Last updated: June 16, 2026
Pulse is designed so that compliance is not a checklist you manage. It is a property of the architecture. Because we collect no personal data about your visitors by design, the heaviest consent, disclosure, and deletion obligations under GDPR, Law 25, and PECR simply do not arise.
The GDPR applies when you process personal data of people in the European Union. The most common analytics compliance burden under GDPR is the requirement to obtain prior consent before placing tracking cookies or processing personal data (such as IP addresses) that could identify an individual.
Pulse eliminates this burden by architecture. The Pulse tracking snippet does not set any cookies. It does not process IP addresses; the IP address reaches Cloudflare's edge and is used to derive a country code, but Pulse never receives or stores the raw IP. It does not generate or transmit any persistent identifier tied to an individual visitor. Because no personal data is processed by Pulse, the legal basis requirements of GDPR Article 6 do not apply to visitor analytics. You do not need a consent banner for Pulse.
City-level data is protected by a k-anonymity threshold of k=5: a city only appears in your reports when at least 5 distinct visits from that city are recorded on a given day. This ensures that even aggregate geographic data cannot single out an individual in a small population.
If you use Pulse alongside other tools that do set cookies or process personal data (for example, an advertising pixel or a live-chat widget), those tools require their own consent mechanisms. Pulse does not interact with or replace those obligations.
For Pulse account holders in the EU who require a formal Data Processing Agreement as a controller-processor document, we provide one on request. Email hello@pulse.quicker.tools with subject "DPA Request."
Quebec Law 25 came into full force in September 2023 and imposes obligations on private-sector organisations that collect, use, or communicate personal information about Quebec residents. The most significant obligations include obtaining consent before collection, appointing a privacy officer, publishing a privacy policy, conducting privacy impact assessments for high-risk processing, and notifying the Commission d'acces a l'information (CAI) of confidentiality incidents.
Because Pulse collects no personal information about visitors, the consent and disclosure obligations of Law 25 do not apply to your use of Pulse as an analytics tool. Specifically: we do not use cookies, we do not log IP addresses, we do not create visitor profiles, and we do not use fingerprinting or any cross-site tracking technique. The data we collect (aggregate counts, country codes, browser families, page paths) does not meet the definition of "personal information" under Law 25, which requires that information allow for the identification of a natural person directly or indirectly.
Pulse is operated by a Quebec-based operator and is itself subject to Law 25 with respect to its account holders' data (email addresses, billing information). We maintain a privacy policy, respond to access and correction requests, and report confidentiality incidents as required.
PECR is the UK regulation that governs the use of cookies and similar technologies on websites. It requires prior informed consent before setting non-essential cookies or accessing information stored on a user's device, with limited exceptions for "strictly necessary" cookies.
Pulse sets no cookies through its tracking snippet. The snippet does not read from or write to any browser storage mechanism including cookies, localStorage, sessionStorage, or IndexedDB. It transmits only the anonymised data described in the Privacy Policy. Because no cookies or storage access occurs, PECR's consent requirement does not apply to Pulse. You do not need a cookie consent banner for Pulse on UK-facing websites.
The one exception is the opt-out cookie described below. That cookie is set only when a visitor explicitly requests to opt out, making it a user-initiated, consent-expressing action rather than a tracking action. It requires no prior consent.
CASL governs commercial electronic messages sent to Canadians. It does not directly regulate analytics data collection. Pulse does not send any commercial electronic messages to your visitors. The only emails Pulse sends are transactional messages to account holders who have actively created an account: welcome emails, billing receipts, and service notifications. These transactional messages fall within CASL's implied consent provisions for existing business relationships and do not require express consent.
Pulse does not collect visitor email addresses and does not add your visitors to any mailing list.
Pulse sets exactly one cookie in connection with your website, and only under a specific circumstance: if a visitor navigates to your designated opt-out URL (for example, yourdomain.com/optout), Pulse sets a first-party cookie named qp_optout=1 on your domain. This cookie is:
No other cookies are set by Pulse on your website, on the Pulse dashboard, or anywhere else in our infrastructure. You do not need a cookie consent banner for Pulse.
Pulse runs entirely on Cloudflare Workers and Cloudflare D1. Cloudflare's global network processes every incoming analytics request at the edge closest to the visitor. This means Cloudflare's infrastructure receives the visitor's IP address as part of normal TCP/IP routing. Cloudflare uses the IP to append a country code header (CF-IPCountry) before the request reaches our Worker code. Our Worker code never receives or logs the raw IP address.
Cloudflare does not retain per-request logs on behalf of Pulse beyond its standard infrastructure logging (which is governed by Cloudflare's own privacy and data-retention policies). Pulse retains raw hit records for 7 days, then aggregates them to anonymous daily counts and deletes the raw records. After aggregation, no data exists in our systems that could be traced to an individual request or visitor.
If your organisation requires a formal DPA to document the controller-processor relationship between you (as controller) and Pulse (as processor), we provide one on request. The DPA covers the scope of processing, the categories of data subjects and data, technical and organisational security measures, subprocessor details, and data subject rights procedures.
To request a DPA, email hello@pulse.quicker.tools with the subject line "DPA Request" and include your company name and jurisdiction. We will send a signed DPA within 5 business days at no charge.
For compliance questions, data subject access requests, privacy impact assessments, or any other data protection inquiry, contact our data protection point of contact at hello@pulse.quicker.tools. We aim to respond within 5 business days.