Privacy/Sub-processors

Sub-processors

Last updated · 15 June 2026

PulseSignal engages the service providers listed below to operate the platform. Providers marked “Outbound read-only” are public data sources we read from; they are not processors of PulseSignal user data. Providers marked with a Data Processing Addendum (DPA) process PulseSignal user or company data under a written contract with data-protection obligations consistent with GDPR Article 28.

Any LLM prompt that may contain personal data (for example an executive’s name) is processed only by providers located in the United States or the European Union, under terms that prohibit training on our inputs; such prompts are never routed to a provider in a non-adequacy jurisdiction. A China-based provider (DeepSeek) is used only for non-personal public company-data validation (pricing, products, funding, public filings) and is routed away from any people-bearing prompt in code. We never send customer account data, credentials, payment details, or special-category personal data to any LLM provider.

We will notify active customers of material sub-processor additions at least 30 days before they begin processing, via the email on file for the account and an update to this page. Objection handling is described in our Privacy Policy.

Sub-processorPurposeData categoryLocationDPATransfer mechanismRetention
Hetzner Online GmbHApplication, frontend, and PostgreSQL hosting (marketing site pulsesignal.co, app.pulsesignal.co, backend workers, database, scheduler)All customer + company dataUnited States (Ashburn, Virginia)Yes (Hetzner DPA)EU SCCs Modules 2+3 · UK IDTAActive term + 30 days
Cloudflare, Inc. (CDN / edge proxy)CDN, DDoS protection, TLS termination, and edge caching for pulsesignal.co (orange-cloud proxy in front of the Hetzner origin)Visitor metadata (IP, user-agent, referrer, request path)Global edgeYes (Cloudflare DPA)EU SCCs Modules 2+3 · UK IDTAEdge request logs per Cloudflare retention
Polar Software, Inc. (Polar.sh)Merchant of Record: payment processing, invoicing, subscription billing, and global sales-tax / VAT determination. Polar is the seller of record; it uses Stripe (Stripe, Inc. and Stripe Payments Europe, Ltd) as its underlying payment processor.Card-holder data (not stored by us; tokenised by Polar / Stripe), billing name, billing email, billing country, VAT ID, invoice historyUnited States (Polar Software, Inc.); Stripe in the United States and Ireland for EU customersYes (Polar Data Processing Addendum, polar.sh/legal/data-processing-addendum; Polar sub-processor list, polar.sh/legal/sub-processors)EU SCCs Modules 2+3 · UK IDTA7 years (tax-record requirement)
Sentry (Functional Software, Inc.)Error and exception monitoring (application + frontend)Stack traces, error context, request URL, account ID. Personal data redacted before send via PII scrubbing rules.EU region preferred (Frankfurt) · United States fallbackYes (Sentry DPA)EU SCCs Modules 2+3 · UK IDTA90 days
PostHog Inc.Product analytics (feature usage, session replay disabled, no third-party trackers)Account ID, feature event names, coarse browser metadata. No PII by default.EU region (Frankfurt) where available · United States fallbackYes (PostHog DPA)EU SCCs Modules 2+3 · UK IDTA13 months (rolling)
Groq, Inc.LLM inference for briefings, validators, and custom alert expression evaluationPrompts that reference third-party company names and public observations. No customer PII in prompts.United StatesYes (Groq Cloud Terms)EU SCCs Modules 2+3 · UK IDTAZero retention by contract
SambaNova Systems, Inc.LLM inference (fallback provider)Same as GroqUnited StatesYes (SambaNova SambaCloud Terms)EU SCCs Modules 2+3 · UK IDTAZero retention by contract
Cloudflare, Inc. (Workers AI)LLM inference (fallback provider)Same as GroqGlobal edgeYes (Cloudflare DPA)EU SCCs Modules 2+3 · UK IDTAZero retention by contract
DeepSeekLLM inference for NON-PERSONAL company-data validation only (pricing / products / funding accuracy + gap-fill)Public company facts ONLY (pricing, products, funding, public filings). NEVER personal data: any prompt referencing people (executive names, contacts) is routed away from this provider in code.ChinaYes (DeepSeek Open Platform Terms)Non-personal data only · no personal-data cross-border transferNo training on inputs · retention per DPA
Mistral AI SASLLM inference (routing provider)Same as GroqFrance (European Union)Yes (Mistral AI Terms)EU-internal · adequacyNo training on inputs · retention per DPA
NVIDIA Corporation (NVIDIA NIM)LLM inference (fallback provider)Same as GroqUnited StatesYes (NVIDIA Cloud Terms)EU-US DPF · EU SCCs Modules 2+3 · UK IDTANo training on inputs · retention per DPA
Google LLC (Gemini API)LLM inference (fallback provider)Same as GroqUnited States / GlobalYes (Google Cloud / Generative AI Terms)EU-US DPF · EU SCCs Modules 2+3No training on inputs · retention per DPA
Cerebras Systems, Inc.LLM inference (fallback provider)Same as GroqUnited StatesYes (Cerebras Inference Terms)EU-US DPF · EU SCCs Modules 2+3 · UK IDTANo training on inputs · retention per DPA
Resend (Resend, Inc.)Primary transactional and digest email delivery (digests, alert notifications, magic links, OTP verification, contact-form replies, billing notices)Recipient email address, sender address, subject line, message body, digest contentsUnited StatesYes (Resend DPA · resend.com/legal/dpa)EU SCCs Modules 2+3 · UK IDTA30 days (delivery logs)
SendGrid (Twilio Inc.)Fallback transactional and digest email delivery when Resend is unavailable or rate-limited (same envelope as Resend; selected automatically by the dispatcher when EMAIL_PROVIDER=auto)Recipient email address, sender address, subject line, message body, digest contentsUnited StatesYes (Twilio DPA · twilio.com/legal/data-protection-addendum)EU SCCs Modules 2+3 · UK IDTA30 days (delivery logs)
Google Analytics 4 (Google LLC)Website analytics (pageviews, feature usage) on pulsesignal.coVisitor IP (truncated to /24), cookies, user agent, referrer, page pathsUnited States / GlobalYes (Google Ads Data Processing Terms)EU-US DPF · EU SCCs Modules 2+314 months
PollinationsHero image generation for blog draftsHeadline text only; no personal dataGermanyNot applicable (no personal data processed)EU-internal · adequacyNot applicable
Telegram FZ-LLCInternal operations alerting (engineering on-call only) and admin draft deliveryOperations messages and admin draft text. No customer or company personal data.United Arab Emirates · United States · Germany (multi-region)Not applicable (no customer personal data processed)Not applicableNot applicable
GitHub Actions (Microsoft GitHub Inc.)Common Crawl monthly ingest runnerPublic domain lists, ingest logsUnited StatesYes (GitHub DPA)EU SCCs Modules 2+3 · UK IDTA90 days (action logs)
UK Companies HousePublic statutory registry lookups (corporate_registry)Outbound read-onlyUnited KingdomNot applicable (public registry)UK adequacyNot applicable
data.gov.in (MCA India)Monthly bulk mirror of the Indian Ministry of Corporate Affairs company master dataOutbound read-onlyIndiaNot applicable (public registry)Not applicable (public data)Not applicable
SEC EDGARPublic US securities filings (sec_edgar)Outbound read-onlyUnited StatesNot applicable (public registry)Not applicable (public data)Not applicable
Common CrawlMonthly read of the public web archive indexOutbound read-onlyUnited StatesNot applicable (public dataset)Not applicable (public data)Not applicable
archive.org Wayback MachineHistorical snapshots of public web pagesOutbound read-onlyUnited StatesNot applicable (public archive)Not applicable (public data)Not applicable

