Privacy Policy

Last updated: April 27, 2026
Effective: April 27, 2026

At a glance

We’re Pulse Cards, a digital business card you can share with anyone via QR code or link. Pulse Cards is a service offered by Douglas Business Group, LLC.
We collect what we need to run the service: your account email, the content you publish on your card, basic request metadata (IP address, browser, country/city) for analytics and abuse prevention, and billing identifiers from our payment processor when you subscribe.
We do not sell your personal information, share it for cross-context behavioral advertising, or use it to train third-party AI models.
We use three subprocessors: Cloudflare (hosting, edge delivery, and platform-native error logging), Stripe (billing), and Resend (transactional email). No others.
You can export or permanently delete your entire account from Settings → Account at any time.
U.S. residents (every state), EEA/UK residents, and Canadian residents have specific privacy rights described in Section 13.

Who we are
Scope of this policy
Information we collect
Categories of personal information
Sources of personal information
How we use your information
How we share your information
No sale, no sharing for advertising, no AI training
Cookies and similar technologies
International data transfers
How long we keep information
Data security
Your privacy rights
Children’s privacy
If you submitted a lead form on someone’s card
Marketing communications
Automated decision-making
Third-party links
Do Not Track
Changes to this policy
Contact us

1. Who we are

Pulse Cards (“Pulse Cards,” “we,” “us,” “our”) is a service offered by Douglas Business Group, LLC, a Wyoming limited-liability company doing business as “Pulse Cards”, with its registered office at 30 N Gould St, Ste 5769, Sheridan, WY 82801. Douglas Business Group, LLC is the controller responsible for the personal information described in this policy. References to “you” mean the individual reading this policy or whose personal information we process.

For privacy questions or to exercise your rights, use our feedback form (or email privacy@pulse.cards if you prefer). For general support, use our feedback form.

2. Scope of this policy

This Privacy Policy applies to personal information we process in connection with:

our websites at pulse.cards, app.pulse.cards, and api.pulse.cards;
the digital business cards we host on your behalf;
the lead-capture form embedded on those cards;
our customer support, billing, and marketing communications.

It applies to three groups of people: (a) account holders, (b) paying customers, and (c) card visitors (including people who submit a contact form on a card — see Section 15).

It does not apply to third-party websites that link to or from Pulse Cards. Those services have their own privacy practices.

3. Information we collect

3.1 Information you provide

Account information: email address; optional display name; on paid plans, a chosen username for your public URL.
Card content: any information you publish on your card — name, title, company, phone, email, website, social handles, address, organization, department, birthday, free-form notes, and any photo or media you upload. This content is intended to be public.
Billing information: when you subscribe, payment-card details are collected and stored by our payment processor, Stripe. We never see or store your full card number, CVC, or full expiration. We retain a Stripe customer ID, subscription ID, subscription status, plan tier, and trial dates.
Support correspondence: messages you send to our support, security, or legal email addresses, including any attachments.
Survey or feedback responses if you choose to provide them.

3.2 Information collected automatically

When anyone (including you) visits Pulse Cards or views a card, we automatically collect:

Request metadata: IP address, user-agent string, approximate country and city derived from the IP address, device type (mobile, tablet, desktop), referrer URL, and timestamps. We do not request or use precise GPS location.
Marketing campaign parameters: if a card or link includes UTM parameters (e.g. utm_source, utm_medium, utm_campaign, utm_term, utm_content), we record them so we can attribute the visit to a campaign you created.
Session identifiers used to deduplicate views and tie a session to its actions (taps on a contact link, vCard downloads, lead-form submissions).
Aggregate hosting and security logs produced by our hosting provider, Cloudflare, including network-layer access logs and bot/abuse signals.

3.3 Information about your card visitors

When someone views your card or submits the contact form on it, we collect the items in Section 3.2 about them, plus any details they provide (name, email, phone, company, message). For the legal allocation of responsibility for that data, see Section 15.

3.4 Information from service providers

We may receive limited information from our subprocessors:

Stripe sends us subscription status updates and identifiers via webhook when you subscribe, renew, downgrade, or cancel.
Resend may report delivery, bounce, and spam-complaint events for transactional emails we send to you.

4. Categories of personal information

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), the following categories of personal information have been collected from or about California residents in the prior 12 months. The same categories apply to residents of other U.S. states with comprehensive privacy laws.

