Pulse for WhatsApp
Last updated: 18 Jun 2026 • Chrome Extension • Applies to the Pulse AI for WhatsApp extension, the Pulse backend (app.pulseapp.ai), and the optional Pulse account dashboard.
Plain-English Summary
Pulse helps you turn busy WhatsApp Web chats into clear lists of tasks, follow-ups, decisions, and ready replies — only when you click Scan.
Chrome Web Store Limited Use
Pulse's use of information received from users adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. Data is used only to provide and improve the single user-facing feature of the extension, is not sold, and is not used for advertising.
1. Who we are (data controller)
Pulse (“Pulse”, “we”, “us”, “our”) provides the Pulse AI for WhatsApp extension and related services.
- Legal entity: Pulse AI
- Location: Bengaluru, Karnataka, India
- Governing law: India
- Privacy contact: hi@pulseapp.ai
If you have any question about this policy or your data, email hi@pulseapp.ai.
2. Scope
This policy covers three connected parts of the product:
- The Chrome extension — runs only on web.whatsapp.com, reads the chat you choose to scan, and stores results locally in your browser.
- The Pulse backend (https://app.pulseapp.ai) — receives a scan, performs the AI processing in memory, and returns the result. It also powers optional accounts, plans, and quotas.
- The optional Pulse account / dashboard — if you sign in, lets you manage your plan and (optionally) sync your task lists across devices.
You can use the core scanning features anonymously, without an account.
3. Data we collect
We group everything we handle into three buckets.
3a. WhatsApp content you ask us to process
This is read only when you click Scan (or use the suggested-reply feature). The extension reads the rendered page; it never modifies WhatsApp, never sends messages, and never marks chats as read. What is read:
- Message text of the visible chat (the most recent messages, up to your configured limit)
- Sender display names and message timestamps
- The chat or group name
- A contact's WhatsApp display name ('push name'), where shown
- Whether the chat is a group, and the group member count, where shown
- Unread counts and last-message previews shown in your chat list
This content is transmitted to our backend to generate your results and is used in memory only — see Sections 4 and 9.
3b. Account and billing data (only if you create an account)
Stored in our database:
- Email address
- Name (optional; you can set it, or it is taken from your Google profile if you sign in with Google, and you can edit or remove it)
- Google account identifier (only if you sign in with Google)
- Password — stored only as a salted bcrypt hash; we never store your raw password (only if you register with email/password)
- Plan information — subscription tier, free-trial status, and purchased scan credits
- Subscription/billing metadata — your Razorpay subscription ID, status, currency, and renewal date (we do not store your card number or bank details; those are handled by Razorpay)
- Daily scan counts — used to enforce plan limits
- Your privacy settings — Privacy Mode and storage mode (see Section 11)
- Account creation date
- Authentication tokens — stored only as one-way SHA-256 hashes (sign-in session tokens and one-time password-reset tokens); the raw tokens are never stored
Synced task items (only if you turn on sync): if you sign in and set storage to “My Pulse account” with Privacy Mode off, we store the short extracted items — their type (task / follow-up / decision / waiting-on-you), a brief title and optional detail (derived from your chat, capped in length), the chat name, and status (open/done). We do not store the raw conversation or message transcripts.
3c. Data stored locally on your device
Held in your browser's chrome.storage.local, on your device only:
- Your settings (active provider/model, theme, messages-per-scan, retention preference, your name)
- Your scan results — the extracted items and chat names (not the raw message text)
- A snapshot of your visible chat list (including last-message previews) to render the panel
- Your sign-in session tokens (access and refresh tokens), if signed in
- For anonymous use: a randomly generated device identifier and your daily scan count
- Interface state and counters
Bring-your-own-key (optional): if you choose to use your own OpenAI, Anthropic, or DeepSeek API key, the key is stored locally in your browser so you do not have to re-enter it. Only the last four characters are ever displayed. See Section 7 for how it is used.
4. How we use your data
- To produce your results. Visible chat text is sent to an AI provider to extract tasks, follow-ups, decisions, and to draft suggested replies. This happens in memory and is not stored (Section 9).
