Privacy Policy

1. Introduction

PulseAI Now Inc. (“PulseAI”, “we”, “us”, or “our”) is committed to protecting the privacy of the individuals and organisations that use our AI Maturity Intelligence Platform (the “Platform”). This Privacy Policy explains what personal information we collect, how we use it, how we protect it, and your rights in relation to it.

PulseAI is a business-to-business platform. We process personal information on behalf of the organisations that subscribe to our Platform and, in limited circumstances, as a data controller for account management and platform operations.

This Privacy Policy applies to all users of the Platform, including organisation administrators, contributors, and viewers. It should be read alongside our Terms of Use and any applicable subscription or partner agreement.

2. Who we are

PulseAI Now Inc. is incorporated in Ontario, Canada, with its principal office in Windsor, Ontario. For privacy inquiries, contact:

3. Information we collect

3.1 Account information

When you are invited to the Platform by your Organisation’s administrator, we collect:

• Full name
• Email address (typically your corporate email)
• Organisation name, department assignment, and user role
• Password (stored in hashed form in AWS Cognito)

3.2 Assessment data

When you complete AI Readiness Compass™ assessments, we collect your individual domain-level responses, evidence text, and confidence ratings. This data is classified as Private (Tier 1) and is never visible to other organisations or to PulseAI staff on an individual basis.

Important: Your individual assessment responses are never shared with your Organisation’s management. Only aggregated department-level scores are visible to leadership within your Organisation.

3.3 Platform usage data

We automatically collect technical and usage information when you access the Platform, including:

• Login timestamps and session duration
• Browser type and version, operating system
• IP address (used for security and region verification, not shared)
• Pages viewed and features used within the Platform

3.4 Organisation data

Administrators may submit additional Organisation data, including AI Tool Registry entries (tool names, department mappings, cost data, workflow impact notes), custom Compass domain weights, and organisation-specific use cases. This data is classified as Private (Tier 1).

4. How we classify your data

PulseAI operates a four-tier data classification framework designed to balance privacy protection with the network effects that make the Platform valuable. Understanding these tiers is essential to understanding how your data is used.

5. How we use your information

5.1 To provide the Platform

We process your personal information and Organisation data to operate the Platform, including calculating Compass Scores, displaying dashboards, generating reports, sending assessment invitations, and delivering the Directive™ intelligence feed.

5.2 To generate anonymised benchmarks

Benchmarking is fundamental to the Platform’s value proposition. We derive anonymised, aggregated data (Tier 2) from assessment scores across multiple organisations to produce industry benchmarks. This aggregation is subject to strict safeguards:

• A minimum cohort of five organisations is required before any benchmark is generated.
• K-anonymity rules prevent the re-identification of any individual tenant, department, or user.
• Once aggregated, the data is no longer personal information under PIPEDA or personal data under GDPR Recital 26.

Participation in anonymised benchmarking is mandatory for standard deployments. This is a condition of using the Platform, established contractually in your Organisation’s agreement with PulseAI and disclosed here. Organisations requiring full isolation may purchase a dedicated enterprise deployment.

5.3 To improve the Platform

We use Derived data (Tier 4)—product analytics, feature usage patterns, and model performance metrics—to improve the Platform. This data is internal to PulseAI and is never customer-facing.

5.4 To communicate with you

We may use your email address to send Platform-related communications such as assessment invitations, score notifications, and service updates. We do not send marketing email to individual users; marketing communications are directed to Organisation administrators who have opted in.

5.5 To comply with legal obligations

We may process your information where required by law, regulation, or valid legal process.

6. Legal basis for processing

Depending on your location and the nature of the processing, our legal bases include:

• Contractual necessity: Processing your account information and assessment data to deliver the Platform services under your Organisation’s agreement with PulseAI.
• Legitimate interests: Generating anonymised benchmarks, improving the Platform, and ensuring security. Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your rights.
• Legal obligation: Where required by applicable law.
• Consent: Where applicable (e.g., optional marketing communications to administrators).

7. Who we share your data with

PulseAI does not sell your personal information. We share data only in the following limited circumstances:

• Your Organisation: Aggregated department-level scores and reports are visible to your Organisation’s administrators. Individual assessment responses are never shared with management.
• Infrastructure providers: We use Amazon Web Services (AWS) for hosting, including Cognito for authentication, DynamoDB for data storage, and Amazon Bedrock for AI-generated narratives. AWS processes data as a sub-processor under our instructions.
• Benchmarking participants: Other Platform customers receive anonymised benchmark data (Tier 2). No individual organisation can be identified from the benchmarks.
• Legal compliance: We may disclose information if required by law, regulation, or valid legal process.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, subject to the same privacy protections.

