Section 01Introduction
EmoPulse ("we," "our," or "us"), operated by Arvydas Pakalniskis (sole proprietor), is committed to protecting your privacy. This Privacy Policy explains how our emotion AI platform handles your information in compliance with the EU General Data Protection Regulation (GDPR), the Lithuanian Personal Data Protection Law, and other applicable data protection regulations.
This policy applies to all users of the EmoPulse platform, including the web application at emopulse.app, mobile applications, and any enterprise or API deployments.
Section 02Data Controller
The data controller responsible for your personal data is:
For data protection inquiries, contact us at privacy@emopulse.app.
Section 03Two Processing Modes
EmoPulse operates in two distinct modes. Your data is handled differently depending on the mode:
3a. On-Device Mode (Default)
By default, all biometric and emotional analysis is performed entirely on your device:
- Camera, microphone, and biometric data never leave your device
- All AI models run locally using TensorFlow.js
- No internet connection required for core features
- No data is transmitted, stored on servers, or accessible to EmoPulse
- Works in air-gapped and offline environments
3b. Server-Side Mode (Enterprise & Defence)
For enterprise, healthcare, and defence clients who choose server-side processing:
- Data processing occurs on dedicated servers under a separate Data Processing Agreement (DPA)
- All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Server deployments can be on-premise, private cloud, or air-gapped — as required by the client
- Data retention, access controls, and deletion policies are defined per contract
- No data is shared with third parties without explicit client authorization
Important
Server-side mode is only activated by explicit enterprise agreement. Consumer users always operate in on-device mode. You will never be moved to server-side processing without your knowledge and written consent.
Section 04Data We Process (On-Device Only)
In on-device mode, EmoPulse analyzes the following data types — all processed entirely on your device:
- Camera Feed: Used for facial expression analysis, heart rate detection (rPPG), micro-expression detection, gaze tracking, and neural mesh mapping. Never recorded or transmitted.
- Microphone Input: Used for voice emotion analysis (pitch, tone, speech patterns, emotional contagion). Never recorded or transmitted. Microphone access requires your explicit permission before activation.
- Biometric Data: Heart rate (BPM), heart rate variability (HRV), breathing rate, stress levels, cognitive load, authenticity score, and 47 additional emotional and physiological parameters. Calculated locally and stored only on your device.
Section 05Data We Do NOT Collect
We want to be clear about what we do NOT do in on-device mode:
- We do NOT record video or audio
- We do NOT send camera or microphone data to any server
- We do NOT store facial images or voice recordings
- We do NOT share biometric data with third parties
- We do NOT use your biometric data for advertising or profiling
- We do NOT sell your data to anyone, ever
- We do NOT use your data to train AI models
Section 06Data We May Collect
We may collect limited, non-biometric data for platform functionality:
| Data Type | Purpose | Legal Basis (GDPR) |
|---|
| Email address | Account creation (optional) | Consent (Art. 6(1)(a)) |
| Subscription status | Service delivery | Contract (Art. 6(1)(b)) |
| Anonymous usage statistics | App improvement (no biometric data) | Legitimate interest (Art. 6(1)(f)) |
| Crash reports | Technical stability | Legitimate interest (Art. 6(1)(f)) |
| IP address (server logs) | Security & abuse prevention | Legitimate interest (Art. 6(1)(f)) |
Section 07AI Model Downloads
EmoPulse uses AI models (TensorFlow.js) that run locally on your device. These models are downloaded once during initial setup or app update. During this download:
- Only the AI model files are transmitted to your device — no user data is sent back
- After download, models operate fully offline
- No personal or biometric data is transmitted during the model download process
Section 08Consent for Camera & Microphone
EmoPulse requires explicit user permission before accessing your camera or microphone. You can:
- Grant or deny camera and microphone access at any time through your device settings
- Use EmoPulse with camera only (no microphone) — voice analysis will be disabled
- Revoke permissions at any time — EmoPulse will continue to function without biometric analysis
Voice Data Notice
In certain jurisdictions (including Illinois under BIPA and Texas under CUBI), voice data may be classified as biometric data requiring explicit informed consent before collection. EmoPulse processes voice data only after you grant microphone permission, and this data never leaves your device in on-device mode. No voice recordings are stored.
