Eleven things Pulse will never do.
A pledge without proof is marketing. So below the pledge, the receipts. We can only revise this page upward, adding stricter clauses, never weakening one, and any change ships with 30 days’ public notice.
Eleven things we will never do
- 01
We will never sell, rent, or barter customer data.
Not to advertisers, not to data brokers, not to “research partners,” not to private-equity acquirers as part of a deal. There’s no scenario in our business model that depends on selling data. If we’re acquired, this clause survives the acquisition or we’ll wind the product down honourably.
- 02
We will never train foundation models on your content.
Not on your prompts, not on your retrieved sources, not on your map graph. Inference goes through zero-retention APIs at Anthropic and OpenAI; our calibration loop runs per-tenant inside Pulse. Your team’s writing does not become anyone else’s model.
- 03
We will never aggregate across tenants for product features.
“Other companies like yours also do X” is not a feature we will build. The retrieval index is per-tenant, the calibration loop is per-tenant, the map graph is per-tenant.
- 04
We will never read tenant data to “improve the product.”
Our engineers cannot read your data without a customer-signed break-glass token, time-limited and audited. Even debugging on a customer report requires the customer’s explicit consent and a record in the audit log.
- 05
We will never include third-party trackers on Pulse properties.
No Google Analytics, no Meta Pixel, no LinkedIn Insight tag, no Hotjar, no FullStory, no Segment-into-twelve-vendors. Our marketing site uses one first-party session cookie. Our app uses zero third-party scripts on the auth-walled pages.
- 06
We will never add a feature that surveils users for their employer.
Pulse is not a productivity surveillance tool. We will not build per-user “engagement scores,” typing-speed dashboards, screen-monitoring, location tracking, sentiment surveillance of internal messages, or “manager x-ray” features. Customers have asked. We have said no.
- 07
We will never retain data after deletion.
Deletion is real and verifiable. Within 30 days we delete from primaries, replicas, and backups; you receive a cryptographic deletion certificate. The only carve-out is statutory billing retention (7 years), which is metadata, not content.
- 08
We will never hand over data without a valid legal order.
We push back on overbroad requests. We require valid process for the jurisdiction, scope it to the minimum necessary, and notify the affected customer unless legally prohibited. Where prohibited, we deploy our warrant canary so the absence speaks where the words can’t.
- 09
We will never dark-pattern users into more data sharing.
If a setting controls something privacy-relevant, the more-private option is the default, the language is plain, and we don’t shame you for choosing it. No “you’re missing out” modals. No nags after you decline. No re-prompts in 30 days.
- 10
We will never ship a backdoor for any government.
Not for the US, not for the EU, not for any signatory of any treaty. Our policy engine has no internal-only mode that bypasses customer policy. Capability scopes apply to support staff and engineers exactly as they apply to a third-party app. We will fight, in court, any order that compels us to add one.
- 11
We will never let this pledge erode silently.
We can only revise this page upward, adding stricter clauses, never weakening one. If we genuinely need to change a clause, we’ll publish the proposed change, the reasoning, and the diff at least 30 days before it takes effect.
The receipts
Six things we’ve published or done that demonstrate the pledge isn’t aspirational.
Zero-retention contracts with model providers.
Written agreements with Anthropic and OpenAI prohibiting logging or training on the inference traffic we send. Not a click-through ToS, a negotiated contract.
The audit log streams to your SIEM, not just ours.
Every Pulse action is recorded; admins can stream to Splunk, Datadog, Elastic, or S3 in real time. Our records and yours match.
Quarterly transparency reports.
Counts of: legal-process requests received, requests refused, requests narrowed, requests complied with, customers notified, customers we couldn’t notify (by jurisdiction).
Documented exits we’ve taken.
Two prospects asked us to add productivity-surveillance features. We declined and documented why. We lost the deals. The internal memos are available to existing Enterprise customers under NDA.
The capability proofs.
Formal proofs that the policy engine cannot grant scopes it wasn’t given, that tenant isolation cannot be bypassed, and that audit records cannot be backdated.
Transparency report
Pulse is in private beta. We have not received any government requests for customer data because we have no public customers yet. Our first transparency report will publish here once we’re past private-beta volume, on a quarterly cadence, with jurisdictional breakdowns for everything we’re legally allowed to disclose.
The four metrics we will track from day one: requests received, requests refused or narrowed, customers notified, and backdoors added (which will always read zero, because if it ever doesn’t, the warrant canary below disappears first).
Warrant canary · coming at GA
Some legal processes prohibit a company from telling its users they exist. A canary is a public statement updated on a fixed schedule; if the statement disappears or stops updating, users can infer that something the company was not allowed to disclose has happened. Pulse will publish its first canary at GA, signed by both founders, refreshed on the 1st and 15th of every month. Below is the template; the signed version will live at pulsehq.tech/canary.txt.asc once it’s real.
[ warrant canary · pulsehq.tech · TEMPLATE ]
As of <date>, Pulse has:
· Received zero National Security Letters that
we cannot disclose under §2709(c) of 18 U.S.C.
· Received zero FISA orders, including under
50 U.S.C. §1801 et seq.
· Received zero gag orders preventing us from
disclosing the existence of legal process.
· Made no code changes that bypass the policy
engine's scope checks for any party.
Signed (PGP, fingerprints below):
Apoorv Jain · Co-founder
Manav Jain · Co-founder
Next refresh: <next refresh date>.
We are not building surveillance.
If you’re looking for productivity scoring, employee monitoring, or sentiment dashboards, we’re not the right tool. We’re proud of that.
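A reader-side check for the warrant canary described above, added here as an example and not Pulse's own code: it flags a canary that has dropped one of the template's four statements or missed its 1st/15th refresh. The ISO date format, the two-day grace period and the function names are assumptions, and the PGP signature should be verified before any of the text is trusted.

```python
import re
from datetime import date, timedelta

# Statements from the page's template; a missing one is the signal a canary exists to send.
REQUIRED = ["zero National Security Letters", "zero FISA orders", "zero gag orders",
            "no code changes that bypass the policy engine's scope checks"]
GRACE = timedelta(days=2)  # assumed tolerance for a late refresh, not from the page

def next_refresh_after(d: date) -> date:
    """Next scheduled refresh (1st or 15th of a month) strictly after d."""
    if d.day < 15:
        return d.replace(day=15)
    return date(d.year + d.month // 12, d.month % 12 + 1, 1)

def check_canary(text: str, today: date) -> list[str]:
    """Return findings; an empty list means the canary looks current and complete."""
    flat = " ".join(text.split())  # undo hard line wraps inside statements
    findings = [f"missing statement: {s}" for s in REQUIRED if s not in flat]
    as_of = re.search(r"As of (\d{4}-\d{2}-\d{2})", flat)   # assumed ISO date format
    nxt = re.search(r"Next refresh: (\d{4}-\d{2}-\d{2})", flat)
    if not as_of or not nxt:
        return findings + ["missing or unparseable date"]
    issued, promised = (date.fromisoformat(m.group(1)) for m in (as_of, nxt))
    if issued > today:
        findings.append("issue date is in the future")
    if promised != next_refresh_after(issued):
        findings.append("next-refresh date is off the 1st/15th schedule")
    if today > next_refresh_after(issued) + GRACE:
        findings.append("stale: scheduled refresh was missed")
    return findings

# Constructed sample that follows the page's template, with assumed ISO dates.
SAMPLE = """As of 2025-03-01, Pulse has:
· Received zero National Security Letters that
we cannot disclose under §2709(c) of 18 U.S.C.
· Received zero FISA orders, including under
50 U.S.C. §1801 et seq.
· Received zero gag orders preventing us from
disclosing the existence of legal process.
· Made no code changes that bypass the policy
engine's scope checks for any party.
Next refresh: 2025-03-15."""

if __name__ == "__main__":
    print(check_canary(SAMPLE, date(2025, 3, 10)))  # current canary
    print(check_canary(SAMPLE, date(2025, 3, 20)))  # refresh was missed
```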