Privacy Policy

1. Who We Are and How to Contact Us

WorkPulse ("WorkPulse," "we," "us," or "our") is a workforce productivity analytics platform operated as a sole proprietorship. WorkPulse provides a software-as-a-service platform accessible at workpulse.tech and via a downloadable desktop client ("Client Software") for Windows and macOS.

For any privacy-related questions, requests, or complaints, please contact us at:

• Email: privacy@workpulse.tech
• Support: support@workpulse.tech
• Website: https://workpulse.tech

2. Scope and Applicability

This Privacy Policy applies to:

• All visitors to workpulse.tech and its subdomains;
• Organizations ("Customers") that create accounts and use WorkPulse to monitor employee activity;
• Individual employees ("End Users") who install and use the WorkPulse desktop Client Software at the direction of their employer.

This Policy does not apply to third-party websites or services linked from our platform. WorkPulse operates as a data processor on behalf of Customers (employers) with respect to employee activity data. Customers are the data controllers for that data and are responsible for their own privacy notices to employees under applicable law.

3. Definitions

Term	Meaning
Customer	An organization or business that subscribes to WorkPulse and instructs its employees to use the Service.
End User / Employee	An individual who installs and uses the WorkPulse Client Software at the direction of a Customer.
Activity Data	Data collected by the Client Software about foreground application usage, window titles, and productivity classifications.
Account Data	Registration and profile information provided during account creation.
Service	The WorkPulse web platform, API, desktop client, and all related software and services.
Processing	Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

4. Information We Collect

4.1 Account Data (Customers / Managers)

• Full name and email address
• Organization name and team identifier
• Password (stored as a salted PBKDF2-SHA256 hash; never stored in plaintext)
• Google account identifier, if Google OAuth sign-in is used
• Billing information (processed by Stripe; we do not store full card numbers)
• IP address and approximate geographic location at the time of account creation and login
• Subscription plan, trial status, and payment history

4.2 Activity Data (Employees)

• Foreground application name — the name of the process that has keyboard focus (e.g., chrome.exe, excel.exe)
• Window title — the title bar text of the active window (e.g., "Q2 Report - Microsoft Excel")
• Active domain — the website domain extracted from the browser URL or window title when a browser is the active application (e.g., github.com)
• Active / idle classification — whether the employee had keyboard or mouse input within the last 10 minutes
• Session timestamps — start and end times of each application session
• Productivity classification — automated categorization (Work, Communication, Neutral, Non-Work) derived from application rules
• Daily productivity scores — aggregated numeric scores computed from session data
• Consent timestamp — the date and time the employee accepted the monitoring consent notice
• Self-reported activity — manual time log entries submitted voluntarily by the employee

4.3 What We Do NOT Collect

4.4 Technical and Usage Data

• IP addresses and user-agent strings for web requests
• Login timestamps and session durations on the web platform
• API request logs (retained for up to 30 days for security purposes)
• Error and diagnostic logs from the Client Software (app name and error message only)
• Analytics events collected via PostHog (page views, feature usage; no personally identifiable information is sent to PostHog by default)

5. How We Collect Information

We collect information through the following means:

• Direct submission: When you create an account, set up an organization, or contact us.
• Desktop Client Software: The WorkPulse Client Software, once installed and while the employee is signed in, periodically reads the operating system's foreground window information (approximately every 10 seconds) and transmits it to our servers over HTTPS.
• Web platform: Standard web server logs and session tokens stored in browser localStorage.
• Third-party authentication: If you sign in with Google, we receive your Google account ID and email address from Google.
• Payment processor: Stripe provides us with subscription status, payment method type (e.g., card brand), and billing event notifications. We do not receive full payment card numbers.

6. Legal Basis for Processing (GDPR)

For users located in the European Economic Area (EEA) or the United Kingdom, our legal bases for processing personal data are:

Processing Activity	Legal Basis
Creating and managing user accounts	Performance of a contract (Art. 6(1)(b) GDPR)
Processing subscription payments	Performance of a contract (Art. 6(1)(b) GDPR)
Employee activity monitoring	Legitimate interests of the Customer (employer) in workforce productivity management, balanced against employee rights (Art. 6(1)(f) GDPR); or explicit consent where required by local law (Art. 6(1)(a) GDPR)
Sending transactional emails	Performance of a contract (Art. 6(1)(b) GDPR)
Sending optional analytics reports	Legitimate interests (Art. 6(1)(f) GDPR)
Security logging and fraud prevention	Legitimate interests (Art. 6(1)(f) GDPR)
Legal compliance	Legal obligation (Art. 6(1)(c) GDPR)