Identifiers — name, email address, username, IP address, account identifiers, Stripe customer ID, session identifiers.
Customer records — billing-related identifiers and subscription status (full payment-card details are held by Stripe, not by us).
Commercial information — subscription plan, trial dates, billing history, products considered.
Internet/network activity — pages viewed, links clicked, vCard downloads, referrer URLs, UTM parameters, user-agent string, request timestamps.
Geolocation data — approximate country and city derived from IP address; no precise GPS location.
Professional/employment information if you put it on your card — job title, employer, organization, department, address.
Inferences — we draw very limited inferences (e.g., mobile-vs-desktop, scan-converted-to-lead) for the analytics we show you about your own card. We do not build profiles for advertising.
Sensitive personal information — we do not intentionally collect any of the categories that California treats as sensitive (Social Security number, government IDs, financial-account credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, mail/email/text contents, genetic data, biometric data, health data, sexual orientation). If you choose to publish such information on your card, you do so at your discretion.

5. Sources of personal information

Directly from you when you create an account, build your card, configure your settings, subscribe, or contact us.
From your devices when you or a card visitor accesses our service (request metadata, cookies described in Section 9).
From card visitors who submit a contact form on a card you operate.
From our subprocessors (Stripe, Resend) for billing and email delivery events.
From public sources only as needed to verify identity for rights-requests (we do not buy data from data brokers).

6. How we use your information

We use personal information for the following business and commercial purposes:

Provide the service. Create and authenticate your account (we use passwordless magic-link sign-in), render and serve your card to people you share it with, generate QR codes and vCards, deliver the dashboard and analytics for your own card.
Lead capture. Receive contact-form submissions on your card, store them for you to view, and notify you by email (Pro plans).
Process payments. Run subscription billing, trials, renewals, cancellations, refunds, and tax handling, in conjunction with Stripe.
Communicate with you. Send transactional email (sign-in links, billing receipts, lead notifications, security or service notices, trial-expiry reminders, essential changes to these policies).
Provide support. Respond to your questions, troubleshoot issues, and investigate complaints.
Protect the service. Detect, investigate, and prevent fraud, abuse, spam, scraping, credential-stuffing, denial-of-service attacks, and other security incidents; enforce our Terms of Service.
Improve the product. Aggregate, anonymized analysis of usage to plan features and fix bugs. We do not condition any feature on accepting analytics, and we do not personalize advertising.
Comply with law. Respond to lawful requests, protect rights and safety, and keep records required by tax, accounting, and consumer-protection rules.

7.1 Service providers (subprocessors)

We share the minimum personal information necessary with the vetted subprocessors below. Each is bound by contract to use the data only to provide services to us, to keep it secure, and to comply with applicable privacy laws.

Cloudflare, Inc. — hosting (Cloudflare Workers, D1, KV), edge delivery, DNS, DDoS protection, bot management, and Turnstile spam protection on the lead form. cloudflare.com/privacypolicy.
Stripe, Inc. — subscription billing, payment processing, fraud protection, and tax computation. Stripe is the controller of your payment-card data, not us. stripe.com/privacy.
Resend, Inc. — transactional email delivery (sign-in links, billing-related notifications, lead-capture notifications, trial-expiry reminders, security notices). resend.com/legal/privacy-policy.

Error monitoring is handled by Cloudflare’s native Workers Observability platform (logs and traces emitted by our own workers running on Cloudflare’s infrastructure). We do not use a third-party error-monitoring subprocessor.

These are our only subprocessors as of the date above. If we engage a new subprocessor that will materially affect the categories of data shared, we will update this section before the change takes effect.

7.2 Card owners

If you submit a contact form on someone’s card, the information you provide is delivered to that card owner. The card owner controls how your information is used after that point. See Section 15.

7.3 Legal disclosures

We may disclose personal information when we have a good-faith belief that doing so is necessary to: (a) comply with a subpoena, court order, search warrant, or other lawful process; (b) enforce our Terms of Service; (c) detect, investigate, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Pulse Cards, our users, or the public.

7.4 Business transfers

If Douglas Business Group, LLC is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, personal information may be transferred as part of that transaction. We will notify account holders by email or in-product notice before any transfer that would change the controller of your data and give you a reasonable opportunity to delete your account first.

7.5 With your direction or consent

We may share information at your explicit direction (for example, when you choose to share your public card link) or with your consent.

8. No sale, no sharing for cross-context behavioral advertising, no AI training

We do not “sell” personal information for money or other valuable consideration. We do not “share” personal information for cross-context behavioral advertising. We do not license, sell, or otherwise make personal information available to third parties to train artificial intelligence or machine-learning models.

We have not engaged in such sales or sharing in the prior 12 months and have no current plans to do so. If that ever changes, we will update this policy and provide the rights and notices required by law (including the right to opt out).

9. Cookies and similar technologies

Pulse Cards uses a small number of strictly-necessary cookies and similar technologies. We do not use third-party advertising cookies, analytics cookies, or cross-site tracking pixels.

