Privacy

Privacy Policy

Effective date · 2 June 2026

This Privacy Policy explains how PulseSignal (“we”, “us”) handles personal data. It covers two distinct data surfaces:

  1. Personal data we collect directly from users of the PulseSignal product (customers and subscribers).
  2. Business and public-registry information we collect about third-party companies, their products, filings, and officers, in order to power the PulseSignal intelligence service.
01

Who we are

The data controller is PulseSignal (the trading name of an independent unincorporated business; registered-entity details are available on written request). You can reach our privacy contact at privacy@pulsesignal.co. General product and billing questions go to hello@pulsesignal.co.

Two roles. For the personal data we collect about people who hold PulseSignal accounts and about third-party companies and their public officers, PulseSignal is the “controller” (or local equivalent) and decides why and how to process it. For personal data that a business customer chooses to upload into the Service (for example, contact-list entries on a watchlist), the customer is the controller and PulseSignal is the processor under our Data Processing Addendum.

Grievance Officer (India DPDP 2023). PulseSignal Grievance Officer, privacy@pulsesignal.co (a monitored role mailbox). Acknowledgement within 72 hours; resolution within 30 days.

EU representative (Article 27). We are evaluating an Article 27 representative. Until appointed, EU/EEA data subjects may direct requests to the privacy contact above and complaints to the supervisory authority listed in our regional notices.

02

Information we collect about you as a user

When you sign up, subscribe, or use PulseSignal we collect:

  • Account information: email address, display name, password hash.
  • Product configuration: saved searches, pinned companies, custom alert rules, digest cadence, webhook URLs, Slack delivery tokens.
  • Usage events: which pages you visit inside the product, which features you use, and when. This is kept in aggregate to improve the service.
  • Diagnostic data: error reports collected when something goes wrong, captured by our error-monitoring sub-processor (Sentry) and product-analytics sub-processor (PostHog).
  • Network metadata: IP address, user-agent, referrer, request timestamps. We use these for security, fraud prevention, and rate limiting.
  • Billing information: handled by our Merchant of Record, Polar.sh (Polar Software, Inc.), which uses Stripe as its payment processor. We store a customer reference and plan metadata, not card numbers.
  • Support correspondence: any email or message you send us about the service.

We do not knowingly collect special-category (GDPR Article 9), sensitive (CCPA § 1798.140(ae)), sensitive (DPDP), or sensitive (LGPD Article 5(II)) personal data. Please do not send us that data; if you do, we will delete it when we notice and ask you not to send more.

03

Information we collect about third-party companies

PulseSignal is an intelligence service about SaaS companies. To build that product we observe publicly available information about companies, their products, their filings, and, in narrow cases, their publicly identified officers. We do not profile private individuals. The observations are organized into a set of data modules. Each module is documented with its upstream sources, whether it can touch personal data, the legal basis we rely on, and how long we retain the output. The full module matrix is maintained internally and is available on request at privacy@pulsesignal.co.

In plain English, our modules cover (the categories below group those surfaces for readability):

  • Product and pricing pages published by the company.
  • Public job posts and careers-page listings.
  • Public funding, product-launch, and changelog announcements.
  • Public reviews and aggregate sentiment on Trustpilot, the app stores, Comparably, and similar platforms.
  • Public DNS, certificate transparency logs, and trust/security page signals.
  • Public GitLab, Bitbucket, package registry, and developer community footprints.
  • Public statutory filings: UK Companies House, SEC EDGAR, MCA India, OFLC H-1B LCA, and related registries.
  • Public federal contracting, lobbying, and enforcement disclosures (USAspending, SAM.gov, Senate LDA, FDA, FTC, FCC, CPSC, OSHA, EPA).
  • WIPO UDRP domain disputes.
  • Public certifications: B Corp, FedRAMP, 1% for the Planet, GLEIF LEI, SOC / ISO / HIPAA / PCI badges.
  • Publicly listed executive and director profiles (name and role), drawn from the company’s own team pages and from statutory registries.

Where a statutory registry publishes personal data as part of a legal regime (for example, a named director in a corporate filing), we reflect that published record; we do not originate it. If a registry redacts or seals a record, our mirror of that record will be removed or redacted when we next ingest.

