Privacy Policy

We collect three categories of information:

1.1 Account information

When you create a Pulse account, we collect:

• Your name
• Your email address
• An encrypted version of your password (we never see or store the plain password)
• The name of your agency / workspace

1.2 Connected platform data

When you connect a third-party advertising or analytics platform — Meta (Facebook & Instagram), Google Ads, Google Analytics 4, TikTok, or Snapchat — via OAuth, we receive and store:

• An access token (and, where the platform issues one, a refresh token)
• The email address or account identifier used to authorize the connection
• The list of ad accounts / properties that the authorization grants us access to
• Whichever ad accounts / properties you choose to display in Pulse

We do not store any reporting metrics, user-level data, or audience information from these platforms in our database. Reports are fetched from the source platform on demand when you view a dashboard, then discarded once the page renders.

1.3 Usage information

To keep the Service running, our hosting providers (Vercel and Supabase) automatically log:

• IP address
• Browser type and version
• Pages visited
• Timestamps

This is standard server log data used only for security, debugging, and abuse prevention.

We use the information we collect to:

• Authenticate you and keep your sessions active
• Fetch and display reporting data from the platforms you connect
• Refresh OAuth tokens automatically when they expire
• Send transactional emails (sign-up confirmation, password reset)
• Maintain and improve the Service
• Investigate and prevent abuse, fraud, or security incidents

We do not use your data to train any machine learning models, and we do not sell, rent, or trade your information to third parties.

• Database: hosted on Supabase (PostgreSQL) with row-level security policies that restrict each agency's data to its own members.
• OAuth tokens: encrypted at rest using AES-256-GCM with a key that is never sent to your browser.
• Passwords: hashed by Supabase Auth using industry-standard algorithms. We never see them in plain text.
• HTTPS: all traffic is encrypted in transit via TLS.
• Hosting: our application runs on Vercel and our database on Supabase, both SOC 2 Type II certified providers.

Pulse uses a small number of cookies:

• Essential cookies — set by our authentication provider (Supabase) to keep you signed in and secure your session. The Service cannot function without these, so they are strictly necessary and not subject to consent.
• Analytics cookies — we use Google Analytics 4 to understand aggregate, de-identified usage (which pages are visited, broad traffic sources) so we can improve the product. Google Analytics sets cookies such as _ga. We do not use this data to identify you personally.

We do not use advertising, retargeting, or cross-site tracking cookies. You can opt out of Google Analytics with the Google Analytics Opt-out Browser Add-on or by blocking cookies in your browser. Wherever you are, you can limit analytics cookies using that opt-out or your browser's cookie controls.

To be clear, Pulse does not:

• Modify any campaigns, audiences, bids, or settings in the platforms you connect
• Upload anything to those platforms
• Track individual end-users of your connected websites
• Use advertising or ad-retargeting cookies
• Sell or share your data with marketing partners

We use the following service providers to operate Pulse:

• Supabase — authentication and PostgreSQL database hosting (privacy policy)
• Vercel — application hosting (privacy policy)
• Google — Google Analytics 4 (product analytics), and, when you connect Google Analytics 4 or Google Ads, your data requests go directly to Google's APIs (privacy policy)
• Meta Platforms — when you connect Meta (Facebook & Instagram), your data requests go directly to Meta's Marketing API (privacy policy)
• TikTok — when you connect TikTok, requests go to the TikTok Marketing API (privacy policy)
• Snap (Snapchat) — when you connect Snapchat, requests go to the Snap Marketing API (privacy policy)

These providers process data on our behalf under their respective data processing agreements.

Pulse's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements:

• We only request access to scopes necessary for the features you use (analytics.readonly, adwords).
• We use your data solely to provide reporting features within Pulse.
• We do not transfer your Google data except as needed to render dashboards in your browser.
• We do not use Google data for advertising purposes.
• We do not sell your Google data.
• We do not use Google data to develop, improve, or train generalized AI/ML models.

You can revoke Pulse's access to your Google account at any time via Google Account Permissions.

When you connect Meta (Facebook & Instagram) through Facebook Login for Business, Pulse's use of information received from Meta complies with the Meta Platform Terms and Developer Policies:

• We request only the permissions needed to read your advertising data — ads_read (to read ad insights such as spend, impressions, and conversions) and business_management (to list the ad accounts in your Business Manager so you can choose which to report on). We also receive your basic public profile and email to identify the connected account.
• We use this data solely to display reporting dashboards and generate reports within Pulse. Access is read-only — Pulse never creates, edits, pauses, or otherwise modifies ads, audiences, budgets, or settings.
• We do not sell Meta data, do not transfer it except as needed to render your dashboards, do not use it for advertising, and do not use it to develop or train AI/ML models.

You can revoke Pulse's access at any time from Facebook Settings → Business Integrations or by disconnecting Meta inside Pulse. See our Data Deletion instructions.

You have the right to:

• Access: request a copy of the data we hold about you
• Delete: delete your account and all associated data — see our Data Deletion instructions
• Disconnect: revoke any connected platform at any time from the Pulse dashboard
• Correct: update your account information from the Settings page
• Export: download any dashboard as PDF or PNG

Pulse serves customers worldwide, and the rights available to you depend on where you live. Depending on your location, applicable data-protection laws — such as the UK GDPR, the EU GDPR, and comparable laws in other regions — may grant you rights including access, rectification, erasure, restriction, data portability, and objection to processing. Krytal is the data controller for your personal data, and we honor these rights for all users regardless of location. Where local law provides for it, you may also lodge a complaint with your data-protection authority. To exercise any of these rights, email grow@krytal.com.

We retain your account data for as long as your account is active. If you delete your account, we delete all associated data within 30 days, including OAuth tokens, profile information, and workspace records. Server logs are retained for up to 90 days for security purposes.

Pulse is intended for use by professionals managing marketing operations. The Service is not directed to children under 16, and we do not knowingly collect data from anyone under 16.

We may update this policy from time to time. When we make material changes, we will notify active account holders by email and update the "Last updated" date at the top of this page.

For questions about this Privacy Policy or any privacy concern, email us at: grow@krytal.com. For data deletion specifically, see our Data Deletion instructions.