Privacy Policy

Last updated: March 24, 2026

The short version

  • We only collect data necessary to deliver your daily email reports.
  • Your analytics data is fetched, processed, and emailed to you. We don't sell it. Ever.
  • We use industry-standard encryption and security practices.
  • You can export or delete your data at any time.

Read on for the legally complete version.

MorningPulse ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and service (the "Service").

This policy applies to all users of MorningPulse, regardless of location. Where specific regulations apply (such as the GDPR for EU/EEA users or the CCPA for California residents), additional provisions are noted below.

1

Information We Collect

1.1 Information You Provide Directly

  • Account Information: Your name, email address, and password when you create an account.
  • Billing Information: Payment method details (credit card number, billing address) processed securely through our third-party payment processor. We do not store full card numbers on our servers.
  • Preferences: Your selected metrics, delivery time, timezone, and notification preferences.
  • Communications: Any messages or feedback you send to our support team.

1.2 Information from Third-Party Services

  • Google Analytics 4 Data: When you connect your GA4 account, we access metrics such as sessions, pageviews, active users, traffic sources, conversions, and revenue data via the Google Analytics Data API using read-only OAuth 2.0 scopes.
  • Apple App Store Connect Data: When you provide an App Store Connect API key, we access metrics such as app units, impressions, product page views, in-app purchases, proceeds, crash counts, and ratings via the App Store Connect API.
  • Google Play Console Data: When you provide a service account JSON key, we access metrics such as store listing visitors, installs, uninstalls, revenue, ratings, reviews, and crash reports via the Google Play Developer Reporting API.
  • Stripe Data: When you provide a restricted API key with read-only permissions, we access metrics such as charges, customer counts, active subscriptions, balance transactions, and revenue breakdowns via the Stripe API. We never gain the ability to create charges, issue refunds, or modify any data in your Stripe account.

We only request the minimum data scopes necessary to generate your reports. We do not access personal data of your end users.

1.3 Information Collected Automatically

  • Usage Data: Pages visited, features used, email open rates, and click-through rates to improve the Service.
  • Device Information: Browser type, operating system, device type, and screen resolution.
  • Log Data: IP address, access timestamps, referring URLs, and error logs for security and diagnostics.
  • Cookies: We use essential cookies for authentication and session management. See Section 8 for details.
2

How We Use Your Information

We use collected information for the following purposes:

Service Delivery

Fetching your analytics data, generating reports, and delivering daily emails.

Account Management

Authentication, billing, subscription management, and customer support.

Service Improvement

Analyzing usage patterns to improve features, performance, and user experience.

Communication

Service announcements, security alerts, billing notifications, and (with consent) product updates.

Security & Fraud Prevention

Detecting unauthorized access, preventing abuse, and maintaining platform integrity.

Legal Compliance

Meeting legal obligations, responding to lawful requests, and enforcing our Terms.

We do not use your analytics data for advertising, profiling, or any purpose other than generating your requested reports.

3

Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases:

  • Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you signed up for.
  • Legitimate Interests (Art. 6(1)(f) GDPR): Improving the Service, ensuring security, and preventing fraud, where these interests do not override your fundamental rights.
  • Consent (Art. 6(1)(a) GDPR): Marketing communications and non-essential cookies, which you may withdraw at any time.
  • Legal Obligation (Art. 6(1)(c) GDPR): Compliance with applicable laws and regulations.
4

Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

  • Service Providers: We engage trusted third-party processors to assist with payment processing (Stripe), cloud hosting (Render, AWS), and analytics (GA4). Each processor is bound by data processing agreements and may only use your data as instructed by us.
  • Legal Requirements: We may disclose information if required by law, subpoena, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you of any such change and any choices you may have regarding your data.
  • With Your Consent: We may share data with third parties when you explicitly authorize us to do so.
5

Data Retention

We retain your data only for as long as necessary to fulfill the purposes described in this policy:

Data Type Retention Period
Account information Until account deletion + 30 days
Analytics data (reports) 90 days rolling, then permanently deleted
Billing records 7 years (legal/tax requirement)
Server logs 90 days
Support correspondence 2 years after last interaction
OAuth tokens / API keys Until revoked or account deletion

When data is no longer needed, it is permanently deleted or anonymized so that it can no longer be associated with you.

6

Data Security

We implement robust technical and organizational measures to protect your data:

  • Encryption in Transit: All data transmitted between your browser, our servers, and third-party APIs is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: Sensitive data stored on our servers is encrypted using AES-256 encryption.
  • Access Controls: Access to user data is restricted to authorized personnel on a need-to-know basis, protected by multi-factor authentication.
  • Infrastructure: We host on AWS with SOC 2 Type II-compliant infrastructure, regular security audits, and automated vulnerability scanning.
  • OAuth & API Key Security: Google OAuth tokens and App Store Connect API keys are stored in encrypted vaults and are never exposed in logs or to support staff.
  • Incident Response: We maintain an incident response plan and will notify affected users within 72 hours of discovering a personal data breach, as required by applicable law.

While we take every reasonable precaution, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the highest commercially reasonable standard.

7

International Data Transfers

MorningPulse is based in the United States. If you access the Service from outside the U.S., your data may be transferred to and processed in the United States or other countries where our service providers operate.

For transfers from the EEA, UK, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Data processing agreements with all sub-processors that include appropriate safeguards.
  • Additional technical measures (encryption, pseudonymization) to ensure an equivalent level of protection.
8

Cookies and Tracking Technologies

We use a minimal set of cookies:

Cookie Type Purpose Duration
mp_session Essential Authentication and session management Session
mp_csrf Essential Cross-site request forgery protection Session
mp_prefs Functional Remembering your timezone and preferences 1 year

We use Google Analytics for website analytics, which is a privacy-focused analytics tool. Fully GDPR-compliant.

We do not use advertising cookies, tracking pixels, or social media trackers of any kind.

9

Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

9.1 Rights for All Users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Data Portability: Request an export of your data in a machine-readable format (JSON or CSV).
  • Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

9.2 Additional Rights for EU/EEA/UK Users (GDPR)

  • Restriction: Request restriction of processing under certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Supervisory Authority: Lodge a complaint with your local data protection authority.

9.3 Additional Rights for California Residents (CCPA/CPRA)

  • Right to Know: Request disclosure of the categories and specific pieces of personal information collected.
  • Right to Delete: Request deletion of personal information collected.
  • Right to Opt-Out of Sale: We do not sell personal information. This right is automatically honored.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CPRA.

To exercise any of these rights, contact us at privacy@morningpulse.app. We will respond within 30 days (or sooner where required by law). We may need to verify your identity before processing your request.

10

Children's Privacy

MorningPulse is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal data, we will take immediate steps to delete that information.

If you believe a child has provided us with personal data, please contact us at privacy@morningpulse.app.

11

Third-Party Links

The Service may contain links to third-party websites or services that are not owned or controlled by MorningPulse. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

12

Do Not Track Signals

We honor Do Not Track (DNT) browser signals. When we detect a DNT signal, we disable any non-essential analytics tracking for that session. Since we already use privacy-focused analytics that does not track individual users, the practical effect is minimal — your experience remains unchanged.

13

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes:

  • We will update the "Last updated" date at the top of this page.
  • We will notify you by email at least 15 days before changes take effect.
  • For significant changes, we may require you to re-acknowledge the updated policy.

We encourage you to review this page periodically. Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.

14

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please reach out:

MorningPulse — Data Protection

Email: privacy@morningpulse.app

Website: morningpulse.app

For GDPR-related inquiries, you may also contact our Data Protection Officer at dpo@morningpulse.app.

We aim to respond to all privacy-related requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.