Regional privacy notices

Controller. PulseSignal is the controller of personal data described in our Privacy Policy. Where you, as a business customer, use the Service to process the personal data of others, you act as the controller and we act as your processor under our Data Processing Addendum.

Legal basis. Our Article 6 legal bases are stated in section 4 of the Privacy Policy: contract for account data, legitimate interests for third-party-company observations, legal obligation for statutory-registry mirroring, and consent for optional marketing.

Article 14 notice to third-party data subjects. Where we obtain personal data about a named officer or executive from a public source (UK Companies House, SEC filings, a company’s own team page, etc.), we rely on Article 14(5)(b): direct notice is impossible or would involve disproportionate effort given the volume and the public nature of the upstream record. This page, together with our Privacy Policy and erasure-request form, constitutes the public notice required under Article 14(5)(b).

Your rights. Access (Article 15), rectification (16), erasure (17), restriction (18), portability (20), objection (21), and not to be subject to a decision based solely on automated processing (22). To exercise, use /privacy/data-subject-rights or email privacy@pulsesignal.co. We respond within one month (extendable by two further months for complex requests, under Article 12(3)).

EU representative. We are evaluating an Article 27 representative; we do not currently have a designated representative in the Union. We will appoint one before the threshold conditions in Article 27(2) cease to apply.

Supervisory authority. You have the right to lodge a complaint with a supervisory authority, in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. PulseSignal is not established in the European Union and does not designate a single lead supervisory authority; you may contact the supervisory authority for your own jurisdiction. The Swiss FDPIC (www.edoeb.admin.ch) handles Swiss complaints.

The rights and processes in section 1 apply equally to UK residents under the UK GDPR and the Data Protection Act 2018. Your supervisory authority is the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, tel 0303 123 1113, ico.org.uk.

UK-to-third-country transfers are covered by the UK International Data Transfer Addendum (IDTA) or the UK Addendum to the EU SCCs, as described in our DPA.

Categories of personal information we collect from a California consumer, by reference to Cal. Civ. Code § 1798.140:

• Identifiers (name, email, IP address).
• Customer records (account configuration, billing reference).
• Commercial information (subscription plan, purchase history).
• Internet or other electronic network activity (cookies, usage telemetry, log files).
• Geolocation (coarse only, derived from IP).
• Inferences drawn from the above for the sole purpose of operating the Service (for example, “this account is on the Professional plan and has used the Slack delivery integration this month”).

Sources: directly from you, from your browser as you use the Service, and from our sub-processors. Purposes: to operate, secure, bill, and improve the Service. Categories of third parties with whom we share for these purposes: the sub-processors listed at /privacy/sub-processors.

Sensitive Personal Information. We do not collect or process Sensitive PI within the meaning of CCPA § 1798.140(ae) (we do not collect government ID numbers, financial-account login credentials, precise geolocation, racial/ethnic origin, religious or philosophical beliefs, union membership, mail/email/text content of communications, genetic or biometric data, health data, sexual-orientation data). Account passwords are stored as one-way hashes and are not used for any purpose other than authentication.

Sale / share. We do not sell personal information and we do not share personal information for cross-context behavioural advertising, within the meaning of the CCPA. We have not done so in the preceding 12 months.

Retention. See section 9 of the Privacy Policy. Briefly: account data for the life of the account plus 30 days; billing records for 7 years (US tax-record requirements); usage telemetry in a rolling 13-month window; raw logs 30 days; analytics 13 months.

Your CCPA rights: know, access (including a portable copy), correct, delete, limit use of Sensitive PI (not applicable as we do not collect Sensitive PI), opt out of sale/share (not applicable as we do not sell or share), and non-discrimination. To exercise, use /privacy/data-subject-rights or email privacy@pulsesignal.co. You may also designate an authorised agent in writing. We verify identity by matching the request against your account email and may ask for two additional pieces of identifying information for deletion and access requests. We respond within 45 days, extendable by another 45 days with notice. Right to appeal an adverse determination: reply to our response with “I am appealing” in the subject and we will escalate to a second reviewer. You may also complain to the California Privacy Protection Agency at cppa.ca.gov or the California Attorney General at oag.ca.gov/privacy.

Global Privacy Control. We treat a GPC signal as a valid opt-out request for any sale or share, regardless of cookie-banner state. Because we do not engage in sale or share, the GPC signal currently has no practical effect on us, but we honour it and would honour it if our practices changed.

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), New Hampshire (NHPA), New Jersey (NJDPA), Tennessee (TIPA), Minnesota (MCDPA), Indiana (INCDPA), Kentucky (KCDPA), Maryland (MODPA), and Rhode Island (RIDTPPA) have substantially similar rights to those described in section 3 above. To exercise, use /privacy/data-subject-rights. Where the state law gives you the right to appeal an adverse determination, you may also appeal by replying to our response. We do not engage in “targeted advertising,” “sale,” or “profiling that produces a legal or similarly significant effect” within the meaning of these statutes.

