Privacy Policy

1. Introduction

PulseAI Now Inc. (“PulseAI”, “we”, “us”, or “our”) is committed to protecting the privacy of the individuals and organizations that use our AI Maturity Intelligence Platform (the “Platform”). This Privacy Policy explains what personal information we collect, how we use it, how we protect it, and your rights in relation to it.

PulseAI is a business-to-business platform. We process personal information on behalf of the organizations that subscribe to our Platform and, in limited circumstances, as a data controller for account management and platform operations.

This Privacy Policy applies to all users of the Platform, including organization administrators, contributors, and viewers. It should be read alongside our Terms of Use and any applicable subscription or partner agreement.

2. Who we are

PulseAI Now Inc. is incorporated in Ontario, Canada, with its principal office in Windsor, Ontario. For privacy inquiries, contact:

3. Information we collect

3.1 Account information

When you are invited to the Platform by your Organization’s administrator, we collect:

• Full name
• Email address (typically your corporate email)
• Organization name, department assignment, and user role
• Password (stored in hashed form by our identity provider)

3.2 Assessment data

When you complete AI Readiness Compass™ assessments, we collect your individual domain-level responses, evidence text, and confidence ratings. This data is classified as Private (Tier 1) and is never visible to other organizations or to PulseAI staff on an individual basis.

Important: Your individual assessment responses are never shared with your Organization’s management. Only aggregated department-level scores are visible to leadership within your Organization.

3.3 Platform usage data

We automatically collect technical and usage information when you access the Platform, including:

• Login timestamps and session duration
• Browser type and version, operating system
• IP address (used for security and region verification, not shared)
• Pages viewed and features used within the Platform

3.4 Organization data

Administrators may submit additional Organization data, including AI Tool Registry entries (tool names, department mappings, cost data, workflow impact notes), custom Compass domain weights, and organization-specific use cases. This data is classified as Private (Tier 1).

4. How we classify your data

PulseAI operates a four-tier data classification framework designed to balance privacy protection with the network effects that make the Platform valuable. Understanding these tiers is essential to understanding how your data is used.

5. How we use your information

5.1 To provide the Platform

We process your personal information and Organization data to operate the Platform, including calculating Compass Scores, displaying dashboards, generating reports, sending assessment invitations, and delivering the Directive™ intelligence feed.

5.2 To generate anonymized benchmarks

Benchmarking is fundamental to the Platform’s value proposition. We derive anonymized, aggregated data (Tier 2) from assessment scores across multiple organizations to produce industry benchmarks. This aggregation is subject to strict safeguards:

• A minimum cohort of five organizations is required before any benchmark is generated.
• K-anonymity rules prevent the re-identification of any individual tenant, department, or user.
• Once aggregated, the data is no longer personal information under PIPEDA or personal data under GDPR Recital 26.

Participation in anonymized benchmarking is mandatory for standard deployments. This is a condition of using the Platform, established contractually in your Organization’s agreement with PulseAI and disclosed here. Organizations requiring full isolation may purchase a dedicated enterprise deployment.

5.3 To improve the Platform

We use Derived data (Tier 4)—product analytics, feature usage patterns, and model performance metrics—to improve the Platform. This data is internal to PulseAI and is never customer-facing.

5.4 To communicate with you

We may use your email address to send Platform-related communications such as assessment invitations, score notifications, and service updates. We do not send marketing email to individual users; marketing communications are directed to Organization administrators who have opted in.

5.5 To comply with legal obligations

We may process your information where required by law, regulation, or valid legal process.

6. Legal basis for processing

Depending on your location and the nature of the processing, our legal bases include:

• Contractual necessity: Processing your account information and assessment data to deliver the Platform services under your Organization’s agreement with PulseAI.
• Legitimate interests: Generating anonymized benchmarks, improving the Platform, and ensuring security. Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your rights.
• Legal obligation: Where required by applicable law.
• Consent: Where applicable (e.g., optional marketing communications to administrators).

7. Who we share your data with

PulseAI does not sell your personal information. We share data only in the following limited circumstances:

• Your Organization: Aggregated department-level scores and reports are visible to your Organization’s administrators. Individual assessment responses are never shared with management.
• Infrastructure providers: We use Amazon Web Services (AWS) for hosting, identity, data storage, and managed AI inference. AWS processes data as a sub-processor under our instructions.
• Benchmarking participants: Other Platform customers receive anonymized benchmark data (Tier 2). No individual organization can be identified from the benchmarks.
• Legal compliance: We may disclose information if required by law, regulation, or valid legal process.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, subject to the same privacy protections.

8. Data residency and international transfers

PulseAI today operates production infrastructure in a single AWS region:

• Canada: ca-central-1 (Montréal) — primary production region. Subject to PIPEDA.

