Privacy Policy

Last updated: June 16, 2026

Short version: We never store your IP address. We never set tracking cookies. We only see aggregate, anonymised counts of visits to your site. Your visitors are invisible to us as individuals.

Who we are

Pulse Analytics is a web analytics service operated by Quicker Tools, a sole proprietorship based in Gatineau, Quebec, Canada. When this policy says "Pulse," "we," "us," or "our," it refers to Quicker Tools. Our contact email for all privacy matters is hello@pulse.quicker.tools.

This policy covers two distinct groups of people: (1) account holders, meaning website owners who have signed up for Pulse, and (2) end visitors, meaning people who visit a website that uses our tracking snippet. Most of this policy is about end visitors, because that is where privacy matters most.

What we collect about your visitors

When someone visits a website that has the Pulse snippet installed, we receive a small packet of anonymised data. Here is exactly what we record:

Page URL path. The path portion of the URL (for example, /blog/hello-world). We strip query strings that appear to contain personal data (such as query strings containing "email=", "token=", or "user=") before storage.
Referrer domain. The hostname of the referring site only (for example, google.com). We do not store the full referrer URL or any path/query data from it.
UTM parameters. Standard campaign tracking parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) if present in the URL, to help you understand which campaigns drive traffic.
Browser family and OS family. Derived from the User-Agent string at the time of the request (for example, "Chrome" and "macOS"). We do not store the raw User-Agent string.
Device category. Desktop, mobile, or tablet, derived from the User-Agent at request time.
Country. Derived from the Cloudflare CDN header (CF-IPCountry), which Cloudflare attaches to every request. We store the two-letter country code. We do not receive or store the IP address itself.
City (k-anonymity protected). City-level data is only recorded when a city reaches 5 or more distinct visits in a single day. This k-anonymity threshold (k=5) prevents us from singling out an individual from a small population. Cities below the threshold are aggregated into an "Other" bucket.
Truncated timestamp. The time of the visit, truncated to the nearest hour. We never record the exact minute or second.

We do not collect: IP addresses (Cloudflare processes them in transit; we never receive them), user identifiers of any kind, cross-site tracking IDs, device fingerprints, personal names, visitor email addresses, or any data that could identify a specific individual across multiple sites.

How we collect it

You place a small JavaScript file (p.js) on your website. When a visitor loads a page, the script sends a single POST request to our servers containing the anonymised data described above. The script uses no cookies, no localStorage, no sessionStorage, and no IndexedDB. It does not read or write any data to the visitor's browser storage. It does not communicate with any third-party analytics, advertising, or data-broker service.

How long we keep it

Raw pageview records are retained for 7 days. At the end of that window, the raw records are rolled up into anonymous daily aggregate counts (for example, "your site received 42 visits from Canada on this date from organic search"). The raw records are then deleted. The aggregated counts contain no data that can be traced back to any individual and are retained indefinitely for your dashboard history.

Because the raw records contain no personal data to begin with, the 7-day retention window is a belt-and-suspenders measure, not a legal necessity. We apply it anyway as a matter of principle.

Your rights as a visitor

Because we collect no personal data about visitors, most data-subject rights under GDPR, Quebec Law 25, and PECR do not apply in the traditional sense. There is no profile to access, correct, or delete. However, we fully respect the spirit of those rights:

Opt-out. Any website using Pulse can offer its visitors an opt-out page. When a visitor visits that opt-out URL, we set a first-party cookie (qp_optout=1) on that site's domain. Our snippet checks for this cookie and, if present, sends no data at all. The cookie is set by the site's own domain, not by us, and it persists until the visitor clears it.
Access and portability. If you believe we hold data about you (for example, if you are an account holder), contact us at hello@pulse.quicker.tools and we will provide a copy within 30 days.
Deletion. Account holders can delete their site data at any time from the Pulse dashboard. Deletion is permanent and irreversible. End visitors who wish to request deletion may contact us; because we hold no personal data about end visitors, we will confirm that in writing.
Data Processing Agreement (DPA). If you require a DPA for GDPR or Law 25 compliance purposes, email hello@pulse.quicker.tools with subject "DPA Request" and your company name. We will send a signed DPA within 5 business days.

What we collect about account holders

When you create a Pulse account, we collect your email address (used for login and transactional notifications) and, if you subscribe to a paid plan, your billing information is processed by Stripe. We do not store full card numbers. We store your Stripe customer ID to manage your subscription. We may store your website domains and API keys as part of the service configuration.

Subprocessors

We use a small number of subprocessors to deliver the service:

Cloudflare, Inc. (US/EU). All traffic passes through Cloudflare's global network. Our worker code and database (Cloudflare D1) run on Cloudflare infrastructure. Cloudflare processes IP addresses in transit to derive country codes but does not pass raw IPs to us. Cloudflare's privacy policy is available at cloudflare.com/privacypolicy.
Stripe, Inc. (US). Stripe processes billing for paid subscriptions. Stripe receives your billing email address and payment details. Stripe does not receive any analytics data. Stripe's privacy policy is available at stripe.com/privacy.

We do not use any advertising networks, data brokers, or third-party analytics services as subprocessors.

Data residency

By default, your analytics data is stored in Cloudflare D1 in the United States. If you require EU data residency for GDPR compliance, contact us at hello@pulse.quicker.tools to enable the EU D1 region for your account. Your data will then remain within Cloudflare's EU region at all times.

Security

All data in transit is encrypted via TLS 1.2 or higher. Data at rest is encrypted by Cloudflare D1's storage layer. Access to production data is limited to the service operator. We do not share, sell, or rent your data or your visitors' data to any third party.

Changes to this policy

If we make material changes to this policy, we will notify account holders by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Continuing to use Pulse after the effective date constitutes acceptance of the revised policy.

Governing law

This policy is governed by the laws of the Province of Quebec, Canada, including Quebec's Act respecting the protection of personal information in the private sector (Law 25) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA). Where applicable, we also comply with the EU General Data Protection Regulation (GDPR) and the UK Privacy and Electronic Communications Regulations (PECR).

Contact us

For privacy requests, data subject access requests, DPA requests, or any other privacy-related inquiry, email hello@pulse.quicker.tools. We aim to respond within 5 business days.