Privacy Policy

Pulse AI — AI Workplace by IZA NOIR LLC

Effective Date: April 14, 2026 Last Updated: April 14, 2026

Plain-Language Summary

This is a human-readable summary of our Privacy Policy. It is not a substitute for the full legal text below, but is provided for your convenience.

• Pulse AI is local-first. Most of your data (project boards, roles, org structure, automations) stays on your machine in the .pulse/ directory. We don't see it unless you opt into cloud features.
• Cloud features are optional. If you use cloud sync, analytics, or the AI Connect bridge, some data is transmitted to our servers and third-party services (Supabase, AI model providers).
• AI agents process your workspace data. When you use Pulse AI's AI features (role prompts, agent messaging, workday automation), your prompts and workspace context are sent to AI model providers to generate responses. We do not use this data to train AI models.
• We don't sell your data. Period. We never sell personal information to third parties.
• You control your data. You can access, export, correct, or delete your data at any time. Much of it is already in plain files on your machine.
• No kids. Pulse AI is designed for professional use and is not intended for children under 13.
• Questions? Contact us at privacy@pulse-ai.dev.

Table of Contents

1. Introduction
2. Definitions
3. Information We Collect
4. How We Use Your Information
5. Legal Bases for Processing (GDPR)
6. Data Storage and Security
7. Third-Party Data Sharing
8. Artificial Intelligence Disclosures
9. Your Rights Under GDPR (European Economic Area)
10. Your Rights Under CCPA (California)
11. Cookie and Tracking Policy
12. Data Retention and Deletion
13. International Data Transfers
14. Children's Privacy
15. Changes to This Policy
16. Contact Information

1. Introduction

This Privacy Policy ("Policy") describes how IZA NOIR LLC ("Company," "we," "us," or "our") collects, uses, stores, shares, and protects information when you use the Pulse AI Workplace extension ("Pulse AI," "Extension," or "Service").

Pulse AI is a development productivity extension that runs within compatible code editors (including Antigravity and Visual Studio Code forks). It provides project management, AI agent orchestration, role management, organizational tools, sprint planning, workday automation, and related services.

By installing, accessing, or using Pulse AI, you agree to the practices described in this Policy. If you do not agree with this Policy, please do not use the Service.

This Policy applies to all users of Pulse AI, regardless of geographic location. Where local laws provide greater protections than this Policy, those laws shall prevail.

2. Definitions

• "Personal Data" or "Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
• "Workspace Data" means data created, managed, or stored by Pulse AI within your local development workspace, including project board items, role definitions, organizational structures, sprint schedules, automation configurations, and workday logs.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
• "AI Agent" means the software-driven agent personas within Pulse AI that execute automated tasks, respond to prompts, and interact with workspace data according to defined role configurations.
• "AI Connect" means Pulse AI's integration layer for communicating with external AI model providers through the editor's native AI capabilities.
• "Local-First" means the architectural approach where data is primarily stored and processed on the user's local machine rather than on remote servers.

3. Information We Collect

3.1 Information You Provide Directly

We may collect the following information that you voluntarily provide:

• Account Information: If you create an IZA NOIR LLC account for cloud features, we collect your name, email address, and authentication credentials.
• Role Prompts and Agent Configurations: Descriptions, system prompts, and behavioral rules you define for AI agent roles within Pulse AI.
• Workspace Configurations: Settings and preferences you configure in Pulse AI, including heartbeat intervals, chat participant preferences, notification preferences, and cooldown settings.
• Support Communications: Information you provide when contacting us for support, including email correspondence, bug reports, and feature requests.

3.2 Workspace Data (Local-First)

Pulse AI operates on a local-first architecture. The following data is created and stored locally on your machine in the .pulse/ directory within your workspace:

• Project Board Data: Action items, tasks, goals, and their metadata (titles, descriptions, statuses, priorities, tags, dates, assignees).
• Role Definitions: Agent role configurations, including names, departments, teams, reporting structures, and expertise profiles.
• Organizational Structures: Department hierarchies, team compositions, and organizational charts.
• Sprint Schedules: Sprint definitions, timelines, phases, and associated action items.
• Automation Rules: Cron-based schedule configurations, prompt templates, and execution histories.
• Workday Logs: Session start/stop times, day focus descriptions, task queues, and dispatch records.