International transfers

PulseSignal’s primary application and database are hosted in the United States (Ashburn, Virginia). Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country outside its jurisdiction (principally the United States), we rely on: the European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module 2 controller-to-processor and Module 3 processor-to-processor) for EU transfers; the UK International Data Transfer Addendum (IDTA) version B1.0 for UK transfers; and the EU SCCs as modified by the Swiss FDPIC for Swiss transfers. Each transfer is supplemented by technical measures: TLS 1.2+ in transit, AES-256 at rest, structured audit logging, and least-privilege access.

A transfer impact assessment for each US-located sub-processor is available to customers on written request. We monitor the EU-US Data Privacy Framework and equivalent UK / Swiss extensions and will rely on the framework where the sub-processor is certified and the framework is in force.

For transfers from Canada (PIPEDA / Quebec Law 25), Brazil (LGPD), India (DPDP 2023), Singapore (PDPA), and Australia (Privacy Act 1988), see the corresponding section on /privacy/regional.

Sub-processor change notifications

We notify active customers of material additions at least 30 days before the new provider begins processing, via the billing email on file and by an update to this page. Customers on a signed DPA may object on reasonable data-protection grounds; the objection process is described in section 7 of the DPA.

Questions

Contact privacy@pulsesignal.co to raise an objection to a current or proposed sub-processor, to request the relevant DPA documentation, or to receive a transfer impact assessment.