Legal

Privacy Policy

How we collect, use, and protect your data — and the data of the nursing staff on our platform.

Last updated: 8 April 2026

This Privacy Policy describes how Pulspective (“Pulspective”, “we”, “our”, or “us”) collects, uses, and discloses personal data in connection with the Pulspective platform and website (collectively, the “Service”). We are committed to protecting personal data in accordance with Singapore's Personal Data Protection Act 2012 (PDPA).

By using the Service, you confirm that you have read and understood this Privacy Policy.

1. Data Controller

Pulspective is the data controller in respect of personal data collected directly from visitors to our website and from managers who use the platform. In respect of nurse-linked data collected on behalf of a hospital or healthcare organisation (“Customer”), Pulspective acts as a data processor — the Customer is the data controller. Please refer to the relevant Customer's privacy policy for information about how they govern that data.

To contact us about data protection matters: privacy@pulspective.com

2. Data We Collect

2a. Nurse device data (collected on behalf of Customers)

When a nurse joins a ward via a QR invite code, we generate and store:

  • A randomly generated device UUID — a pseudonymous identifier tied to the device, not to the individual
  • The ward group ID the device was enrolled to
  • Timestamped check-in responses (wellbeing scores, concern submissions, compliments) linked to the device UUID

The device UUID is stored in a long-lived browser cookie on the nurse's device and is transmitted alongside check-in data for the purposes of rate-limiting and personal history recovery. No name, email, or identity is ever collected, so the UUID cannot be linked to a real person by Pulspective. However, because the UUID could theoretically be used to re-identify an individual (e.g., by physical access to a device), we treat it as personal data under the PDPA.

2b. Manager account data

When a manager registers or logs in, we collect:

  • Email address (used for magic-link authentication)
  • Organisation name and role (where provided)
  • Authentication session tokens (stored in secure cookies)
  • Usage data: pages visited, actions taken within the dashboard

2c. Contact form submissions

When you submit a demo request or enquiry, we collect:

  • Name, work email address, job title, organisation name, country, staff count, and any message you provide

2d. Technical data

  • IP address, browser type and version, operating system, referring URL
  • Cookies — see our Cookie Policy for details

3. How We Use Your Data

We use personal data for the following purposes:

  • To provide the Service — process check-ins, generate ward analytics, authenticate managers, and deliver communications
  • To respond to enquiries — follow up on demo requests and support questions
  • To improve the Service — analyse usage patterns to fix bugs and improve features (using aggregate, non-identifiable data only)
  • To comply with legal obligations — respond to lawful requests from regulatory authorities

We do not use personal data for advertising, profiling, or any purpose other than those listed above.

4. Anonymity Architecture

Pulspective is built around a Decoupled Authentication model. During onboarding, a nurse scans a QR code that links their device to a ward group — no name, email, or account is created. The device UUID stored on-device is a randomly generated identifier that carries no connection to a real person.

Check-in responses are stored in the database alongside the device UUID and the ward group ID. This means a Pulspective employee with database access can determine which check-in rows came from the same device — but they cannot determine who that device belongs to, because no name, contact detail, or identity was ever collected during onboarding.

The analytics output visible to managers is always aggregated at the ward level — individual check-in rows and device UUIDs are never exposed through the manager interface. The protection against individual identification comes from the absence of any identity data in the system, not from technical separation of database columns.

5. Data Sharing and Sub-processors

We share personal data only with the following party:

  • Supabase Inc. (infrastructure and database provider, United States) — processes data on our behalf under a Data Processing Agreement. Data is stored on servers in the region selected at account setup. Supabase is SOC 2 Type II certified.

We do not sell, rent, or share personal data with any other third parties. We will disclose personal data to law enforcement or regulatory bodies only where required by applicable law.

6. Data Retention

  • Nurse device and check-in data — retained for the duration of the Customer contract plus 30 days, after which it is permanently deleted
  • Manager account data — retained until the account is closed plus 30 days
  • Contact form submissions — retained for 12 months from the date of submission
  • Authentication logs — retained for 90 days

7. Your Rights Under the PDPA

Where Pulspective is the data controller, you have the right to:

  • Access — request a copy of personal data we hold about you
  • Correction — request that inaccurate personal data be corrected
  • Withdrawal of consent — withdraw consent to processing where consent is the legal basis
  • Erasure — request deletion of your personal data (subject to our legal obligations)

To exercise any of these rights, contact us at privacy@pulspective.com. We will respond within 30 days.

If you are a nurse and wish to remove your device's association with a ward, you may clear the site data for this application in your browser settings. Because check-in responses are decoupled from your device UUID at submission, previously submitted responses cannot be linked back to you and cannot be deleted on an individual basis — they exist only as aggregated ward-level data.

8. Data Security

We implement the following security measures:

  • All data in transit encrypted via TLS 1.2 or higher
  • All data at rest encrypted via AES-256
  • Manager authentication via single-use magic links (no passwords stored)
  • Role-based access controls enforced at the database level via Row Level Security
  • Access to production systems limited to authorised personnel only

9. Data Breach Notification

In the event of a data breach that is likely to result in significant harm to affected individuals, we will notify the Personal Data Protection Commission (PDPC) and affected Customers without undue delay, and in any event within 3 business days of becoming aware of the breach, as required under the PDPA Notification Obligation.

10. Cross-Border Data Transfers

Personal data may be transferred to and stored on servers outside Singapore (including in the United States, where Supabase Inc. is headquartered). Where we transfer personal data outside Singapore, we ensure that the recipient provides a standard of protection comparable to the PDPA, including through contractual arrangements.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify Customers by email at least 14 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.

12. Contact Us

For any questions about this Privacy Policy or our data practices, please contact:
Pulspective — Data Protection
privacy@pulspective.com