This Privacy Policy describes how RangePulse ("we," "us," or "our") collects, uses, stores, and protects information when you use the RangePulse application and related services (collectively, the "Service"). RangePulse is a health vitals tracking application available as a free self-hosted version and a cloud-hosted version ($4.99/month). Data collection differs significantly between them.

By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, do not use the Service.

1. Information We Collect

Self-Hosted Version

We collect absolutely nothing from self-hosted installations. No data is transmitted to RangePulse servers or any third party. No telemetry, no phone-home, no analytics. Your data stays on your hardware and we never see it.

Cloud Version

When you use the RangePulse cloud service, we collect the following:

Account Information:

Health Vitals Data:

All health vitals data is stored in Amazon DynamoDB, isolated per user account.

Session Data:

Payment Information:

2. How We Use Your Information

We use collected information solely for the following purposes:

We do not use your health data for advertising, profiling, marketing, research, or any purpose other than providing the Service to you.

We do not sell, rent, lease, or trade your personal data or health data to any third party, under any circumstances. We have never sold user data and have no intention of doing so.

3. Data Storage and Security

Cloud version data is stored on Amazon Web Services (AWS) infrastructure in the us-east-1 (N. Virginia) region. Specific measures include:

While we implement industry-standard security measures, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security, but we commit to promptly addressing any vulnerabilities discovered in our systems.

4. Health Data

RangePulse is not a medical device. The Service is a personal health data tracking tool. It is not intended to diagnose, treat, cure, or prevent any disease or medical condition. Nothing in the Service constitutes medical advice.

RangePulse is not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). We are not a healthcare provider, health plan, or healthcare clearinghouse. The health data you enter is self-reported and user-entered; it is not clinically validated data from a medical device or healthcare provider system.

As a defensive measure, we maintain an AWS Business Associate Agreement (BAA) and apply security practices consistent with protecting sensitive personal information. However, the existence of a BAA does not make RangePulse a HIPAA-covered entity or business associate.

The clinical PDF reports generated by RangePulse are formatted summaries of your self-entered data. They are intended as a convenience for sharing your tracked vitals with your healthcare provider. They do not constitute medical records, clinical assessments, or diagnostic reports.

You are solely responsible for the accuracy of the health data you enter. RangePulse does not validate, verify, or clinically review any user-entered data.

5. Third-Party Services

The cloud version relies on the following third-party service providers. These providers may process your data only as necessary to provide their services to us:

We do not use any third-party analytics, advertising, tracking, or social media services. We do not embed third-party scripts that collect user data beyond the services listed above.

6. Data Export and Deletion

Data Export: You may export all of your health data at any time in CSV or JSON format through the Service's export functionality. This includes all blood pressure, heart rate, weight, and mileage entries you have recorded. Your data belongs to you, and you should always be able to take it with you.

Account Deletion: You may request deletion of your account at any time. When you delete your account:

Data Retention After Deletion

When you delete individual health readings, they are moved to a Recycle Bin and retained for 35 days. During this period, you can restore deleted readings yourself from the Recently Deleted section of your dashboard. After 35 days, deleted readings are permanently and irreversibly removed from our systems.

When you delete your account, all data — including any entries in the Recycle Bin — is permanently removed immediately. There is no recovery period for account deletion.

We recommend exporting your data before deleting your account. After account deletion, we may retain server access logs containing your IP address for up to 90 days for security and abuse prevention purposes, after which they are automatically purged.

7. Self-Hosted Version

The self-hosted version of RangePulse collects zero data. We have no telemetry, no phone-home functionality, and no analytics of any kind baked into the application.

When you run RangePulse on your own server:

The self-hosted version is open source. You can audit the code yourself to verify these claims.

8. Cookies and Sessions

The cloud version of RangePulse uses session cookies for authentication only. These cookies are strictly necessary for the Service to function and allow us to keep you logged in during your session.

We do not use:

Because we use only strictly necessary session cookies, no cookie consent banner is required under most applicable privacy regulations.

9. Children's Privacy

RangePulse is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without verification of parental consent, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child under 13 has provided personal information to RangePulse, please contact us at hello@rangepulse.com so we can take appropriate action.

This policy is consistent with the requirements of the Children's Online Privacy Protection Act (COPPA).

10. Data Breach Notification

In the event of a data breach that compromises the security of your personal information or health data, we will:

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

We encourage you to review this policy periodically. The current version will always be available at this URL.

12. California Privacy Rights (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

To exercise any of these rights, contact us at hello@rangepulse.com. We will respond to verifiable requests within 45 days.

13. European Users

RangePulse does not specifically target users in the European Economic Area (EEA) or the United Kingdom. However, if you access the Service from these regions, we acknowledge the following rights consistent with the General Data Protection Regulation (GDPR):

Our legal basis for processing your data is the performance of our contract with you (providing the Service you have subscribed to) and our legitimate interests in maintaining the security and functionality of the Service.

Data is stored and processed in the United States. By using the cloud version of the Service, you acknowledge that your data will be transferred to and processed in the United States.

Right to lodge a complaint: If you believe our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or place of the alleged violation (GDPR Art. 77).

Data retention (EEA / UK users): Active accounts retain health data for as long as the account exists. Deleted entries are recoverable for 35 days then permanently purged. Cancelled accounts enter a 3-day grace period before deletion. After deletion, only legally-required records (billing receipts, audit trails) are retained for the periods required by applicable tax and accounting law. Full retention details are in Section 6 above.

Data Protection contact: For all data-protection inquiries — access requests, erasure requests, supervisory-authority correspondence — contact hello@rangepulse.com with subject line "Data Protection Request". We will respond to verifiable EEA/UK requests within 30 days, consistent with GDPR Art. 12(3).

14. Contact Information

If you have questions about this Privacy Policy, wish to exercise any of your data rights, or have concerns about how your information is handled, contact us at:

Email: hello@rangepulse.com
Subject line: Privacy Policy Inquiry

We will respond to all privacy-related inquiries within 30 days.