1. Who we are
PulseLight (“we”, “us”) is the data controller for personal data processed through the Service. For privacy enquiries, use the contact form and pick the “Privacy / data rights” topic.
2. What we collect
We collect only what we need to provide the Service:
- Account data. Email address, name (where provided by your identity provider), GitHub login and avatar URL when you sign in with GitHub.
- Workspace and team data. Workspace name, member roles, invitation records, plan tier.
- Repository data accessed via the GitHub App. Source files, manifests, lockfiles, configuration files, and metadata of repositories you explicitly grant access to. We read this data, run scans against it, and persist the resulting findings — not the full source. Archive files used for scanning are deleted from worker disk after the scan completes and from S3 within 30 days.
- Connected-platform data. Read-only metadata from third-party platforms you connect (e.g. Vercel project config, Supabase RLS policy summaries, Stripe webhook configuration). We store the minimum needed to render findings; OAuth refresh tokens are encrypted at rest using a KMS-managed customer key.
- Scan output. Findings, pillar verdicts, acknowledgements, fix-with-AI prompt history.
- Billing metadata. Subscription plan, cadence, status, the last four digits and brand of your payment method, billing country. We do not store full card numbers, CVCs, or any PAN data — see “Payment processing” below.
- Authentication tokens. Session cookies (HttpOnly, Secure) and SHA-256 hashes of Personal Access Tokens. Plaintext PATs leave our infrastructure only at the moment you mint them; we never store them in cleartext.
- Operational logs. IP addresses, user-agent strings, request paths, response codes, and timing data, held for incident response and abuse prevention. Public-scan visitor IPs are hashed with a rotating monthly salt before storage.
- Email engagement. Bounce, complaint, and delivery signals from AWS SES (the email service we use), so we can stop emailing addresses that aren’t reachable.
3. How we use it
We process the data above to:
- Provide the Service (run scans, render findings, build the dashboard).
- Authenticate you and protect your account.
- Bill you and prevent payment fraud.
- Send transactional email (magic links, scan completion, billing, security alerts).
- Improve the product through aggregated, de-identified usage metrics.
- Respond to support requests.
- Detect and prevent abuse.
- Comply with legal obligations.
4. Legal bases (UK / EEA users)
We rely on the following legal bases under UK GDPR / EU GDPR:
- Contract — processing necessary to perform our agreement with you (running scans, billing, providing dashboard access).
- Legitimate interests — product improvement using aggregated data, abuse prevention, security logging.
- Consent — optional cookies, opt-in to peer benchmark, and any non-essential marketing email. You can withdraw consent at any time.
- Legal obligation — tax records, responding to lawful requests from authorities.
5. Payment processing
Payments are processed by Stripe Payments Europe, Ltd. When you enter card details at checkout, those details are submitted directly to Stripe via Stripe Checkout or Stripe Elements, hosted on Stripe’s PCI-DSS Level 1 compliant infrastructure. PulseLight never sees or stores full card numbers or CVC values.
Stripe processes your payment data as an independent controller for its own fraud-prevention and regulatory purposes. Stripe’s privacy practices are described in the Stripe Privacy Policy.
6. Sub-processors and third parties
We use the following sub-processors to operate the Service. Each is bound by data-protection terms appropriate to the data they process.
| Provider | Purpose | Region |
|---|---|---|
| Amazon Web Services | Hosting (ECS, RDS, S3, SQS, KMS, CloudWatch) | US, UK |
| Stripe | Payment processing, subscription management, tax calculation | EU, US |
| GitHub | Source authentication, repository access via GitHub App | US |
| Amazon SES | Transactional email delivery (magic links, billing, alerts) | US |
| Anthropic | LLM API for fix-with-AI prompt rendering (where used) | US |
| OpenAI | LLM API for fix-with-AI prompt rendering (where used) | US |
We also integrate with the third-party platforms you choose to connect (GitHub, Vercel, Supabase, Firebase, Railway, Render, Sentry, Clerk, PostHog, Plausible, BetterStack, Canny, Lemon Squeezy, and others added over time). When you authorise a connection, those platforms are independent controllers for the data you grant access to. Their own privacy policies govern that processing.
7. International transfers
Our primary infrastructure runs in AWS regions in the United States and United Kingdom. Where personal data is transferred from the EEA or UK to a jurisdiction not deemed adequate, we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum where relevant) as the transfer mechanism.
8. Cookies and local storage
We use a small set of strictly necessary client-side state:
- Session cookie — HttpOnly, Secure, SameSite=Lax. Identifies your authenticated session. Required to use the dashboard.
- Active-workspace cookie — remembers which workspace you last viewed. Required for workspace switching.
- Theme preference — localStorage entry storing “light” or “dark”. Optional; defaults to your operating system preference.
We do not use third-party advertising cookies. If we add any non-essential analytics or marketing cookies in future, we will ask for opt-in consent first.
9. AI processing disclosure
The Service generates fix-with-AI prompts and certain recommendation copy using large language model APIs. Prompts are constructed server-side from your findings and rendered for you to paste into the AI tool of your choice. When that generation involves an upstream LLM provider, only the minimum necessary context (rule output, framework detection, file paths) is sent. Full source files are not transmitted to LLM providers as part of prompt generation. Each LLM provider we use is listed in the sub-processors table.
10. Data retention
- Account data — for the lifetime of your account, then deleted within 30 days of account closure (longer if required for legal or accounting reasons).
- Scan archives — deleted from worker disk after the scan completes and from S3 within 30 days.
- Findings, acknowledgements, and pillar history — retained for the lifetime of the workspace so the trend dashboard and reports work, then deleted with the account.
- Operational logs — 30 days for request and access logs.
- Webhook dedup records — 30 days, after which the underlying provider can no longer retry the event.
- Stripe billing records — retained as required by tax and accounting law (typically 6–7 years).
11. Your rights
Subject to your jurisdiction, you have rights to access, correct, delete, export, restrict, or object to our processing of your personal data, and to withdraw consent where processing is based on consent.
You can exercise most of these directly from the dashboard: Settings → Account for export and deletion, Settings → Billing for subscription history. For anything you can’t self-serve, send a request via the contact form (pick “Privacy / data rights”) and we will respond within 30 days.
If you believe we have mishandled your data, you may complain to the UK Information Commissioner’s Office (ico.org.uk) or to your local supervisory authority.
12. Security
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 on S3; KMS-managed CMK on RDS and on integration credentials). Production access is gated by SSO and least-privilege IAM. Sessions are bound to HttpOnly Secure cookies; Personal Access Tokens are stored only as SHA-256 hashes.
No system is invulnerable. If we ever experience a data breach that affects you, we will notify you and, where required, the relevant supervisory authority within 72 hours of becoming aware.
13. Children
The Service is not directed at children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, let us know via the contact form and we will delete it.
14. Changes to this policy
We may update this policy from time to time. Material changes (new categories of data collected, new sub-processors handling customer data, changes to retention) will be announced via in-app notice and/or email to workspace owners at least fourteen days before they take effect.
15. Contact
All enquiries go through the contact form — pick “Privacy / data rights” for anything covered by this policy, or “General” for the rest. See also our Terms of Service.