1. Introduction
PulseBoard ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our team well-being and productivity monitoring platform.
We understand that privacy is fundamental to building trust, especially when handling sensitive workplace and well-being data.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, password, job title, department
- Organization Data: Company name, team structure, organizational settings
- Check-in Responses: Mood ratings, stress levels, workload assessments, comments
- Feedback: Anonymous feedback submissions and responses
- Recognition Data: Peer recognition messages and nominations
- Communication: Messages sent through our platform
2.2 Automatically Collected Information
- Usage Data: Login times, feature usage, session duration
- Device Information: IP address, browser type, operating system
- Analytics: Aggregated usage patterns and platform performance metrics
- Cookies: Authentication tokens, preferences, session management
3. How We Use Your Information
We use the collected information for the following purposes:
- Service Delivery: Provide check-in tools, analytics, and reporting features
- Team Insights: Generate anonymized team health and engagement metrics
- Burnout Prevention: Identify risk patterns and provide early warnings
- Communication: Facilitate feedback and recognition programs
- Account Management: Authentication, billing, and customer support
- Improvement: Enhance platform features and user experience
- Security: Protect against fraud, abuse, and security threats
- Legal Compliance: Meet regulatory requirements and legal obligations
4. Data Privacy and Anonymization
We implement strong privacy protections for sensitive workplace data:
- Anonymous Feedback: Feedback submissions are truly anonymous and cannot be traced back to individuals
- Aggregated Analytics: Team metrics are aggregated and anonymized to protect individual privacy
- Organization-Wide Anonymization: Organization admins can enable anonymization settings that apply across all teams, removing personally identifiable information from analytics and reports
- Role-based Access: Managers only see team-level insights, not individual responses unless explicitly permitted
- Data Minimization: We collect only data necessary for platform functionality
- Retention Limits: Personal data is retained only as long as necessary
4.1 Health and Wellbeing Data Protection
We recognize that health and wellbeing data is particularly sensitive and implement additional protections:
- Special Category Data: Mood tracking, stress levels, and burnout indicators are treated as special category data under GDPR
- Explicit Consent: We obtain your explicit consent before collecting any health-related information
- Health Data Anonymization: Organizations can enable health data anonymization to prevent identification of individuals in wellbeing reports
- Limited Access: Only authorized managers and HR personnel with a legitimate need can access aggregated health metrics
- No Automated Decisions: Health data is never used for automated employment decisions without human review
- Right to Object: You can object to processing of your health data at any time by contacting privacy@pulseboard.nl
5. Third-Party Integrations
PulseBoard integrates with third-party services to enhance functionality. When you connect these integrations, certain data may be shared:
5.1 Slack Integration
- Data Shared: Check-in reminders, team health notifications, burnout alerts (aggregated data only)
- Authentication: We use OAuth 2.0 for secure authentication with Slack
- User Control: Organization admins control which Slack channels receive notifications
- Data Flow: Individual check-in responses are never sent to Slack; only aggregated, anonymized team metrics are sent
5.2 Microsoft Teams Integration
- Data Shared: Interactive check-in cards, reminder notifications, burnout alerts to managers
- Authentication: We use Microsoft OAuth 2.0 for secure authentication
- Team-Level Control: Each team can independently connect their own Microsoft Teams workspace
- Data Protection: Check-in responses submitted through Teams are subject to the same privacy protections as web submissions
- Bot Commands: Bot interactions are logged for service improvement but never shared with your organization
You can disconnect these integrations at any time through your settings. Disconnecting will stop data sharing immediately, though previously shared aggregated data may remain in the third-party service according to their retention policies.