This Workspace Data is not transmitted to IZA NOIR LLC servers unless you explicitly opt into cloud synchronization features. It remains under your full control and is stored as human-readable Markdown and YAML files on your local file system (using the "Obsidian Pattern" for data portability).

3.2.1 Pulse Annotate Browser Add-On Data

Pulse Annotate is a local-first browser add-on for webpage annotation. When you use Pulse Annotate, the add-on may process and store the following data locally in your browser profile:

• Page screenshots captured from the visible page area.
• Visible page content context, including page URL, page title, clicked element selector, element size, scroll position, click coordinates, and limited style context needed to identify the annotated target.
• Annotation text, tags, and session history, including session names, timestamps, ended state, annotation numbers, and related metadata.
• Local storage state in IndexedDB and chrome.storage.local, including the current session id and side-panel control state.

Pulse Annotate uses this data to create, review, edit, and export numbered annotation sessions. The public Chrome Web Store build stores Annotate session data locally and does not transmit page screenshots, visible page content, annotation text, tags, or session history to IZA NOIR LLC or third-party services unless you choose to export, paste, upload, or otherwise share that data yourself.

User-initiated exports may:

• Copy annotation text, HTML, and best-effort image data to your clipboard.
• Save a ZIP package with manifest.json, annotations.md, and screenshot image files to your Downloads folder.
• Use separate native pasteboard tooling, if you install it outside the public Chrome Web Store build, to write local image files and text to the macOS pasteboard for attachment-preserving paste workflows.

Pulse Annotate does not sell this data, does not use it for advertising, does not use it to determine creditworthiness, and does not request authentication credentials, payment information, health information, precise location, or personal communications.

3.3 Automatically Collected Data

When you use Pulse AI, we may automatically collect:

• Usage Analytics (if opted in): Feature usage frequency, page navigation patterns, error counts, and extension activation metrics. Analytics collection is opt-in and can be disabled at any time in Pulse AI's settings.
• Error and Crash Reports: Stack traces, error messages, and diagnostic data when the extension encounters an error. These reports do not contain Workspace Data content, only technical metadata necessary for debugging.
• Extension Metadata: The version of Pulse AI installed, the editor environment (Antigravity version), operating system, and language settings.

3.4 Data from Third-Party Integrations

When you use Pulse AI's cloud or AI features, additional data may be processed through third-party services:

• AI Model Provider Data: Prompts, workspace context, and generated responses transmitted through AI Connect or native editor AI capabilities.
• Cloud Sync Data: If you use Supabase-backed features, selected workspace data may be synchronized to cloud databases.

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Service Delivery

• Operating, maintaining, and providing the features and functionality of Pulse AI.
• Processing AI agent requests and delivering intelligent responses.
• Executing scheduled automations, sprint dispatches, and workday workflows.
• Synchronizing data across devices when cloud sync is enabled.

4.2 Service Improvement

• Analyzing aggregated, anonymized usage patterns to improve Pulse AI's features.
• Identifying and fixing bugs, errors, and performance issues.
• Understanding how different features are used to inform product development.

4.3 Communication

• Responding to your support requests and inquiries.
• Sending service-related notices, including security alerts and update notifications (only with your consent where required by law).
• Payments: Processing transactions through our third-party provider (Stripe).

4.4 Security and Compliance

• Protecting against unauthorized access, fraud, and abuse.
• Complying with applicable laws and regulations.
• Enforcing our Terms of Service and other agreements.

4.5 How We Do NOT Use Your Information

• We do not sell your Personal Information to any third party, for any purpose, under any circumstance.
• We do not use your Workspace Data for advertising or marketing purposes.
• We do not use your prompts or AI interactions to train, fine-tune, or improve general AI models. Your AI interactions are processed solely to provide you with responses within Pulse AI.
• We do not create user profiles for the purpose of targeted advertising.

5. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area ("EEA"), the United Kingdom, or Switzerland, we process your Personal Data on the following legal bases under the General Data Protection Regulation ("GDPR"):

| Purpose | Legal Basis | |---------|-------------| | Service delivery | Performance of a contract (Article 6(1)(b)) — Processing is necessary to fulfill your license agreement and provide Pulse AI's features. | | Service improvement (analytics) | Legitimate interests (Article 6(1)(f)) — We have a legitimate interest in understanding how Pulse AI is used to improve the product, balanced against your rights. | | Security and fraud prevention | Legitimate interests (Article 6(1)(f)) — We have a legitimate interest in protecting our Service and users. | | Marketing communications | Consent (Article 6(1)(a)) — We only send marketing communications with your explicit consent. | | Legal compliance | Legal obligation (Article 6(1)(c)) — Processing is necessary to comply with applicable laws. | | Error reporting | Legitimate interests (Article 6(1)(f)) — Maintaining and improving the reliability of the Service. |

You have the right to object to processing based on legitimate interests. See Section 9 for details.

6. Data Storage and Security

6.1 Local-First Architecture

Pulse AI is designed with a local-first architecture. Your Workspace Data is stored as plain-text files (Markdown, YAML, JSON) on your local file system within the .pulse/ directory of your workspace. This means:

• You have full ownership and control over your Workspace Data at all times.
• Your data is as secure as your machine. We recommend using full-disk encryption, strong passwords, and keeping your operating system updated.
• Workspace Data never leaves your machine unless you explicitly enable cloud synchronization features.
• You can inspect, modify, or delete any file directly on your file system.

6.2 Cloud Data Storage

When cloud features are enabled, selected data is stored on servers provided by our infrastructure partners:

• Supabase: Database hosting on encrypted PostgreSQL instances. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Supabase's infrastructure is hosted on AWS in the United States.
• Authentication tokens and session data are stored securely and expire after inactivity periods.

6.3 Security Measures

We implement the following security measures to protect data transmitted to or stored on our servers:

• Encryption in transit: All network communications use TLS 1.2 or higher.
• Encryption at rest: Cloud-stored data is encrypted using AES-256 encryption.
• Access controls: Strict role-based access controls limit internal access to user data.
• Audit logging: Access to production databases and infrastructure is logged and monitored.
• Dependency security: We regularly audit third-party dependencies for known vulnerabilities.
• Secure development practices: Code reviews, static analysis, and security testing are part of our development process.

6.4 Security Incidents

In the event of a data breach that affects your Personal Data, we will:

• Notify affected users without undue delay, and no later than 72 hours after becoming aware of the breach (in compliance with GDPR Article 33).
• Notify the relevant supervisory authority where required by law.
• Provide clear information about the nature of the breach, the data affected, and the steps we are taking to mitigate the impact.

7. Third-Party Data Sharing

We share your data with third parties only in the following limited circumstances:

7.1 AI Model Providers

When you use Pulse AI's AI features (e.g., agent messaging, workday automation, prompt dispatch), your prompts and relevant workspace context are transmitted to the AI model provider configured for the task:

• Google LLC (Gemini): AI inference and text-to-speech generation. Subject to Google's Privacy Policy and the Google Cloud Data Processing Addendum.
• Anthropic PBC (Claude): AI inference and agent dispatch. Subject to Anthropic's Privacy Policy and Anthropic's Data Processing Agreement.

Runware image generation capabilities are available for internal asset production and future opt-in image features, but Runware is not active as a customer personal data sub-processor in the current release.

What is shared: The text of your prompts, selected workspace context provided by Pulse AI, and role/agent configuration rules necessary to generate a response.

What is NOT shared: Your entire workspace, personal files, authentication credentials, payment information, or data unrelated to the specific AI request.

Training opt-out: Under our API agreements with each provider, your data is not used for model training. See Section 8.4 for details.

We do not control the data processing practices of third-party AI providers. We recommend reviewing their privacy policies before using AI features.

