Privacy

Learn how we handle sensitive data and adhere to privacy laws and regulations

Introduction

PulseHA ("we," "our," or "us") is a Zero Trust Network Access (ZTNA) platform that provides secure remote connectivity through WireGuard-based tunnels. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services, including our control plane, gateways, desktop/mobile agents, web console, and marketing website.

We do not rent, sell, or trade your Personal Information.

By using PulseHA, you agree to the collection and use of information in accordance with this policy. If you do not agree with these terms, please do not use our services.

Scope

This Policy applies to all visitors of our websites, users of our products and services, and any other websites owned and operated by PulseHA that link to this Policy, unless covered by a separate privacy policy.

Note: Our Data Processing Addendum (DPA) governs our processing of Personal Information in the role of a processor on behalf of our customers. This includes cloud services through which customers connect their applications to our platform, manage access policies, or otherwise collect, use, share, or process Personal Information via our services. A copy of our DPA is available upon request.

Information We Collect

Account Information

When you create an account or register your organization, we collect:

  • Identity data: Email address, display name, and avatar image
  • Organization data: Tenant name, slug, and configuration preferences
  • Authentication credentials: Passwords are hashed using industry-standard algorithms; we never store plaintext passwords
  • Role and permissions: User role (owner, admin, member) within your organization
  • SSO/IdP data: When using SAML or SCIM integration, we receive identity attributes from your identity provider (e.g., Okta, Azure AD, Google Workspace)

Device Information

When you install and use the PulseHA agent, we collect:

  • Device identifiers: Hostname, operating system (Windows, macOS, Linux, iOS, Android), OS version, and agent version
  • Cryptographic keys: WireGuard public keys (private keys remain on your device and are never transmitted)
  • Network information: Assigned tunnel IP address, public endpoint address, NAT traversal candidates (IP/port combinations)
  • Device posture data: Disk encryption status, firewall status, screen lock configuration, antivirus/EDR status (when posture checks are enabled)

Connection and Usage Data

During normal operation, we collect:

  • Connection metadata: Connection status, connected gateway ID, last seen timestamp, session duration
  • Bandwidth metrics: Bytes transmitted (TX) and received (RX) through the tunnel
  • Health telemetry: Agent and gateway heartbeats, latency measurements, handshake timestamps
  • NAT traversal statistics: Hole-punching success/failure rates for connectivity optimization
  • Failover events: Gateway switch events including reason, timing, and source/destination gateways
  • System metrics: CPU and memory utilization (aggregated, not detailed process data)

Location Information

We derive approximate geographic location from:

  • IP-based geolocation: We determine latitude, longitude, city, and country from your public IP address to enable proximity-based gateway selection and display connection maps
  • Gateway locations: We track where gateways are deployed for routing optimization

Audit and Access Logs

For security and compliance, we maintain:

  • Access decisions: Policy evaluation results (allow/deny) with associated resource, user, and timestamp
  • Authentication events: Login attempts, success/failure status, device code flows, and SSO assertions
  • Configuration changes: Audit trail of policy, service, and gateway modifications
  • Rate limiting data: Failed authentication attempt counts for brute-force protection

Website and Marketing Data

On our marketing website (pulseha.com), we collect:

  • Analytics data: Page views, feature interest, and engagement metrics
  • Cookie data: We use CookieYes for cookie consent management. See our Cookie Policy for details
  • Contact information: If you request a demo or contact sales, we collect your name, email, company, and message

Billing Information

Billing and payment information is processed by our third-party payment processor. We do not store complete credit card numbers or CVV codes on our systems.

Audio and Video Recordings

  • We may record sales calls, support calls, and training sessions for quality assurance and training purposes
  • Recordings are only made with your explicit consent, which may be withdrawn at any time
  • You will be notified before any recording begins

How We Use Your Information

Service Delivery

  • Authenticating users and devices to establish secure tunnels
  • Routing traffic through appropriate gateways based on policies and proximity
  • Enforcing access control policies based on user identity, device posture, and context
  • Providing real-time connection status and network topology visualization

Security and Compliance

  • Detecting and preventing unauthorized access, brute-force attacks, and fraudulent activity
  • Enforcing device posture requirements (disk encryption, firewall, etc.)
  • Maintaining audit logs for compliance and forensic investigations
  • Implementing rate limiting and account lockout policies (Cyber Essentials compliant)

Service Improvement

  • Analyzing connectivity patterns to optimize gateway placement and routing
  • Improving NAT traversal success rates through candidate analysis
  • Identifying and resolving performance bottlenecks
  • Developing new features based on usage patterns

Customer Support

  • Troubleshooting connection issues using diagnostic data
  • Providing technical support using connection and device information
  • Communicating service updates, security alerts, and maintenance notifications

Legal and Regulatory

  • Responding to lawful requests from law enforcement (with appropriate legal process)
  • Complying with applicable data protection regulations
  • Enforcing our Terms of Service

Note: We do not use automatic decision-making or profiling that produces legal or similarly significant effects on you.

