Privacy Policy

Pulse is a product of Hatched Digital, a New Zealand-based digital agency. When this policy says “we”, “our”, or “Pulse”, it refers to Hatched Digital trading as Pulse Analytics.

Contact: hello@hatched.digital

Pulse is a website analytics and conversion optimisation tool. It tracks how visitors interact with our customers’ websites — page loads, scroll behaviour, clicks, form interactions, and exit intent — and uses AI to generate actionable recommendations.

• No cookies. Pulse does not set, read, or require any browser cookies.
• No IP addresses. IP addresses are stripped before storage. They are never written to disk or transmitted to any analytics pipeline.
• No personal data. We do not collect names, emails, device IDs, fingerprints, or any information that identifies an individual visitor.
• No form values. We track field names (e.g. “email”, “name”) to measure friction, but never the content typed into fields.
• No cross-site tracking. Visitors cannot be tracked across different websites.

For each event sent by the tracker script, we store:

• Event type (pageview, scroll, click, rage_click, exit_intent, etc.)
• Page path (e.g. /pricing)
• Anonymised session identifier (random, per-tab, not persistent)
• Viewport dimensions and breakpoint category
• Referrer category (e.g. organic, paid, social — not the full URL)
• OS family and browser family (derived from User-Agent, then discarded)
• Event-specific data: scroll milestone %, grid coordinates, field name, element selector
• UTM parameters (if present in the URL)

All data is stored in AWS infrastructure in the ap-southeast-2 (Singapore) region. Data is encrypted at rest using AES-256 (S3 SSE).

When you create a Pulse account, we store:

• Email address (login identifier)
• Hashed password (bcrypt, never stored in plain text)
• Company name (optional)
• Site URLs and configuration
• Billing information processed via Stripe (we do not store card numbers)

• Analytics aggregation: Raw events are aggregated weekly into per-page statistics.
• AI report generation: Aggregated (not raw) data is sent to AWS Bedrock (Claude) to produce actionable recommendations. No personal data reaches the AI model.
• Billing: Usage data (pageview counts per site) is used for plan enforcement and overage metering via Stripe.

• Raw events (S3): 13 months, then automatically deleted via lifecycle policy.
• Aggregated reports: Retained for the lifetime of the account.
• Account data: Retained until the account is deleted. You can request deletion at any time by emailing hello@hatched.digital.

We use the following third-party services:

• AWS (Amazon Web Services): Infrastructure — DynamoDB, S3, Lambda, Bedrock. Region: ap-southeast-1.
• Stripe: Payment processing. Stripe’s privacy policy applies to billing data.
• AWS Amplify: Application hosting.

We do not sell, share, or transfer visitor analytics data to any third party.

Because Pulse does not collect personal data as defined by the GDPR (no IP addresses, no cookies, no device fingerprints, no identifiers), the processing of website visitor data does not require a legal basis under GDPR Article 6.

No consent banner required. Websites using Pulse do not need to display a cookie consent banner for Pulse tracking.

For account holder data (email, password), our legal basis is contract performance (Art. 6(1)(b)).

Pulse does not sell personal information. Because we do not collect data that identifies individual visitors, website visitor data does not constitute “personal information” under the CCPA.

• All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
• Passwords hashed with bcrypt (12 rounds)
• Rate limiting on authentication endpoints
• Content Security Policy and Permissions-Policy headers
• API key authentication for tracker endpoints
• No sensitive fields exposed in API responses

You can request access to, correction of, or deletion of your account data at any time by emailing hello@hatched.digital.

Because visitor analytics data is anonymous and cannot be linked to an individual, data subject access requests (DSARs) for visitor data cannot be fulfilled — there is no personal data to return.

We may update this policy from time to time. Material changes will be communicated via email to account holders and posted on this page.