GDPR Article 14 notice. Where the data subject (typically a named officer) is not the source of the data, we rely on Article 14(5)(b): individual notice is impossible or would involve disproportionate effort given the volume and public nature of the upstream record. This Privacy Policy, our regional notices, and the erasure-request form constitute the public notice required by Article 14(5)(b). Equivalent notice is also given under LGPD Article 9 and DPDP Section 5 (which recognize “publicly available data” processing on legitimate-interest grounds with a notice obligation).

04

Legal basis (GDPR Article 6)

  • Contract (Article 6(1)(b)) for information collected directly from you to deliver the service: account, saved configuration, alerts, digests, webhook delivery.
  • Legitimate interests (Article 6(1)(f)) for information we collect about third-party companies to deliver competitive intelligence about public and commercial activity. Our legitimate interest is operating a professional market-intelligence service; we have weighed this against the rights of data subjects and apply safeguards including restriction to publicly observable information, redaction on valid request, and proportionate retention.
  • Legal obligation (Article 6(1)(c)) applies, where relevant, to our mirroring of statutory public registries (company registries, securities filings, court records, enforcement records).
  • Consent (Article 6(1)(a)) for optional marketing communications. You can withdraw consent at any time by emailing us.
05

How we use the data

  • To operate the product and show you competitive intelligence about the companies you track.
  • To generate daily or weekly digests, per-company briefings, and custom alerts you have configured.
  • To detect changes across the modules we ingest, and to power search, export, and API responses.
  • To answer support questions, prevent abuse, and keep the service secure.
  • To improve the product, in aggregate, using usage telemetry.

We do not sell personal data. We do not use your data to train third-party machine-learning models for purposes unrelated to PulseSignal.

06

Sub-processors

We rely on a small number of service providers to run PulseSignal. The complete list, what each one does, and where they are located is maintained at /privacy/sub-processors. Material additions are announced on that page and by email, at least 30 days before the new provider begins processing customer data.

07

International transfers

PulseSignal hosts its application and primary database in the United States (Ashburn, Virginia). Billing is handled by our Merchant of Record, Polar.sh (Polar Software, Inc.), in the United States, which in turn uses Stripe as its payment processor (United States, and Ireland for EU customers). Error monitoring (Sentry) and product analytics (PostHog) are hosted in the European Union where the EU region is available and otherwise in the United States. The full sub-processor list, including each provider’s location, is at /privacy/sub-processors.

Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country that has not received an adequacy decision (principally the United States), we rely on the appropriate transfer mechanism: the European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Modules 2 and 3) for EU transfers, the UK International Data Transfer Addendum (IDTA) for UK transfers, and the EU SCCs as modified by the Swiss FDPIC for Swiss transfers. The transfer terms are documented in each provider’s DPA and incorporated into our own Data Processing Addendum. We supplement contractual safeguards with technical measures: TLS 1.2+ in transit, AES-256 at rest, structured audit logging, and least-privilege access. A transfer impact assessment for the current sub-processor stack is available on written request.

For transfers from Canada (PIPEDA / Quebec Law 25), Brazil (LGPD), India (DPDP), Singapore (PDPA), and Australia (Privacy Act 1988), see the corresponding section on /privacy/regional.

08

Your rights

The complete catalog of rights, the law each one rests on, the timeline that applies, and the exact path to exercise it is at /privacy/data-subject-rights. Region-specific rights (CCPA, UK ICO, India DPDP grievance, ANPD, OAIC, PDPC, OPC, CAI) are at /privacy/regional. You can also exercise any right by writing to privacy@pulsesignal.co. Those rights typically include:

  • Access to the personal data we hold about you.
  • Correction of inaccurate personal data.
  • Erasure of personal data, subject to exceptions where a statutory public record requires us to continue mirroring upstream. You can submit a structured request via our erasure-request form; we hard-delete the matching officer and leadership records and tombstone them so subsequent ingests cannot resurrect the row.
  • Restriction or objection to processing based on legitimate interests.
  • Portability of information you have provided directly.
  • Withdrawal of consent for marketing, at any time.
  • A right to complain to your local data-protection authority. The regulator list, including the BfDI (Germany), the UK ICO, the California CPPA, the Brazilian ANPD, the Indian Data Protection Board (when operational), the Singapore PDPC, the Office of the Privacy Commissioner of Canada, and the Australian OAIC, is at /privacy/regional.

