← Back to home

Privacy Policy

Last updated: 2026-04-30

Privacy Policy

_Last updated: April 30, 2026_

This Privacy Policy explains what information DTPulse Ltd. ("DTPulse", "we") collects when you use the DTPulse service at dtpulse.com, how we use it, who we share it with, and the rights you have over it.

DTPulse is a multi-tenant employee portal. Most of the personal data inside a workspace ("Customer Data") is uploaded by an organization (the "Customer") about its own employees. For Customer Data, the Customer is the Controller and DTPulse is the Processor. For account-level information about Customers and the operational metadata we generate to run the Service ("Other Information"), DTPulse is the Controller.

1. Information We Collect

1.1 You give us this directly

  • Account information. When a Customer creates a workspace: organization name, the primary admin's name and email, and the password they set (stored as a bcrypt hash, never in plaintext).
  • Profile information. When a User signs in: name, email, optional photo, optional position, department, manager, birth date, hire date.
  • Customer Data. Anything an admin or User adds inside the workspace: department structures, floor plans, absence requests, KB articles, 360-review scores and comments, goals, awards, and similar content.
  • Billing. When you upgrade to a paid plan: company name, billing address, VAT/tax ID. Card details are entered directly into Stripe and never reach our servers.
  • Communications. Messages you send to [email protected], [email protected], etc.

1.2 We collect automatically

  • Technical data. IP address, user agent, browser language, timestamps of sessions and key actions.
  • Audit log. A record of admin and data-access events inside your workspace (who created/modified/deleted what, and when).
  • Operational metrics. Aggregate, non-identifying numbers used to monitor the platform (request counts, error rates, DB latency).
We do not use third-party advertising or analytics cookies, and we do not track you across sites.

1.3 We receive from third parties

  • Slack / Google / Microsoft Teams — when an admin connects an integration: workspace ID, channel list, OAuth tokens (encrypted), and message metadata for events you authorize (e.g. approve/reject buttons clicked).
  • Stripe — payment status events for your subscription.

2. How We Use Information

We process information to:

  • Provide the Service (display profiles, run review cycles, route absence approvals, etc.).
  • Authenticate you and keep your account secure.
  • Send transactional email (invites, password reset, approval notifications).
  • Bill you, prevent fraud, and meet tax and accounting obligations.
  • Respond to support requests.
  • Improve the Service through aggregate, non-identifying analysis.
  • Comply with legal obligations.
We do not:
  • Sell personal data to anyone.
  • Share Customer Data with advertisers.
  • Use Customer Data to train machine-learning models.

3. Legal Bases (GDPR / UK GDPR)

We rely on the following lawful bases:

  • Performance of a contract. Processing required to deliver the Service to you under our Terms of Service.
  • Legitimate interests. Running the Service securely, preventing abuse, debugging, and aggregate analytics. We balance these against your rights.
  • Consent. For things you explicitly opt into (e.g. optional notifications, profile photo upload). You can withdraw consent at any time without affecting prior processing.
  • Legal obligation. Tax, accounting, anti-money-laundering, and lawful requests from authorities.

4. Who We Share With

4.1 Sub-processors

We use the third-party providers listed at https://dtpulse.com/legal/subprocessors to host, send email, process payments, and monitor the Service. Each Sub-processor is bound by a written contract that limits their use of personal data to providing services to us.

4.2 Integrations you connect

If your admin connects Slack, Microsoft Teams, Google Chat, Google SSO, or another integration, certain data flows to and from that platform. Those flows are governed by the third party's own privacy policy.

4.3 Legal and safety

We may disclose information if we have a good-faith belief that disclosure is required to:

  • Comply with a court order, subpoena, or other legal process.
  • Enforce our Terms or investigate violations.
  • Protect the rights, property, or safety of DTPulse, our users, or the public.

4.4 Business transfers

If DTPulse is acquired, merged, or sells substantially all of its assets, personal data may be transferred to the successor entity. We will notify Customers via email or in-app banner before any such transfer becomes effective.

5. Data Retention

DataRetention
Active workspace dataWhile the workspace is active
Audit log entries2 years, then auto-purged
Data exports7 days from creation
Cancelled workspace30-day grace period for export, then deleted
Billing records7 years (tax / accounting requirement)
BackupsUp to 30 days

You can also delete specific records inside the workspace at any time, or request workspace-wide deletion before the grace period ends.

6. International Data Transfers

We may transfer personal data to countries outside the EEA, UK, or your country of residence. When we do, we rely on:

  • Standard Contractual Clauses (EU SCCs / UK IDTA) with our Sub-processors.
  • Adequacy decisions where they exist.
  • Encryption in transit and at rest.
A copy of our SCCs with a Sub-processor is available on request.

7. Your Rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase ("right to be forgotten") your data, subject to retention obligations above.
  • Restrict or object to certain processing.
  • Portability — receive a machine-readable copy of your data.
  • Withdraw consent at any time, where processing is based on consent.
  • Lodge a complaint with your local data-protection authority.
Inside a workspace, your admin can perform most of these actions for you (Admin → GDPR). You can also email [email protected] directly. We respond within 30 days.

If your workspace is the Controller and we are the Processor, we will forward your request to your admin and assist them in fulfilling it.

8. Region-Specific Notices

8.1 California (CCPA / CPRA)

California residents have the right to know, delete, and correct personal information, the right to opt out of "sales" or "sharing" (we do neither), and the right not to be discriminated against for exercising these rights. Contact [email protected].

8.2 Brazil (LGPD)

You may contact us at [email protected] to exercise the rights described in Article 18 of the LGPD (confirmation, access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent).

8.3 Other jurisdictions

We aim to comply with PIPA (South Korea), PDPA (Singapore, Thailand), APPI (Japan), and similar regimes. Local rights and contact details are honored to the extent applicable.

9. Age Limit

DTPulse is a workplace tool and is not directed to anyone under 16. If you believe a child has submitted personal data, contact [email protected] and we will delete it.

10. Security

We protect personal data with TLS 1.2+ in transit, encryption at rest, AES-256-GCM for integration tokens, bcrypt-hashed passwords, role-based access, and audit logging. No system is 100% secure; we cannot guarantee absolute security.

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes we will notify Customers by email or in-app banner at least 30 days before the new version takes effect. Older versions are kept on request.

12. Contacting Us

If you are in the EEA or UK, you have the right to contact your local supervisory authority directly.