7.2 Payment Processing (Stripe)

If you subscribe to a paid plan, payment processing is handled by Stripe, Inc.:

• Stripe, Inc.: Payment processing and subscription management. Subject to Stripe's Privacy Policy.
• Data shared: Name, email address, billing address, and subscription status. Payment card details are collected directly by Stripe via their secure payment elements and never touch our servers.
• Data processing location: United States.
• Retention: Transaction records are retained by Stripe as required by financial regulations. Non-transaction personal data can be deleted upon request.

7.3 Supabase (Cloud Infrastructure)

If you use cloud-enabled features, selected data is transmitted to and stored by Supabase:

• Supabase, Inc.: Cloud database hosting. Subject to Supabase's Privacy Policy.
• Data shared: Account information, cloud-synchronized workspace data, and operational metadata.
• Data processing location: United States (AWS infrastructure).

7.4 Analytics Providers

If you opt into usage analytics, anonymized and aggregated usage data may be shared with analytics services to help us understand product usage patterns. No Personal Information is included in analytics data.

7.5 Legal Requirements

We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to:

• Comply with a legal obligation, subpoena, court order, or government request.
• Protect and defend the rights or property of IZA NOIR LLC.
• Prevent or investigate possible wrongdoing in connection with the Service.
• Protect the personal safety of users of the Service or the public.

7.6 Business Transfers

If IZA NOIR LLC is involved in a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your Personal Data is transferred and becomes subject to a different privacy policy.

7.7 With Your Consent

We may share your data with other third parties when you have given us your explicit consent to do so.

8. Artificial Intelligence Disclosures

Pulse AI integrates AI capabilities as a core part of its functionality. We believe in transparency about how AI processes your data.

8.1 How AI Agents Work

Pulse AI's AI agents are configuration-driven personas that operate within your workspace:

• Role Prompts: You define agent roles with system prompts, expertise profiles, and behavioral rules. These are stored locally as Markdown files.
• Task Execution: When an AI agent is invoked (manually or via automation), Pulse AI constructs a prompt containing the role configuration and relevant workspace context, then sends it to the configured AI model provider via the editor's native chat capabilities.
• Workday Automation: During scheduled workdays, Pulse AI dispatches prompts to AI agents sequentially according to sprint and board item priorities.

8.2 What AI Agents Can Access

When an AI agent is invoked, the following data may be included in the prompt sent to the AI model provider:

• The agent's role definition and system prompt.
• The specific task, action item, or board item being worked on.
• Relevant workspace context as determined by the task scope.
• Organizational context (department, team, reporting structure) if relevant to the agent's role.

AI agents cannot access: Your file system beyond the workspace, your personal files, other applications, your network, or any data you have not explicitly placed within the Pulse AI workspace.

8.3 AI Decision Transparency

• AI agents do not make autonomous decisions that affect you without your oversight. All AI actions are visible in the execution history and can be reviewed.
• You can inspect every prompt sent to AI agents. Role prompts are stored as readable files in your workspace.
• You can stop AI processing at any time using the Emergency Stop command or by pausing/stopping the workday.

8.4 AI Training Opt-Out

We do not use your data to train AI models. Your prompts, workspace data, and AI interaction results are processed solely to deliver the Service to you. Individual AI model providers may have their own data usage policies; please consult them directly. Where possible, we use API tiers and configurations that exclude your data from training.

9. Your Rights Under GDPR (European Economic Area)

If you are in the EEA, UK, or Switzerland, you have the following rights under the GDPR:

9.1 Right of Access (Article 15)

You have the right to request a copy of the Personal Data we hold about you. Because Pulse AI is local-first, most of your data is already accessible in the .pulse/ directory on your machine. For any cloud-stored data, you may request a copy by contacting us at privacy@pulse-ai.dev.

9.2 Right to Rectification (Article 16)

You have the right to request correction of any inaccurate Personal Data. For local data, you can edit files directly. For cloud data, contact us.

