Privacy Policy
Last updated: May 15, 2026 · Effective date: May 15, 2026
At PulseWork ("we", "our", or "the Service") we take seriously the privacy of the personal data we process on behalf of our customers and their employees. This Privacy Policy describes what data we collect, the purposes for which we use it, with whom we share it, how long we retain it, and how you can exercise your rights as a data subject.
By using the website pulsework.ai, the application app.pulsework.ai, or related channels (collectively, the "Service"), you agree to the practices described in this policy. The Spanish version available at pulsework.ai/privacidad.html is the authoritative version; in case of discrepancy, the Spanish version prevails.
1. Data controller
The data controller for personal data collected through the Service is:
- PulseWork (in the process of being incorporated as a legal entity).
- Legal representative as of this date: Juan Manuel Mendez.
- Contact email for privacy matters: privacy@pulsework.ai.
For employees of customer companies ("Tenants") that use PulseWork as a workforce management tool, PulseWork acts as a data processor and the Tenant acts as the data controller. That is, the Tenant decides what data to load into the platform and for what purpose, and PulseWork processes it on the Tenant's behalf following its documented instructions in the Terms of Use.
2. Personal data we collect
We collect different categories of personal data depending on your relationship with the Service.
2.1 Data you or your employer provide
- Identification: first name, last name, ID type and number, date of birth.
- Contact: corporate email, phone number, address, city, country.
- Employment data: job title, area, team, direct manager, hire date, base salary (when applicable).
- Profile picture: photograph uploaded by the employee or HR administrator.
- Time-off requests: leave type, dates, reason, comments.
- Survey responses: answers to pulse surveys (anonymous or identified, depending on Tenant configuration).
- Performance reviews: 360-degree review answers, peer feedback.
2.2 Data generated by use of the Service
- Authentication data: session ID, JWT tokens, login/logout timestamps, IP address, browser user agent.
- Technical logs: audit, security, and support logs (no sensitive free-text content). UUIDs and timestamps only.
- File metadata: name, size, upload date, and type of uploaded files (e.g. onboarding Excel templates).
2.3 Data from linked third-party accounts (optional)
If you voluntarily decide to connect a third-party account, we collect only the data strictly necessary for the corresponding feature:
- Google Calendar: the email address of your Google account, your unique Google identifier (the "sub" claim of the id_token), and the OAuth tokens (access token and refresh token) needed to create, update, and delete calendar events corresponding to your approved time-off requests in PulseWork. See Section 11 for details.
- Slack: workspace identifier, bot token, and mapping from your Slack ID to your PulseWork ID, to deliver notifications via Slack instead of (or in addition to) email.
2.4 Data we do NOT collect
- We do not collect personal data from minors directly. If we discover we have received data from a minor without consent from their legal guardian, we delete it without delay.
- We do not use third-party cookies for advertising purposes. We use only strictly necessary technical cookies for session functionality.
- We do not sell personal data to third parties under any circumstance.
3. Purposes of processing
We process personal data only for the following purposes:
- Providing the Service: creating, authenticating, and maintaining your account; enabling management of employees, time off, surveys, evaluations, and related modules.
- Operational notifications: sending transactional emails and Slack messages related to Service events (approvals, reminders, survey invitations, password reset).
- Google Calendar sync: when you explicitly authorize it, reflecting your approved time-off as events in your personal Google Calendar.
- Support and customer service: responding to your inquiries, bug reports, and support requests.
- Product improvement: aggregated and anonymized analytics of product usage to identify features to improve (never with identifiable data).
- Legal compliance: responding to requests from competent authorities, judicial requirements, and applicable tax or labor obligations.
- Security: detecting and preventing fraud, unauthorized access, Service abuse, and security breaches.
We will not use your data for purposes other than those stated above without your prior, explicit consent, unless the law authorizes or requires it.
4. Legal basis for processing
Processing is based, depending on the case, on one or more of the following grounds:
- Prior, explicit, and informed consent from the data subject (for example, by accepting this policy when registering or connecting your Google account).
- Performance of a contract to which the data subject is party, or pre-contractual steps at the data subject's request.
- Compliance with a legal obligation to which the controller is subject.
- Legitimate interest of PulseWork in operating, securing, and improving the Service, when such interest does not override the rights of the data subject.
For Tenant employees, the primary legal basis is the employment or service relationship between the employee and the Tenant, complemented by consent given by accepting the Tenant's terms that use PulseWork as an internal tool.
5. Processors and sub-processors
To operate PulseWork we rely on trusted technology service providers that act as processors or sub-processors. Each only accesses data strictly necessary to provide its service, under contractual agreements that guarantee security and confidentiality standards equivalent to ours.
| Provider | Service | Data processed | Location |
|---|---|---|---|
| Supabase | PostgreSQL database, authentication, file storage | All Service data | United States / Singapore (depending on Tenant region) |
| Amazon Web Services (AWS) | Backend hosting (EC2), secrets management (Parameter Store) | Data in transit and processing | us-east-2 (Ohio, USA) |
| SendGrid (Twilio) | Transactional email delivery | Recipient email address, notification content | United States |
| Slack Technologies | Slack notifications (when Tenant configures it) | Slack identifiers, notification content | United States |
| Google LLC | Optional Google Calendar sync (when employee authorizes it) | Calendar events corresponding to your time off | United States |
The current list of sub-processors can be requested at any time by writing to privacy@pulsework.ai.