- To run your account, plan, and quotas. Email, name, plan, credits, and scan counts are used to authenticate you, enforce daily limits, and manage your subscription.
- To process payments. Plan and subscription metadata are used to create and manage your subscription through Razorpay.
- To provide support and respond to feedback. If you contact support or submit uninstall feedback, we use your message (and contact details, if you provide them) to reply and improve the product.
- To secure the service. Identifiers and counts are used to prevent abuse, enforce rate limits, and protect against fraud.
We do not use your data for advertising, profiling, or sale to third parties. We do not use it to assess creditworthiness or for lending.
5. Cookies, tracking, and analytics
Pulse does not use cookies, web beacons, pixels, device fingerprinting, or any third-party analytics, telemetry, or advertising technologies. The extension stores data only in your browser's local storage (chrome.storage.local), and our backend does not set tracking cookies.
We do not build advertising profiles and do not track you across other websites.
The only identifier we use is a random device identifier created for anonymous (signed-out) use to count your free daily scans; it is not linked to any third-party tracking (see Sections 3c and 9).
6. Legal bases (where applicable, e.g. UK/EU GDPR)
Where data-protection law requires a legal basis, we rely on:
- Performance of a contract — to provide scanning, accounts, and billing you request.
- Legitimate interests — to secure the service, prevent abuse, and respond to support requests.
- Consent — for optional features you switch on, such as account sync. You can withdraw consent at any time by turning the feature off or deleting your account.
7. Third parties we share data with
We share data only with the service providers needed to operate Pulse. We do not sell or rent your data, and we do not share it for advertising.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| OpenAI | AI extraction & suggested replies (default/managed mode) | Visible chat text of the chat you scan — used in memory, transient | United States |
| Anthropic | AI extraction & suggested replies (managed or your-own-key mode) | Visible chat text of the chat you scan — transient | United States |
| DeepSeek | AI extraction & suggested replies (your-own-key mode) | Visible chat text — transient. Note: DeepSeek processes and stores data in China and may use inputs to train its models. Choose DeepSeek only if you are comfortable with this. | China |
| Google (Sign in with Google) | Authentication, if you choose Google sign-in | Your Google ID token, from which we read your email, name, and Google account identifier | Google infrastructure |
| Razorpay | Payments and subscriptions | Your Pulse user identifier, selected plan/tier, and subscription metadata. Card/bank details are entered directly with Razorpay; we never receive or store them. | Razorpay infrastructure |
| SendGrid (Twilio) | Transactional email (password reset, support replies, feedback handling) | Your email address, name, and the content of your support or feedback message | SendGrid infrastructure |
| Neon | Database hosting (stores all account, plan, and synced-item data) | All data we persist (Section 3b) | AWS ap-southeast-1 (Singapore) |
| Google Cloud Platform | Application hosting and processing | Transient request data while a scan or account action is processed | asia-southeast1 (Singapore) |
About your own API key (bring-your-own-key): if you use your own provider key, the key is sent from your browser to our backend solely to relay your request to that provider on your behalf. It is used in memory, is never stored on our servers, and is redacted from our logs.
Each AI provider handles data it receives under its own privacy and retention terms. We do not control their independent retention; we send only what is needed for the scan and store nothing of it ourselves.
We may also disclose data if required by law, to enforce our terms, or to protect the rights, safety, and security of our users or the service.
8. Where your data is processed and stored
- Application processing: Google Cloud Platform, region asia-southeast1 (Singapore).
- Database: Neon (PostgreSQL) on Amazon Web Services, region ap-southeast-1 (Singapore).
- AI processing: at the provider you use — OpenAI and Anthropic (United States) or DeepSeek (China).
By using Pulse you understand that your data may be processed in these locations. Where we transfer personal data internationally, we rely on appropriate safeguards and send only the minimum data needed for the task.
9. Data retention
- WhatsApp message text: never stored. It exists only in memory during the few seconds your scan is processed, is sent to the AI provider, and is then discarded. It is excluded from our application logs by automatic redaction.
- Your own API key (BYOK): never stored on our servers; held only in your local browser storage until you remove it.