We respond within the timeline required by the law that applies to you: 30 days under GDPR / UK GDPR / DPDP / PIPEDA / PDPA / Privacy Act, 45 days under CCPA (extendable by another 45 days with notice), and 15 days under LGPD. We may ask for proof of identity before we act, to prevent impersonation attacks against the data we hold.

09

Retention

We retain personal data only for as long as we need it for the purpose it was collected, and then we delete it on an automated monthly sweep. The conservative defaults are:

  • Account data (email, name, password hash, configuration): life of the account plus 30 days.
  • Billing and invoice records: 7 years from the date of the transaction, to satisfy U.S. IRS, UK HMRC, EU VAT, and India GST record-keeping requirements.
  • Raw request logs (IP, user-agent, path, timestamp): 30 days.
  • Product analytics: PostHog on a rolling 13-month window; Google Analytics 4 up to 14 months.
  • Error reports (Sentry): 90 days.
  • Support tickets and email correspondence: 2 years from the date of the last message.
  • Audit logs of administrative actions on customer accounts: 1 year.
  • Backups containing any of the above: rolling 35-day cycle; a deletion request flows through to all backup copies on the next cycle.
  • UK Companies House officer mirrors: hard-deleted seven years after the resignation date recorded against the officer, unless the same person still holds a current role on another company we track.
  • Leadership profiles: hard-deleted two years after the last verification, when the company is no longer active.
  • Company-public-fact records (filings, product launches, certifications): kept for as long as the company is actively tracked plus up to two years afterwards. Mirrors of statutory public registries follow the retention policy of the upstream registry; if the registry seals or redacts a record we mirror, our copy is removed on the next ingest.

Where a longer period is required by law (for example, a litigation hold, a tax audit, or a regulator’s data-preservation order), we extend retention only for the affected records and only for as long as the obligation lasts.

10

Cookies and analytics

We use cookies and similar storage to keep you signed in, remember your preferences, and (with your consent) run Google Analytics 4 on pulsesignal.co and app.pulsesignal.co so we can understand aggregate traffic. The full list of cookies, what each one does, and how long it lasts is maintained on the Cookie Policy page. Analytics and marketing cookies require your explicit opt-in via the cookie banner. You can change your choice at any time using the Cookie preferences link in the page footer, or through your browser settings.

11

California privacy rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), grants you the following rights with respect to personal information about you:

  • Right to know the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
  • Right to delete personal information we have collected from you, subject to exceptions (for example, a statutory public record we mirror).
  • Right to correct inaccurate personal information.
  • Right to opt out of any sale or sharing of personal information.
  • Right to limit use of sensitive personal information.
  • Right to non-discrimination for exercising any of these rights.

We do not sell personal information and we have not sold personal information in the preceding 12 months. We share personal information with the sub-processors documented on the sub-processor list solely to operate the Service. We do not knowingly process personal information of consumers under 16. To exercise any of these rights, contact privacy@pulsesignal.co. You may also designate an authorized agent in writing; we will verify the agent’s authorization before acting.

12

Other state privacy laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), New Hampshire (NHPA), New Jersey (NJDPA), Tennessee (TIPA), Minnesota (MCDPA), Indiana (INCDPA), Kentucky (KCDPA), Maryland (MODPA), and Rhode Island (RIDTPPA) have rights substantially similar to those described in the California section above. To exercise those rights, use /privacy/data-subject-rights or contact privacy@pulsesignal.co. We will verify your identity before acting and respond within the timeline required by the applicable statute. We honor the Global Privacy Control (GPC) signal as a valid opt-out of any sale or share, even though we do not engage in those activities today.

13

Privacy rights outside the United States

Residents of the European Economic Area, United Kingdom, Switzerland, Brazil (LGPD), Canada (PIPEDA and Quebec Law 25), India (DPDP 2023), Singapore (PDPA), Australia (Privacy Act 1988), South Africa (POPIA), South Korea (PIPA), Japan (APPI), and other jurisdictions with comprehensive privacy legislation are covered by the dedicated addenda at /privacy/regional. Where local law gives you stronger rights than this Privacy Policy describes, those local rights apply.

