Legal

Privacy Policy

How PagePulse collects, uses, and protects performance data from your websites and applications.

1. Overview

PagePulse, Inc. (“PagePulse”, “we”, “us”) operates a frontend performance monitoring platform that measures Core Web Vitals, JavaScript performance, and deployment impact for customer websites. This Privacy Policy explains what data we collect, why we collect it, how long we keep it, and the controls you have over it.

We designed PagePulse to measure timings, not people. We do not record session replays, capture keystrokes, log personal browsing history, or build user profiles for advertising. Our default collection mode is cookie-free, which means we do not set any cookies in your end users' browsers unless you explicitly enable an optional feature that requires them.

2. Data we collect

We collect two categories of data: account data and performance telemetry.

2.1 Account data

When you create a PagePulse account, we collect your name, work email address, company name, and billing information. Billing is handled by our payment processor; we never store full card numbers on our infrastructure. We also retain audit logs of dashboard actions, API calls, and configuration changes you or your team members perform.

2.2 Performance telemetry

When the PagePulse browser SDK runs on a customer website, it collects the following timing data: Core Web Vitals (LCP, INP, CLS, FCP, TTFB), route URL (path only, never query string), device class (e.g. “mobile”), browser family (e.g. “Chrome”), country (derived from IP address, then discarded), connection type (e.g. “4G”), and any custom metrics you explicitly track.

We do not collect IP addresses on a persistent basis. IP addresses are used momentarily to derive country-level geolocation, then discarded within 60 seconds of ingestion. We never use IP addresses for fingerprinting, cross-site tracking, or advertising.

3. How we use data

We use account data to operate your workspace, manage billing, and provide support. We use performance telemetry to power the dashboards, alerts, reports, and deployment impact diffing you see inside PagePulse.

We do not sell your data. We do not share your data with third parties for advertising purposes. We do not use your data to train machine learning models that benefit anyone other than your own workspace.

4. Data retention

You control how long we keep your performance telemetry. The default retention period depends on your plan: 7 days on Starter, 90 days on Growth, and 365 days or custom on Scale. You can shorten or extend retention at any time from your workspace settings.

When you delete a project, we hard-delete all associated telemetry within 30 days. When you close your account, we hard-delete all data across all projects within 30 days. Audit logs are retained for 7 years to comply with SOC 2 and ISO 27001 requirements.

5. International data transfers

PagePulse operates collection regions in the United States, European Union, and Asia Pacific. Customer telemetry is processed in the region closest to the end user, then stored in your chosen primary region. EU customers can elect EU-only data residency, in which case telemetry from non-EU end users is forwarded to the EU region for storage.

We rely on Standard Contractual Clauses (SCCs) for any transfer of personal data from the European Economic Area to a third country. A signed copy of the SCCs is available on request.

6. Your rights

Under the GDPR, CCPA, and similar regulations, you have the right to access, correct, export, or delete the personal data we hold about you. For account data, you can exercise these rights directly from your workspace settings. For end-user telemetry, your workspace admin can submit a data subject access request to support@pagepulse.dev and we will respond within 72 hours.

You have the right to lodge a complaint with your local data protection authority. We encourage you to contact us first so we can resolve the issue directly.

7. Security

PagePulse is SOC 2 Type II and ISO 27001 certified. All data is encrypted at rest with AES-256 and in transit with TLS 1.3. Encryption keys are rotated every 90 days. Access to production infrastructure is restricted to a small group of engineers and is logged for audit.

We engage independent third parties to perform annual penetration tests. A summary of the most recent test is available on request under NDA. Suspected security incidents should be reported to security@pagepulse.dev.

8. Sub-processors

We use a small number of sub-processors to operate the platform: a cloud hosting provider, a managed database provider, an email delivery service, and a payment processor. Each sub-processor is bound by a data processing agreement that meets GDPR Article 28 requirements.

We provide 30 days' notice before engaging a new sub-processor. You can subscribe to sub-processor updates by emailing support@pagepulse.dev.

9. Changes to this policy

We will notify you by email at least 30 days before this Privacy Policy changes in a material way. A changelog of past versions is available on request. Continued use of PagePulse after the effective date of a new policy constitutes acceptance of the updated terms.

Questions about this document? Email support@pagepulse.dev.