8. Data residency and international transfers

PulseAI operates regional infrastructure in three AWS regions:

• Canada: ca-central-1 (Montréal)—PIPEDA
• United States: us-east-1 (Virginia)
• European Union: eu-central-1 (Frankfurt)—GDPR

Your Organisation selects a hosting region during onboarding. This choice is permanent. Your Private data (Tier 1) is stored exclusively in the selected region and will not be transferred outside that region without your Organisation’s prior written consent.

Anonymised aggregate data (Tier 2) may be processed across regions to generate global benchmarks. Because this data contains no personal information, cross-region transfer restrictions under privacy law do not apply.

9. Data retention

• Private data (Tier 1): Retained for the duration of your Organisation’s subscription. Deleted or returned within thirty (30) days of termination, subject to any legal retention obligations.
• Account information: Retained for the duration of your account. If your Organisation terminates its agreement, your account is deactivated and PII is deleted within thirty (30) days.
• Aggregated data (Tier 2): Retained indefinitely, as it contains no personal information and forms part of the benchmark dataset.
• Platform and Derived data (Tiers 3–4): Retained at PulseAI’s discretion as part of platform operations and intellectual property.
• Usage logs: Retained for up to twelve (12) months for security and audit purposes, then deleted.

10. Data security

PulseAI implements commercially reasonable technical and organisational security measures, including:

• Encryption at rest (AES-256) and in transit (TLS 1.2+) for all data.
• Tenant isolation at the DynamoDB partition level, ensuring no cross-tenant data leakage.
• AWS Cognito for authentication with PKCE flow, secure password hashing, and optional multi-factor authentication.
• Role-based access controls (Admin, Contributor, Viewer) enforced via JWT claims.
• Regular security assessments and vulnerability monitoring.
• 72-hour breach notification to affected Organisations.

11. Your rights

11.1 Under PIPEDA (Canada)

If you are a Canadian user, you have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate personal information.
• Withdraw consent for processing, subject to legal or contractual restrictions.
• Complain to the Office of the Privacy Commissioner of Canada.

11.2 Under GDPR (European Union)

If you are an EU user (accessing the Platform through the eu-central-1 region), you have the right to:

• Access, rectify, or erase your personal data.
• Restrict or object to processing.
• Data portability (receive your data in a structured, machine-readable format).
• Lodge a complaint with your local supervisory authority.

11.3 Under the CCPA/CPRA (California)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with specific rights regarding your personal information.

Categories of personal information we collect:

• Identifiers: name, email address, IP address.
• Professional or employment-related information: organisation name, department, role.
• Internet or electronic network activity: usage logs, pages viewed, session duration, browser type.
• Inferences: Compass Scores, domain-level assessment results derived from your responses.

As a California resident, you have the right to:

• Know what personal information we collect, use, and disclose about you.
• Request deletion of your personal information, subject to certain exceptions.
• Request correction of inaccurate personal information.
• Opt out of the sale or sharing of your personal information.
• Not be discriminated against for exercising any of these rights.

PulseAI does not sell or share your personal information as those terms are defined under the CCPA.

To submit a California privacy request, email legal@pulseai.now with “California Privacy Request” in the subject line. We will verify your identity before processing your request and respond within forty-five (45) calendar days.

11.4 How to exercise your rights

Contact your Organisation’s administrator to request data exports or corrections within the Platform. For privacy rights requests directed to PulseAI, email legal@pulseai.now. We will respond within thirty (30) days.

12. Children’s privacy

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe that a minor has provided personal information to PulseAI, please contact us and we will promptly delete the information.

13. Cookies and tracking technologies

The Platform uses strictly necessary cookies for authentication and session management. We do not use advertising cookies, social media tracking pixels, or third-party analytics trackers. Session cookies are deleted when you close your browser.

14. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the Platform or by email to your Organisation’s administrator. The effective date at the top of this document indicates the date of the most recent revision. Your continued use of the Platform after a material change constitutes acceptance of the revised Privacy Policy.

15. Contact us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact:

legal@pulseai.now

PulseAI Now Inc. · Windsor, Ontario, Canada

pulseai.now