Privacy policy
Last updated: June 2026
Pulli is a native macOS download manager. We do not use usernames or passwords. Your account is a random key like pulli-XXXX-XXXX-XXXX. This policy explains what data we process, why, how long we keep it, and what you can do about it.
Data controller
Pulli is operated by Mehdi Benmebarek, a sole proprietorship. For data protection inquiries, contact privacy@pulli.app.
What we process and why
For a field-by-field breakdown of every data point we store, see our transparency page . The table below covers the legal basis for each processing activity.
- Contract
- License activation, device management, feature gating. We need this data to provide the service you signed up for.
- Legitimate interest
- Aggregate install statistics, crash diagnostics, OS version breakdown. We use these to keep the app working across macOS versions. You can object to this at any time.
- Consent
- Optional email attachment and opt-in diagnostic logging. You give us your email for receipts and recovery. In Settings you can also turn on "Help improve Pulli" to send anonymized warning and error logs plus aggregated resource metrics to Axiom, or "Share full diagnostic logs" to send the complete trace. Both are off by default. Withdraw any of these by removing your email, turning off the toggle, or deleting your account.
How long we keep it
- License dataUntil you delete it
- Your license and activation records persist until you request erasure. Free licenses never expire.
- Event dataIndefinitely
- Website and app events (page views, downloads, update checks) are retained for aggregate statistics. Website events are anonymous. App events include your license key and hashed machine ID.
- EmailUntil you remove it or delete your account
- If you attached an email, it stays until you detach it or erase your account.
- Polar recordsPer Polar's retention policy
- Polar retains transaction records for legal/accounting requirements. When you erase your account, we ask Polar to anonymize your PII.
- Server logsUp to 72 hours
- Cloudflare Workers logs are ephemeral. We do not maintain long-term access logs.
- Diagnostic logs (Axiom)30 days
- If you opt in, anonymized application logs are retained in Axiom for 30 days. Turning off the setting stops transmission immediately; existing logs age out per the retention window.
Who else sees your data
- Polar.shMerchant of Record
- Processes payments, stores card details, and manages subscriptions. We never see your payment information. Polar acts as data controller for payment data. Their privacy policy is at polar.sh/privacy.
- CloudflareInfrastructure
- Hosts our website and API on Cloudflare Workers. Derives your coarse country from IP at the edge. Cloudflare is a data processor under our instructions. Their DPA is at cloudflare.com/gdpr.
- AxiomDiagnostic logging (opt-in)
- Receives anonymized application logs only if you opt in under Settings. Two separate toggles control how much you send. "Help improve Pulli" sends warning and error events to Axiom, plus aggregated resource metrics (memory, CPU, thread count, active download count, and feature-usage flags like your appearance and scheduler preferences) to our own API on Cloudflare. "Share full diagnostic logs" sends the complete trace to Axiom, which we reserve for when you ask us to help debug a problem. Logs contain component names and timing data; we filter out URLs, file paths, emails, tokens, and credentials before transmission. Neither sends what you download or how much. Axiom is a data processor under our instructions. Their privacy policy is at axiom.co/privacy.
International data transfers
Pulli runs on Cloudflare's global edge network. Your request may be processed in a data center outside your country of residence. Cloudflare relies on Standard Contractual Clauses (SCCs) for transfers from the EEA. Polar.sh may also process data outside the EEA under their own SCCs. If you opt in to diagnostic logging, Axiom processes your anonymized logs in their infrastructure, also under SCCs. We do not transfer data to countries lacking adequacy decisions.
Cookies and tracking
We do not use cookies, local storage for tracking, or analytics scripts. The website sets no cookies at all. The desktop app stores your license key locally on your machine; that is device storage, not a cookie.
We do not respond to Do Not Track signals because we do not track you in the first place. California residents: we do not sell or share your personal data for cross-context behavioral advertising, and no such sale has occurred in the past 12 months.
Browser extension
The Pulli Chrome extension intercepts downloads in the browser and forwards them to the Pulli desktop app running on your Mac. It does not download anything itself, and it does not send data to any remote server. All communication with the desktop app uses Chrome's native messaging API, which restricts communication to a locally registered host (app.pulli.host) installed by the Pulli app.
When a download is intercepted, the extension reads the following from the browser and forwards it to the local app:
- Download URL — the address of the file being fetched.
- Referrer URL — the page that initiated the download.
- Cookies — session cookies for the download's domain, so authenticated downloads succeed in Pulli without re-authenticating.
- Filename and file size — the suggested name and expected size from Chrome.
This data stays on your machine. It is not sent to pulli.app or any other remote endpoint. The extension does not include analytics, telemetry, or tracking.
A content script runs on all pages to detect drag-to-fetch gestures on links. It reads link URLs and page titles when you drag a link, and sends them to the background script for forwarding to the local app. It does not monitor browsing history, keystrokes, or mouse movement outside of drag gestures.
The extension allows pulli.app to ask whether it would intercept a given download. The only response is a boolean (yes or no). No browsing data is shared with the website in this exchange.
Security
All traffic between the app, our website, and our API travels over HTTPS with TLS 1.2+. License keys are signed with Ed25519 and verified on every request. Your account key is generated locally and stored in your Mac's keychain, not on our servers. Database access is restricted to the Cloudflare Workers runtime; no human reads your data unless you ask us to.
If a data breach occurs that risks your rights, we notify the relevant supervisory authority within 72 hours and inform you directly if the breach is likely to result in a high risk to you.
Your rights
Under GDPR and UK GDPR, you have the following rights. To exercise any of them, email privacy@pulli.app with your account key.
- Access
- Ask us for a copy of everything we hold linked to your account key. We send it to the email on file (or one you provide).
- Erasure
- Delete your key and all associated data. Use the form at /key, or email us. We cascade-delete your license, activations, and event records. If you have an active Pro subscription, we also cancel it and anonymize your Polar customer record.
- Portability
- Receive your data in a machine-readable format. Ask us and we export it as JSON.
- Objection
- Tell us to stop processing your data for a specific purpose. We honor it unless we have a compelling legal ground to continue.
- Rectification
- Correct inaccurate data. Attach or update your email at /key, or tell us what is wrong.
- Restriction
- Ask us to limit processing to storage only while a dispute or accuracy claim is resolved. We freeze the data until we resolve your request.
- Complaint
- Lodge a complaint with your local data protection authority. You can find your DPA at edpb.europa.eu. You do not need to contact us first.
Children
Pulli does not target children and we do not knowingly process data from anyone under 16. If you believe we hold data from a minor, contact us and we will delete it.
Changes to this policy
We update this page when our data practices change. The "last updated" date above reflects the most recent revision. Material changes will also be announced in the app.