Name	Purpose	Duration	Type
`pulse-cards-session`	Authenticated session cookie. `HttpOnly`, `Secure`, `SameSite=Lax`. Required to keep you signed in.	24 hours after last sign-in	Strictly necessary
CSRF synchronizer token	Held in browser memory only (not a cookie). Prevents cross-site request forgery on state-changing API calls.	Session	Strictly necessary
Cloudflare bot-management tokens (e.g. `__cf_bm`)	Cloudflare may set short-lived cookies to identify trusted clients and block automated abuse. Set by Cloudflare, not us.	Up to 30 minutes	Strictly necessary (security)

Because we use only strictly-necessary cookies and do not run third-party trackers, we do not display a cookie consent banner. If we ever add optional cookies, we will request consent in a manner consistent with applicable law before setting them.

10. International data transfers

Pulse Cards is operated from the United States. Our subprocessors (Cloudflare, Stripe, Resend) operate globally and may process personal information in the United States, Europe, and other jurisdictions. By using the service, you understand that your information may be transferred to and processed in countries whose data-protection laws may differ from those of your country of residence. Where required by law, we rely on Standard Contractual Clauses, the EU-U.S. Data Privacy Framework, or equivalent transfer mechanisms.

11. How long we keep information

We keep personal information only as long as we need it for the purposes described above:

Account, card, and analytics data — for as long as your account is active.
After account deletion — we delete your personal information within 30 days, except for limited records we are legally required to keep (see below).
Lead-form submissions — retained for as long as the receiving card owner’s account is active. The card owner may delete individual leads at any time. When the card owner’s account is deleted, the leads are deleted with it.
On subscription cancellation — lead-form submissions, campaign data, and view analytics collected during a paid subscription are retained for 45 days after cancellation, then permanently deleted from our live database. Backups containing this data may persist up to an additional 35 days before being rotated out. Re-subscribing within the 45-day window restores all data. GDPR Article 17 erasure requests are honored immediately. Anonymized aggregate event rows in Cloudflare Analytics Engine age out within 90 days per Cloudflare’s platform retention; we do not expose this data to canceled accounts.
Billing and tax records — retained for at least seven years from the end of the related tax year, or longer if required by law.
Subscription event records (Stripe webhook log, idempotency keys) — up to two years for fraud prevention and dispute resolution.
Authentication logs and security records — up to 13 months.
Customer support correspondence — up to three years after the most recent message.
Backups — backups containing deleted data may persist for up to 35 days before being rotated out.

12. Data security

We use a defense-in-depth approach informed by industry standards:

TLS 1.2+ encryption for all traffic in transit.
HttpOnly, Secure, SameSite session cookies; CSRF synchronizer tokens stored server-side.
Hashed verification tokens at rest so that a database leak cannot directly hijack pending email changes or sign-in flows.
Rate limiting and abuse detection on authentication endpoints, lead submissions, and general API traffic.
A strict Content Security Policy, HSTS, X-Frame-Options, and other modern security headers.
The Cloudflare security stack (WAF, DDoS protection, bot management).
Principle-of-least-privilege access controls for our team; admin actions are recorded in an audit log.

No system can be made completely secure. If we become aware of a breach affecting your personal information, we will notify you and the appropriate authorities without undue delay and consistent with applicable law.

13. Your privacy rights

13.1 Rights available to all users

Regardless of where you live, you can use the self-service tools at Settings → Account to:

Access your data — the “Export My Data” button downloads a complete JSON copy of your profile, cards, fields, leads, campaigns, and analytics history.
Correct your information — edit your card content, profile, and settings at any time.
Delete your account permanently — the “Delete Account” button cancels any active subscription, removes all of your owned data, and revokes all sessions.
Opt out of non-essential communications — we do not send marketing email by default; if we ever do, every message will include an unsubscribe link.

For requests beyond these self-service tools, use our feedback form (or email privacy@pulse.cards). We will respond within the time required by applicable law (typically 30 to 45 days).

13.2 EEA, United Kingdom, and Switzerland (GDPR / UK GDPR / FADP)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:

Access a copy of the personal data we process about you.
Rectify inaccurate or incomplete data.
Erase your data (the “right to be forgotten”).
Restrict or object to certain processing.
Receive your data in a structured, commonly used, machine-readable format (portability).
Withdraw consent where processing is based on consent.
Lodge a complaint with your local data-protection authority.

Our legal bases for processing under the GDPR are:

Contract (Article 6(1)(b)) — to provide the service you signed up for, including paid subscriptions.
Legitimate interests (Article 6(1)(f)) — to secure the service, prevent abuse and fraud, deliver the analytics card owners expect, and improve the product. We balance these interests against your rights and freedoms.
Legal obligation (Article 6(1)(c)) — to retain billing records and respond to lawful requests.
Consent (Article 6(1)(a)) — where required for optional processing.