7. How We Use Your Information

We use the information we collect for the following purposes:

• Service delivery: Providing productivity dashboards, heatmaps, session timelines, and reports to authorized managers within the same organization.
• Account management: Creating and maintaining accounts, verifying email addresses, handling password resets, and managing subscriptions.
• Billing: Processing subscription payments, issuing invoices, and managing trial periods.
• Communications: Sending account verification emails, password reset emails, weekly or daily productivity reports (if enabled by the Customer), and billing notifications.
• Security and fraud prevention: Detecting unauthorized access, enforcing rate limits, and maintaining audit logs.
• Product improvement: Aggregated, anonymized usage analytics to understand how the Service is used and to improve features. We do not use individual employee activity data for training machine learning models or for any purpose beyond the Customer's organization.
• Legal compliance: Responding to lawful requests from law enforcement or regulators where required.

We do not sell personal data. We do not use personal data for advertising or share it with data brokers.

8. Data Sharing and Third-Party Processors

We share data only with the following categories of recipients:

Recipient	Purpose	Data Shared
Amazon Web Services (AWS)	Cloud hosting and infrastructure (EC2, RDS, S3) in the US-East-1 (N. Virginia) region	All data stored on the platform
Stripe, Inc.	Payment processing and subscription management	Name, email, billing address, payment method metadata
Resend	Transactional email delivery	Recipient email address and email content
PostHog	Product analytics (self-hosted or cloud)	Anonymized usage events; no activity data or PII by default
Your Employer (Customer)	Managers within your organization have access to your Activity Data through the WorkPulse dashboard	Activity Data, productivity scores, session history

We require all sub-processors to maintain appropriate technical and organizational security measures and to process data only on our documented instructions.

We do not share personal data with any other third parties except as required by law, to enforce our Terms of Service, or to protect the rights and safety of WorkPulse, our Customers, or the public.

9. Employee Monitoring Disclosure

WorkPulse is an employer-directed monitoring tool. Employees use the Service at the direction of their employer (the Customer). The following disclosures apply specifically to employees:

• Consent notice: Before the Client Software begins monitoring, employees are presented with an "Activity Monitoring Notice" screen that describes what is collected and requires explicit acceptance. The timestamp and version of each employee's consent acceptance is logged and associated with the employee's account.
• Scope of monitoring: Monitoring is limited to the active (foreground) window on the employee's device while the employee is signed in. Monitoring stops immediately when the employee signs out via the system tray icon.
• No monitoring outside work sessions: The Client Software does not run in the background after sign-out. It does not monitor activity during personal time, weekends, or outside signed-in sessions.
• Employer access: Activity Data is accessible to managers within the employee's organization. WorkPulse does not independently review or share employee-level data with any party outside the organization except as required by law.
• Employee access: Employees may view their own activity data, productivity scores, and session history through the employee dashboard at any time while signed in.
• Legal responsibility: Customers (employers) are responsible for ensuring that their use of WorkPulse complies with applicable labor laws, employment agreements, works council requirements, and employee notification obligations in their jurisdiction. WorkPulse provides the monitoring notice feature to assist with this obligation but does not guarantee compliance with any specific jurisdiction's requirements.

10. Data Retention

Data Type	Retention Period
Activity session records	Duration of active subscription, or as configured by the Customer (default: 90 days rolling)
Daily productivity scores	Duration of active subscription
Account data (name, email)	Until account deletion, then purged within 30 days
Billing records	7 years (required for tax and accounting compliance)
Security and API logs	30 days
Consent records	Duration of account, then purged within 30 days of account deletion
Anonymized aggregated analytics	Indefinitely (no personal data)

Upon account deletion initiated by a Customer or End User, all personal data associated with the account is permanently and irreversibly deleted from our production systems within 30 days. Backups containing that data are rotated and overwritten on a rolling 30-day basis.

