Privacy Policy

Last updated: April 15, 2026

1. Who we are

Pulsy ("we", "us", "our") is a paid media analytics platform operated by TODO_SET_LEGAL_NAME, a Dutch entity registered with the Chamber of Commerce under KvK number TODO_SET_KVK and VAT number TODO_SET_VAT. Pulsy helps advertising professionals monitor and optimize their Google Ads and Meta Ads campaigns through AI-powered insights.

For privacy questions or to exercise your rights under GDPR, contact privacy@pulsy.co. For all other support, write to support@pulsy.io.

2. What data we collect

Account information

When you create a Pulsy account we collect:

  • Name and email address
  • Hashed password (we never store plaintext passwords)
  • Account role and preferences

Advertising platform data

When you connect a Google Ads or Meta Ads account, we access the following data through official APIs with your explicit consent:

  • Campaign, ad group, and ad performance metrics (spend, impressions, clicks, conversions, ROAS, CPA)
  • Campaign structure and settings (names, budgets, statuses, targeting)
  • Creative details (headlines, descriptions, ad strength scores)
  • Search term reports and keyword quality data (Google Ads)
  • Audience targeting and overlap data (Meta Ads)
  • Device and hour-of-day performance breakdowns
  • Video creative performance data (view rates, retention percentages, completion rates)
  • Ad preview data (temporary iframe previews from Meta Ad Preview API, valid for 24 hours)

We do not access personally identifiable information about the people who see or click your ads. We only access aggregated advertising performance data.

OAuth tokens

When you authorize Pulsy via Google or Meta OAuth, we receive and store encrypted access and refresh tokens. These tokens allow us to fetch your advertising data on your behalf. Tokens are encrypted at rest using AES-256-GCM encryption and are never exposed to other users.

Usage data

We collect basic analytics about how you use the platform (pages visited, features used) to improve the product. We do not use third-party tracking scripts.

3. How we use your data

We use the data we collect to:

  • Display your advertising performance in the Pulsy dashboard
  • Generate AI-powered insights, issue detection, and optimization recommendations
  • Send you notifications about critical performance changes (if enabled)
  • Calculate health scores and trend analysis
  • Improve the accuracy of our detection and analysis engines
  • Provide customer support and respond to your inquiries

We do not sell, rent, or share your advertising data with third parties for their own marketing or advertising purposes.

4. Google API Services — Limited Use Disclosure

Pulsy's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only request access to the data necessary to provide the Pulsy service (the adwords scope for Google Ads read access)
  • We do not use Google user data for serving advertisements
  • We do not transfer Google user data to third parties unless necessary to provide the service, required by law, or with your explicit consent
  • No human reads your Google Ads data except to provide support directly requested by you
  • We only retain your Google Ads data for as long as needed to provide the service (rolling 30-day window for metrics)

5. Meta Platform Data — Compliance Disclosure

Pulsy's use of data received from Meta (Facebook) APIs complies with the Meta Platform Terms and Developer Policies.

Specifically:

  • We only request the permissions necessary to provide the Pulsy service: ads_read, ads_management, pages_read_engagement, and business_management
  • We access only aggregated advertising performance data — we do not access or store personal data of people who interact with your ads
  • Meta user data is not sold, licensed, or shared with third parties for their own purposes
  • Data received from Meta APIs is used solely to provide analytics, insights, and optimization recommendations within the Pulsy platform
  • We delete all Meta advertising data associated with your account when you disconnect or delete your Pulsy account
  • Users can revoke Pulsy's access at any time through Meta Business Integrations settings
  • We support Meta's Data Deletion Callback. When a user removes Pulsy through Facebook settings, we automatically receive a signed request and delete all associated Meta data, connections, and tokens from our systems

5b. Pulsy Actions — write access disclosure

When a user opts into Pulsy Actions (an explicit feature that must be enabled per-connection), Pulsy may make limited write requests to your connected Meta ad accounts using the ads_management permission. Specifically, Pulsy may:

  • Pause an ad or ad set (changing its status field to PAUSED)
  • Adjust an ad set's daily_budget field within capped delta thresholds (10–30% steps, 24-hour caps)

Pulsy will never automatically:

  • Create new campaigns, ad sets, or ads
  • Modify creative content, copy, or assets
  • Change targeting, audiences, or bidding strategies
  • Modify any Meta object outside the ad accounts you have explicitly connected

Approval required: every Pulsy Action is proposed first and requires explicit per-action approval inside the Pulsy product before any write occurs. Users can run a "dry-run" beforehand to see the literal Meta API request that would be sent.

Audit log: every action is recorded with creation, dry-run, approval, queue, execution, and outcome events. Audit history is retained for the lifetime of the connection plus the deletion-grace window described below.

Rollback: the previous state of any modified object is captured before the write. Users can request a rollback through the Pulsy Actions dashboard, which generates a NEW pre-filled proposal that the user approves the same way as a forward action.

Three-gate safety: Pulsy Actions execution is gated by (1) a top-level feature flag, (2) a per-connection allowlist requiring an admin to opt in for each ad account, and (3) a per-proposal dry-run flag. All three gates must permit the action before any write is sent to Meta.

6. Data security

We take the security of your data seriously and implement the following measures:

  • Token encryption at rest — OAuth tokens are encrypted using AES-256-GCM with unique IVs per encryption operation
  • PKCE — Our OAuth flows use Proof Key for Code Exchange (S256 method) to prevent authorization code interception
  • CSRF protection — Cryptographically random state tokens with server-side validation and 15-minute expiry
  • Transport encryption — All data in transit is encrypted via HTTPS/TLS
  • Password hashing — Passwords are hashed with bcrypt before storage
  • Token revocation — When you disconnect an account, we revoke the OAuth token at the provider level
  • Minimal data retention — We store a rolling 30-day window of performance metrics

7. Data sharing

We may share your data in the following limited situations:

  • AI processing — Aggregated and anonymized advertising metrics are sent to our AI provider (OpenAI) to generate insights. No personally identifiable information or raw tokens are shared.
  • Infrastructure providers — Our hosting and database providers (Vercel, Neon) process data as part of providing their services, subject to their own privacy policies and data processing agreements.
  • Legal requirements — We may disclose data if required by law, regulation, or legal process.

8. Your rights

You have the right to:

  • Disconnect accounts — Remove any connected advertising account at any time. This revokes our access and deletes associated data.
  • Delete your account — Request complete deletion of your Pulsy account and all associated data.
  • Export your data — Request a copy of the data we hold about you.
  • Revoke access — Revoke Pulsy's access to your Google or Meta account at any time through the respective platform's settings (Google, Meta).

To exercise any of these rights, contact us at privacy@pulsy.co.

9. Cookies

Pulsy uses only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

10. Data retention

  • Metrics — Rolling 30-day window; older data is automatically deleted during sync
  • Insights — Kept for the duration of your account
  • OAuth tokens — Stored as long as the connection is active; deleted and revoked upon disconnection
  • Account data — Retained until you delete your account

11. International data transfers

Pulsy is operated from the Netherlands (EU). Your data may be processed in other countries where our infrastructure providers operate (such as the United States for Vercel and Neon). Where data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, such as standard contractual clauses.

If you are a resident of the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR), including the right to access, rectify, erase, restrict, and port your data. Our legal basis for processing is your consent (when you connect advertising accounts) and legitimate interest (for providing the Service).

12. Children's privacy

Pulsy is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a minor, please contact us at privacy@pulsy.co and we will promptly delete it.

13. Changes to this policy

We may update this privacy policy from time to time. We will notify you of material changes by email or through the Pulsy dashboard. Continued use of the service after changes constitutes acceptance of the updated policy.

14. Contact

For privacy-related questions or requests, contact us at:

Pulsy
Email: privacy@pulsy.co