9.3 Right to Erasure ("Right to Be Forgotten") (Article 17)

You have the right to request deletion of your Personal Data when:

• The data is no longer necessary for the purpose it was collected.
• You withdraw consent (where processing is based on consent).
• You object to processing, and there are no overriding legitimate grounds.
• The data has been unlawfully processed.

For local data, you can delete the .pulse/ directory and uninstall the extension. For cloud data, contact us and we will delete your data within 30 days.

9.4 Right to Restriction of Processing (Article 18)

You have the right to request that we restrict the processing of your Personal Data in certain circumstances, including when you contest the accuracy of the data or when processing is unlawful but you oppose erasure.

9.5 Right to Data Portability (Article 20)

You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format. Pulse AI's local-first design means your data is already stored in portable formats (Markdown, YAML, JSON). For cloud data, you may request a data export.

9.6 Right to Object (Article 21)

You have the right to object to the processing of your Personal Data based on legitimate interests. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.

9.7 Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Pulse AI does not engage in automated decision-making that produces legal effects on users.

9.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

9.9 Exercising Your Rights

To exercise any of these rights, please contact our Data Protection Officer at: privacy@pulse-ai.dev. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

10. Your Rights Under CCPA (California)

If you are a California resident, the California Consumer Privacy Act ("CCPA") and its amendment, the California Privacy Rights Act ("CPRA"), provide you with the following rights:

10.1 Right to Know (§ 1798.100, 1798.110)

You have the right to request that we disclose:

• The categories of Personal Information we have collected about you.
• The categories of sources from which we collected your Personal Information.
• The business or commercial purpose for collecting your Personal Information.
• The categories of third parties with whom we share your Personal Information.
• The specific pieces of Personal Information we have collected about you.

10.2 Right to Delete (§ 1798.105)

You have the right to request that we delete Personal Information we have collected from you, subject to certain exceptions (e.g., if the information is needed to complete a transaction, detect security incidents, or comply with legal obligations).

10.3 Right to Opt-Out of Sale or Sharing (§ 1798.120)

We do not sell or share (as defined by the CCPA/CPRA) your Personal Information. Because we do not sell or share Personal Information, there is no need for an opt-out mechanism. Should this practice change, we will update this Policy and provide appropriate opt-out mechanisms.

10.4 Right to Non-Discrimination (§ 1798.125)

We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, a different quality of service, or any penalty for exercising your rights.

10.5 Right to Correct (§ 1798.106)

You have the right to request that we correct inaccurate Personal Information that we maintain about you.

10.6 Right to Limit Use of Sensitive Personal Information (§ 1798.121)

We do not collect or process Sensitive Personal Information as defined by the CCPA/CPRA.

10.7 Categories of Personal Information Collected

Under the CCPA, we disclose the following categories of Personal Information we may collect:

| Category | Examples | Collected? | |----------|----------|------------| | Identifiers | Name, email, account ID | Yes (if account created) | | Personal records | Contact information | Yes (if account created) | | Commercial information | Subscription/purchase history | Yes (if subscribed) | | Internet or network activity | Feature usage, error logs | Yes (if opted into analytics) | | Geolocation data | IP address (approximate location) | Yes (server logs) | | Professional/employment info | Job title (if provided) | No | | Inferences | Usage patterns, preferences | Yes (aggregated only) | | Sensitive Personal Information | N/A | No |

10.8 Exercising Your CCPA Rights

To exercise your CCPA rights, contact us at: privacy@pulse-ai.dev. We will verify your identity and respond within 45 days. You may designate an authorized agent to make a request on your behalf.

11. Cookie and Tracking Policy

11.1 Extension Context

Pulse AI is a code editor extension, not a website. As such, Pulse AI itself does not use cookies, web beacons, pixels, or similar browser-based tracking technologies in its primary operation.

11.2 Web-Based Services

If you interact with IZA NOIR LLC's websites (e.g., documentation, support, account management), those sites may use:

• Strictly Necessary Cookies: Required for the website to function (session management, authentication). These cannot be disabled.
• Analytics Cookies: Used to understand website usage patterns. These are set only with your consent and can be managed through our cookie banner.
• Preference Cookies: Used to remember your settings and preferences. Set only with your consent.

