Data Processing Agreement (DPA) and is required to handle your data in accordance with GDPR requirements.

Data Retention

We retain your personal data for the following periods:

• Account data — Retained until you delete your account. Upon account deletion, your personal data is removed within 30 days, except where we are legally required to retain it.
• Server logs — Retained for 90 days, then automatically deleted.
• Payment records — Retained for 7 years as required by Romanian fiscal legislation.
• Analytics data — Retained for 26 months, then automatically deleted.

Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15) — You may request a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — You may request correction of inaccurate personal data.
• Right to erasure (Art. 17) — You may request deletion of your personal data, subject to legal retention obligations.
• Right to restriction (Art. 18) — You may request restriction of processing in certain circumstances.
• Right to data portability (Art. 20) — You may request your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21) — You may object to processing based on legitimate interest at any time.
• Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint — You may lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania ([email protected]).

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

International Transfers

Some of our data processors are located outside the European Economic Area (EEA), primarily in the United States. For these transfers, we rely on EU Standard Contractual Clauses (SCCs) as adopted by the European Commission to ensure an adequate level of data protection.

Where applicable, we also rely on the EU-U.S. Data Privacy Framework certification of our processors. You may request a copy of the relevant safeguards by contacting us.

Children

CodePulse is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe we may have collected data from a child under 16, please contact us at [email protected].

Cookies

We use cookies and similar technologies on our website. For detailed information about the cookies we use, their purposes, and how to manage them, please see our Cookie Policy.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email or by posting a prominent notice on our website prior to the changes taking effect. We encourage you to review this page periodically.

Contact

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: [email protected]