The Brazilian Lei Geral de Proteção de Dados Pessoais (Law 13.709/2018, “LGPD”) gives you rights to confirmation, access, correction, anonymisation/blocking/deletion of unnecessary or excessive data, portability, information about public and private entities with whom we shared your data, information about the possibility of refusing consent (with consequences), and revocation of consent. We rely on legitimate interests (LGPD Article 7, IX) for the same purposes described in our global Privacy Policy.

Data Protection Officer (Encarregado). Until we appoint a Brazil-resident DPO, you may direct LGPD requests and complaints to privacy@pulsesignal.co. We respond within 15 days, in Portuguese on request.

Supervisory authority. Autoridade Nacional de Proteção de Dados (ANPD), www.gov.br/anpd.

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec’s Act respecting the protection of personal information in the private sector, as amended by Law 25 (2021), give you the rights to access, correct, withdraw consent, and complain about our handling of your personal information. We process Canadian personal information on the basis of consent (express, by signing up) and legitimate purposes a reasonable person would consider appropriate in the circumstances.

Privacy Officer. Direct PIPEDA / Law 25 requests to privacy@pulsesignal.co. We respond within 30 days. For Quebec residents, the same office acts as the “person in charge of the protection of personal information” under Law 25.

Cross-border transfers. Under Quebec Law 25, we have carried out a privacy impact assessment of cross-border transfers to our U.S. sub-processors and confirmed appropriate protections (SCCs / DPA, encryption, access logging). The assessment is available on written request.

Authorities. Office of the Privacy Commissioner of Canada (OPC), priv.gc.ca, tel 1-800-282-1376. Commission d’accès à l’information du Québec (CAI), cai.gouv.qc.ca.

India’s Digital Personal Data Protection Act 2023 (DPDP) and the DPDP Rules 2025 give Indian residents the rights to access, correction, completion, updating, erasure, and grievance redressal, and the right to nominate another person to exercise rights in the event of death or incapacity. We obtain consent at signup for the processing described in our Privacy Policy, and we may also rely on “legitimate uses” under DPDP Section 7 where applicable.

Grievance Officer. Until the Data Protection Board of India issues operational rules that require a different role, we designate the following point of contact as Grievance Officer for DPDP purposes:

• Designation: Grievance Officer
• Role: Grievance Officer, PulseSignal
• Email: privacy@pulsesignal.co
• Address: available on written request to the email above.

We acknowledge grievances within 72 hours and resolve them within 30 days, as required by DPDP Rules 2025. If you are not satisfied with our response, you may approach the Data Protection Board of India once it is operational. Until then, we follow DPDP Rules 2025 best practice and treat the Ministry of Electronics and Information Technology (MeitY) at meity.gov.in as the interim contact for systemic concerns.

Children. We do not knowingly process the personal data of children under 18 from India. If you believe we have, contact the Grievance Officer above and we will delete it.

Significant data fiduciary. We do not believe we currently meet the volume or sensitivity thresholds to be notified as a Significant Data Fiduciary under DPDP Section 10. We will publish a separate notification, appoint a resident DPO, and conduct independent Data Protection Impact Assessments if and when we are notified.

Singapore’s Personal Data Protection Act 2012, as amended in 2020, gives you the rights of access and correction, and the right to withdraw consent for any purpose. We comply with the nine main obligations (consent, purpose limitation, notification, access and correction, accuracy, protection, retention limitation, transfer limitation, openness) and the Do Not Call provisions.

Data Protection Officer (Singapore). We designate privacy@pulsesignal.co as our PDPA DPO contact. We respond to access and correction requests within 30 days. Supervisory authority: Personal Data Protection Commission (PDPC), pdpc.gov.sg.

The Australian Privacy Principles (APPs) under the Privacy Act 1988 give Australian residents rights of access, correction, and complaint, and protect against use of personal information for direct marketing without an opt-out. We handle Australian personal information consistently with our global Privacy Policy and the APPs.

Cross-border disclosure. Under APP 8, we take reasonable steps to ensure our overseas sub-processors handle Australian personal information consistently with the APPs, primarily through the DPA and SCCs described in our DPA page.

Notifiable Data Breaches. If a data breach is likely to result in serious harm to Australian individuals, we notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, as required by Part IIIC of the Privacy Act. Authority: OAIC, oaic.gov.au, tel 1300 363 992.

PulseSignal is a product for professional use and is not directed at children. We do not knowingly collect personal information from anyone under 16 (or under the higher age set by local law: 18 in India under DPDP, 14 in Spain, 13 in the U.S. under COPPA, etc.). We do not run advertising and we do not engage in cross-context behavioural advertising. If you are a parent or guardian and you believe a child has provided personal information to us, contact privacy@pulsesignal.co and we will delete it without undue delay.

We extend, to residents of jurisdictions not specifically listed above, the rights and processes that most closely correspond under their local law (typically: access, correction, deletion, objection, and a complaint to the local regulator). To exercise, use /privacy/data-subject-rights or email privacy@pulsesignal.co. If your local law gives you stronger rights than this page describes, those rights apply.

Effective date 2 June 2026 (prior version: 22 May 2026). Material additions to the regulator list, the rights table, or our cross-border transfer mechanisms will be announced by in-product banner and by email to active customers at least 30 days before they take effect.