
Privacy policy

How Excis Compliance Ltd. handles personal data relating to this website and the Excis Pulse product.

Last updated: 12 May 2026 · Version: 2.1 · Hosting: European Union only

1. Who we are

Excis Compliance Ltd. ("Excis", "we", "us") is a company registered in England & Wales (company number 06886815) with its registered office at 1 Northumberland Avenue, Trafalgar Square, London, WC2N 5BW, United Kingdom. We are the operator of pulse.excis.com and the publisher of the Excis Pulse software product.

Our UK Data Protection Officer can be reached at [email protected]. Our EU representative under Article 27 GDPR is Excis Compliance B.V., Amsterdam, Netherlands.

2. When we are the controller, and when we are a processor

This is the most important paragraph in this policy. Read it twice.

  • Website visitors and prospects — when you browse this site, fill in a form or email our sales team, Excis is the data controller. This policy governs that relationship.
  • Pulse product users (your employees) — when your organisation deploys the Pulse agent to staff devices, your organisation is the data controller. Excis processes that data on your behalf under our Data Processing Agreement. Employees with questions about how their data is used should contact their own employer first.

In short: on this website, ask us. On a device your employer runs Pulse on, ask your employer — we can't share that data with the data subject without their employer's instruction.

3. What personal data we collect

As controller (website & sales)

| Category | Examples | Source |
| --- | --- | --- |
| Identity & contact | Name, business email, employer, job title, phone | You, via forms or email |
| Account credentials | Hashed password, MFA secret | You, at signup |
| Billing | Billing address, VAT number, payment-method reference | You, our payment processor (see Sub-processors) |
| Website usage | IP address, browser, pages visited, referrer | Server logs, optional analytics if you accept cookies |
| Support & correspondence | Tickets, emails, transcripts | You, our support team |

As processor (Pulse product data, on behalf of your employer)

Where the Pulse agent runs on a device your employer manages, the agent may capture:

  • Device identifier (a randomly generated UUID — not your name)
  • Operating system, hostname and Pulse agent version
  • Foreground window title and process name
  • Idle and active periods (timestamps and durations)
  • JPEG-compressed screenshots, if your employer enables them
  • Network connectivity events (online/offline)

What it never captures, by design:

  • Keystrokes or clipboard contents
  • Email, chat or document contents
  • Webcam, microphone or location data
  • Anything matching your employer's configured redaction rules (password managers, banking, healthcare apps, etc.)
  • Anything outside the configured working-hours window, if set

4. Why we collect it

  • Operate the service — authenticate you, deliver the dashboard, send transactional email.
  • Bill you — process payments, send invoices, handle refunds.
  • Support & security — answer your questions, detect abuse, investigate incidents.
  • Improve the product — aggregated, non-identifying telemetry about features used.
  • Legal compliance — meet our obligations under tax, accounting and data protection law.

5. Legal basis for processing

| Purpose | Legal basis (GDPR Art. 6) |
| --- | --- |
| Delivering the service you signed up for | Contract — Art. 6(1)(b) |
| Billing & accounting | Legal obligation — Art. 6(1)(c) |
| Sales contact, security, product analytics | Legitimate interest — Art. 6(1)(f) |
| Optional marketing email | Consent — Art. 6(1)(a) (you can withdraw any time) |
| Non-essential cookies | Consent — Art. 6(1)(a) |

6. How long we keep it

| Data | Retained for |
| --- | --- |
| Sales leads who didn't convert | 24 months from last contact, then deleted |
| Active customer account data | Duration of subscription + 12 months |
| Invoices & tax records | 7 years (HMRC requirement) |
| Pulse product data (controller = customer) | Per the customer's chosen retention tier; deleted 90 days after subscription ends |
| Server logs | 30 days |
| Backups | Encrypted, 35-day rolling window, EU-only |

7. Who we share data with

We do not sell personal data. We share it only with:

  • Sub-processors we use to deliver the service — hosting, email, payments, support tooling. The complete current list is at Sub-processors.
  • Your employer, where Pulse data is collected on their behalf.
  • Law enforcement or regulators, where legally compelled. We publish an annual transparency report.
  • Professional advisors (lawyers, auditors) under confidentiality.

8. International transfers

All Pulse customer data is processed and stored in the European Union. Production runs in Frankfurt (DE); the disaster-recovery replica is in Amsterdam (NL). Backups stay in the EU.

A small number of sub-processors involved in website and support operations may process data outside the EU. Where that happens, we rely on the European Commission's Standard Contractual Clauses (Module 2 or 3, as applicable) together with the UK Addendum, and we apply additional technical measures (encryption, pseudonymisation). See the Sub-processors page for the per-vendor location.

9. Your rights

Under the GDPR and UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Have it rectified if inaccurate
  • Have it erased, where the legal basis no longer applies
  • Restrict or object to its processing
  • Receive a portable copy in a structured, machine-readable format
  • Withdraw consent at any time, without affecting the lawfulness of prior processing
  • Lodge a complaint with a supervisory authority — for the UK, that's the ICO; in the EU, your local DPA

To exercise any of these rights, email [email protected]. We respond within 30 days (usually within 5 business days). We may ask you to verify your identity before disclosing personal data.

If your employer deployed Pulse on your work device and you want to exercise a data-subject right against that data, contact your employer's DPO. We will direct you there because we can only act on your employer's documented instructions.

10. Security

We hold ourselves to the controls described in our Security & compliance overview: encryption in transit (TLS 1.3) and at rest (AES-256), least-privilege access, MFA-enforced administration, quarterly penetration tests, and 24/7 incident response.

11. Changes to this policy

We update this policy when our practices or sub-processors change. Material changes are announced by email to account admins at least 30 days before they take effect. The version number and date at the top of this page always reflect the current state.

12. Contact us

For privacy questions, data-subject requests, or breach notifications:

  • Email: [email protected]
  • Data Protection Officer: [email protected]
  • Post: Data Protection Officer, Excis Compliance Ltd., 1 Northumberland Avenue, Trafalgar Square, London WC2N 5BW, United Kingdom
  • EU representative: Excis Compliance B.V., Amsterdam, Netherlands — [email protected]
© 2026 Excis Compliance Ltd. All rights reserved. Registered in England & Wales. Excis Pulse is a product of Excis Compliance Ltd.