FeaturesHow It WorksFAQBlog
Back to Home

Privacy Policy

Effective date: March 3, 2026

1. Introduction

IMPULSE (“we”, “our”, or “us”) operates the IMPULSE mobile application (the “App”) and the website located at impulseapp.website (the “Site”). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have regarding your data.

We understand the deeply personal nature of addiction recovery. Privacy is not an afterthought — it is a core design principle of IMPULSE. We collect only the minimum data necessary to provide the service, we never sell your data, and we give you full control over its deletion.

2. Data We Collect

2.1 Account Information

When you create an account you authenticate through a third-party OAuth provider (Google or Apple). We receive and store:

  • Email address — used as your unique account identifier.
  • Display name — if provided by the OAuth provider (you may change or remove it).

We do not receive or store your OAuth provider password. Authentication tokens are managed securely by our backend provider.

2.2 Recovery Data You Provide

When you use IMPULSE you may voluntarily enter the following data:

  • Urge & relapse logs — timestamp, emotional state (e.g. boredom, stress, loneliness, fatigue), situational context (e.g. bed, work), and outcome (resisted or relapsed).
  • Onboarding preferences — self-reported session frequency, session duration, recovery start date, and how you heard about us (optional).
  • Onboarding analytics — which onboarding screens you view, when you complete or abandon, and device type (iOS/Android). Used to improve conversion rates. Linked to your account only if you complete onboarding.
  • Contact form messages — topic and message content you submit through the in-app contact form.

2.3 Data Stored Locally on Your Device

Some data is stored exclusively on your device and is never sent to our servers:

  • Notification preferences and scheduling configuration.
  • Temporary cache of urge logs (automatically cleared after 24 hours).
  • Onboarding progress (cleared once onboarding is complete).
  • Last IMPULSE Protocol configuration (to vary exercises).
  • Last app-open timestamp (used locally for inactivity reminders).

2.4 Data We Do NOT Collect

  • GPS or geolocation data.
  • Device identifiers, advertising IDs, or fingerprints.
  • Browsing history or app usage outside of IMPULSE.
  • Contacts, photos, microphone, or camera data.
  • Third-party analytics, tracking, or advertising SDKs.

3. How We Use Your Data

We use the data described above solely to:

  • Authenticate you and maintain your account.
  • Store and display your urge and relapse logs.
  • Generate your personal dashboard (control rate, triggers, time saved, risk patterns).
  • Schedule local follow-up notifications after you log an urge.
  • Respond to support messages you send via the contact form.
  • Improve the App (including onboarding analytics to optimize the sign-up flow).

We do not use your data for advertising, profiling, or sale to third parties.

4. Third-Party Services

IMPULSE relies on a limited number of third-party services to operate. Each is listed below with the data it may access.

4.1 Supabase (Backend Infrastructure)

We use Supabase for authentication, database hosting, and server-side functions. All data described in Section 2 that is stored remotely is hosted on Supabase infrastructure. Supabase encrypts data in transit (TLS) and at rest (AES-256). Supabase’s servers are located in the United States.

4.2 Google & Apple (Authentication)

If you sign in with Google or Apple, the respective provider handles the authentication flow and shares your email address (and optionally your name) with us via the OAuth protocol. We do not receive your provider password. Please refer to Google’s Privacy Policy and Apple’s Privacy Policy for details on their data practices.

4.3 Expo (Build & Notifications)

We use Expo to build and distribute the App. Push notifications in IMPULSE are scheduled locally on your device — they are not sent through an external push notification service, and no notification content leaves your device.

5. Data Security

  • All network communication between the App and our servers uses HTTPS / TLS encryption.
  • Database records are encrypted at rest (AES-256) by Supabase.
  • Authentication tokens are stored in your device's local storage and refreshed automatically.
  • Server-side operations (log submission, account deletion) are executed in isolated edge functions with scoped permissions.

While we apply industry-standard security measures, no system is 100 % secure. We encourage you to protect access to your device.

6. Data Retention

We retain your account and recovery data for as long as your account is active. Locally cached data is automatically cleared on a short cycle (24 hours for log caches; immediately upon onboarding completion for onboarding data).

If you delete your account (see Section 7), all data associated with your account is permanently removed from our servers.

7. Your Rights & Choices

  • Access & portability — You can view all of your recovery data within the App at any time.
  • Deletion — You can permanently delete your account and all associated data from the Settings screen inside the App. Deletion removes your records from the users, urge_logs, checkins, sessions, notifications, and onboarding_events tables, as well as your authentication record.
  • Notifications — You can enable or disable notifications at any time within the App or through your device settings.
  • Withdraw consent — You may stop using the App and delete your account at any time without consequence.

If you wish to exercise any right not covered above, or if you have questions, please contact us (see Section 11).

8. International Data Transfers

Our backend infrastructure is hosted by Supabase on servers located in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. By using IMPULSE, you consent to this transfer. We rely on Supabase’s data processing safeguards and their compliance with applicable data protection frameworks.

9. Children’s Privacy

IMPULSE is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or via email before the changes take effect. The “Effective date” at the top of this page indicates when the policy was last revised. Continued use of IMPULSE after a revision constitutes acceptance of the updated policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

contact@impulseapp.website