Privacy Policy
Effective date · 22 May 2026
This Privacy Policy explains how PulseSignal (“we”, “us”) handles personal data. It covers two distinct data surfaces:
- Personal data we collect directly from users of the PulseSignal product (customers and subscribers).
- Business and public-registry information we collect about third-party companies, their products, filings, and officers, in order to power the PulseSignal intelligence service.
Who we are
The data controller is PulseSignal. You can reach our privacy contact at privacy@pulsesignal.co. General product and billing questions go to hello@pulsesignal.co.
Information we collect about you as a user
When you sign up, subscribe, or use PulseSignal we collect:
- Account information: email address, display name, password hash.
- Product configuration: saved searches, pinned companies, custom alert rules, digest cadence, webhook URLs, Slack delivery tokens.
- Usage events: which pages you visit inside the product, which features you use, and when. This is kept in aggregate to improve the service.
- Billing information: handled by our payment provider. We store a customer reference and plan metadata, not card numbers.
- Support correspondence: any email or message you send us about the service.
Information we collect about third-party companies
PulseSignal is an intelligence service about SaaS companies. To build that product we observe publicly available information about companies, their products, their filings, and, in narrow cases, their publicly identified officers. We do not profile private individuals. The observations are organised into a set of data modules. Each module is documented with its upstream sources, whether it can touch personal data, the legal basis we rely on, and how long we retain the output. The full module matrix is maintained internally and is available on request at privacy@pulsesignal.co.
In plain English, our 16 distinct data modules, grouped here for readability, cover:
- Product and pricing pages published by the company.
- Public job posts and careers-page listings.
- Public funding, product-launch, and changelog announcements.
- Public reviews and aggregate sentiment on G2, Capterra, Trustpilot, the app stores, Comparably, and similar platforms.
- Public DNS, certificate transparency logs, and trust/security page signals.
- Public GitHub, GitLab, Bitbucket, package registry, and developer community footprints.
- Public statutory filings: UK Companies House, SEC EDGAR, MCA India, OFLC H-1B LCA, and related registries.
- Public federal contracting, lobbying, and enforcement disclosures (USAspending, SAM.gov, Senate LDA, FDA, FTC, FCC, CPSC, OSHA, EPA).
- Public court dockets (CourtListener) and WIPO UDRP domain disputes.
- Public certifications: B Corp, FedRAMP, 1% for the Planet, GLEIF LEI, SOC / ISO / HIPAA / PCI badges.
- Publicly listed executive and director profiles (name and role), drawn from the company’s own team pages and from statutory registries.
Where a statutory registry publishes personal data as part of a legal regime (for example, a named director in a corporate filing), we reflect that published record; we do not originate it. If a registry redacts or seals a record, our mirror of that record will be removed or redacted when we next ingest.
Legal basis (GDPR Article 6)
- Contract (Article 6(1)(b)) for information collected directly from you to deliver the service: account, saved configuration, alerts, digests, webhook delivery.
- Legitimate interests (Article 6(1)(f)) for information we collect about third-party companies to deliver competitive intelligence about public and commercial activity. Our legitimate interest is operating a professional market-intelligence service; we have weighed this against the rights of data subjects and apply safeguards including restriction to publicly observable information, redaction on valid request, and proportionate retention.
- Legal obligation (Article 6(1)(c)) applies, where relevant, to our mirroring of statutory public registries (company registries, securities filings, court records, enforcement records).
- Consent (Article 6(1)(a)) for optional marketing communications. You can withdraw consent at any time by emailing us.
How we use the data
- To operate the product and show you competitive intelligence about the companies you track.
- To generate daily or weekly digests, per-company briefings, and custom alerts you have configured.
- To detect changes across the modules we ingest, and to power search, export, and API responses.
- To answer support questions, prevent abuse, and keep the service secure.
- To improve the product, in aggregate, using usage telemetry.
We do not sell personal data. We do not use your data to train third-party machine-learning models for purposes unrelated to PulseSignal.
Sub-processors
We rely on a small number of service providers to run PulseSignal. The complete list, including what each provider does and where it is located, is maintained at /privacy/sub-processors. Material additions are announced on that page and by email, at least 30 days before the new provider begins processing customer data.
International transfers
PulseSignal is operated from the United States and most of our infrastructure providers are also US-based. Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on the European Commission Standard Contractual Clauses (SCCs) built into each provider’s data processing addendum, together with technical safeguards such as in-transit encryption, at-rest encryption, and access logging.
Your rights
Where applicable law grants you rights over personal data, you can exercise them by writing to privacy@pulsesignal.co. Those rights typically include:
- Access to the personal data we hold about you.
- Correction of inaccurate personal data.