We do not use advertising or third-party tracking cookies on our websites.

11.3 Editor Telemetry

Pulse AI respects your editor's telemetry settings. If you have disabled telemetry in Antigravity or VS Code, Pulse AI will not send any usage analytics regardless of Pulse AI's own settings.

12. Data Retention and Deletion

12.1 Local Data

Workspace Data stored locally in the .pulse/ directory is retained for as long as you choose to keep it. You have full control:

• Delete individual items: Remove specific files from the .pulse/ directory.
• Delete all Pulse AI data: Delete the entire .pulse/ directory.
• Uninstall Pulse AI: Remove the extension from your editor. Note that uninstalling the extension does not automatically delete the .pulse/ directory — you must delete it manually.

12.2 Cloud Data

Where data is stored in cloud services, we retain it as follows:

| Data Type | Retention Period | After Deletion Request | |-----------|-----------------|----------------------| | Account information | Duration of account + 30 days | Deleted within 30 days | | Cloud-synced workspace data | Duration of account + 30 days | Deleted within 30 days | | Usage analytics (anonymized) | 24 months | Cannot be attributed to individuals | | Error and crash reports | 12 months | Deleted automatically | | Server access logs | 90 days | Deleted automatically | | Support communications | 36 months | Deleted upon request |

12.3 Deletion Process

When you request deletion of your data:

1. We will confirm your identity and acknowledge your request within 5 business days.
2. Your data will be marked for deletion and removed from active systems within 30 days.
3. Data in backups will be purged during the next backup rotation cycle (up to 90 days).
4. We will confirm deletion upon completion.

12.4 Data You Cannot Delete

We may retain certain data where required by law, including data necessary for:

• Compliance with legal obligations (e.g., tax records, law enforcement requests).
• Establishment, exercise, or defense of legal claims.
• Fraud prevention and security.

13. International Data Transfers

13.1 Transfer Mechanisms

IZA NOIR LLC is a Florida limited liability company headquartered in the United States. If you are located outside the United States, your data may be transferred to, stored in, and processed in the United States or other countries where our service providers operate.

For transfers of Personal Data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision from the European Commission, we rely on the following safeguards:

• Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses for data transfers to countries without an adequacy decision.
• Data Processing Agreements: We maintain data processing agreements with active sub-processors that include appropriate data transfer mechanisms.
• Supplementary Measures: Where necessary, we implement additional technical and organizational measures (e.g., encryption, pseudonymization) to ensure an essentially equivalent level of protection.

13.2 Sub-Processors

We engage the following sub-processors to deliver specific components of the Service. Each sub-processor receives only the minimum data necessary to perform its function.

| Sub-Processor | Service | Data Shared | Location | DPA Status | |--------------|---------|-------------|----------|------------| | Supabase, Inc. | Cloud database, authentication, PostgreSQL storage | Account credentials, cloud-synced workspace data, session tokens | United States (AWS) | DPA executed (includes SCCs) | | Stripe, Inc. | Payment processing, subscription management | Name, email, payment method (card details handled directly by Stripe — never touch our servers), billing address, subscription status | United States | DPA in effect via Stripe's Data Processing Addendum | | Google LLC (Gemini) | AI model inference, text-to-speech generation | Prompts, workspace context included in AI requests, role/agent configuration text | United States | Google Cloud DPA with SCCs | | Anthropic PBC (Claude) | AI model inference, agent dispatch | Prompts, workspace context included in AI requests, role/agent configuration text | United States | Anthropic DPA in effect | | Amazon Web Services, Inc. | Infrastructure hosting (via Supabase) | Data stored in Supabase transits AWS infrastructure | United States | AWS DPA with SCCs (via Supabase's agreement) |

Note on Runware B.V.: Runware image generation tooling is available for internal asset production and future opt-in image features, but it is not active as a customer personal data sub-processor in the current release. If activated for customer data, Pulse AI will require the appropriate DPA record and update this table before processing begins.

