Legal · Privacy Policy

Privacy, plainly written.

GDPR (Regulation (EU) 2016/679) and Austrian DSG. What pulsemail collects, why, who else touches it, and how to get it back or have it deleted — with a clean separation between Sender and Recipient data.

Last updated: 2026-05-04
Controller: BLUN · Mayk Biletti
Hosting: EU only · Hetzner DE

1. Controller

Operator: BLUN — Mayk Biletti

Address: Sportplatzgasse 32b, 2443 Leithaprodersdorf, Austria

Email: blun.ai.app@gmail.com

Status: Sole proprietor (Kleinunternehmer §6 Abs.1 Z 27 UStG)

Service: pulsemail / send.blun.ai — hosted email-sending platform

For most data we hold — your account, your billing, your campaign templates — BLUN is the controller under Art. 4(7) GDPR. For Recipient data (your subscribers' email addresses and engagement events) BLUN acts as a processor on the Sender's instruction; see Section 6 and our Data Processing Agreement.

2. Categories of personal data we process

Sender account data

Email address, optional display name, organisation, role, OAuth provider IDs (when signing in via Google etc.), subscription tier, API tokens (hashed), notification preferences.

Sender's subscriber data ("Recipients")

Email address, optional fields (name, country, locale, custom merge tags), consent state and timestamp, source attribution, suppression status (unsub/bounce/complaint), open and click events, IP at open (truncated to /24 for IPv4 or /48 for IPv6), user-agent.

Sending and deliverability data

Message metadata (subject hash, send timestamp, queue, sending IP), DKIM/SPF/DMARC alignment results, ESP feedback loop reports, bounce categories.

Technical data

IP address (truncated for analytics), browser type/version, operating system, device type, dashboard access timestamps, referring page.

Payment data

Card and bank details are processed exclusively by Stripe Payments Europe Ltd. We retain only a Stripe customer reference, payment status, currency, amount, and invoice line items.

Cookies & local storage

Essential session, CSRF token, locale, and dashboard UI state. Optional analytics only with consent (Section 7).

3. Legal bases for processing

  • Art. 6(1)(b) — Performance of contract: account creation, sending of campaigns, billing, deliverability infrastructure, dashboard analytics, support.
  • Art. 6(1)(f) — Legitimate interest: service security, fraud and abuse prevention, anti-spam pre-send checks, DKIM/SPF reputation monitoring, aggregated benchmarking, system stability.
  • Art. 6(1)(a) — Consent: non-essential cookies, optional product analytics, push notifications, marketing emails from pulsemail to the Sender.
  • Art. 6(1)(c) — Legal obligation: retention of payment and invoice records under Austrian tax law (BAO § 132).
  • Art. 28 GDPR — Processor role: processing of Recipient data on documented instruction of the Sender, governed by our DPA.

4. Retention

  • Sender account: for the lifetime of the account; deleted on request or after prolonged inactivity (24 months).
  • Recipient data (active subscribers): retained per the Sender's instruction; deleted within 30 days of the Sender's account closure unless the Sender requests an export first.
  • Suppression list (unsubscribe, hard bounce, complaint): retained indefinitely at hashed-email level. This is required by anti-spam compliance — once a Recipient unsubscribes, we must remember it forever to honour the opt-out.
  • Activity / engagement logs: 12 months for security and abuse prevention, then aggregated and anonymised.
  • Payment references & invoices: 7 years (Austrian BAO § 132 — bookkeeping retention).
  • Consent records: 3 years beyond the end of the business relationship.
  • Backups: encrypted, EU-only, rolling 30-day retention. Deletion requests are honoured in live data immediately and propagate through backups within the rolling window.

5. Sub-processors & data transfers

We sign Data Processing Agreements with each sub-processor per Art. 28 GDPR. The current list:

  • Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) — hosting, storage, sending infrastructure, backups. EU only.
  • Stripe Payments Europe Ltd. (1 Grand Canal Street Lower, Dublin, Ireland) — payment processing for paid plans. EU; some onward US transfers under EU-US Data Privacy Framework + SCCs.
  • BLUN AI gateway (in-house, EU) — AI-assisted subject-line suggestions, send-time optimisation, and copy review. We do not use external LLM providers as default backends.
  • Apple Push Notification Service (Apple Inc., US) — only when a Sender opts in to dashboard push notifications. Data Privacy Framework + SCCs.
  • Google (Firebase Cloud Messaging) (Google Ireland Ltd. + Google LLC US) — only when a Sender opts in to dashboard push notifications. Data Privacy Framework + SCCs.
  • Expo (650 Industries, Inc., US) — push-notification dispatch for the optional pulsemail mobile app. Data Privacy Framework + SCCs.

The default flow has no US transfers. Push providers are activated only when you explicitly enable mobile/desktop notifications.

6. Sender vs Recipient — two relationships

This distinction is critical for understanding pulsemail's GDPR posture:

Sender · Our Customer

You — when you send campaigns

You signed up for pulsemail. We are the controller of your account, billing, and dashboard data. This Privacy Policy applies directly to you.

Legal basis: contract performance (Art. 6(1)(b)).

Recipient · Your Subscribers

People your campaigns reach

Their email addresses, names, opens and clicks. You are the controller. pulsemail (BLUN) is your processor per Art. 28 GDPR.

Governed by the DPA — which auto-applies when you accept our Terms.

Practical consequence: if a Recipient asks pulsemail directly to access or delete their data, we will forward the request to the Sender (controller) and process it on the Sender's instruction. Recipients should contact the Sender first; we still respond to direct inquiries within 30 days under Art. 12(3).

7. Cookies & tracking

Default cookies are essential only — session, CSRF, locale, dashboard UI state. Optional analytics and product-marketing cookies require your consent via the cookie banner; you may withdraw consent at any time via the same banner or by emailing us.

Tracking pixels in your outgoing emails (open beacons, click-tracking redirects) are optional features you control per campaign in the dashboard. When disabled, no tracking pixel is inserted.

8. Your rights (GDPR Art. 15-22)

  • Access (Art. 15) — request a copy of your data
  • Rectification (Art. 16) — fix incorrect or incomplete data
  • Erasure (Art. 17) — request deletion (subject to legal retention and indefinite suppression-list compliance)
  • Restriction (Art. 18) — temporarily limit processing
  • Portability (Art. 20) — receive your data in machine-readable form (CSV / JSON)
  • Objection (Art. 21) — opt out of legitimate-interest processing
  • Withdraw consent (Art. 7) at any time, without affecting prior lawful processing
  • Right to lodge a complaint with the supervisory authority (see Section 9)

Reach us at blun.ai.app@gmail.com. We respond within 30 days as required by Art. 12(3). For data-breach notifications under Art. 33 we notify Senders and authorities within 72 hours of becoming aware.

9. Supervisory authority

Authority: Österreichische Datenschutzbehörde

Address: Barichgasse 40-42, 1030 Wien, Austria

Phone: +43 1 52 152-0

Email: dsb@dsb.gv.at

Web: www.dsb.gv.at

You may also lodge a complaint with the supervisory authority of your habitual residence within the EU.

10. Changes to this policy

We may update this policy to reflect changes in our service or law. Material changes will be announced via email and via in-app banner at least 14 days before they take effect. The current version date is shown at the top of this page; previous versions are archived and available on request.