Data Sharing and Disclosure

We Do Not Sell Your Data

We never sell, rent, or trade your personal information to third parties for marketing purposes.

Service Providers (Subprocessors)

We use the following service providers who process data on our behalf:

  • Supabase: Database and authentication — processes account data, device registrations, policies, and audit logs
  • Microsoft Azure: Cloud infrastructure hosting — processes all service data (encrypted at rest and in transit)
  • CookieYes: Cookie consent management — processes website visitor consent preferences
  • Payment Processor: Billing and invoicing — processes billing contact information and transaction records

Within Your Organization

Tenant administrators can view all users, devices, and audit logs within their organization. Access is controlled by role-based permissions (owner, admin, member).

Legal Requirements

We may disclose information when required by law, subpoena, or other legal process, or when we believe disclosure is necessary to:

  • Comply with applicable law or respond to valid legal requests
  • Protect the rights, property, or safety of PulseHA, our users, or others
  • Detect, prevent, or address fraud, security, or technical issues

Business Transfers

If PulseHA is involved in a merger, acquisition, sale of assets, or bankruptcy, your Personal Information may be transferred as part of that transaction. You will be notified by email and/or a prominent notice on our website of any change in ownership or uses of your Personal Information, as well as any choices you may have. Any successor entity will be bound by the commitments made in this Privacy Policy unless you consent otherwise.

Aggregated or De-identified Information

We may disclose or use aggregated or de-identified Personal Information for any purpose, including business analytics, product improvement, and sharing usage statistics with partners or the public. Such information cannot be used to identify you.

Data Retention

Configurable Retention

Organizations can configure their data retention preferences:

  • Audit log retention: Configurable retention period (default varies by plan)
  • Exit logging modes: "off" (no logs), "metadata" (connection metadata only), or "full" (detailed logs)
  • Connection logs: Retained according to your organization's settings

Default Retention Periods

  • Account information: Duration of account + 30 days
  • Device registrations: Until device is removed or account deleted
  • Connection metadata: Per organization settings (default: 90 days)
  • Audit logs: Per organization settings (default: 1 year)
  • Authentication logs: 90 days
  • Support tickets: 3 years

Account Deletion

When you delete your account:

  • Personal data is deleted within 30 days
  • Aggregate, anonymized data may be retained for analytics
  • Backup copies are purged according to our backup retention schedule (maximum 90 days)

Note for Tenant Owners: Before we can process a deletion request, the following conditions must be resolved:

  • Tenant has no unpaid invoices or failed payments
  • Tenant ownership has been transferred or all other users have been removed
  • All active gateways and agents have been decommissioned
  • All running services and configurations have been removed

For assistance with these requirements, contact support@pulseha.com before submitting a deletion request.

Data Security

Encryption

  • In transit: All data is encrypted using TLS 1.2+ between clients, gateways, and control plane
  • At rest: Database and storage encryption using AES-256
  • Tunnel traffic: WireGuard encryption (ChaCha20-Poly1305) for all network traffic

Access Controls

  • Role-based access control (RBAC) for all administrative functions
  • Multi-factor authentication support
  • Service accounts use cryptographic tokens (not passwords)
  • Gateway-to-control-plane communication uses mTLS

Security Practices

  • Regular security assessments and penetration testing
  • Automated vulnerability scanning
  • Security headers (CSP, HSTS, X-Frame-Options) on all web applications
  • Rate limiting and brute-force protection on authentication endpoints

Your Rights

Access

You can access your personal data through the console or by contacting us. Administrators can export organization data.

Correction

You can update your profile information (name, avatar) through the console settings.

Deletion

You can request deletion of your account and associated data. Contact your organization administrator for tenant-level data deletion.

Data Portability

You can export your data in standard formats (JSON, CSV) through the console or API.

Restriction/Objection

You can request that we restrict processing of your data or object to certain uses by contacting us.

Data Residency

Enterprise customers can specify geographic regions for data storage. Contact sales for availability.