6. Automated Processing and AI
We use automated processing and artificial intelligence to provide valuable insights:
- Sentiment Analysis: AI analyzes text responses to identify sentiment trends and patterns at the team level
- Burnout Detection: Automated algorithms identify potential burnout risk based on mood patterns, stress levels, and engagement metrics
- Team Health Scoring: Automated calculation of team health scores based on multiple wellbeing indicators
- No Automated Decisions: AI insights are provided as recommendations only; employment decisions always require human review and judgment
- Right to Object: You have the right to object to automated processing of your personal data and request human review
- Transparency: We provide explanations of how AI-generated insights are calculated upon request
7. Information Sharing and Disclosure
We do not sell, trade, or rent your personal information. We may share information in the following circumstances:
- Within Your Organization: Team insights shared with authorized managers and HR personnel as configured by your organization
- Service Providers: Trusted third parties who assist in platform operations (hosting, analytics, email delivery, payment processing)
- Integration Partners: Slack and Microsoft Teams when you enable these integrations (as detailed in Section 5)
- Legal Requirements: When required by law, court order, or government request
- Business Transfer: In connection with a merger, acquisition, or sale of assets (with continued privacy protection)
- Safety: To protect the rights, property, or safety of PulseBoard, users, or others
8. Data Security
We implement comprehensive security measures to protect your information:
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256) using industry-standard protocols
- Access Controls: Strict role-based access controls and multi-factor authentication requirements
- Infrastructure: Secure cloud hosting with SOC 2 compliance and regular security audits
- Monitoring: Continuous security monitoring, intrusion detection, and incident response procedures
- Data Isolation: Logical data isolation between organizations with row-level security policies
- Training: Regular security and privacy training for all team members
- Penetration Testing: Annual third-party security assessments and vulnerability testing
9. Your Privacy Rights and Consent Management
You have comprehensive control over your personal data. Depending on your location, you have the following rights:
- Access: Request access to your personal data and information about how it's processed
- Correction: Request correction of inaccurate or incomplete data
- Deletion (Right to be Forgotten): Request deletion of your personal data, including health data
- Portability: Request a copy of your data in a structured, machine-readable format (JSON or CSV)
- Restriction: Request restriction of processing in certain circumstances
- Objection: Object to processing based on legitimate interests, including AI analysis and automated profiling
- Withdrawal: Withdraw consent for data processing at any time without affecting prior processing
- Complaint: Lodge a complaint with your local data protection authority
Managing Your Consent and Preferences
You can manage your privacy preferences through your account settings:
- Notification Preferences: Control which notifications you receive via email, Slack, or Teams
- Data Visibility: Choose what information is visible to your managers and team members
- Integration Controls: Enable or disable Slack and Microsoft Teams integrations
- Anonymous Mode: Opt to submit check-ins anonymously (where enabled by your organization)
- Health Data Consent: Manage consent for collection and processing of health-related information
To exercise any of these rights, contact us at privacy@pulseboard.nl. We will respond to your request within 30 days as required by GDPR.
10. Data Retention
We retain your information for as long as necessary to:
- Provide our services and maintain your account
- Comply with legal obligations and resolve disputes
- Maintain security and prevent fraud
- Improve our services through aggregated analytics
Account Deletion: When you delete your account or request data deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law. This includes all check-in data, health information, and personal identifiers.
Retention Periods: Active check-in data is retained for the duration of your account plus 30 days. Aggregated, anonymized analytics may be retained indefinitely for service improvement, as this data cannot be linked back to individuals.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for international transfers, including:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by relevant data protection authorities
- Other appropriate safeguards as required by applicable law
12. Cookies and Tracking
We use the following types of cookies and similar technologies:
- Essential Cookies: Required for authentication, session management, and security
- Functional Cookies: Remember user preferences, language settings, and interface customization
- Analytics Cookies: Understand platform usage patterns and performance (anonymized)
- Integration Cookies: Enable Slack and Microsoft Teams integrations
You can control cookie settings through your browser, though disabling essential cookies may affect platform functionality. We do not use cookies for advertising or cross-site tracking.
13. Children's Privacy
PulseBoard is intended for workplace use and is not designed for children under 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected such information, we will delete it promptly and take steps to prevent future collection.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. We will notify you of any material changes by:
- Posting the new Privacy Policy on this page with an updated "Last updated" date
- Sending an email notification to your registered email address for significant changes
- Displaying a prominent notice in the application for changes affecting your rights
We encourage you to review this Privacy Policy periodically. Your continued use of PulseBoard after changes are posted constitutes acceptance of the updated policy.
15. Contact Us and Data Protection Officer
If you have any questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about our data practices, please contact us:
PulseBoard Privacy Team
General Privacy Inquiries: privacy@pulseboard.nl
Data Protection Officer: dpo@pulseboard.nl
Data Subject Requests: requests@pulseboard.nl
Security Issues: security@pulseboard.nl
Website: www.pulseboard.nl
We aim to respond to all privacy inquiries and data subject requests within 30 days. For urgent security or privacy concerns, please mark your email as "URGENT" in the subject line.
GDPR Compliance Statement
PulseBoard is fully committed to compliance with the General Data Protection Regulation (GDPR), UK GDPR, and other applicable privacy laws including CCPA, PIPEDA, and the ePrivacy Directive.
For EU/EEA Residents: You have additional rights under GDPR including the right to lodge a complaint with your local supervisory authority. A list of supervisory authorities is available at: edpb.europa.eu
Legal Basis for Processing: We process your data based on consent, contract necessity, legal obligations, and legitimate interests. Specific legal bases for each processing activity are available upon request.