14

Use of language models and AI

We use third-party large-language-model providers as a component of the Service to summarize and classify public-source content. The full provider list is in our sub-processor list. These providers process our prompts under their standard published API terms. We route any prompt that could contain personal data, in code, away from providers we cannot confirm exclude our inputs from model training, and never to a provider in a non-adequacy jurisdiction; but we do not hold a separately negotiated agreement with every model host, so we do not claim a blanket contractual no-training or zero-retention guarantee across the full provider set. We keep exposure low by minimising what is sent: prompts carry public company facts and, at most, publicly identified officer names, and never customer account data, credentials, payment details, or special-category personal data.

We do not use personal information about you to train, fine-tune, or evaluate any AI or machine-learning model. Aggregated, anonymized, and de-identified telemetry (for example, average API latency, total companies tracked, error rates) may be used to operate, benchmark, and improve the Service.

Automated processing in the Service is limited to: severity scoring of changes, deduplication of near-identical events across sources, language-model summarization, and similarity search. None of these produce a legal effect or similarly significant effect on you within the meaning of GDPR Article 22 or comparable U.S. state law; the outputs are operational metadata, not decisions about people.

15

Children's data

PulseSignal is a product for professional use and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe we have collected information about a child, contact privacy@pulsesignal.co and we will delete it.

16

Security

We protect user data with industry-standard controls: TLS 1.2+ in transit, AES-256 at rest, least-privilege access, structured audit logs, and routine review of dependency vulnerabilities. Production access is gated by single sign-on with two-factor authentication and is logged. Backups are encrypted and rotated on a 35-day cycle. The full control inventory, including incident-response runbook and disclosure program, is at /security.

Certifications we do and do not have. We do not claim certifications we have not earned. Our current posture: we follow SOC 2-aligned Trust Services Criteria controls internally, but a formal AICPA audit is not yet in scope and we do not claim a SOC 2 report; we will engage an auditor once paying-customer revenue justifies the cost. ISO 27001, HIPAA, PCI-DSS, and FedRAMP are not in scope today. We will update this page and /security if and when our posture changes.

We coordinate disclosure of security issues at security@pulsesignal.co. We will acknowledge a report within two business days and keep the reporter informed. No online service can guarantee absolute security.

Breach notification. We notify the relevant supervisory authority and affected data subjects in line with our legal obligations: within 72 hours of becoming aware of the breach for GDPR/UK GDPR/Swiss FADP; without unreasonable delay for CCPA and other US state laws; without undue delay (and within 72 hours of becoming aware) for India DPDP Rules 2025; within 72 hours for the LGPD ANPD; as soon as practicable for the Australian OAIC under the Notifiable Data Breaches scheme; and to PIPEDA / Quebec Law 25 standards for Canadian data subjects. We will also notify our business customers, under the DPA, of any breach affecting Personal Data they control, within 48 hours of becoming aware.

17

Data Processing Addendum

Business customers who process the personal data of EU/UK/Swiss residents (or LGPD, DPDP, PIPEDA, PDPA, Privacy Act data subjects) through PulseSignal can co-sign our pre-signed Data Processing Addendum, which incorporates the EU Standard Contractual Clauses (Modules 2 and 3), the UK IDTA, and the Swiss FADP addendum. Email privacy@pulsesignal.co from the billing email on the account, with the countersigned page attached, and we will return a fully executed copy within five business days.

18

Acceptable use

How you may and may not use the Service and the data we deliver is set out in our Acceptable Use Policy. It is part of the Agreement.

19

Changes to this policy

Effective date 2 June 2026. The immediately prior version was effective from 22 May 2026. Material changes since then: added GDPR Article 14 transparency notice for third-party data subjects; expanded retention table with per-category timelines; added GPC declaration; added jurisdiction-specific regulator contacts and timelines (UK, India, Brazil, Canada, Singapore, Australia); added explicit breach-notification SLAs by jurisdiction; added pointers to the new DPA, AUP, regional-notices, and data-subject-rights pages; clarified the controller/processor split.

We will continue to update this policy as our modules, sub-processors, and regulatory exposure change. Material changes are announced through an in-product banner and by email to active customers at least 30 days before they take effect.

20

Contact

Privacy questions: privacy@pulsesignal.co.
Rights requests (access, correction, deletion, portability, objection): /privacy/data-subject-rights.
Erasure request flow: /privacy/erasure-request or privacy@pulsesignal.co.
India DPDP Grievance Officer: privacy@pulsesignal.co.
Regional regulators: /privacy/regional.
Security disclosures: security@pulsesignal.co.
Product and support: hello@pulsesignal.co.