Privacy Policy
Last updated: May 29, 2026
1. Introduction
CEO Pulse (“we,” “our,” or “us”) provides real-time team notification services through a browser extension and backend API.
This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
By using CEO Pulse, you agree to the practices described in this policy.
2. Data We Collect
When you use CEO Pulse, we collect the following categories of information:
- Identity Data — Email address, display name, and username.
- Organization Data — Company/organization name and timezone preference.
- Authentication Credentials — bcrypt-hashed passwords and signed session tokens. We never store plain-text passwords.
- Notification Content — Titles, message bodies, priority levels, button text, and targeting preferences for notifications you send or receive.
- Delivery & Read Receipts — Timestamps of when notifications were delivered, viewed, or confirmed as read.
- Device Data — Browser user-agent string and Web Push subscription endpoints (including encryption keys p256dh and auth) required for push notification delivery.
- Temporary Verification Data — One-time verification codes (OTPs) stored in memory with short-lived expiration (5–15 minutes) for account registration and password resets.
- Usage Counters — Aggregated daily/monthly notification send counts per organization for quota management.
3. Data We Do NOT Collect
- IP addresses are used for in-memory rate limiting only and are never stored persistently.
- We do not use analytics trackers, cookies for advertising, or tracking pixels.
- We do not collect browsing history, page content, or any data from websites you visit.
- We do not sell, rent, or share your personal data with third parties for marketing purposes.
4. How We Use Your Data
- Service Delivery — Authenticating users, delivering real-time and push notifications, and managing team memberships.
- Email Communication — Sending OTP verification codes for registration and password resets, and sending welcome emails to invited team members via Brevo (Sendinblue).
- Push Notifications — Delivering notification content to your browser via Firebase Cloud Messaging (FCM) using the VAPID-authenticated Web Push protocol.
- Audit & Security — Maintaining an audit log of administrative actions and monitoring for unauthorized access.
5. Data Storage & Retention
- Persistent Data — User accounts, organization details, notifications, and audit logs are stored in PostgreSQL until an organization administrator deletes the organization or user account.
- Temporary Data — OTP codes and verification flags are stored in Redis with automatic expiration (5–15 minutes). Rate-limit counters also expire automatically.
- Session Tokens — Authentication cookies expire based on the configured session TTL (default 12 hours).
- Local Storage — The browser extension stores your email, username, and session token in Chrome’s local storage for session persistence. This is cleared when you log out.
6. Third-Party Services
We use the following third-party services to operate:
- Brevo (Sendinblue) — For sending transactional emails (OTP codes, welcome emails). Brevo receives the recipient email address and email content. See Brevo’s Privacy Policy.
- Firebase Cloud Messaging (Google) — For delivering Web Push notifications to your browser. FCM receives your browser’s push endpoint and the encrypted notification payload. See Google’s Privacy Policy.
7. Data Security
- All passwords are hashed using bcrypt before storage.
- Session tokens are cryptographically signed using HMAC-SHA256.
- All communication between the extension and our servers uses HTTPS in production.
- Authentication cookies are set with HttpOnly, Secure (in production), and SameSite flags.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Request correction or deletion of your data.
- Object to or restrict processing of your data.
- Request a copy of your data in a portable format.
To exercise any of these rights, contact your organization administrator (who controls team membership) or reach us directly using the contact information below.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes through the extension or via email. Continued use of CEO Pulse after changes constitutes acceptance of the updated policy.