
Privacy Policy

Last updated: April 18, 2026

1. What data we collect

DTPulse collects and processes personal data that your organization provides, including: name, email address, job title, department, phone number, office location, birth date, hire date, and profile photo.

2. How we use your data

Your data is used to:

  • Display your profile in the company team directory
  • Show your position in the organizational chart
  • Manage absence requests and approvals
  • Conduct 360-degree review cycles with competency scoring
  • Send notifications via connected platforms (Slack)
  • Display birthday celebrations
  • Maintain internal knowledge base articles

3. Data storage and security

Data is stored in encrypted PostgreSQL databases. Platform integration tokens are encrypted at rest using AES-256-GCM. All connections use TLS encryption.

4. Data retention

  • Employee data: retained while the account is active
  • Audit logs: retained for 2 years, then automatically purged
  • Data exports: available for 7 days after creation
  • After account cancellation: data may be deleted. We recommend exporting your data before cancellation.

5. Your rights

Under GDPR, you have the right to:

  • Access: View all data we hold about you
  • Portability: Export your data in machine-readable format (JSON)
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Rectification: Request correction of inaccurate data
  • Withdraw consent: Revoke optional data processing consents at any time

You can exercise these rights from your profile settings or by contacting your organization's administrator.

6. Consent and Lawful Basis

DTPulse processes personal data based on the following lawful bases:

  • Contract performance: Processing necessary to provide the Service as agreed in the Terms of Service.
  • Legitimate interest: Organization management, team directories, absence tracking, and performance reviews serve the legitimate interests of both the employer and employees.
  • Consent: Where required (e.g., optional notifications, photo uploads, profile enrichment). Consent can be withdrawn at any time.

Administrator responsibility: The organization administrator who enters personal data into DTPulse warrants that they have obtained all necessary consents and have a lawful basis to process such data under applicable regulations (GDPR, CCPA, LGPD, PIPA, PDPA, and others).

7. Third-party services (Sub-processors)

DTPulse uses the following third-party services to deliver the product:

  • Railway (hosting): Application hosting and database — data stored in the provider's infrastructure
  • Slack: SSO authentication, notifications, approval workflows, status sync — only when connected by admin
  • Google: SSO authentication — only when enabled by admin
  • Stripe: Payment processing — we do not store card details; Stripe acts as an independent controller for payment data
  • Resend: Transactional email delivery (invites, password reset, notifications)

We will notify customers before adding new sub-processors. A complete sub-processor list is available upon request.

8. International Data Transfers

DTPulse may process data in jurisdictions outside your country of residence. Where personal data is transferred outside the European Economic Area (EEA), UK, or other regions with data transfer restrictions, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) with sub-processors
  • Adequacy decisions where available
  • Encryption of data in transit and at rest

9. Data Processing Agreement

Organizations that require a Data Processing Agreement (DPA) as part of their compliance obligations can request one at [email protected]. Our DPA covers: scope of processing, security measures, sub-processor management, breach notification procedures, and data subject rights handling.

10. Applicable Regulations

DTPulse is designed to comply with:

  • GDPR (EU/EEA) — General Data Protection Regulation
  • UK GDPR — United Kingdom data protection framework
  • CCPA/CPRA (California, USA) — California Consumer Privacy Act
  • LGPD (Brazil) — Lei Geral de Proteção de Dados
  • PIPA (South Korea) — Personal Information Protection Act
  • PDPA (Singapore, Thailand) — Personal Data Protection Act
  • APPI (Japan) — Act on the Protection of Personal Information

Specific compliance features (consent collection, data residency, retention policies) can be configured per organization.

11. Contact

For privacy-related questions, contact us at [email protected]