International Data Transfers

PulseHA operates globally. Data may be transferred to and processed in countries other than your country of residence. When we transfer data internationally, we use:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all subprocessors
  • Technical measures to protect data during transfer

Data Privacy Framework

PulseHA complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

We adhere to the Data Privacy Framework Principles with regard to the processing of personal data received from the European Union, the United Kingdom, and Switzerland. If there is any conflict between the terms in this privacy policy and the DPF Principles, the Principles shall govern.

To learn more about the Data Privacy Framework program, please visit https://www.dataprivacyframework.gov/.

With respect to Personal Information received or transferred pursuant to the DPF Frameworks, PulseHA is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

Transfer Impact Assessment

For detailed information about our data transfer safeguards and risk assessments, please refer to our Transfer Impact Assessment (TIA), available upon request.

Data Locations

For information about specific locations where your data may be stored by product, please see our Trust Center or contact us at privacy@pulseha.com.

Cookies and Tracking

Console Application

The PulseHA console uses essential cookies for:

  • Session management and authentication
  • Security (CSRF protection)
  • User preferences

We do not use advertising or third-party tracking cookies in the console.

Marketing Website

Our marketing website uses:

  • CookieYes for cookie consent management
  • Analytics cookies (with consent)
  • Essential cookies for site functionality

See our Cookie Policy for details.

Children's Privacy

PulseHA is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.

California Privacy Rights (CCPA)

California residents have additional rights under the CCPA:

  • Right to Know: Request disclosure of personal information collected, used, and disclosed
  • Right to Delete: Request deletion of personal information (subject to exceptions)
  • Right to Opt-Out: We do not sell personal information
  • Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise these rights, contact us at privacy@pulseha.com.

European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), UK, or Switzerland, you have rights under GDPR including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making

Legal Basis for Processing: We process your data based on:

  • Contract performance (providing our services)
  • Legitimate interests (security, service improvement)
  • Legal obligations (compliance, law enforcement)
  • Consent (marketing communications, cookies)

Data Protection Officer: For GDPR inquiries, contact dpo@pulseha.com.

EU/UK Representative: If you are a resident of the European Economic Area or United Kingdom and wish to contact our local representative, please email: eu-representative@pulseha.com

Alternative Dispute Resolution

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, PulseHA commits to resolve DPF Principles-related complaints about our collection and use of your personal information.

EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data should first contact us at privacy@pulseha.com.

If you do not receive timely acknowledgment of your complaint, or if we have not addressed your complaint satisfactorily, you may contact your local data protection authority for assistance. Under certain conditions, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Virginia Privacy Rights (VCDPA)

Virginia residents have rights under the Virginia Consumer Data Protection Act (VCDPA), including:

  • Right to Access: Confirm whether we are processing your personal data and access such data
  • Right to Correct: Correct inaccuracies in your personal data
  • Right to Delete: Delete personal data you have provided or that we have obtained
  • Right to Data Portability: Obtain a copy of your personal data in a portable format
  • Right to Opt Out: Opt out of targeted advertising, sale of personal data, or profiling

To exercise these rights, contact us at privacy@pulseha.com.

If you wish to appeal a decision regarding your consumer request, you may contact the Attorney General of Virginia at https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website
  • Sending email notification to account holders
  • Displaying a notice in the console

Your continued use of PulseHA after changes become effective constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our data practices:

Email: privacy@pulseha.com

Data Protection Officer: dpo@pulseha.com

Postal Address:
PulseHA Ltd
71-75 Shelton Street
Covent Garden
London
WC2H 9JQ
United Kingdom

For security vulnerabilities, contact: security@pulseha.com

Security and Trust

Security Team

PulseHA maintains a dedicated security team responsible for protecting our infrastructure, products, and customer data. Our security program includes:

  • Detection and incident response
  • Cloud and infrastructure security
  • Product security assessments
  • Governance, risk, and compliance (GRC)

Penetration Testing

PulseHA engages reputable third-party security firms to perform regular penetration testing of our products and infrastructure. Enterprise customers may request extracts from these reports by contacting customertrust@pulseha.com.

Secure Communications

For secure communications with our security team, you may use our PGP public key available at https://pulseha.com/.well-known/pgp-key.txt.

Abuse Reporting

PulseHA takes all abuse complaints seriously. If you observe or suspect abuse of PulseHA services, please report it to abuse@pulseha.com. Our Acceptable Use Policy is available at https://pulseha.com/legal/acceptable-use.