Note on Replicate, Inc.: Replicate model inference capabilities are available but not active in the current release. If activated in a future release, Replicate will be added to this table and affected users will be notified prior to activation.

Data Flow Summary

• Local-only data (never leaves your machine): Board items, role definitions, org structures, sprint schedules, automation configs, workday logs, local settings.
• Cloud sync (opt-in only, via Supabase): Account info, selected workspace data, session state.
• AI inference (triggered by user action): Prompts and workspace context sent to Google (Gemini) or Anthropic (Claude) depending on your configuration. Responses are returned to your local workspace. Neither provider uses your data for model training under our API agreements.
• Payment processing (subscription users only): Billing details sent to Stripe. Card numbers are tokenized by Stripe and never stored on our servers.

Sub-Processor Data Retention

| Sub-Processor | Retention Policy | Deletion on Request | |--------------|-----------------|---------------------| | Supabase | Duration of account + 30 days | Deleted within 30 days of account closure | | Stripe | As required by financial regulations (typically 7 years for transaction records) | Non-transaction PII deleted within 30 days; transaction records retained per legal obligation | | Google (Gemini) | API inputs/outputs not retained beyond request processing under our API tier | Immediate — data is not persisted | | Anthropic (Claude) | API inputs/outputs not retained beyond request processing under our API agreement | Immediate — data is not persisted | | AWS | Governed by Supabase's retention (data-in-transit only) | Per Supabase deletion schedule |

We will update this sub-processor list when we engage new sub-processors. For material changes (new categories of data sharing or new sub-processors handling Personal Data), we will notify affected users at least 30 days before the new sub-processor begins processing data, giving you the opportunity to object.

14. Children's Privacy

14.1 Age Restriction

Pulse AI is a professional development tool designed for software developers, project managers, and enterprise teams. Pulse AI is not intended for use by individuals under the age of 13 (or the applicable age of digital consent in your jurisdiction).

14.2 COPPA Compliance

We comply with the Children's Online Privacy Protection Act ("COPPA"). We do not:

• Knowingly collect Personal Information from children under 13.
• Direct the Service toward children.
• Engage in behavioral advertising targeting children.

14.3 Parental Notification

If we become aware that we have inadvertently collected Personal Information from a child under 13, we will take immediate steps to:

1. Delete the information from our servers within 48 hours.
2. Notify the child's parent or guardian if contact information is available.
3. Prevent further collection from the child.

14.4 Parental Rights

If you are a parent or guardian and believe your child has provided Personal Information to us, please contact us at privacy@pulse-ai.dev. We will promptly investigate and delete any such information.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

15.1 Notification of Changes

• Material changes: We will notify you by email (if you have an account), by prominent notice within the Extension, or by updating the "Last Updated" date at the top of this Policy. Material changes include: new categories of data collection, new third-party data sharing, or changes to your rights.
• Non-material changes: Minor clarifications or formatting changes will be reflected by updating the "Last Updated" date.

15.2 Continued Use

Your continued use of Pulse AI after any changes to this Policy constitutes your acceptance of the updated Policy. If you disagree with the changes, you should discontinue use of the Service.

15.3 Prior Versions

Prior versions of this Privacy Policy will be archived and available upon request by contacting privacy@pulse-ai.dev.

16. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us through the following channels:

Data Protection Officer / Privacy Inquiries:

• Email: privacy@pulse-ai.dev
• Subject Line: "Pulse AI Privacy Inquiry"

General Legal Inquiries:

• Email: legal@pulse-ai.dev

Company Location: IZA NOIR LLC Florida limited liability company, United States

Postal Notices: If a request or notice legally requires postal delivery, contact legal@pulse-ai.dev for the current postal notice address or registered-agent instructions before sending it.

Response Times:

• General inquiries: Within 10 business days
• Data subject rights requests (GDPR): Within 30 days
• Data subject rights requests (CCPA): Within 45 days

© 2026 IZA NOIR LLC. All rights reserved.