Privacy Policy

Last updated: June 2026

1. Introduction

StudPulse ("we", "our", or "us") operates the StudPulse platform โ€” an AI-native horse management system for breeding, boarding, and stud management.

This Privacy Policy explains what personal data we collect, why we collect it, and how we protect it. It is designed to comply with the General Data Protection Regulation (GDPR), the EU Artificial Intelligence Act (AI Act), and applicable US privacy laws including the California Consumer Privacy Act (CCPA/CPRA), the CAN-SPAM Act, COPPA, and the Nevada Privacy Law (SB 220).

To ensure maximum data sovereignty and privacy, all StudPulse application servers, databases, and AI models are hosted exclusively within the European Union.

Data Protection Contact: StudPulse is a startup and, based on the nature and scale of our processing, is not required to appoint a formal Data Protection Officer (DPO) under GDPR Art. 37. Our designated privacy contact handles all data protection enquiries and can be reached at support@studpulse.com.

2. Data Controller & Processor Roles

For the purposes of the GDPR, StudPulse acts as the Data Controller for your account information. For the equine and farm data you input into the platform regarding your clients, boarders, or staff, you act as the Data Controller and StudPulse acts as the Data Processor.

3. Data We Collect

We collect the following categories of information:

  • Account data โ€” your name, email address, password (hashed with bcrypt), and organisation name provided during registration.
  • Horse & Farm records โ€” all data you enter into the platform: horse profiles, medical records, breeding records, training logs, stable and stall assignments, feed plans, and event history.
  • Usage data โ€” pages visited, features used, AI agent queries, and timestamps of actions within the application.
  • Device & technical data โ€” browser type, operating system, IP address, and service worker state for PWA functionality.
  • Push notification tokens โ€” VAPID-based browser push subscription objects stored to deliver booking confirmations and care reminders.
  • Voice transcriptions โ€” text transcripts of voice commands submitted to the AI Barn Agent. Voice recording requires your explicit opt-in; you may delete your transcript history at any time from the AI settings page within the application.

4. How We Use Your Data & Legal Basis (GDPR Art. 6)

Under the GDPR, we process your personal data only when we have a valid legal basis. The table below maps each processing activity to its specific lawful basis:

5. Artificial Intelligence & EU AI Act Compliance

Because StudPulse is an AI-native platform powered by generative AI (Google Gemini), we strictly adhere to the transparency and safety requirements of the EU AI Act:

  • EU-Based Processing: All AI processing is localised. The AI models we use are hosted on servers located strictly within the European Union.
  • Risk Categorisation: The StudPulse AI Barn Agent qualifies as a "Minimal/Limited Risk" AI system under the EU AI Act. It assists with farm administration and data structuring โ€” it does not perform biometric identification, affect legal eligibility, or produce legally binding decisions.
  • Human Oversight: The AI does not make autonomous medical, legal, or financial decisions. All AI-generated suggestions (e.g., breeding dates, health alerts) require human-in-the-loop validation. You retain full ability to edit, override, or delete any AI-generated data.
  • No Foundation Model Training: Your voice transcripts, farm records, and personal data are used solely to provide context to your specific organisation's AI agent. Your data is never used to train global foundation AI models.
  • Data Processing Agreement (DPA): Our use of the Google Gemini API is governed by a DPA with Google LLC under GDPR Art. 28, which contractually restricts Google from using your data for any purpose other than providing the service to us.

6. Cookies & Analytics

We use Google Analytics 4 (property ID: G-G9WWE3TGC6) on our marketing website to understand visitor behaviour. In compliance with the ePrivacy Directive and GDPR, a cookie consent banner is displayed to visitors from the EU/EEA on their first visit. Google Analytics is only loaded after you have given explicit consent. You can withdraw consent or opt out at any time via the Google Analytics Opt-out Browser Add-on.

We also set functional cookies strictly necessary for authentication (JWT session management) and your language preference (studpulse_lang). These cookies do not track you across other websites and are set on the lawful basis of contract performance; they cannot be disabled without breaking the service.

7. Data Sharing & Sub-Processors

We do not sell your personal data. We share data only with the following sub-processors and only to the extent necessary to operate the service. All sub-processors are contractually bound by Data Processing Agreements (DPAs) under GDPR Art. 28.

