Privacy Notice

Last updated: April 23, 2026 · Version v1-20260423

This notice explains how Pulse — a people-operations platform operated by Nurix.ai (“Pulse”, “we”, “us”) — collects, uses, protects, and shares personal data. It is written to satisfy India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the EU / UK General Data Protection Regulation (“GDPR”).

1. Who we are and how to contact us

Pulse is provided by Nurix.ai, with its registered office in India. For the purposes of the GDPR we act as a processor of personal data on behalf of the employer organization that has subscribed to Pulse (the “customer”). That customer is the controller. For internal operations data (billing, support, security telemetry) we act as a controller in our own right.

For the purposes of the DPDP Act we are a Data Fiduciary for our own operations data and a Data Processor for customer data.

  • Data Protection Officer / Grievance Officer: dpo@nurix.ai
  • Privacy inbox: privacy@nurix.ai

2. Personal data we process

We collect and process the following categories of personal data. Which categories apply to you depends on how your employer has configured Pulse.

  • Identity and authentication — name, work email address, Google subject identifier, profile photograph (if provided by your Google Workspace).
  • Employment profile — job title, team, manager, worker type, cost centre, start date, exit date, employee number, location region.
  • Workspace activity — OKRs, check-ins, feedback you give or receive, performance review submissions, leave requests and balances, reimbursement claims, policy acknowledgements, Ask-Pulse conversations.
  • Sensitive personal data — where configured by your employer, Pulse may hold bank account details, government-issued identifiers (Aadhaar / PAN / SSN equivalents), and compensation figures. These fields are stored encrypted at the field level and access is restricted to designated finance / HR roles.
  • Product telemetry — authenticated page views, feature usage, errors, and performance data. Public-site traffic is measured without a persistent visitor identity and reported only in aggregate.
  • Communications — emails and Slack messages we send you about your account; support requests you send us.

3. Why we process your data and on what legal basis

Purpose | GDPR legal basis | DPDP ground
Operate Pulse, authenticate you, deliver the features your employer has purchased. | Contract (Art. 6(1)(b)) | Performance of employment (§7(e))
Detect fraud, secure the platform, keep audit logs. | Legitimate interest (Art. 6(1)(f)) | Legitimate use (§7(i))
Send you product updates or marketing emails. | Consent (Art. 6(1)(a)) | Consent (§6)
Process your data with AI-assisted features (summaries, drafts, classifications). | Consent (Art. 6(1)(a)) | Consent (§6)
Comply with tax, labour, and regulatory requirements. | Legal obligation (Art. 6(1)(c)) | Legal obligation (§7(b))

Where processing relies on your consent, you can withdraw it at any time from the Profile → Preferences page. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

4. Automated decision-making and AI processing

Pulse uses large-language-model (LLM) providers to offer AI-assisted features — draft check-ins, review briefs, Ask-Pulse Q&A, and candidate screening assistance. These features generate suggestions for a human to review; they do not make final decisions that produce legal or similarly significant effects on you. A human reviewer remains in the loop for every decision that carries employment consequences.

Before any data leaves Pulse for an LLM provider, we apply a redaction layer that strips obvious identifiers (email addresses, phone numbers, government IDs, JWTs, API keys). Inputs and outputs are recorded in our audit log with the same redaction applied. You can opt out of AI processing at any time; see the AI Processing Addendum.

5. Who we share data with

We do not sell personal data. We share it only with the following categories of recipients:

  • Your employer — managers, admins, and finance or HR roles within your workspace see data relevant to their role, subject to in-product access controls.
  • Sub-processors we rely on to run the service:
    • Vercel Inc. (US) — application hosting
    • Supabase Inc. (US) — managed Postgres database
    • Google LLC (US, EU) — Workspace sign-in and email
    • OpenAI, L.L.C. (US) — LLM inference for AI features
    • Resend, Inc. (US) — transactional email delivery
    • Slack Technologies LLC (US) — workspace notifications, where connected
  • Authorities — when required by law, or to defend our legal rights.
  • Successors — in the event of a merger, acquisition, or sale of assets, data may transfer to the successor entity under the same protections.

6. International transfers

Some of our sub-processors are located outside your country. Transfers out of the EU / UK rely on the EU Commission’s Standard Contractual Clauses. Transfers of personal data originating in India are made only to jurisdictions where such transfer is permitted under the DPDP Act and accompanying rules. A current list of transfer destinations and safeguards is available from the Data Protection Officer on request.

7. How long we keep data

Category | Retention
Active employee profile + workspace content | For the duration of the customer’s subscription.
Audit logs (operational_events) | 13 months rolling.
Notification delivery records | 90 days.
Inactive user profile (post-exit) | Up to 7 years, where required for labour or tax law.
AI prompt / output audit summaries | 13 months rolling; redacted at write time.
Encrypted backups | 35 days.

When the customer ends its subscription, we delete or return their personal data within 60 days, unless a specific record is subject to a legal obligation to retain.

8. Security

We operate Pulse with the following baseline security controls: TLS 1.2+ in transit; encryption at rest for databases and backups; application-level encryption for designated sensitive fields using AES-256-GCM with key-rotation support; Google OAuth 2.0 sign-in with optional enforced SSO; role-based access control inside the product; structured audit logs of every AI action and administrative mutation; rate limiting at the edge and per user; managed vendors holding SOC 2 or equivalent attestations.

No system is perfectly secure. In the event of a personal data breach affecting your rights, we will notify the relevant regulator and, where legally required, you directly, within the timelines set by the DPDP Act and the GDPR.

9. Your rights

Subject to local law, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion (“right to be forgotten”).
  • Restrict or object to certain processing.
  • Receive your data in a portable, machine-readable format.
  • Withdraw consent you previously gave, without affecting prior lawful processing.
  • Nominate an individual to exercise these rights on your behalf in the event of death or incapacity (DPDP §14).
  • Complain to a supervisory authority — in India, the Data Protection Board; in the EU, your national DPA; in the UK, the ICO.

To exercise any right, contact privacy@nurix.ai. We respond within 30 days; if a request is complex we may extend once by 60 days and tell you why. If your employer is the controller of the data in question, we will route your request to them and confirm the routing to you.

10. Children

Pulse is a workplace tool and is not directed to children. We do not knowingly collect data from anyone under 18. If you believe a child has used the service, contact us and we will remove the data.

11. Cookies and similar technologies

Pulse uses essential cookies for authentication and session continuity. We do not use third-party advertising or cross-site tracking cookies. Public-site traffic is measured with a first-party, cookie-less identifier that is aggregated after collection.

12. Changes to this notice

When we make material changes we bump the version (shown above the title), update the date, and prompt you to renew consent the next time you sign in. Previous versions are available from the Data Protection Officer on request.