- Account and billing data: kept for the life of your account and deleted when you delete your account.
- Synced task items: kept until you delete them, switch storage back to local-only, turn Privacy Mode on, or delete your account; re-scanning a chat replaces its previous items.
- Sign-in (refresh) tokens: stored as hashes, valid up to ~90 days and rotated on use; password-reset tokens expire after 1 hour and are single-use.
- Anonymous device identifier: if you use Pulse without an account, the random device identifier and daily scan count remain in our database and are not automatically deleted. Contact hi@pulseapp.ai if you would like it removed.
- Local data on your device: your settings, scan results, and any saved API key remain in your browser until you delete them.
10. Security
- All communication uses encrypted HTTPS connections.
- Passwords are stored only as salted bcrypt hashes (work factor 12); authentication tokens are stored only as SHA-256 hashes.
- WhatsApp message text and your API key are redacted from our server logs.
- Backend access is restricted to the Pulse extension and the Pulse dashboard (CORS-restricted), with rate limiting on sensitive endpoints.
- If a data breach affecting your personal data occurs, we will notify affected users and any relevant regulator as required by applicable law.
No method of transmission or storage is perfectly secure, but we work to protect your data using industry-standard measures.
11. Your rights and controls
You are in control of your data:
- Privacy Mode (on by default): keeps your results private to the Pulse panel and prevents any items from being saved to our servers.
- Storage choice: keep your results only on your device ('Private — this device'), or sync the extracted items to your account ('My Pulse account'). Switching back to private deletes items saved to your account.
- Export: download everything we store about your account (profile, billing metadata, usage, and any synced items) as a JSON file from the dashboard, or by contacting us.
- Delete your account: permanently deletes your account and all associated data (profile, items, usage, subscriptions, tokens) and cancels any active subscription.
- Remove a saved API key or clear your scans at any time from the extension Settings.
If you are in India, you have rights under the Digital Personal Data Protection Act, 2023 — including to access, correct, and erase your personal data, to nominate another person to exercise your rights, and to grievance redressal. You may raise any grievance with us at hi@pulseapp.ai.
Depending on where you live, you may also have rights to access, correct, restrict, or object to processing, and to lodge a complaint with your local data-protection authority. To exercise any right, email hi@pulseapp.ai.
12. US state privacy rights
If you are a resident of California or another US state with a comprehensive privacy law (such as Virginia, Colorado, Connecticut, or Utah), you have the right to know what personal information we collect, to access a copy of it, to delete it, and to correct it.
- We do not sell your personal information, and we do not share it for cross-context behavioral advertising — so there is nothing to opt out of on that front.
- We do not use or disclose sensitive personal information for purposes that would give you a right to limit such use.
- We will not discriminate against you for exercising any of these rights.
- California 'Shine the Light': we do not share personal information with third parties for their own direct marketing.
To exercise your access, deletion, or correction rights, email hi@pulseapp.ai. We may need to verify your identity before acting on a request.
13. Automated decisions and AI
Pulse uses AI models to read the chat you choose to scan and produce summaries, task lists, and suggested replies. These outputs are suggestions for you to review and act on. Pulse does not make automated decisions that produce legal or similarly significant effects about you, and you are always in control of whether to use a result.
14. Links to third-party services
Pulse may link to third-party sites and services — for example, an AI provider's website, Razorpay's checkout, or your Pulse dashboard. Those services have their own privacy policies, and we are not responsible for their content or practices.
15. Children
Pulse is not intended for, and not directed to, children under 16 (or the minimum age in your jurisdiction). We do not knowingly collect data from children. If you believe a child has provided us data, contact hi@pulseapp.ai and we will delete it.
16. Not affiliated with WhatsApp or Meta
Pulse is an independent tool. It is not affiliated with, endorsed by, or sponsored by WhatsApp LLC or Meta Platforms, Inc. “WhatsApp” is a trademark of its respective owner.
17. Changes to this policy
We may update this policy as the product evolves. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you. Continued use after an update means you accept the revised policy.
18. Contact
Questions, requests, or concerns about your privacy: hi@pulseapp.ai