What we know about you, in plain English first.
The TL;DR is on top; the legalese is below it. If anything in here doesn’t match how Pulse actually behaves, that’s a bug: write to support@pulsehq.tech and we’ll fix the page or the product.
TL;DR
We collect what’s needed to make Pulse work for you.
Account info, billing data, the contents of the data sources you connect, plus product telemetry that’s pseudonymous and aggregated.
We don’t sell your data, ever.
Not to advertisers, not to data brokers, not to “partners” in disguise. There’s no scenario in our business model that involves selling customer data.
We don’t train models on your prompts or content.
Model providers (Anthropic, OpenAI) are called via zero-retention APIs: contractually, no logging and no training. Calibration runs per-tenant inside Pulse.
We use a small set of subprocessors.
AWS for infra, Anthropic + OpenAI for inference, Stripe for billing, Postmark for transactional email. Full list with regions on the subprocessors page.
You can export and delete on demand.
Export to JSON-LD or Parquet via the open map-export tool. Deletion within 30 days, with a verifiable certificate.
You have rights, and we mean it.
Access, rectification, deletion, portability, objection. We respond within 14 days; the legal floor is 30. Contact support@pulsehq.tech from any address.
01 Scope & controller / processor roles
This notice covers Pulse’s hosted product (app.pulsehq.tech) and the marketing site (pulsehq.tech).
For workspace customers, your organization is the data controller and Pulse is the data processor: we handle your team’s data on your instructions, under the DPA. For free individual accounts and the marketing site, Pulse is the controller for that limited data.
Pulse, Inc. is the legal entity. EU representative and UK representative details are in §10.
02 What we collect
Three buckets. We try to keep each as narrow as the product allows.
We do not collect: precise location, biometrics, special-category data on purpose, browsing history outside Pulse, contact lists you didn’t import, microphone/camera streams, or device sensors.
03 How we use it
For your service: building and maintaining your map graph, answering retrieval queries, drafting outputs, scheduling briefings, executing skills, generating audit records, propagating permission changes.
For our business: billing, invoice records, support, fraud and abuse prevention, security monitoring, internal financial reporting, contract enforcement.
For improvement: aggregated, pseudonymous telemetry to understand which features are used, where queries fail, where latency lives. Calibration uses your feedback only to tune your tenant’s confidence numbers, never aggregated across tenants.
We do not use your content to train models, advertise to you, profile you for anything outside the product, or build look-alike segments for other customers.
05 Retention & deletion
- Connected content + map graph: kept as long as your workspace is active. Deleted within 30 days of workspace deletion. Backups expire on the same schedule.
- Audit log: 13 months by default, configurable up to 7 years on Enterprise.
- Telemetry: pseudonymous events kept 24 months for trend analysis.
- Billing records: 7 years, statutory.
- Marketing-site logs: IP addresses for 14 days, request logs aggregated after 30 days.
You can request deletion at any time. Deletion produces a verifiable certificate (cryptographic attestation that the data and its backups have been purged).
06 International transfer
EU and UK customers get an EU-resident default (eu-west-1 + eu-central-1). For inference, Anthropic and OpenAI are US-resident; we rely on the EU Standard Contractual Clauses (2021 modules), the UK International Data Transfer Addendum, and the EU-US Data Privacy Framework where applicable. The supplementary measures (zero-retention, encryption, access logging) are documented in the DPA.
07 Your rights
Under GDPR, UK GDPR, CCPA / CPRA, and equivalent laws (applicable to most readers), you have the rights below. We honour these for everyone, regardless of jurisdiction.
- Access: get a copy of your data in a structured, common format.
- Rectification: correct anything that’s wrong.
- Erasure: “right to be forgotten.” Subject to legal-retention exceptions.
- Portability: JSON-LD and Parquet export via map-export.
- Objection: to processing based on legitimate interest.
- Withdraw consent: where processing was consent-based.
- Lodge a complaint: with your supervisory authority.
08 Children
Pulse isn’t designed for or directed at children under 16. We do not knowingly collect data from children. If you believe we have, write to support@pulsehq.tech and we’ll delete it.
09 Changes to this notice
We version this page. Material changes get 30 days’ advance notice via email and an in-app banner. Past versions live at pulsehq.tech/legal/privacy/history: every diff, every date.
10 Contact
Privacy questions, rights requests, breach reports: support@pulsehq.tech. DPO: support@pulsehq.tech. EU rep: Pulse Privacy GmbH, Berlin. UK rep: Pulse Privacy UK Ltd., London.
For security issues, please use support@pulsehq.tech with our PGP key (fingerprint on the Security page) and we’ll triage within 24h.