Additional regions are planned but not yet operational:

• European Union: eu-central-1 (Frankfurt) — planned. When live, will be subject to GDPR and supported by Standard Contractual Clauses (EU 2021/914 Module 2) and a UK International Data Transfer Addendum.
• United States: us-west-2 (Oregon) — planned.

Customer assessment data (Tier 1) is stored exclusively in the customer’s selected region and will not be transferred outside that region without the customer’s prior written consent. For EU data subjects accessing the Platform today, Canada has been recognized as providing an adequate level of data protection by the European Commission under its 2023 adequacy decision.

Anonymized aggregate data (Tier 2) may be processed across regions to generate global benchmarks. Because this data contains no personal information, cross-region transfer restrictions under privacy law do not apply.

9. Data retention

• Private data (Tier 1): Retained for the duration of your Organization’s subscription. Deleted or returned within thirty (30) days of termination, subject to any legal retention obligations.
• Account information: Retained for the duration of your account. If your Organization terminates its agreement, your account is deactivated and PII is deleted within thirty (30) days.
• Aggregated data (Tier 2): Retained indefinitely, as it contains no personal information and forms part of the benchmark dataset.
• Platform and Derived data (Tiers 3–4): Retained at PulseAI’s discretion as part of platform operations and intellectual property.
• Usage logs: Retained for up to twelve (12) months for security and audit purposes, then deleted.

10. Data security

PulseAI implements commercially reasonable technical and organizational security measures, including:

• Encryption at rest (AES-256) and in transit (TLS 1.2+) for all data.
• Tenant isolation at the database partition level, ensuring no cross-tenant data leakage.
• OAuth 2.0 / OIDC authentication with PKCE flow, secure password hashing, and multi-factor authentication required for all users.
• Role-based access controls applied across the platform, with permissions scoped to the minimum needed for each user's role.
• Regular security assessments and vulnerability monitoring.
• Breach notification to the Office of the Privacy Commissioner of Canada as soon as feasible after determining the breach poses a real risk of significant harm, in accordance with PIPEDA s. 10.1.
• Breach notification to affected Organizations within 72 hours of confirmation, with the technical and remediation detail they need to assess downstream impact. EU supervisory-authority notification under GDPR Art. 33 will apply once PulseAI is operationally hosting EU data.

11. Your rights

11.1 Under PIPEDA (Canada)

If you are a Canadian user, you have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate personal information.
• Withdraw consent for processing, subject to legal or contractual restrictions.
• Complain to the Office of the Privacy Commissioner of Canada.

11.2 Under GDPR (European Union)

If you are an EU user (accessing the Platform through the eu-central-1 region), you have the right to:

• Access, rectify, or erase your personal data.
• Restrict or object to processing.
• Data portability (receive your data in a structured, machine-readable format).
• Lodge a complaint with your local supervisory authority.

11.3 Under the CCPA/CPRA (California)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with specific rights regarding your personal information.

Categories of personal information we collect:

• Identifiers: name, email address, IP address.
• Professional or employment-related information: organization name, department, role.
• Internet or electronic network activity: usage logs, pages viewed, session duration, browser type.
• Inferences: Compass Scores, domain-level assessment results derived from your responses.

As a California resident, you have the right to:

• Know what personal information we collect, use, and disclose about you.
• Request deletion of your personal information, subject to certain exceptions.
• Request correction of inaccurate personal information.
• Opt out of the sale or sharing of your personal information.
• Not be discriminated against for exercising any of these rights.

PulseAI does not sell or share your personal information as those terms are defined under the CCPA.

To submit a California privacy request, email legal@pulseai.now with “California Privacy Request” in the subject line. We will verify your identity before processing your request and respond within forty-five (45) calendar days.

11.4 How to exercise your rights

Contact your Organization’s administrator to request data exports or corrections within the Platform. For privacy rights requests directed to PulseAI, email legal@pulseai.now. We will respond within thirty (30) days.

12. Children’s privacy

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe that a minor has provided personal information to PulseAI, please contact us and we will promptly delete the information.

13. Cookies and tracking technologies

The Platform uses strictly necessary cookies for authentication and session management. We do not use advertising cookies, social media tracking pixels, or third-party analytics trackers. Session cookies are deleted when you close your browser.

Strictly: what we do not do

For clarity, PulseAI does not:

• Run advertising, retargeting, or marketing-attribution pixels on any PulseAI property.
• Use third-party web analytics on the marketing site or in the product.
• Sell or share personal information for monetary or other valuable consideration.
• Use customer assessment data, AI Tool Registry entries, or organization-specific use cases to train third-party AI models.
• Profile individuals for marketing purposes.
• Scrape, enrich, or augment your data using external data brokers.

14. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the Platform or by email to your Organization’s administrator. The effective date at the top of this document indicates the date of the most recent revision. Your continued use of the Platform after a material change constitutes acceptance of the revised Privacy Policy.

15. Contact us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact:

legal@pulseai.now

PulseAI Now Inc. · Windsor, Ontario, Canada

pulseai.now