6. International transfers
Some of our sub-processors are located outside the country of residence of the data subject (mainly the United States). When this occurs, we ensure that transfers are made under contractual clauses protecting personal data at a level equivalent to that required by Colombian data protection law (Law 1581 of 2012 and Decree 1377 of 2013) and to the EU General Data Protection Regulation (GDPR), where applicable.
7. Retention period
We retain personal data only for the time necessary to fulfill the purposes for which it was collected, or as required by applicable law:
- Active employee data: throughout the employee's relationship with the Tenant, plus the period necessary to comply with legal obligations (typically up to 10 years after termination).
- Time-off requests: 5 years from the request end date (payroll support and labor obligations).
- Technical logs: 90 days in detail, aggregated data for up to 1 year.
- Google Calendar OAuth tokens: until the employee disconnects their account or the Tenant terminates its Service subscription. Deleted immediately upon disconnection.
- Anonymous survey responses: indefinitely in aggregated form, without respondent identifier.
If a Tenant terminates its contract with PulseWork, its data is retained for an additional 90 days to allow export before final deletion, unless the law requires a different timeframe.
8. Security measures
We apply reasonable technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or improper disclosure. Such measures include:
- Encryption in transit: all Service traffic travels over TLS 1.2 or higher.
- Encryption at rest: the database is encrypted at the disk level. Google OAuth tokens are additionally encrypted with AES-256-GCM before being persisted.
- Row-Level Security (RLS): the database applies policies that isolate data per Tenant.
- Authentication: session tokens are signed JWTs (ES256 algorithm). Passwords are stored with appropriate hashing.
- Role-based access control: PLATFORM_ADMIN, ACCOUNT_ADMIN, HR_ADMIN, LEADER, and EMPLOYEE; each role only accesses the relevant data.
- Audit logs: we log relevant events (logins, role changes, administrative accesses, controlled user impersonation for support).
- Certified sub-processors: our main sub-processors (Supabase, AWS, SendGrid, Slack, Google) hold SOC 2 Type II, ISO 27001, and equivalent certifications.
No security measure is absolute. If a security incident affecting your personal data should occur, we will notify you without undue delay and inform the competent authorities when required by law.
9. Data subject rights
As a data subject, you have the right to:
- Know, update, and rectify your personal data.
- Access, free of charge, your data being processed.
- Request proof of the authorization granted for the processing of your data.
- Be informed, upon request, about the use given to your personal data.
- Revoke authorization and/or request deletion of your data when the principles, rights, and legal guarantees are not respected.
- File complaints before the Superintendence of Industry and Commerce (SIC) in Colombia, or before the competent authority in your country of residence, for breaches of data protection regulations.
To exercise any of these rights, write to privacy@pulsework.ai clearly stating your request, your identification, and the means to respond to you. We will address your request within the applicable legal deadlines (generally 10 business days for queries and 15 business days for complaints in Colombia).
If you are an employee of a customer company, we recommend first contacting your employer's HR department, since they are the primary controller of your data on the platform. If you do not get a satisfactory response, you can write to us directly.
10. Cookies and similar technologies
The Service uses only strictly necessary cookies:
- Session cookies: keep your session active while you navigate the application.
- Local preferences: store your theme (light/dark) and language preference using localStorage in your browser.
We do not use advertising tracking cookies or third-party marketing cookies. We do not link your activity on PulseWork with other websites or external services.
11. Use of Google data (Google API Services User Data Policy)
When an employee voluntarily decides to connect their Google account to PulseWork to sync time off with Google Calendar, we request the following OAuth scopes:
- openid and email: to identify the Google account being connected and display its email in the connection management screen.
- https://www.googleapis.com/auth/calendar.events: to create, modify, and delete exclusively the events corresponding to time off approved in PulseWork. We do not access any other events in the employee's calendar.
11.1 Limited Use commitment
PulseWork's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google data only to provide and improve user-facing features, in this case syncing time off with Google Calendar.
- We do not sell Google data.
- We do not transfer Google data to third parties, except: (i) as necessary to provide or improve user-facing features, (ii) for security reasons (e.g., investigating abuse), (iii) to comply with applicable law, or (iv) as part of a merger, acquisition, or sale of assets with prior notice to users.
- We do not use Google data for advertising of any kind, including retargeted or personalized advertising.
- We do not allow humans to access Google data, except: (i) with your explicit and specific consent, (ii) for security reasons (investigating abuse), (iii) to comply with applicable law, or (iv) when the data has been aggregated and anonymized such that it can no longer be linked to an individual user.
- We do not use Google data to train or improve generalized AI models, language models (LLMs), or any AI model external to user-facing features.
11.2 How to revoke access
You can revoke PulseWork's access to your Google account at any time in two ways:
- From the application itself: go to your profile at app.pulsework.ai and select Disconnect Google Calendar. This removes OAuth tokens from our database and revokes the refresh token with Google.
- From your Google account: visit myaccount.google.com/permissions, select PulseWork, and revoke access.
After revocation, events previously created by PulseWork in your calendar remain there until you manually delete them. New time off will stop syncing immediately.
12. Changes to this policy
We may occasionally update this Privacy Policy to reflect changes in the Service, in applicable regulations, or in our processing practices. When changes are substantial, we will notify you by email at least 15 calendar days before they take effect.
The current version will always be available at pulsework.ai/privacy.html with the date of the latest update in the header.
13. Contact
If you have questions about this Privacy Policy, about the processing of your data, or want to exercise any rights as a data subject:
- Email: privacy@pulsework.ai
- Website: pulsework.ai
We will respond to your request within the applicable legal deadlines.