Privacy Policy — AI Sales Pulse

AI Sales Pulse, Inc. ("AI Sales Pulse," "we," "us," or "our") operates the Pulse sales assistant platform (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we protect it, and what rights you have.

Our Core Principle: Your business data belongs to you. We collect only what is necessary to deliver the Service, we never sell your data, and you can export or delete your data at any time.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

Name and email address (required)
Phone number (optional)
Company name (required)
Password (stored as an irreversible bcrypt hash — we never store your actual password)
ERP/distribution system type (e.g., BGATE, SAP, NetSuite) for integration configuration

1.2 Business Data

As you use the Service, you and your team may store:

Customer and prospect records (names, emails, phone numbers, company information, addresses)
Sales pipeline data (opportunities, deal values, stages)
Messages and conversation threads (email and WhatsApp, if connected)
Product catalog information (SKUs, pricing, inventory)
Follow-up tasks, notes, and reminders
Purchase/order history
AI-generated insights and draft messages

1.3 Security & Session Data

To protect your account, we collect:

IP address and approximate geographic location on login
Device and browser information (e.g., "Chrome on macOS")
Login timestamps and session activity
Audit log events (logins, password changes, 2FA setup, session revocations)

1.4 Integration Credentials

If you connect third-party services, we store:

API keys or OAuth tokens for your ERP system, email provider, WhatsApp Business, or AI provider
All credentials are encrypted at rest using AES symmetric encryption before storage

2. How We Use Your Information

Purpose	Data Used
Provide the Service (CRM, pipeline, AI insights)	Account info, business data
Authenticate you and secure your account	Email, password hash, 2FA codes, sessions
Send transactional emails (2FA codes, password resets, daily digests, welcome emails)	Email address, name, task summaries
Connect your ERP, email, or messaging systems	Integration credentials, sync configuration
Generate AI-powered insights and draft messages	Customer data, conversation history, product catalog (sent to AI provider only when you enable AI features)
Detect and prevent abuse	IP address, failed login attempts, rate limiting
Maintain audit trail for compliance	Security events, timestamps, device info

We do NOT: sell your data, use it for advertising, share it with data brokers, or use your business data to train AI models.

3. Third-Party Services & Data Sharing

We use the following third-party services to operate Pulse. Data is shared only as necessary to provide features you enable:

Service	Purpose	Data Shared
Resend	Transactional email delivery	Email address, name, email content (2FA codes, password reset links, daily digests, welcome emails)
Anthropic (Claude AI)	AI sales assistant (opt-in)	Business data you query about (customer info, product catalog, sales metrics). Only activated when you provide your own API key and use the AI chat feature.
Microsoft Graph API	Outlook email integration (opt-in)	OAuth tokens, email messages. Only activated when you connect your Outlook account via OAuth2 authorization.
Meta WhatsApp Business API	WhatsApp messaging integration (opt-in)	WhatsApp access token, contact metadata. Only activated when you configure WhatsApp Business integration.
BGATE / ERP Systems	Customer & product data sync (opt-in)	API credentials, salesperson code. Syncs customer, product, and inventory data from your ERP. Only activated when you configure your ERP connection.
Google Fonts	Web font delivery	Standard HTTP request data (IP address, browser info) when loading the Inter font family
Railway	Application hosting	All application data is hosted on Railway's infrastructure. Railway provides the PostgreSQL database and compute environment.

All optional integrations (AI, email, WhatsApp, ERP) are disabled by default and only activated when you explicitly configure them in Settings > Integrations.

4. Data Security

We implement the following security measures to protect your data:

Encryption

In Transit: All data transmitted between your browser and our servers is encrypted via TLS/HTTPS. We enforce HSTS (HTTP Strict Transport Security) with a one-year maximum age.
At Rest: Integration API keys and OAuth tokens are encrypted using AES symmetric encryption (Fernet) before database storage.
Passwords: Stored as irreversible bcrypt hashes (12 rounds). We never store or have access to your plaintext password.

Authentication & Access Control

Two-Factor Authentication (2FA): Optional email-based one-time codes with backup recovery codes (bcrypt-hashed).
Session Management: 30-minute inactivity timeout, 8-hour absolute session limit. Sessions can be viewed and revoked from the Security settings page.
Brute Force Protection: Account lockout after 5 failed login attempts (15-minute cooldown). API rate limiting on all authentication endpoints.
Role-Based Access: Three role tiers (sales rep, admin, super admin) with strict permission boundaries.

Security Headers

Strict-Transport-Security (HSTS)
X-Content-Type-Options: nosniff
X-Frame-Options: DENY (prevents clickjacking)
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera, microphone, and geolocation disabled

Infrastructure

Hosted on Railway's managed infrastructure
PostgreSQL database with parameterized queries (SQL injection prevention)
CORS restricted to authorized origins only
Comprehensive audit logging of all security events

5. Multi-Tenant Data Isolation

Pulse is a multi-tenant platform. Each company's data is strictly isolated:

Every business data table is scoped by a company_id identifier.
All database queries filter by the authenticated user's company, ensuring you can never access another company's customers, products, messages, or pipeline data.
Admin users can only manage users and data within their own company.
Foreign key constraints and database-level indexes enforce isolation at the schema level.

6. Data Retention

Data Type	Retention Period
Account & profile data	Until you delete your account
Business data (customers, products, messages)	Until you delete your account or individual records
Session data	Automatically expired after 8 hours (30 min inactivity)
2FA verification codes	Automatically deleted after 5 minutes
Password reset tokens	Automatically expired after 1 hour
Failed login attempts	Cleared after 15 minutes or on successful login
Audit log	Retained for compliance; available in your data export
Integration credentials	Until you disconnect the integration

7. Your Rights

Regardless of where you are located, you have the following rights regarding your personal data:

GDPR Rights (EU/EEA/UK)

Right of Access: View all data we hold about you via your account settings.
Right to Portability (Article 20): Export all your personal and business data as a JSON file via Settings > Privacy > Export My Data. The export includes your profile, audit log, sessions, customers, messages, and follow-ups.
Right to Rectification: Update your personal information at any time through your profile settings.
Right to Erasure: Request deletion of your account and all associated data by contacting us.
Right to Restrict Processing: Use Privacy Settings to control which communication channels are tracked and how AI processes your data.
Right to Object: Opt out of daily digest emails and AI features at any time.

CCPA Rights (California)

Right to Know: This policy describes all categories of personal information we collect and how they are used.
Right to Delete: Contact us to request deletion of your personal information.
Right to Non-Discrimination: We will not treat you differently for exercising your privacy rights.
No Sale of Personal Information: We do not sell, rent, or share personal information for cross-context behavioral advertising.

To exercise any of these rights, email us at hello@aisalespulse.com.

8. Cookies & Tracking

Pulse uses minimal cookies:

Authentication Token: A JSON Web Token (JWT) stored in your browser's local storage to keep you signed in. This is essential for the Service to function.
Session Identifier: Used to manage your active session and enforce timeout policies.

We do not use:

Third-party analytics or tracking cookies
Advertising cookies or pixels
Cross-site tracking of any kind

9. Children's Privacy

Pulse is a business-to-business (B2B) application designed for sales professionals. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a platform announcement within the Service. The "Last Updated" date at the top of this page indicates when it was last revised.

11. Contact Us

If you have any questions about this Privacy Policy or your data, please contact us:

Email: hello@aisalespulse.com
Company: AI Sales Pulse, Inc.
Website: aisalespulse.com