Pulse HR Back to home

Privacy Policy

Last updated: April 17, 2026

Pulse HR ("we", "us", "our") provides a multi-tenant HR portal that customer organizations ("Customers") use to manage their employees ("Users"). This policy explains what personal data we process, why, how we protect it, and your rights.

1. Roles

For data Customers upload about their employees (profiles, time tracking, leave, documents, assets), the Customer is the data controller and Pulse HR is the data processor. For account and billing data of Customer admins, Pulse HR is the controller.

2. Data we collect

  • Account data: name, work email, password hash, role.
  • Profile data: job title, department, manager, hire date, phone, optional date of birth and avatar.
  • Operational data: attendance logs, leave requests and balances, document metadata and uploads, asset assignments, internal requests, knowledge-base activity.
  • Technical data: IP address, user-agent, session tokens, audit logs of administrative actions.

3. How we use data

  • To provide and operate the HR portal for your organization.
  • To authenticate users and enforce role-based access controls.
  • To detect, prevent, and respond to abuse, fraud, and security incidents.
  • To send transactional emails (account confirmation, password reset, invites).
  • To comply with legal obligations.

We do not sell personal data. We do not use Customer data to train AI models.

4. Tenant isolation

Each Customer's data is logically isolated using PostgreSQL Row Level Security policies enforced at the database layer. Roles are stored in a dedicated user_roles table that cannot be modified by end users, preventing privilege escalation.

5. Subprocessors

We rely on a small number of vetted subprocessors to operate the service:

  • Supabase — managed Postgres, authentication, file storage.
  • Cloudflare — application hosting and edge compute.
  • Email infrastructure provider — transactional email delivery.

6. Data retention

Customer data is retained for the duration of the subscription and deleted within 30 days of account termination, except where longer retention is required by law. Customers can export their data at any time from the settings page.

7. Your rights

Subject to applicable law (GDPR, UK GDPR, CCPA, and others), you have the right to access, correct, export, and delete your personal data, and to object to or restrict processing. Employees should contact their employer (the Customer) first; we will assist the Customer in fulfilling such requests.

8. Security

  • Encryption in transit (TLS 1.2+) and at rest.
  • Passwords hashed and checked against the Have I Been Pwned database on signup and change.
  • Audit logs for all super-admin actions.
  • Least-privilege access for our personnel.

9. International transfers

Data may be processed in regions where our subprocessors operate. Where required, transfers are protected by Standard Contractual Clauses or equivalent safeguards.

10. Children

Pulse HR is not directed to anyone under 16 and we do not knowingly collect data from children.

11. Changes

We may update this policy. Material changes will be notified to admins by email and announced in-app at least 14 days before they take effect.

12. Contact

Questions or requests: privacy@pulsehr.example.com.