GDPR & Compliance
PULSE GDPR compliance and data privacy
GDPR & Compliance
PULSE is designed with privacy and compliance built in.
GDPR Compliance
Data Retention
PULSE automatically deletes events after the retention period:
// Default: 90 days
// Configured in environment
const DATA_RETENTION_DAYS = 90
// Nightly deletion
DELETE FROM events
WHERE created_at < NOW() - INTERVAL '90 days'Configure in wrangler.toml:
[vars]
DATA_RETENTION_DAYS = "90"
GDPR_RETENTION_DAYS = "30"Right to Access
Users can request their data:
curl "https://api.example.com/api/v1/privacy/export?user_id=user_123" \
-H "Authorization: Bearer YOUR_API_KEY"Response: JSON or CSV export of user data
Right to Deletion
Users can request deletion of their data:
curl -X DELETE "https://api.example.com/api/v1/privacy/user/user_123" \
-H "Authorization: Bearer YOUR_API_KEY"This deletes:
- All events for the user
- User profile
- Cohort membership
- Any personal information
Data Portability
Users can export their data in standard format:
curl "https://api.example.com/api/v1/privacy/export?user_id=user_123" \
-H "Authorization: Bearer YOUR_API_KEY"CCPA Compliance
California Consumer Privacy Act (CCPA) requirements:
- Right to Know — User can request data
- Right to Delete — User can request deletion
- Right to Opt-Out — User can opt out of sale
- Right to Non-Discrimination — Cannot discriminate for exercising rights
PULSE implements all through privacy API.
Cookie Policy
If using the JavaScript tracker, disclose cookies:
<!-- Required: Cookie consent banner -->
<div id="cookie-banner">
We use analytics cookies to understand how you use our site.
<button onclick="acceptCookies()">Accept</button>
<button onclick="rejectCookies()">Reject</button>
</div>
<script>
// Only track if user accepts
if (localStorage.getItem('cookies_accepted')) {
PULSE.init({ siteId: 'site_abc123' })
}
</script>Data Processing Agreement (DPA)
PULSE can act as a Data Processor:
- Agree to Data Processing Addendum
- Update privacy policy to disclose processing
- Implement data security measures
Default DPA Terms:
- PULSE processes events only for analytics
- Data is not sold or shared
- User data is deleted after retention period
- Data is encrypted in transit and at rest
Privacy Policy Language
Include in your privacy policy:
"We use PULSE Analytics to understand how users interact with our service.
PULSE collects:
- Page views and events
- Device type and location
- Session information
Data is retained for 90 days and then automatically deleted.
Users can request data export or deletion at any time."Audit Logging
PULSE logs all data access:
{
"timestamp": "2024-03-05T10:30:00Z",
"action": "user_data_export",
"user_id": "user_123",
"requester": "admin@example.com",
"ip_address": "203.0.113.1"
}View audit logs:
wrangler tail --env production | grep "audit"SOC 2 Compliance
PULSE works toward SOC 2 Type II:
- ✓ Encryption in transit (TLS 1.3)
- ✓ Encryption at rest (D1)
- ✓ Access controls (API keys, rate limiting)
- ✓ Audit logging (Request logging)
- ✓ Incident response (Health checks)
Data Security
Encryption
- In Transit: TLS 1.3+ for all connections
- At Rest: D1 encryption enabled
- In KV: Encrypted by Cloudflare
Access Control
- API keys for authentication
- Per-site isolation
- Rate limiting per IP
Incident Response
Health monitoring with alerts:
# Health check includes security posture
curl https://api.example.com/health/readyCompliance Checklist
- Privacy policy updated
- Cookie consent implemented
- Data retention configured
- Deletion mechanism tested
- Export mechanism tested
- Audit logging enabled
- TLS 1.3+ enabled
- DPA agreement signed
- Staff privacy trained
Jurisdictions
PULSE data locations:
- Default: US (us-west-2, us-east-1)
- EU: Available with GDPR compliance
- Custom: Contact support for sovereign hosting
Next Steps
- Deployment — Deploy PULSE
- Security — Security architecture
Last updated: April 3, 2026