Privacy Policy

Last updated: April 2026

ServicePulse (“we”, “our”, “us”) operates the servicepulse.dev website and application (the “Service”). This policy explains what information we collect, how we use it, and your rights.

Information we collect

  • Account information: Name, email address, and profile photo via Clerk authentication (Google, GitHub, or email/password).
  • Usage data: Which vendors you track, your status page configuration, notification preferences, and feature usage patterns.
  • Repo analysis inputs (optional): If you use the GitHub Repo Analyzer, we fetch a small subset of public repository files from GitHub (based on the URL you provide) and send extracted snippets to Anthropic to generate recommendations. We do not store raw repository contents for this feature by default.
  • OAuth app credentials (optional): If you configure Google SSO or Microsoft Entra SSO for your secure status page, we store your OAuth client ID and client secret. All credential data is encrypted in transit via TLS 1.2+, and client secrets are encrypted at rest using AES-256-GCM with a key held separately from the database. These credentials are used solely to authenticate your status page visitors and are never shared with third parties.
  • Status page visitor emails: When one of your end users signs in to your secure status page via Google or Microsoft SSO, we receive their email address from the identity provider to verify access. This email is checked against your configured domain allowlist and used to set a short-lived session cookie. We do not store it persistently or use it for any other purpose.
  • Billing information: Processed by Stripe. We never store raw payment card numbers.
  • Log data: IP addresses, browser type, and pages visited, retained for up to 90 days for security and debugging purposes.

How we use your information

  • To provide and operate the Service (vendor monitoring, alerts, status pages).
  • To send transactional emails (incident alerts, billing receipts, email verification).
  • To improve the product and fix bugs.
  • To comply with legal obligations.

We do not sell your personal data to third parties. We do not use your data to train AI models.

Third-party services

We use the following sub-processors to operate the Service. You can view the live status of our infrastructure on our system status page.

  • Clerk — Authentication (United States)
  • Vercel — Hosting and deployment (United States)
  • Neon — Database (United States)
  • Stripe — Payment processing (United States)
  • Resend — Transactional email (United States)
  • Anthropic — AI incident summaries (United States)

Data security

We take the security of your data seriously. Specifically:

  • All data is encrypted in transit via TLS 1.2+.
  • Sensitive credentials (OAuth client secrets, integration tokens) are encrypted at rest using AES-256-GCM. Encryption keys are managed separately from the database.
  • Passcodes for secure status pages are stored as one-way SHA-256 hashes and are never recoverable in plaintext.
  • Our database (Neon) and hosting infrastructure (Vercel) are located in the United States and maintain their own security certifications.

Data retention

We retain your account data for as long as your account is active. You may delete your account at any time from Settings → Danger Zone, which permanently removes all your data. Incident and status history is retained according to your plan tier (7 days on Free, up to 1 year on Team/Business).

Cookies

We use session cookies for authentication. If you use the secure status page tier, a signed HMAC cookie is set to remember your authenticated session (7-day expiry). This applies both to passcode-based access and to end users who sign in via Google or Microsoft SSO. We do not use advertising or tracking cookies.

Your rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Ask us to correct inaccurate or incomplete data.
  • Erasure (right to be forgotten): Request deletion of your personal data. You can delete your account and all associated data at any time from Settings → Danger Zone. You may also contact us to request erasure of specific data.
  • Portability: Request an export of your data in a machine-readable format.
  • Objection / restriction: Object to or ask us to restrict certain processing of your data.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

GDPR & international data transfers

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following applies to you.

Legal bases for processing. We process your personal data under the following legal bases: performance of a contract (to provide the Service you signed up for); legitimate interests (security, fraud prevention, product improvement); legal obligation (compliance with applicable law); and, where required, consent.

Controller vs. processor. For data you submit as a ServicePulse account holder, we act as the data controller. When you use ServicePulse to operate a secure status page and your end users authenticate via Google or Microsoft SSO, we act as a data processor on your behalf — you are the controller of your end users' data.

International transfers. Our sub-processors (Vercel, Neon, Clerk, Stripe, Resend, Anthropic) are based in the United States. Transfers of personal data from the EEA to the United States are made under Standard Contractual Clauses (SCCs) or other approved transfer mechanisms maintained by each sub-processor. You can request copies of applicable Data Processing Agreements (DPAs) by emailing [email protected].

Right to lodge a complaint. If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local data protection authority (e.g. your EU member state's DPA, or the UK ICO).

Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or by posting a notice on the Service. Continued use of ServicePulse after changes constitutes acceptance.

Contact

Questions? Email us at [email protected].