Privacy Policy
How we collect, use, and protect personal data across the Pulspective platform.
Last updated: 23 May 2026
This Privacy Policy describes how Pulspective (“Pulspective”, “we”, “our”, or “us”) collects, uses, and discloses personal data in connection with the Pulspective platform and website (collectively, the “Service”). We are committed to protecting personal data in accordance with Singapore's Personal Data Protection Act 2012 (PDPA).
By using the Service, you confirm that you have read and understood this Privacy Policy.
1. Data Controller
Pulspective is the data controller in respect of personal data collected directly from visitors to our website and from managers who use the platform. In respect of member data collected on behalf of a Customer organisation (“Customer”), Pulspective acts as a data processor; the Customer is the data controller. Please refer to the relevant Customer's privacy policy for information about how they govern that data.
To contact us about data protection matters: privacy@pulspective.com
2. Data We Collect
2a. Member data (collected on behalf of Customers)
When a shift worker joins the platform via an invite link, we collect and store:
- Email address (used to verify whitelist membership and authenticate the account)
- Display name and profile photo (optional, sourced from the OAuth provider or set by the member)
- Group assignment and employment status within the Customer organisation
- Timestamped check-in responses: wellbeing scores, free-text offload entries, and rotating question answers, linked to the authenticated account
- Concern submissions: category, urgency level, title, description, and any follow-up messages. Members may choose to submit a concern without their name being shown to managers; however, the submission remains linked to their account in the database
- Compliment messages sent within the platform
- Push notification subscription tokens (if the member opts in to notifications)
- Last active timestamp
2b. Manager account data
When a manager registers or logs in, we collect:
- Email address (used for magic-link authentication)
- Organisation name, display name, and role (where provided)
- Authentication session tokens (stored in secure cookies)
- Usage data: pages visited and actions taken within the dashboard
2c. Contact form submissions
When you submit a demo request or enquiry, we collect:
- Name, work email address, job title, organisation name, country, staff count, and any message you provide
2d. Technical data
- IP address, browser type and version, operating system, referring URL
- Cookies: see our Cookie Policy for details
3. How We Use Your Data
We use personal data for the following purposes:
- To provide the Service: authenticate users, process check-ins, generate team-level analytics, and deliver communications
- To respond to enquiries: follow up on demo requests and support questions
- To improve the Service: analyse usage patterns to fix bugs and improve features (using aggregate, non-identifiable data only)
- To comply with legal obligations: respond to lawful requests from regulatory authorities
We do not use personal data for advertising, profiling, or any purpose other than those listed above.
4. Manager Visibility and Data Minimisation
Members authenticate using their email address, and their check-in and concern data is linked to their authenticated account in the database. However, Pulspective applies strict limits on what managers can see through the platform interface:
- Trend analytics are displayed at the team level only. Individual check-in scores or responses are never surfaced in the manager dashboard. A minimum response threshold is required before trend data is displayed, reducing the risk of de-anonymisation in small teams.
- Concern reports submitted with the anonymous option hide the member's name from managers. The underlying submission remains linked to the member's account in the database for data integrity purposes, but this association is not accessible through the platform interface.
- Compliments are visible to managers at the group level without individual attribution unless the member chose to include their name.
These measures do not make the platform anonymous by design. Members' email addresses and identities are collected and stored. The protections described above are applied at the interface level to limit what managers can access through normal platform use.
5. Data Sharing and Sub-processors
We share personal data only with the following sub-processors:
- Supabase Inc. (infrastructure, database, and authentication provider, United States): processes all platform data on our behalf under a Data Processing Agreement. Supabase is SOC 2 Type II certified.
- Resend Inc. (transactional email provider, United States): processes manager email addresses solely to deliver authentication and notification emails on our behalf.
- Getstream Inc. (messaging infrastructure provider, United States): processes member and manager identifiers and message content in connection with the in-app chat and concern messaging features.
- Vercel Inc. (hosting and content delivery, United States): hosts and serves the Pulspective application. May process IP addresses and request metadata in connection with content delivery.
We do not sell, rent, or share personal data with any other third parties. We will disclose personal data to law enforcement or regulatory bodies only where required by applicable law.
6. Data Retention
- Member check-in and concern data: retained for the duration of the Customer contract plus 30 days, after which it is permanently deleted
- Manager account data: retained until the account is closed plus 30 days
- Contact form submissions: retained for 12 months from the date of submission
- Authentication logs: retained for 90 days
7. Your Rights Under the PDPA
Where Pulspective is the data controller, you have the right to:
- Access: request a copy of personal data we hold about you
- Correction: request that inaccurate personal data be corrected
- Withdrawal of consent: withdraw consent to processing where consent is the legal basis
- Erasure: request deletion of your personal data (subject to our legal obligations)
To exercise any of these rights, contact us at privacy@pulspective.com. We will respond within 30 days.
If you are a member and wish to have your account and associated data removed, please contact your organisation's administrator or reach us at the address above. Previously submitted check-in responses that have been incorporated into aggregated team-level analytics cannot be individually identified or removed.
8. Data Security
We implement the following security measures:
- All data in transit encrypted via TLS 1.2 or higher
- All data at rest encrypted via AES-256
- Manager authentication via single-use magic links (no passwords stored)
- Role-based access controls enforced at the database level via Row Level Security
- Access to production systems limited to authorised personnel only
9. Data Breach Notification
In the event of a data breach that is likely to result in significant harm to affected individuals, we will notify the Personal Data Protection Commission (PDPC) and affected Customers without undue delay, and in any event within 3 business days of becoming aware of the breach, as required under the PDPA Notification Obligation.
10. Cross-Border Data Transfers
Personal data may be transferred to and stored on servers outside Singapore (including in the United States, where our sub-processors are headquartered). Where we transfer personal data outside Singapore, we ensure that the recipient provides a standard of protection comparable to the PDPA, including through contractual arrangements.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify Customers by email at least 14 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.
12. Contact Us
For any questions about this Privacy Policy or our data practices, please contact:
Pulspective: Data Protection
privacy@pulspective.com