Privacy Policy

Effective date: May 29, 2026

This Privacy Policy describes how Axiolo LLC ("Axiolo," "we," "us," or "our") collects, uses, and discloses information when you use Pulse (the "Service"), our decision-validation tool for consultants and their clients.

1. Who this policy applies to

Pulse has two kinds of users:

• Operators — consultants and team members who sign in to the Pulse admin console to create engagements and review responses.
• Clients — the consultant's customers, who interact with Pulse only through a single-use magic link sent by the operator and do not create an account.

2. Information we collect

2.1 Operator account information

When you sign up or sign in as an operator, we collect information you provide directly, including:

• Your email address and display name.
• A salted password hash (we never store your password in plaintext) if you sign in with email and password.
• If you sign in with Google or Microsoft, we receive your email address, basic profile information, and a unique provider identifier — limited to the openid, email, and profile OAuth scopes. We do not request access to your mailbox, calendar, contacts, files, or any other Google or Microsoft data.

2.2 Engagement and response content

Operators create engagements consisting of decision cards (questions and pre-populated answers). When a client opens their magic link, we collect the responses, confirmations, corrections, comments, and any files the client uploads in connection with that engagement.

2.3 Authentication and session data

We use signed cookies to keep operators logged in. Magic links contain a random 16-character token that identifies a client to a specific engagement. We log basic authentication events (sign-in, sign-out, token creation) for security purposes.

2.4 Technical information

Our servers automatically receive standard information from your browser such as IP address, user-agent, and request timestamps. This information is used for security, abuse prevention, and operational diagnostics.

3. How we use information

We use the information we collect to:

• Provide, operate, and maintain the Service.
• Authenticate operators and authorize clients to specific engagements.
• Store, display, and export engagement responses to operator-authorized destinations (such as the operator's own task tracker).
• Send transactional emails (verification, password reset, magic-link delivery).
• Detect, prevent, and respond to fraud, abuse, and security incidents.
• Comply with legal obligations.

We do not sell your personal information. We do not use information obtained through Google or Microsoft OAuth sign-in for advertising or to train AI/ML models.

4. Use of Google user data

Pulse's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy , including the Limited Use requirements.

Specifically:

• We only request the minimum scopes needed to sign you in: openid, email, and profile.
• We use Google account data solely to identify your operator account.
• We do not transfer this data to third parties except as required to provide or improve the sign-in feature, comply with applicable law, or as part of a merger, acquisition, or sale of assets.
• We do not use this data for advertising and do not allow humans to read it except with your explicit consent, for security purposes, to comply with applicable law, or where the data is aggregated and used for internal operations.

5. How we share information

We share information only in these limited circumstances:

• With operators on the same engagement. Client responses are visible to the operator who created the engagement.
• With service providers. We use vendors to host infrastructure, send email, and provide error monitoring. They are contractually bound to handle data only on our behalf.
• For legal reasons. We may disclose information if required by law, subpoena, or court order, or to protect the rights, property, or safety of Axiolo, our users, or the public.
• Business transfers. If Axiolo is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to this Policy.

6. Data retention

We retain operator account data for as long as the account is active. Engagement and response data is retained while the engagement is active and for a reasonable period thereafter to allow operators to export or reference it. You may request deletion at any time as described in Section 8.

7. Security

We protect the Service with row-level database security, encrypted transport (HTTPS/TLS), salted password hashing (argon2), encrypted storage of sensitive secrets at rest, and signed session cookies. No method of transmission or storage is 100% secure, but we work to protect your information using industry-standard practices.

8. Your rights and choices

You may, at any time:

• Access, correct, or delete your operator account by contacting us.
• Disconnect Google or Microsoft sign-in from your account.
• Revoke Pulse's access to your Google account at any time at myaccount.google.com/permissions .
• Request a copy of the personal information we hold about you.

To exercise any of these rights, contact [email protected]. We will respond within a reasonable timeframe and in accordance with applicable law.

9. Children

Pulse is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us so we can delete it.

10. International users

Pulse is operated from the United States. If you access the Service from outside the United States, you understand that your information may be transferred to, stored, and processed in the United States.

11. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Effective date" above and, where appropriate, notify operators by email or through the Service.

12. Contact us

Axiolo LLC
Email: [email protected]