13.3 United States — state privacy rights

Residents of states with comprehensive privacy laws (including but not limited to California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia) have the following rights, subject to the conditions and exceptions of their local statute:

Right to know / right of access — confirm whether we process your personal information and obtain a copy.
Right to delete personal information we have collected from you.
Right to correct inaccurate personal information.
Right to data portability — receive your data in a portable format.
Right to opt out of (a) the sale of your personal information, (b) sharing for cross-context behavioral advertising, and (c) certain types of profiling. As described in Section 8, we do not engage in any of these activities.
Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes beyond providing the service.
Right to non-discrimination — we will not deny service, charge a different price, provide a different level of quality, or retaliate against you for exercising these rights.
Right to appeal a denial of a privacy request — if we deny your request, you may appeal by replying to our denial email; if your appeal is denied, you may complain to your state Attorney General.

13.4 California-specific disclosures

California residents have the rights above under the CCPA, plus the following additional information:

Categories collected, sources, purposes, and recipients: see Sections 3, 4, 5, 6, and 7.
Categories sold or shared: none (see Section 8).
Categories disclosed for a business purpose: identifiers, customer records, commercial information, and internet/network activity, as needed to provide the service to you and disclosed only to the subprocessors named in Section 7.1.
Notice of financial incentive: we do not offer financial incentives in exchange for personal information.
Shine the Light: California residents may request information about our disclosures of personal information to third parties for direct-marketing purposes. We do not make such disclosures.
Authorized agents: you may designate an authorized agent to exercise rights on your behalf. We will require written, signed permission from you and may verify your identity directly. Use our feedback form or email privacy@pulse.cards.

13.5 Verification of requests

To protect your information, we will verify rights requests through the email on file for your account. For requests not associated with an account (for example, a card visitor who submitted a lead form), we may ask you to confirm details we already hold about you, such as the email address used at submission.

14. Children’s privacy

Pulse Cards is not directed to children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has provided personal information to us, use our feedback form or email privacy@pulse.cards and we will delete it.

We comply with the U.S. Children’s Online Privacy Protection Act (COPPA) by prohibiting the use of Pulse Cards by children under 13. If we learn that we have collected information from a child under 13 without verifiable parental consent, we will delete that information promptly.

15. If you submitted a contact form on someone’s card

Pulse Cards is a tool used by individuals and businesses to share their contact information and capture follow-ups. When you submit a contact form (the “Let’s Connect” form) on someone’s card:

The card owner is the data controller of your submission. They decide how your information is used (whether to follow up with you, add you to their contacts, or otherwise process the information).
Pulse Cards acts as a processor on the card owner’s behalf. We store your submission so the card owner can view it in their dashboard, send the card owner an email notification (Pro plans), and apply the security and abuse-prevention described above. We do not use your information to market Pulse Cards to you, build profiles, or train AI models.
To exercise privacy rights against the card owner, contact them directly using the contact information on their card. The card owner is responsible for responding.
To exercise rights against us (for example, to ask us to delete a submission from our systems), use our feedback form (or email privacy@pulse.cards). If you cannot reach the card owner, we will use commercially reasonable efforts to facilitate your request.

16. Marketing communications

We do not currently send marketing email. Every email we do send (sign-in links, billing receipts, lead notifications, trial-expiry reminders, security or service announcements) is transactional and necessary to provide the service. If we ever introduce optional marketing email, every message will include a one-click unsubscribe link, and we will only send to addresses that affirmatively opt in.

17. Automated decision-making

We do not use personal information for automated decision-making that produces legal or similarly significant effects on you. We do use automated systems (rate limiting, bot detection, Cloudflare Turnstile on the lead form) to detect and prevent abuse; these systems may temporarily block traffic, but you can contact us if you believe a block is in error.

18. Third-party links

Cards may include links you choose to publish (your website, social profiles, etc.). When a visitor follows one of those links, the destination’s own privacy practices apply. We are not responsible for the privacy practices of websites or services we do not operate.

19. Do Not Track

Many browsers offer a “Do Not Track” signal. Because Pulse Cards does not engage in cross-site tracking or behavioral advertising, there is nothing for the signal to disable. Where required by law, we treat the Global Privacy Control (GPC) signal as a valid opt-out of any sale or sharing.

20. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top always reflects the current version. If we make material changes (for example, adding a new category of personal information, a new subprocessor that materially changes how data is processed, or a new purpose of processing), we will notify account holders by email or by an in-product notice before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.

21. Contact us

For privacy questions, requests, or complaints, use our feedback form. You can also email privacy@pulse.cards or write to:

Douglas Business Group, LLC
d/b/a Pulse Cards
Attn: Privacy Officer
30 N Gould St, Ste 5769
Sheridan, WY 82801
United States

For general support, use our feedback form.

California residents may also contact the California Attorney General’s Office to report a privacy concern at oag.ca.gov.