Privacy Policy

Last updated: June 10, 2026

PulseBoard ("we", "us", or "our") operates the PulseBoard hosted observability service ("Service"). This Privacy Policy explains what information we collect, how we use it, with whom we share it, and the choices you have.

1. Information we collect

Account data. When you sign up we collect your email address, a password hash (Argon2id), and optionally your name and organisation. If you use GitHub OAuth we receive the OAuth profile from GitHub (email, username, avatar URL).

Billing data. Payment card details are processed and stored by Stripe; we never see or store raw card numbers. We retain Stripe customer IDs, subscription IDs, and invoice records for accounting purposes.

Usage data. We log API request counts, ingest byte totals, active series counts, and query durations per tenant for billing, quota enforcement, and capacity planning. These are aggregate counters — we do not log individual query payloads by default.

Support and communications. If you contact us by email we retain that correspondence to resolve your request and improve support quality.

2. How we use your information

• Provide, operate, and improve the Service.
• Authenticate your sessions and enforce access control.
• Calculate and collect fees based on your plan and actual usage.
• Send transactional emails (signup confirmation, password reset, invoice receipts, service-affecting incident notifications).
• Send product update emails if you opt in; you can unsubscribe at any time.
• Detect and prevent fraud, abuse, and security incidents.
• Comply with legal obligations.

We do not use your data for advertising or sell it to data brokers.

3. Sharing and disclosure

We share information only with:

• Infrastructure sub-processors — the cloud providers (compute, object storage, managed databases) that host the Service. Each operates under a data processing agreement with adequate safeguards.
• Stripe — for payment processing, under their own Privacy Policy.
• Law enforcement or courts — when we have a good-faith belief that disclosure is required by law, to protect safety, or to defend our legal rights. We will notify you of such requests unless legally prohibited.
• Successors — in the event of a merger, acquisition, or sale of assets, under written privacy commitments no less protective than this policy.

We do not share your data with third-party analytics or advertising vendors.

4. Your telemetry data

Metrics, logs, traces, and any other observability data you ingest ("Telemetry Data") belong to you. We process Telemetry Data solely to deliver the Service: storing, indexing, querying, alerting, and displaying it back to you and your authorised team members.

We do not read, analyse, or use your Telemetry Data for any purpose other than operating the Service on your behalf. Telemetry Data is stored in your dedicated tenant namespace; multi-tenant isolation is enforced at both the application and storage layers.

If you enable AI Explain features, the series samples you submit to that endpoint are processed by our in-process analyser (mean / stddev / jump detection) by default. If you configure an external LLM adapter, those samples are forwarded to your chosen provider under your own agreement with that provider.

5. Data retention

• Metrics — retained for the duration specified by your plan (default 90 days for raw samples; rolled-up aggregates kept for 13 months).
• Logs and traces — retained per your plan's log/trace retention setting (default 30 days).
• Account data — kept while your account is active and for 90 days after closure to allow reactivation, then deleted.
• Billing records — retained for 7 years as required by financial regulations.
• Support correspondence — retained for 2 years after the issue is resolved.

6. Security

We implement technical and organisational measures to protect your data, including: TLS 1.2+ for all data in transit; AES-256 encryption for data at rest; Argon2id password hashing; API key and token secrets stored as bcrypt hashes; automated dependency scanning; and tenant namespace isolation enforced in both the application layer and storage queries. No security measure is perfect; if you discover a vulnerability please disclose it responsibly to security@pulseboard.cloud.

7. Cookies and local storage

The marketing site (pulseboard.dev) uses a single first-party session cookie to maintain your signed-in state in the portal. We do not set third-party tracking cookies. The SPA workspace application uses sessionStorage to hold your bearer token for the duration of your browser session; this is cleared when you close the tab.

8. Your rights

Depending on your jurisdiction, you may have the right to access, correct, port, or erase your personal data, to restrict or object to certain processing, and to withdraw consent. To exercise any of these rights, email privacy@pulseboard.cloud. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

Data export. You can request a machine-readable export of your account data and ingested telemetry at any time via GET /api/portal/export or by contacting us.

9. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us their data, contact us at privacy@pulseboard.cloud and we will delete it promptly.

10. International transfers

Our infrastructure is currently operated in the United States. If you access the Service from outside the US, your data may be transferred to and processed in the US. Where required by applicable law (e.g., EU GDPR) we rely on Standard Contractual Clauses or other appropriate transfer mechanisms.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised policy here with a new "Last updated" date and, for material changes, notify you via email at least 14 days before the change takes effect.

12. Contact us

For privacy questions or to exercise your rights, contact us at privacy@pulseboard.cloud. For general enquiries: hello@pulseboard.cloud.