privacy notice · v9 · last revised jun 2026

What we know about you, in plain English first.

The TL;DR is on top; the legalese is below it. If anything in here doesn’t match how Pulse actually behaves, that’s a bug: write to support@pulsehq.tech and we’ll fix the page or the product.

TL;DR

yes

We collect what’s needed to make Pulse work for you.

Account info, billing data, the contents of the data sources you connect, plus product telemetry that’s pseudonymous and aggregated.

no

We don’t sell your data, ever.

Not to advertisers, not to data brokers, not to “partners” in disguise. There’s no scenario in our business model that involves selling customer data.

no

We don’t train models on your prompts or content.

Model providers (Anthropic, OpenAI) are barred from training on our API traffic under their standard terms; inputs may be retained briefly (up to 30 days) for abuse monitoring. Calibration runs per-tenant inside Pulse.

yes

We use a small set of subprocessors.

Vercel for hosting, Supabase for the database, Anthropic + OpenAI for inference, Resend for transactional email. Full list with regions and transfer mechanisms on the subprocessors page.

yes

You can export and delete on demand.

Export to JSON or JSON-LD via the workspace export endpoint (/api/lifecycle/export). Deletion within 30 days, confirmed and recorded in the audit log.

yes

You have rights, and we mean it.

Access, rectification, deletion, portability, objection. We respond within 14 days; the legal floor is 30. Contact support@pulsehq.tech from any address.

01 Scope & controller / processor roles

This notice covers Pulse’s hosted product and the marketing site (both served at pulsehq.tech).

For workspace customers, your organization is the data controller and Pulse is the data processor: we handle your team’s data on your instructions, under the DPA. For free individual accounts and the marketing site, Pulse is the controller for that limited data.

Pulse, Inc. is the legal entity. EU representative and UK representative details are in §10.

02 What we collect

Three buckets. We try to keep each as narrow as the product allows.

Account & billing | Name, email, org, role; basic account records. Billing not yet integrated; when it is, the payment processor will hold card data. | Service · contract
Connected data | The contents of the sources you connect (Notion docs, Slack threads, Drive files, etc.) and their native ACLs. | Service
Pulse-generated | Map graph entities + relations, retrieval index, audit log records, briefings, drafts, calibration feedback. | Service · improving your tenant
Product telemetry | Pseudonymous event logs (page, action, latency). No content, no prompts. Aggregated for product analytics. | Legitimate interest
Site cookies | First-party cookies only, each listed by name at /cookies. No third-party trackers, no advertising pixels. | Strict necessity

We do not collect: precise location, biometrics, special-category data on purpose, browsing history outside Pulse, contact lists you didn’t import, camera streams, or device sensors. The one microphone exception: audio you choose to send during a Pulse Voice session streams to OpenAI’s Realtime API under the inference terms in §4, and the resulting transcripts are retained per the voice row in §5, under your control.

03 How we use it

For your service: building and maintaining your map graph, answering retrieval queries, drafting outputs, scheduling briefings, executing skills, generating audit records, propagating permission changes.

For our business: billing, invoice records, support, fraud and abuse prevention, security monitoring, internal financial reporting, contract enforcement.

For improvement: aggregated, pseudonymous telemetry to understand which features are used, where queries fail, where latency lives. Calibration uses your feedback only to tune your tenant’s confidence numbers, never aggregated across tenants.

We do not use your content to train models, advertise to you, profile you for anything outside the product, or build look-alike segments for other customers.

04 Who we share with

Three categories of recipient. Full subprocessor list (with regions) is at pulsehq.tech/legal/subprocessors; you’ll get 30 days’ notice before any new subprocessor goes live.

Vercel | Application hosting and edge CDN. | US (global edge)
Supabase | Managed Postgres database; data at rest. | US (AWS-hosted)
Anthropic | Inference inputs/outputs. No training; brief abuse-monitoring retention (≤30 days) under their API terms. | US
OpenAI | Inference inputs/outputs, plus voice-session audio you choose to stream in Voice mode. No training; brief abuse-monitoring retention (≤30 days) under their API terms. | US
Resend | Transactional email (briefings, alerts, verification). | US
Linear, Slack, Notion, Drive, etc. | You connect these; data flows in from them, never from us back out except writes you authorise. | per provider
Authorities | Only with valid legal process. We notify you unless legally prohibited; we publish a transparency report. | per request

We do not share with advertising networks, data brokers, lead-gen services, or analytics vendors that re-sell. There is no Google Analytics, no Meta Pixel, no LinkedIn Insight tag on Pulse properties.

05 Retention & deletion

  • Connected content + map graph: kept as long as your workspace is active. Deleted within 30 days of workspace deletion. Backups expire on the same schedule.
  • Audit log: 90 days by default for operational rows; sensitive events (auth, billing, exports, security, sessions, workspace deletion) hold for 7 years.
  • Voice transcripts: 90 days by default, configurable per user (including “delete sooner” and “keep forever”); a daily sweep purges past the window. Voice audio itself is not stored by Pulse.
  • In-app notifications & activity trail: read notifications purge after 90 days and all notifications after 12 months; workspace activity events age out after 13 months.
  • Telemetry: pseudonymous events kept 24 months for trend analysis.
  • Billing records: 7 years, statutory.
  • Marketing-site logs: IP addresses for 14 days, request logs aggregated after 30 days.

You can request deletion at any time. We confirm when the purge completes, and the workspace-deletion event is recorded in the audit log we keep for 7 years. Backups expire on the 30-day schedule above.

06 International transfer

Today the service runs from a single primary (US) region; EU data residency is on the Enterprise roadmap and not yet available. For inference, Anthropic and OpenAI are US-resident; we rely on the EU Standard Contractual Clauses (2021 modules), the UK International Data Transfer Addendum, and the EU-US Data Privacy Framework where applicable. The supplementary measures (no-training inference terms, encryption, access logging) are documented in the DPA.

07 Your rights

Under GDPR, UK GDPR, CCPA / CPRA, and equivalent laws, applicable to most readers, you have the rights below. We honour these for everyone, regardless of jurisdiction.

  • Access: get a copy of your data in a structured, common format.
  • Rectification: correct anything that’s wrong.
  • Erasure: “right to be forgotten.” Subject to legal-retention exceptions.
  • Portability: JSON and JSON-LD export via /api/lifecycle/export.
  • Objection: to processing based on legitimate interest.
  • Withdraw consent: where processing was consent-based.
  • Lodge a complaint: with your supervisory authority.

08 Children

Pulse isn’t designed for or directed at children under 16. We do not knowingly collect data from children. If you believe we have, write to support@pulsehq.tech and we’ll delete it.

09 Changes to this notice

We version this page. Material changes get 30 days’ advance notice via email and an in-app banner. Past versions will be archived at pulsehq.tech/legal/privacy/history once it’s real: every diff, every date.

10 Contact

Privacy questions, rights requests, breach reports: support@pulsehq.tech, our privacy contact. We have not designated a formal DPO; if we appoint one, or an EU/UK Article 27 representative, we will name them here.

For security issues, please write to support@pulsehq.tech and we’ll triage within 24h. See the Security page for our disclosure policy.