11. Data Security

We implement the following technical and organizational security measures:

• Encryption in transit: All data transmitted between the Client Software, browser, and our servers is encrypted using TLS 1.2 or higher (HTTPS).
• Password security: Passwords are hashed using PBKDF2-SHA256 with 260,000 iterations and a unique salt per user. Plaintext passwords are never stored or logged.
• Authentication tokens: JSON Web Tokens (JWTs) expire after 7 days. Tokens are invalidated upon password change. The desktop client uses one-time exchange codes (valid for 60 seconds) to pass tokens to the embedded browser, preventing token exposure in browser history.
• Rate limiting: Login attempts are limited to 5 per 15-minute window per IP address to prevent brute-force attacks. All API endpoints are rate-limited to 200 requests per minute per IP.
• Access control: Manager-level API endpoints require authenticated manager-role tokens. Employees can only access data associated with their own account.
• Infrastructure security: Our servers are hosted on AWS with security groups restricting inbound access. Database credentials are stored as environment variables and never committed to source control.
• Data isolation: Organization data is logically isolated using row-level security. One organization cannot access another organization's data.

While we implement industry-standard security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

In the event of a data breach that affects your personal data, we will notify affected individuals and, where required, relevant supervisory authorities within the timeframes required by applicable law.

12. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

12.1 Rights Available to All Users

• Access: You may request a copy of the personal data we hold about you. Employees may view their activity data directly in the employee dashboard. Managers may export data via the dashboard.
• Correction: You may update your account information (name, email, department) through account settings.
• Deletion: You may delete your account and all associated data at any time via Settings → Delete Account. Customers may request deletion of all organizational data by contacting privacy@workpulse.tech.
• Email opt-out: You may unsubscribe from non-essential email communications via the unsubscribe link in any email we send.

12.2 Additional Rights Under GDPR (EEA / UK Users)

• Right to restriction: You may request that we restrict processing of your personal data in certain circumstances.
• Right to portability: You may request your personal data in a structured, machine-readable format.
• Right to object: Where we rely on legitimate interests as a legal basis, you may object to that processing. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or the relevant EU supervisory authority).

To exercise any of these rights, contact us at privacy@workpulse.tech. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing requests.

Note for employees: Because WorkPulse is an employer-directed service, certain requests related to Activity Data may need to be coordinated with your employer (the Customer). WorkPulse acts as a data processor in this context and will refer certain requests to the Customer as the data controller.

13. Children's Privacy

The Service is intended solely for use in professional workplace environments by individuals who are at least 18 years of age, or the age of majority in their jurisdiction. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly. If you believe we have collected data from a minor, please contact privacy@workpulse.tech.

14. International Data Transfers

WorkPulse is operated from the United States. Our servers are located in AWS's US-East-1 (N. Virginia) region. If you access the Service from outside the United States, your data will be transferred to and processed in the United States.

For users in the EEA or UK, transfers of personal data to the United States are made on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission, or another recognized transfer mechanism under GDPR Chapter V. By using the Service, you acknowledge that your data may be transferred to and processed in jurisdictions that may not provide the same level of data protection as your home jurisdiction.

15. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with the following rights:

• Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collection, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: WorkPulse does not sell or share personal information for cross-context behavioral advertising. No opt-out is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact privacy@workpulse.tech. We will verify your identity and respond within 45 days. We do not respond to browser "Do Not Track" signals as there is no uniform standard for interpreting them.

Categories of personal information collected in the past 12 months: Identifiers (name, email, IP address); professional or employment-related information (activity data, productivity scores); commercial information (subscription and billing data); and inferences drawn from activity data to create a productivity profile. We do not collect sensitive personal information as defined under CPRA.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will indicate the "Last Updated" date at the top of this page. For material changes that affect how we process personal data, we will provide notice by:

• Posting a prominent notice on the WorkPulse web platform;
• Sending an email notification to the registered email addresses of active Customers; and/or
• Requiring renewed consent from End Users through the Client Software where required by law.

Your continued use of the Service after the effective date of the updated Policy constitutes your acceptance of the changes. If you do not agree to the updated Policy, you must cease using the Service and may request deletion of your data.

17. Contact and Complaints

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Privacy inquiries: privacy@workpulse.tech
• General support: support@workpulse.tech

We are committed to resolving privacy complaints promptly and in good faith. If you are not satisfied with our response, you have the right to lodge a complaint with:

• Your local data protection authority (for EEA/UK users);
• The California Attorney General's office (for California residents); or
• The applicable consumer protection authority in your jurisdiction.

← Back to WorkPulse