Privacy Policy

We collect three categories of information:

1.1 Account information

When you create a Pulse account, we collect:

• Your name
• Your email address
• An encrypted version of your password (we never see or store the plain password)
• The name of your agency / workspace

1.2 Connected platform data

When you connect a third-party platform (such as Google Analytics 4 or Google Ads) via OAuth, we receive and store:

• An access token and refresh token issued by that platform
• The email address of the Google account used to authorize
• The list of properties or accounts that authorization grants us access to
• Whichever properties / accounts you choose to display in Pulse

We do not store any reporting metrics, user-level data, or audience information from these platforms in our database. Reports are fetched from the source platform on demand when you view a dashboard, then discarded once the page renders.

1.3 Usage information

To keep the Service running, our hosting providers (Vercel and Supabase) automatically log:

• IP address
• Browser type and version
• Pages visited
• Timestamps

This is standard server log data used only for security, debugging, and abuse prevention.

We use the information we collect to:

• Authenticate you and keep your sessions active
• Fetch and display reporting data from the platforms you connect
• Refresh OAuth tokens automatically when they expire
• Send transactional emails (sign-up confirmation, password reset)
• Maintain and improve the Service
• Investigate and prevent abuse, fraud, or security incidents

We do not use your data to train any machine learning models, and we do not sell, rent, or trade your information to third parties.

• Database: hosted on Supabase (PostgreSQL) with row-level security policies that restrict each agency's data to its own members.
• OAuth tokens: encrypted at rest using AES-256-GCM with a key that is never sent to your browser.
• Passwords: hashed by Supabase Auth using industry-standard algorithms. We never see them in plain text.
• HTTPS: all traffic is encrypted in transit via TLS.
• Hosting: our application runs on Vercel and our database on Supabase, both SOC 2 Type II certified providers.

To be clear, Pulse does not:

• Modify any campaigns, audiences, bids, or settings in the platforms you connect
• Upload anything to those platforms
• Track individual end-users of your connected websites
• Use cookies for advertising or third-party tracking
• Sell or share your data with marketing partners

We use the following service providers to operate Pulse:

• Supabase — authentication and PostgreSQL database hosting (privacy policy)
• Vercel — application hosting (privacy policy)
• Google — when you connect Google Analytics 4 or Google Ads, your data requests go directly to Google's APIs governed by their privacy policy.

These providers process data on our behalf under their respective data processing agreements.

Pulse's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:

• We only request access to scopes necessary for the features you use (analytics.readonly, adwords).
• We use your data solely to provide reporting features within Pulse.
• We do not transfer your Google data except as needed to render dashboards in your browser.
• We do not use Google data for advertising purposes.
• We do not sell your Google data.
• We do not use Google data to develop, improve, or train generalized AI/ML models.

You can revoke Pulse's access to your Google account at any time via Google Account Permissions.

You have the right to:

• Access: request a copy of the data we hold about you
• Delete: delete your account and all associated data via Settings, or by emailing us
• Disconnect: revoke any connected platform at any time from the Pulse dashboard
• Correct: update your account information from the Settings page
• Export: download any dashboard as PDF or PNG

We retain your account data for as long as your account is active. If you delete your account, we delete all associated data within 30 days, including OAuth tokens, profile information, and workspace records. Server logs are retained for up to 90 days for security purposes.

Pulse is intended for use by professionals managing marketing operations. The Service is not directed to children under 16, and we do not knowingly collect data from anyone under 16.

We may update this policy from time to time. When we make material changes, we will notify active account holders by email and update the "Last updated" date at the top of this page.

For questions about this Privacy Policy, data deletion requests, or any privacy concern, email us at: grow@krytal.com