International Data Transfers: Where data is transferred outside the European Economic Area (EEA), we ensure an adequate level of protection through Standard Contractual Clauses (SCCs) approved by the European Commission, or by relying on the EU-U.S. Data Privacy Framework (DPF) where applicable (GDPR Art. 44โ€“49).

8. Data Retention

We retain data only as long as necessary for the purposes described in this policy:

9. Your Rights (GDPR)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar data protection law, you have the right to:

  • Access (Art. 15) โ€” request a copy of the personal data we hold about you.
  • Correction (Art. 16) โ€” ask us to correct inaccurate or incomplete data.
  • Deletion (Art. 17) โ€” request that we delete your personal data ("right to be forgotten").
  • Portability (Art. 20) โ€” receive your data in a structured, machine-readable format (JSON or CSV).
  • Objection (Art. 21) โ€” object to processing based on legitimate interests (Art. 6(1)(f)).
  • Restriction (Art. 18) โ€” request that we restrict processing in certain circumstances.
  • Withdraw Consent โ€” where processing is based on consent (e.g., push notifications, voice transcription, GA cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Automated Decision-Making (Art. 22) โ€” you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. The StudPulse AI Barn Agent provides suggestions only and never makes binding automated decisions; a human is always in the loop.
  • Lodge a Complaint (Art. 77) โ€” you have the right to lodge a complaint with your national data protection supervisory authority. A list of EU supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu.

To exercise any of these rights, contact us at support@studpulse.com. We will respond within 30 days and, in complex cases, within 90 days with advance notice of the extension.

10. Security

We protect your data using industry-standard measures:

  • All data is transmitted over HTTPS (TLS 1.2+).
  • Passwords are hashed with bcrypt and never stored in plain text.
  • API access requires short-lived JWT access tokens (30-minute expiry) and rotating refresh tokens (7-day expiry).
  • Strict data isolation ensures users can only access data belonging to their own organisation.
  • Data Breach Notification: In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33). If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (GDPR Art. 34).

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to support@studpulse.com.

11. Children's Privacy

StudPulse is a B2B and professional tool not directed at children. We do not knowingly collect personal data from minors.

  • EU/EEA (GDPR Art. 8): Users must be at least 16 years of age (or have verifiable parental/guardian consent where applicable national law permits a lower age, with a minimum of 13). Where we become aware that data from a child under 16 has been collected without appropriate consent, we will delete it promptly.
  • United States (COPPA, 16 CFR Part 312): We do not knowingly collect personal information from children under 13 years of age. If you believe a child under 13 has provided us with personal information, contact us at support@studpulse.com and we will delete it immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you by email or a notice within the application at least 30 days before the changes take effect.

13. Contact & Governing Law

For privacy-related questions, data requests, or to exercise your rights, contact us at:
support@studpulse.com

This Privacy Policy and any disputes arising from it are governed by the laws of the European Union and the Republic of Poland (as the jurisdiction of the Data Controller). This does not affect your right to bring proceedings before your local supervisory authority or courts under applicable data protection law.

14. California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:

  • Right to Know โ€” request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete โ€” request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, security purposes, legal obligations).
  • Right to Correct โ€” request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing โ€” We do not sell your personal information and do not share it for cross-context behavioural advertising. You do not need to opt out, but you may contact us at support@studpulse.com to confirm this in writing.
  • Right to Limit Use of Sensitive Personal Information โ€” We do not use or disclose sensitive personal information beyond the purposes permitted by the CPRA.
  • Right to Non-Discrimination โ€” We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive a different level of service or be charged different prices.

Categories of Personal Information Collected (CCPA categories): Identifiers (name, email address, IP address); Commercial information (subscription plan); Internet or other electronic network activity (usage logs, pages visited); Audio/electronic data (voice transcripts, if consented); Inferences drawn (AI-generated farm summaries).

Shine the Light (California Civil Code ยง 1798.83): California residents may request once per year a list of categories of personal information disclosed to third parties for direct marketing purposes. StudPulse does not disclose personal information for third-party direct marketing purposes.

To exercise any of your California rights, contact us at support@studpulse.com with the subject line "California Privacy Request". We will respond within 45 days (extendable by a further 45 days with notice).

15. Nevada Residents

Nevada Revised Statutes Chapter 603A gives Nevada residents the right to opt out of the "sale" of certain personal information to third parties. StudPulse does not sell personal information as defined by Nevada law. If you have questions or wish to submit a request, contact us at support@studpulse.com.