PRIVACY POLICY

Last updated October 28, 2025

This Privacy Notice for Hancock Digital Design, LLC (doing business as PulseAPI.io) ("we," "us," or "our"), describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

• Visit our website at https://www.pulseapi.io or any website of ours that links to this Privacy Notice
• Engage with us in other related ways, including any sales, marketing, or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at privacy@pulseapi.io.

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use. Learn more about personal information you disclose to us.

Do we process any sensitive personal information? We do not process sensitive personal information.

Do we collect any information from third parties? We do not collect any information from third parties.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so. Learn more about how we process your information.

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

• names
• email addresses
• phone numbers
• company names
• job titles
• usernames and passwords
• billing addresses
• debit/credit card numbers (processed securely through Stripe)

Payment Data. We may collect data necessary to process your payment if you choose to make purchases, such as your payment instrument number, and the security code associated with your payment instrument. All payment data is handled and stored by Stripe. You may find their privacy notice at: https://stripe.com/privacy.

Social Media Login Data. We may provide you with the option to register with us using your existing social media account details, like your Facebook, X, or other social media account. If you choose to register in this way, we will collect certain profile information about you from the social media provider, as described in the section called "HOW DO WE HANDLE YOUR SOCIAL LOGINS?" below.

API Monitoring Data

When you use our Service to monitor API endpoints, we automatically collect and process data from the API responses, including:

Endpoint Configuration Data:

• Endpoint URLs you configure for monitoring
• Monitoring frequency and check intervals you set
• Alert thresholds and notification preferences
• API authentication credentials (encrypted and stored securely)
• Geographic monitoring locations you select

Real-Time Response Data:

• HTTP status codes (200, 404, 500, etc.)
• Response times and latency metrics
• Response headers (Content-Type, Cache-Control, etc.)
• Response body content (the actual data returned by your monitored APIs)
• Error messages and stack traces from failed requests
• SSL/TLS certificate information and expiration dates

Historical Performance Data:

• Uptime percentages and availability trends
• Response time patterns and performance baselines
• Anomaly detection results and AI-generated insights
• Alert history and notification logs
• Comparative analytics across your monitored endpoints

Your Responsibility: You are solely responsible for ensuring you have appropriate legal authorization to monitor these endpoints and process any data they return. You must comply with all applicable privacy laws and the terms of service of the APIs you monitor.

Our Role: We process this monitoring data solely to provide the Service features you've enabled (monitoring, alerting, analytics, anomaly detection). We do not access, review, or use the content of API responses for any other purpose without your explicit consent.

Information automatically collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

• To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, as well as keep your account in working order.
• To deliver and facilitate delivery of services to the user. We may process your information to provide you with the requested service, including API monitoring, alerts, and performance analytics.
• To maintain service reliability and uptime. We process your monitoring configuration data to deliver our promised service levels, including our 99.9% uptime target, monitoring frequency as configured, and alert delivery within 60 seconds of detection.
• To respond to user inquiries/offer support to users. We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
• To send you marketing and promotional communications. We may process the personal information you send to us for our marketing purposes, if this is in accordance with your marketing preferences.
• To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.
• To evaluate and improve our Services, products, marketing, and your experience. We may process your information when we believe it is necessary to identify usage trends, determine the effectiveness of our promotional campaigns, and to evaluate and improve our Services, products, marketing, and your experience.

3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We share information with third-party service providers necessary to operate our Service, as described below.

We share your personal information with the following categories of third-party service providers:

Infrastructure and Hosting Providers:

• DigitalOcean (cloud hosting and infrastructure) - Stores all monitoring data, databases, and application servers on US-based infrastructure
• Cloudflare (CDN and DDoS protection) - Proxies traffic to our servers and provides security services

Payment Processing:

• Stripe (payment processor) - Processes credit card payments and stores billing information. We do not store complete credit card numbers on our servers. View Stripe's privacy policy: https://stripe.com/privacy

Communication and Alert Delivery:

• Zoho - Delivers alert emails, transactional messages, and marketing communications

Analytics and Product Improvement:

• Google Analytics - Website usage tracking, conversion analysis, and user behavior analytics. View Google's privacy policy: https://policies.google.com/privacy

Customer-Configured Integrations:

When you enable third-party integrations through your account settings, we share alert and monitoring data with:

• Slack workspaces you configure - Sends alert notifications to your specified channels
• Custom webhook URLs you configure - Sends monitoring event data to endpoints you specify

Third-Party Contractual Protections:

All third-party service providers are contractually bound to:

• Use your data only for the specific services they provide to us
• Implement appropriate security measures to protect your data
• Not sell or share your data with other parties
• Comply with applicable privacy laws and regulations
• Delete or return data upon termination of services

Data Shared with Third Parties:

We only share the minimum data necessary for each service provider to perform their specific function:

• Infrastructure providers: All data (necessary for hosting and service delivery)
• Payment processors: Billing information, transaction details, email address
• Communication services: Email address, phone number (if applicable), alert content
• Analytics providers: Anonymized usage data, device information, location data
• Customer integrations: Monitoring events, alert data, endpoint status (as you configure)

Important: We do not sell, trade, or rent your personal information to third parties for their own marketing purposes.

Business Transfers:

We may share or transfer your information in connection with, or during negotiations of:

• Merger or acquisition of PulseAPI.io or Hancock Digital Design LLC
• Sale of company assets or business units
• Financing rounds or investment transactions
• Bankruptcy or similar proceedings

In such events, we will require the acquiring party to honor this Privacy Notice. We will notify you via email and/or prominent notice on our website of any change in ownership or use of your personal information.

International Data Transfers:

Some service providers may process or store data outside the United States. When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by relevant authorities
• Adequacy decisions by regulatory bodies
• Other legally valid data transfer mechanisms

Legal Requirements:

We may disclose your information if required to do so by law or in response to:

• Valid court orders or subpoenas
• Law enforcement requests with proper legal authority
• Regulatory investigations or compliance requirements
• Protection of our legal rights or prevention of fraud
• Emergency situations involving danger to persons or property

We will notify you of such disclosures unless prohibited by law or court order.

4. DATA PROCESSOR RELATIONSHIP

Role Definition: We process monitoring data solely on your behalf and according to your instructions through your account configuration.

Your Responsibilities as Data Controller:

• Ensuring you have legal authorization to monitor all configured API endpoints
• Determining what APIs to monitor and what data will be processed as a result
• Complying with all applicable privacy laws (GDPR, CCPA, state privacy laws, etc.)
• Obtaining necessary consents from data subjects whose information may appear in monitored API responses
• Maintaining appropriate data processing agreements with the API providers you monitor
• Ensuring your monitoring activities comply with the terms of service of monitored APIs

Our Responsibilities as Data Processor:

• Processing monitoring data only as necessary to provide the Service features you enable
• Implementing appropriate technical and organizational security measures to protect monitored data
• Not accessing or reviewing monitored API response content except when necessary to provide Service features, for debugging with your permission, or when required by law
• Deleting monitoring data according to your retention settings and upon request
• Assisting with your data protection compliance obligations where reasonably possible

Limitation of Liability: You acknowledge and agree that we have no control over, and cannot verify, what data is contained in your monitored API responses. We are not responsible for:

• Ensuring your monitoring activities comply with privacy laws or regulations
• Verifying that you have authorization to monitor specific endpoints
• Any personal information, sensitive data, or confidential information that appears in monitored API responses
• Compliance with API provider terms of service
• Any legal claims arising from your monitoring activities or the data you choose to process

Data Processing Agreement: For enterprise customers requiring formal Data Processing Agreements (DPAs) for GDPR compliance or other regulatory requirements, please contact us at enterprise@pulseapi.io. We can execute Standard Contractual Clauses (SCCs) or other appropriate legal mechanisms as needed.

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We may use cookies and other tracking technologies to collect and store your information.

We may use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.

Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice: http://www.pulseapi.io/cookies.

6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.

Our Services offer you the ability to register and log in using your third-party social media account details (like your Google or GitHub logins). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, email address, and profile picture.

We will use the information we receive only for the purposes that are described in this Privacy Notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party social media provider.

7. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.

We maintain different retention periods for different types of data:

Account and Profile Information:

• Retained while your account is active and in good standing
• Deleted within 30 days of account termination
• Exception: Billing records and transaction history retained for 7 years to comply with tax and accounting legal requirements

Monitoring Data (API responses, performance metrics, response content):

• Real-time monitoring data: Retained for 90 days from collection date
• Historical aggregated analytics: Retained for 1 year for long-term trend analysis
• Alert history and notification logs: Retained for 90 days
• Upon account termination: All monitoring data deleted within 30 days
• User-requested deletion: Monitoring data can be deleted immediately upon request through account settings or by contacting privacy@pulseapi.io

Configuration and Settings Data:

• Endpoint configurations, alert rules, team settings: Retained while account is active
• Deleted immediately upon account termination
• API credentials: Encrypted during storage, permanently deleted upon removal or account termination

Anonymized and Aggregated Data:

• We may retain anonymized, aggregated monitoring data indefinitely for product improvement, research, and industry benchmarking
• This data has all customer identifiers, endpoint URLs, and personal information removed
• Cannot be used to identify you, your company, or your monitored endpoints

Legal Hold and Compliance:

• If we are required to retain data longer due to legal proceedings, regulatory investigations, or valid law enforcement requests, we will retain the minimum data necessary for the required period
• We will notify you of such retention requirements unless prohibited by law

Early Deletion Requests:

You may request earlier deletion of your monitoring data at any time by:

• Using the data deletion tools in your account settings
• Contacting us at privacy@pulseapi.io
• Submitting a formal data deletion request under applicable privacy laws

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information. If deletion is not possible (for example, because data has been stored in backup archives), we will securely isolate the information from any further processing until deletion is possible.

8. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. Specifically for PulseAPI.io:

• Encryption in Transit: All data transmission uses TLS 1.3 encryption
• Encryption at Rest: Customer data is encrypted at rest using AES-256 encryption
• Access Controls: Database access is restricted to essential personnel only
• Threat Detection: Automated threat detection and intrusion prevention systems
• Security Audits: Regular security audits and penetration testing
• Data Isolation: Monitoring data is logically separated per customer account
• Compliance: We maintain industry-standard security practices and work toward SOC 2 Type II compliance
• Backups: Daily automated backups with 30-day retention

However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. You should only access the Services within a secure environment.

If you have security concerns or discover a potential vulnerability, please contact us immediately at security@pulseapi.io.

9. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly collect, solicit data from, or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at privacy@pulseapi.io.

10. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: You may review, change, or terminate your account at any time, depending on your country, province, or state of residence.

Account Information: If you would at any time like to review or change the information in your account or terminate your account, you can log in to your account settings and update your user account, or contact us using the contact information provided below.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

11. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.

12. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the personal information we maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your personal information.

Depending upon the state where you live, you may have specific privacy rights regarding your personal information. To exercise these rights, you can contact us by submitting a data subject access request, or by emailing us at privacy@pulseapi.io.

13. INTERNATIONAL USERS AND GDPR

Primary Data Location: All customer data, monitoring data, and account information is stored on servers located in the United States.

European Economic Area (EEA), UK, and Swiss Users:

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, please be aware that by using our Service, you are transferring personal data to the United States. The United States may have data protection laws that differ from those in your jurisdiction.

Legal Basis for Processing (EEA/UK Users):

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service under our Terms of Service
• Legitimate Interests: Improving our Service, fraud prevention, and security
• Legal Obligations: Compliance with applicable laws and regulations
• Consent: Where we have obtained your explicit consent for specific processing activities

Your Rights (EEA/UK/Swiss Users):

In addition to the rights described in Section 10, users in these jurisdictions have additional rights under GDPR and equivalent laws:

• Right to Data Portability: Export your data in a machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Restrict Processing: Request limitation of how we process your data
• Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise these rights, contact us at privacy@pulseapi.io.

Standard Contractual Clauses: For enterprise customers requiring formal GDPR compliance mechanisms, we can execute Standard Contractual Clauses (SCCs) as approved by the European Commission. These provide appropriate safeguards for international data transfers. Contact enterprise@pulseapi.io to request our Data Processing Agreement.

Canadian Users: We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws for Canadian users.

Other International Users: We strive to comply with applicable data protection laws in all jurisdictions where we operate. If you have questions about how we handle your data under your local laws, contact privacy@pulseapi.io.

14. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Revised" date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

15. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may email us at:

• General privacy inquiries: privacy@pulseapi.io
• Data deletion requests: privacy@pulseapi.io
• GDPR/CCPA requests: privacy@pulseapi.io
• Security concerns: security@pulseapi.io
• DPA requests: enterprise@pulseapi.io

Or contact us by post at:

Hancock Digital Design, LLC (doing business as PulseAPI.io)
Attn: Privacy Officer / PulseAPI.io
1500 N Grant St STE N
Denver, CO 80203
United States

For fastest response, email privacy@pulseapi.io with subject line: "Privacy Request - [Your Request Type]"

We will respond to all privacy inquiries within 30 days.

16. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country or state of residence in the US, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information.

To request to review, update, or delete your personal information, please fill out and submit a data subject access request.