Back to Pulse
Pulse Legal

Pulse Privacy Policy

Effective and last updated: July 2, 2026

This Privacy Policy explains how Vaylo Studios ("we," "us," or "our") collects, uses, and shares information in connection with Pulse (the "Service"). Pulse is designed so that most of your work happens on your own machines: the runner runs locally, AI calls use your own AI subscriptions or keys, and the cloud hub (the "Hub") acts primarily as an authenticated relay and coordination layer. The controller of the personal data described here is Vaylo Studios LLC, a Florida limited liability company. You can reach us about privacy at [email protected].

This policy is specific to Pulse. Your use of other Vaylo Studios products and the website is governed by our general Privacy Policy, which also covers account, billing, and cross-platform data shared with your Vaylo account.

1. Information We Collect

CategoryExamplesWhere it lives
Account informationYour account identifier, email address, plan, and authentication records.Hub (US)
Billing informationStripe customer ID and subscription ID, plan status, and invoice metadata. Card numbers and full payment details are collected and stored by Stripe, not by us.Stripe; Hub stores identifiers only
Strand & workspace metadataStrand names, notes, task status, and related metadata that runners sync to the Hub for coordination.Hub (US)
Encrypted secretsIntegration credentials you choose to store are held encrypted at rest (AES-256-GCM). Keys are decrypted only in memory at request time and are not written to logs or returned to the browser.Hub (encrypted) and/or your local runner vault
Audit & usage logsRecords of actions taken (actor, action, resource, timestamp, IP), API usage counters, and runner connection/session logs.Hub (US)
Technical & usage dataIP address, approximate region, runner version, request metadata, and diagnostic information.Hub (US)
Optional webcam / vision framesIf you enable webcam vision, frames captured on your machine are processed by your own configured AI provider to derive presence/scene signals. These frames are processed on your machine and are not stored on the Hub.Your machine + your AI provider only

Because of Pulse's architecture, the contents of your files, terminals, and AI conversations generally remain on your machines and with the AI providers you configure; the Hub relays commands and stores the account, billing, metadata, encrypted-secret, and log data described above.

2. How We Use Information

  • To provide, operate, secure, and maintain the Service, including relaying commands to your runners.
  • To authenticate you and manage your account and plan.
  • To process subscriptions and payments through Stripe.
  • To enforce usage limits and plan gating, and to detect, prevent, and investigate abuse, fraud, and security incidents.
  • To maintain audit logs and provide operational transparency to you.
  • To provide support and to communicate with you about the Service.
  • To comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information, and we do not send your data to AI providers on your behalf beyond what your own configured keys, subscriptions, and runner perform.

3. Legal Bases (where applicable)

Where the GDPR or similar laws apply, we process personal data on the bases of: performance of our contract with you (providing the Service); our legitimate interests (securing and improving the Service, preventing abuse); compliance with legal obligations; and your consent where required (for example, optional features such as webcam vision).

4. How We Share Information

We share information only as needed to run the Service:

  • Stripe, Inc. — payment processing and subscription management.
  • Hosting/infrastructure providers — including Railway, which hosts the Hub in the United States.
  • Your own AI providers — such as Anthropic, OpenAI, Google, or local model runtimes, accessed using your own credentials and subscriptions under their policies.
  • Legal & safety — when required by law, to protect rights and safety, or in connection with a corporate transaction (e.g. merger or acquisition).

Bring-your-own-AI data flow. When you run AI features, the runner on your machine sends your prompts, files, code, and other content directly to the AI provider you have configured, using your own credentials, subscription, or API key. That content is handled under your agreement and the privacy policy of that AI provider, not by us. We do not act as an intermediary for, receive, or store the substance of those AI requests and responses on the Hub; the Hub relays control signals and stores only the account, billing, metadata, encrypted-secret, and log data described above.

5. Data Location & International Transfers

The Hub and its database are hosted in the United States. If you access Pulse from outside the United States, your information will be transferred to and processed in the United States. Where required, we rely on appropriate transfer mechanisms such as the Standard Contractual Clauses.

6. Security

We use technical and organizational measures to protect information, including encryption in transit (TLS) and encryption at rest for stored secrets (AES-256-GCM), row-level access controls, and hashed authentication tokens. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. You are responsible for securing your own machines, credentials, and runner tokens. In the event of a personal-data breach that affects you, we will notify affected users and applicable authorities where and within the time required by law.

7. Data Retention

We retain account, billing, metadata, and log data for as long as your account is active and as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Audit and billing records may be retained for up to 7 years, or longer where required by applicable law. When you delete your account, we delete or de-identify associated personal data within 30 days, except where retention is legally required. Optional webcam frames are not retained on the Hub.

8. Your Rights & Choices

Depending on your location, you may have rights to access, correct, export, restrict, or delete your personal data, and to object to certain processing. Pulse provides self-service endpoints for the most common requests:

  • Access / export: request a copy of your data via GET /api/account/export.
  • Deletion: delete your account and associated data via DELETE /api/account.

You may also contact us at [email protected] to exercise your rights. We will respond within the time required by applicable law. We will not discriminate against you for exercising your rights.

GDPR (EEA/UK)

If you are in the European Economic Area or the United Kingdom, you have the rights described above under the GDPR/UK GDPR, including the right to lodge a complaint with your local supervisory authority.

CCPA/CPRA (California)

If you are a California resident, you have the right to know what personal information we collect, to request access and deletion, to correct inaccurate information, and to opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. You may exercise these rights using the endpoints above or by contacting us at [email protected].

9. Cookies & Local Storage

Pulse uses browser local storage rather than traditional advertising cookies. In particular, your authentication token (a JWT) is stored in your browser's localStorage to keep you signed in, along with UI preferences and session state. We do not use third-party advertising or cross-site tracking cookies.

10. Children's Privacy

Pulse is not intended for and may not be used by anyone under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe a child has provided us personal information, contact us at [email protected] and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date and, for material changes, provide notice by reasonable means. Your continued use of the Service after changes take effect constitutes acceptance.

12. Contact Us

For privacy questions or requests, contact us at [email protected].

See also our Pulse Terms of Service.