Privacy Policy

Effective date: October 17, 2025
BluPul, LLC (“BluPul,” “we,” “us,” or “our”)
Website: https://blupul.com

Privacy contact: privacy@blupul.com
Support: support@blupul.com

1. Introduction

We respect your privacy. This Privacy Policy explains what personal data we collect, how we use it, and your rights. It applies to our mobile application BluPul (the “App”) and our websites, including blupul.com and any landing pages (collectively, the “Websites”). Together, the App and Websites are the “Services.”

For purposes of EU and UK data protection laws, BluPul is the data controller unless stated otherwise.

2. Scope

This Policy applies to personal data collected through the Services or when you otherwise interact with us. The Services may link to third-party sites. Their practices are governed by their own policies.

3. Information We Process

3.1 Information you submit

We collect the information you choose to provide.

Account and contact information

  • Name
  • Email address
  • Password or passcode
  • Phone number if provided
  • Content in messages you send us
  • Email verification status

Profile and general information

  • Gender
  • Date of birth or age
  • Height and weight

Health and well-being data

If you use App measurement features or connect HealthKit by granting permission in the App, we may process:

  • Heart rate
  • Heart rate variability
  • Sleep and recovery metrics
  • Readiness, stress, tension, balance, energy and similar wellness indicators

These are derived from RR intervals and other metrics during a measurement or imported from HealthKit when you grant access. You can decline to save any measurement and you can delete saved measurements in the App.

Camera use for PPG

To estimate heart rate, the App uses the camera as a light sensor during a measurement. Images are processed locally on your device and not saved to your camera roll. We do not collect your camera roll contents.

HealthKit integration

If you allow it in iOS, we may read categories such as heart rate, HRV, sleep, workouts, steps or activity, height, weight, date of birth and gender. Apple’s policies apply to data held by Apple. You can disable access anytime in iOS Settings.

Blood test uploads and documents

If you choose to upload lab results or health documents, we will store the files and extracted values so you can track results over time. You decide what to upload. You can delete uploads in the App.

Web forms and onboarding

Some Website landing pages and in-App quizzes personalize your experience. Where possible, these inputs are processed locally and not transmitted unless you submit them. On submission, we collect only the fields shown on the form.

AI features

If you use AI insights, we process your inputs and relevant readings to generate responses. See Section 4 for how we use AI and your choices.

3.2 Information collected automatically

When you use the Services, we may automatically collect:

  • Device information and identifiers, operating system, model, language and time zone
  • IP address and coarse location derived from IP or SIM region
  • Session timestamps, log files, crash logs and in-App events
  • Cookies, SDKs and similar technologies on the Websites and in the App for functionality and analytics, and for marketing only with your consent

Clarifications

  • We do not collect precise GPS location.
  • In-App analytics are used to understand feature usage, performance and errors.
  • App Store purchases are handled by Apple. For web subscriptions, payments may be handled by processors such as Stripe or PayPal. We do not store full card numbers.

3.3 Information from third parties

We may receive data from:

  • App stores and analytics providers
  • Authentication providers if you log in with Apple or Google
  • Marketing partners with your consent where required

We process your personal data under one or more of the following: contract, consent, legitimate interests and legal obligations.

Purposes include

  • Provide and operate the Services, including measurements and sync features (contract)
  • Store and retrieve health data, readings, medications and measurements to track trends over time (contract)
  • Communicate with you, send transactional messages and support (contract, legitimate interest)
  • Improve and test the App and Websites, including analytics and A/B testing (legitimate interest or consent)
  • Personalize content and experience (contract or consent)
  • Send marketing communications where permitted. You can opt out (consent or legitimate interest)
  • Security, fraud prevention and enforcing our Terms (legitimate interest or legal obligation)
  • HR and recruiting where applicable (consent or legitimate interest)

AI processing

  • We use algorithmic and AI systems to generate wellness insights, summarize trends, and surface education.
  • Inputs may include your measurements, profile, uploaded documents and in-App activity relevant to the feature you use.
  • Processing occurs locally on device where possible. When cloud processing is used, data are transmitted securely to our infrastructure.
  • We do not use health data for advertising or sell it.
  • We may use aggregated or de-identified data to evaluate and improve models. You can object to our use of your personal data for model improvement by emailing privacy@blupul.com.

5. Sharing of Information

We do not sell personal data. We do not share HealthKit or health data with third parties for advertising.

We share data only as described:

  • Personnel and service providers. Trusted vendors that support storage, hosting, analytics, authentication, email, push notifications, payments and error logging. They process data under our instructions and safeguards.
  • Authentication. If you use Sign in with Apple or Google, we receive limited profile info as permitted by you.
  • Payments. Apple for in-App purchases, and Stripe or PayPal for web checkout. We receive transaction metadata, not full card numbers.
  • Marketing and analytics. With consent where required, we use privacy-focused analytics and ad platforms to measure campaign performance. We never share health data for advertising.
  • Legal and safety. We may disclose information to comply with law, protect rights and safety, or in connection with corporate transactions.
  • Aggregated or anonymized data. We may share de-identified statistics that do not identify you.

Key processor listing

To be transparent, principal processors include:

  • Supabase (managed Postgres, authentication, object storage). Purpose: secure storage of account data, health records you save, file uploads such as lab reports, logs needed to operate the App.
  • Amazon Web Services or equivalent cloud infrastructure used by our processors. Purpose: hosting and storage.
  • Firebase. Purpose: hosting, device messaging and crash analytics.
  • Email and push providers. Purpose: system notifications and support.
  • Stripe or PayPal. Purpose: web payments.

We maintain data processing agreements with our processors.

HealthKit commitments

  • Health data from HealthKit is used only to provide or improve health and fitness features in the App.
  • We do not use HealthKit data for marketing or advertising.
  • We do not sell HealthKit data.
  • We do not disclose HealthKit data to third parties except to service providers acting on our behalf and only to provide the Services, subject to confidentiality and security.

6. Your Rights

Depending on your location, you may have rights to access, rectify, erase, restrict, object, withdraw consent and data portability. You can opt out of marketing at any time. Contact privacy@blupul.com.

We do not “sell” personal information as defined by the CCPA. Virginia residents can opt out of targeted advertising. We do not engage in profiling that produces legal or similarly significant effects.

7. International Transfers

We may process data in the United States and other countries. Where required, we use safeguards such as Standard Contractual Clauses.

8. Retention

We keep personal data as long as needed to provide the Services, comply with law, resolve disputes and enforce agreements. You may delete your account in the App. Some records may be retained for legal or security reasons.

9. Security

We use administrative, technical and physical safeguards, including encryption where appropriate. No method is completely secure. If a breach affects your data, we will notify you as required by law.

10. Children’s Privacy

The Services are not directed to children under 13, and users in the EEA or UK must be 16 or older. We do not knowingly collect personal data from children below these ages. If you believe we have, contact support@blupul.com and we will delete it.

11. Data Deletion

You can delete individual measurements, documents and uploads in the App. You can delete your account in the App, which removes personal data from active systems. Some data may be retained for limited periods in backups, logs and records required by law. See Backup and Recovery for timelines.

12. Backup and Recovery

We maintain rolling encrypted backups to ensure service continuity and disaster recovery. Backups are retained for up to 35 days, after which they are overwritten on a rolling basis. If you delete content or your account, it will be removed from active systems immediately and from backups within the normal backup rotation cycle.

13. Changes to this Policy

We will update this Policy when necessary and post the latest version on https://blupul.com/privacy.

14. Contact

BluPul, LLC
Privacy: privacy@blupul.com
Support: support@blupul.com