Privacy Policy

We collect only the minimum information necessary to provide our service:

Account information

When you register, we collect your name, business name, and email address. Your password is hashed using bcrypt (12 rounds) and is never stored in plain text.

Client submission data

Information submitted through your intake forms — including client names, email addresses, phone numbers, and service requests — is collected on your behalf and encrypted at rest using AES-256-GCM before storage.

Payment information

All payment processing is handled exclusively by Stripe, Inc. We do not collect, store, or have access to your credit card number, billing address, or any other payment credentials. Please review Stripe's Privacy Policy for details on how they handle your payment data.

Usage data

We log authentication events (logins, logouts) and basic usage activity for security and audit purposes. We do not use third-party analytics tools or advertising trackers.

We use the information we collect solely to:

• Provide, maintain, and improve the ClientPulse service
• Authenticate users and maintain secure sessions
• Send automated follow-up emails on your behalf to your clients
• Process subscription payments through Stripe
• Detect and prevent fraud, abuse, and security incidents
• Comply with applicable legal obligations

We do not use your data or your clients' data for advertising, profiling, or any purpose beyond delivering the service you have subscribed to.

We apply industry-standard security measures to protect your data at every layer:

• Encryption at rest: All personally identifiable client data (names, emails, phone numbers) is encrypted using AES-256-GCM with per-record keys derived via scrypt.
• Encryption in transit: All data transmitted between your browser and our servers is encrypted via TLS 1.2 or higher.
• Authentication security: Session tokens are cryptographically signed JWTs with a 2-hour expiration. Accounts are locked after 5 consecutive failed login attempts.
• Application security: We follow OWASP Top 10 guidelines and apply input validation, rate limiting, and CSRF protections throughout the application.

While we take every reasonable precaution, no system is completely immune to risk. We encourage you to use a strong, unique password and notify us immediately of any suspected unauthorised access.

We do not sell, rent, lease, or trade your personal information or your clients' data to any third party. We share information only in the following limited circumstances:

• Stripe: Payment processing. Stripe receives only the information necessary to process your subscription.
• Resend: Email delivery. When follow-up emails are sent on your behalf, your clients' email addresses are transmitted to Resend solely for the purpose of delivering those emails.
• Legal requirements: We may disclose information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of ClientPulse, our users, or others.

We retain your account data and associated client submissions for as long as your account remains active. If you cancel your account:

• All personal data associated with your account is permanently deleted within 30 days of cancellation.
• Security audit logs are retained for 90 days for fraud prevention and legal compliance purposes, after which they are permanently purged.
• You may request immediate deletion at any time by contacting us at support@clientpulse.dev.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Right of Access

You may request a copy of the personal data we hold about you.

Right to Rectification

You may request correction of any inaccurate or incomplete data.

Right to Erasure

You may request deletion of your personal data (“right to be forgotten”), subject to our legal obligations.

Right to Data Portability

You may request your data in a structured, machine-readable format.

Right to Object

You may object to certain types of processing, including direct marketing.

To exercise any of these rights, please contact us at support@clientpulse.dev. We will respond to all verified requests within 30 days.

We use only strictly necessary cookies to operate the service. Specifically, we set a single authentication cookie (cpulse_session) that maintains your logged-in session. This cookie is:

• HTTP-only (not accessible to JavaScript)
• Secure (transmitted over HTTPS only)
• SameSite: Strict (not sent on cross-site requests)
• Automatically expired after 2 hours of inactivity

We do not use advertising cookies, marketing pixels, or any third-party tracking technologies.

ClientPulse is not directed at, and does not knowingly collect personal information from, individuals under the age of 16. If you believe a minor has provided us with personal information, please contact us and we will promptly delete it.

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email at least 30 days before the changes take effect. The updated policy will always be available at this URL with a revised effective date. Your continued use of the service after the effective date constitutes your acceptance of the updated policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

ClientPulse
Email: support@clientpulse.dev
Website: clientpulse.dev