- Erasure of personal data, subject to exceptions where a statutory public record requires us to continue mirroring upstream. You can submit a structured request via our erasure-request form; we hard-delete the matching officer and leadership records and tombstone them so subsequent ingests cannot resurrect the row.
- Restriction or objection to processing based on legitimate interests.
- Portability of information you have provided directly.
- Withdrawal of consent for marketing, at any time.
- A right to complain to your local data-protection authority. In the EU, that is typically the supervisory authority of your country of residence.
We will respond within 30 days of a verified request. We may ask for proof of identity before we act, to prevent impersonation attacks against the data we hold.
Retention
Account data is kept for the lifetime of your PulseSignal account and for up to 30 days afterwards, unless a longer period is required by law (for example, invoicing records). Usage analytics is kept in a rolling 13-month window.
Information about third-party companies is kept for as long as the company is actively tracked by PulseSignal plus up to two years afterwards. Mirrors of statutory public registries follow the retention policy of the upstream registry.
Personal data we hold about named individuals follows two specific retention windows enforced by an automated monthly sweep:
- UK Companies House officers: hard-deleted seven years after the resignation date recorded against the officer, unless the same person still holds a current role on another company we track.
- Leadership profiles: hard-deleted two years after the last verification, when the company is no longer active.
Cookies and analytics
We use cookies and similar storage to keep you signed in, remember your preferences, and (with your consent) run Google Analytics 4 on pulsesignal.co so we can understand aggregate traffic. The full list of cookies, including what each one does and how long it lasts, is maintained on the Cookie Policy page. Analytics and marketing cookies require your explicit opt-in via the cookie banner. You can change your choice at any time from the banner controls or your browser settings.
California privacy rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), grants you the following rights with respect to personal information about you:
- Right to know the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
- Right to delete personal information we have collected from you, subject to exceptions (for example, a statutory public record we mirror).
- Right to correct inaccurate personal information.
- Right to opt out of any sale or sharing of personal information.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising any of these rights.
We do not sell personal information and we have not sold personal information in the preceding 12 months. We share personal information with the sub-processors documented on the sub-processor list solely to operate the Service. We do not knowingly process personal information of consumers under 16. To exercise any of these rights, contact privacy@pulsesignal.co. You may also designate an authorised agent in writing; we will verify the agent’s authorisation before acting.
Other state privacy laws
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other U.S. states with comprehensive consumer-privacy statutes have rights similar to those described in the California section above (typically: access, correction, deletion, portability, and opt-out of targeted advertising or profiling that produces legal effects). To exercise those rights, contact privacy@pulsesignal.co. We will verify your identity before acting and respond within the timeline required by the applicable statute.
Use of language models and AI
We use third-party large-language-model providers as a component of the Service to summarise and classify public-source content. The full provider list is in our sub-processor list. We have contractual commitments from each provider that they will not use the inputs we send them to train their own models, and that our prompts and outputs are not retained beyond the operational window required to serve the response.
We do not use personal information about you to train, fine-tune, or evaluate any AI or machine-learning model. Aggregated, anonymised, and de-identified telemetry (for example, average API latency, total companies tracked, error rates) may be used to operate, benchmark, and improve the Service.
Automated processing in the Service is limited to: severity scoring of changes, deduplication of near-identical events across sources, language-model summarisation, and similarity search. None of these produce a legal effect or similarly significant effect on you within the meaning of GDPR Article 22 or comparable U.S. state law; the outputs are operational metadata, not decisions about people.
Children's data
PulseSignal is a product for professional use and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe we have collected information about a child, contact privacy@pulsesignal.co and we will delete it.
Security
We protect user data with industry-standard controls: TLS in transit, at-rest encryption, least-privilege access, structured audit logs, and routine review of dependency vulnerabilities. Production access is gated by SSO with two-factor authentication and is logged. Backups are encrypted and rotated.
We coordinate disclosure of security issues at security@pulsesignal.co. We will acknowledge a report within two business days and keep the reporter informed. No online service can guarantee absolute security; we report any breach that affects your personal data in line with our legal obligations and, where applicable, within 72 hours of becoming aware of it.
Data Processing Addendum
Business customers who process the personal data of EU/UK/Swiss residents through PulseSignal can request our Data Processing Addendum (DPA), which incorporates the European Commission Standard Contractual Clauses, by emailing privacy@pulsesignal.co. Once signed, the DPA forms part of your subscription agreement.
Changes to this policy
We will update this policy as our modules and providers change. The effective date at the top reflects the most recent revision. Material changes are announced through an in-product banner and by email to active customers at least 30 days before they take effect.
Contact
Privacy questions: privacy@pulsesignal.co.
Erasure / rights requests: /privacy/erasure-request or privacy@pulsesignal.co.
Security disclosures: security@pulsesignal.co.
Product and support: hello@pulsesignal.co.