Section 09Cookies & Website Tracking
The EmoPulse website (emopulse.app) may use the following:
- Essential cookies: Required for website functionality (session management). Cannot be disabled.
- Analytics cookies: Anonymous usage data to improve the website. You can opt out at any time.
- No advertising cookies: We do not use any advertising or tracking cookies.
By using our website, you consent to essential cookies. Analytics cookies are only activated with your consent, in line with the EU ePrivacy Directive.
Section 10Third-Party Services
We may use the following third-party services. None of them receive biometric data from EmoPulse:
- Apple App Store / Google Play: App distribution and in-app purchases
- Stripe: Payment processing (if applicable)
- Vercel: Website hosting — receives standard HTTP request data (IP, user agent)
- TensorFlow.js: ML library loaded from CDN — no data sent to Google
- Google Fonts: Typography assets loaded from CDN
Each third-party service operates under its own privacy policy. We select providers that comply with GDPR or offer adequate data protection safeguards.
Section 11Data Retention
- On-device biometric data: Stored only for the duration of your session, or until you delete it through app settings. We have no access to this data.
- Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
- Analytics data: Anonymized and retained for up to 12 months.
- Enterprise/server data: Retention defined per Data Processing Agreement with each client.
Section 12International Data Transfers
In on-device mode, no personal data is transferred anywhere. For any non-biometric data we process (account info, analytics), data is processed within the European Economic Area (EEA). If any data is transferred outside the EEA, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
Section 13Children's Privacy
EmoPulse is not intended for unsupervised use by children. Age restrictions vary by jurisdiction:
- European Union: Users must be at least 16 years old (or the minimum age set by their EU member state, which may be as low as 13)
- United States: Users must be at least 13 years old (in compliance with COPPA)
- Other jurisdictions: Users must meet the minimum digital consent age in their country
We do not knowingly collect personal data from children below the applicable age threshold. If you believe a child has provided us with personal data, please contact us at privacy@emopulse.app and we will delete it promptly.
Section 14Your Rights Under GDPR
If you are located in the European Economic Area, you have the following rights:
- Right of access (Art. 15): Request a copy of any personal data we hold about you
- Right to rectification (Art. 16): Correct inaccurate personal data
- Right to erasure (Art. 17): Request deletion of your personal data
- Right to restriction (Art. 18): Request restriction of processing in certain circumstances
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to object (Art. 21): Object to processing based on legitimate interest
- Right to withdraw consent: Withdraw consent at any time without affecting prior processing
To exercise any of these rights, contact us at privacy@emopulse.app. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. For users in Lithuania:
- Valstybine duomenu apsaugos inspekcija (VDAI)
- Website: vdai.lrv.lt
- Email: ada@ada.lt
Section 15Security
We implement appropriate technical and organizational measures to protect your data:
- On-device processing: Biometric data is air-gapped from the internet by default
- Encryption: All data in transit uses TLS 1.3; stored preferences use industry-standard encryption
- Access control: No EmoPulse employee has access to your biometric data (it exists only on your device)
- Regular security reviews: We conduct periodic security assessments of our platform
- Minimal data collection: We collect only what is strictly necessary for service delivery
Section 16Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify registered users by email (if applicable)
- Display a notice in the application
Our core commitment — biometric data stays on your device — is an architectural guarantee, not a policy choice. Changing this would require rebuilding the entire system.
Section 17Contact Us
If you have questions about this Privacy Policy or want to exercise your data protection rights:
Summary
EmoPulse is built with privacy at its core. By default, all emotion analysis happens on your device — we don't see your face, hear your voice, or access your biometric data. Enterprise clients who choose server-side processing receive dedicated Data Processing Agreements with full GDPR compliance. Your privacy is protected by architecture, not just policy.