Privacy

Privacy notice

Version 2026.05 · Last updated 2026-05-12. Earlier versions are kept on request — email [email protected].

This notice explains what personal data PULSE collects, why, the legal basis we rely on, where the data lives, and the rights you have under UK / EU GDPR. It is written so you can read it without a lawyer.

1. Who we are

"PULSE", "we" and "us" mean the operator of the PULSE workspace platform at runonpulse.com. We are the data controller for the marketing site and our own business records, and the data processor for the workspace content our customers put into PULSE on behalf of their employees and contractors.

2. What we collect and why

  • Account data — name, work email, profile image, role assignment, branch assignment. Used to authenticate you and show your activity to your team.
  • Workspace content — anything you or your teammates author in PULSE: SOPs, tasks, comments, course progress, review responses, uploaded files. We process this on your employer's behalf — they decide what goes in.
  • Operational metadata — sign-in IPs, session timestamps, feature-usage events, audit-log entries. Used for security, fraud detection, billing, and product improvement.
  • Marketing-site data — form submissions (demo / trial enquiries), and standard request logs. Form submissions are kept against the consent box you tick.

We rely on the following lawful bases under Article 6:

  • Contract — to provide the service to your employer (account data, workspace content, operational metadata required to deliver the service).
  • Legitimate interests — to keep the platform secure, prevent abuse, and run aggregate, non-identifying analytics on the marketing site.
  • Consent — to send you marketing email after a demo / trial enquiry, and to set non-essential cookies. You can withdraw at any time.
  • Legal obligation — to retain billing and invoice records for the period required by tax law.

4. Who we share with (sub-processors)

The full, current list of sub-processors lives at /subprocessors. We give 30 days advance notice to annual customers before adding a new sub-processor. The headline list:

  • Brevo (Sendinblue) — Transactional email (sign-up, reset, notifications) (EU (France))
  • OpenAI — AI features (Porter answers, course drafting, document parsing) (USA)
  • Slack Technologies — Team messaging integration (Signal channel + slash commands) (USA / EU)
  • Microsoft (Outlook / Teams / Entra / Graph API) — Outlook calendar synchronisation, Microsoft Teams connector, and Microsoft Entra (Azure AD) sign-in / SSO (USA / EU)
  • Google (Sign-in with Google) — Google sign-in / OIDC for users who choose social login (USA / EU)
  • Giphy — Recognition GIFs in Pack and Signal (USA)
  • Stripe — Subscription billing and payment processing (USA / Ireland)
  • Replit (hosting & Object Storage) — Application hosting, managed PostgreSQL, and encrypted Object Storage for daily per-schema database snapshots and user-uploaded attachments (Region selected at sign-up (default Auckland, New Zealand))

5. International transfers

Your workspace data is stored in the region you select at sign-up (Auckland, NZ by default). Where personal data is transferred outside the UK or EEA — for example to a US-based AI provider — that transfer is governed by the EU Standard Contractual Clauses and the UK International Data Transfer Addendum. We use AI providers that support data-residency commitments and zero training-on-customer-content terms.

6. Retention & deletion

  • Active workspace data — kept for the lifetime of your subscription.
  • Cancelled workspaces — your data remains exportable for 30 days, then it is deleted from our primary systems. Encrypted backups expire on a rolling basis, typically within 35 days.
  • Audit log — kept for at least 12 months for security and incident response, then pruned.
  • Marketing leads — kept up to 12 months from last contact, unless you ask us to delete sooner.
  • Billing records — kept for the period required by tax law (typically 7 years).

7. Your rights

You have the right to:

  • Access a copy of the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your account ("right to be forgotten").
  • Restrict or object to certain processing.
  • Portability — receive your data in a machine-readable form.
  • Withdraw consent at any time.

End users with a PULSE login: open Account › Privacy & data from the menu to download your data or request erasure self-service. We action requests within 30 days.

Workspace owners: contact your platform admin or [email protected] for a tenant-level export or deletion.

Visitors: email [email protected].

8. Cookies

The cookie banner you saw on first visit is the legal record of your choice. Open the cookie preferences panel any time to change it. Full detail is on the cookie policy page.

9. Contact & complaints

Email [email protected]. For UK / EU residents: you also have the right to complain to your supervisory authority — the UK Information Commissioner's Office or your national Data Protection Authority. We'd appreciate the chance to fix it first.