Privacy Policy

Last Updated: June 24, 2026  ·  Effective Date: June 24, 2026

In Plain Language

PulsePoint Strategic is a done-for-you business-development service. We monitor public business events ("signals"), build datasets of professional business contacts who are likely to need our customers' services, use artificial intelligence to draft outreach about those events, and present that outreach in a dashboard where our customer reviews and approves it before anything is sent. This Privacy Policy explains what personal information we collect, where it comes from, how we use it, who we share it with, how long we keep it, and the rights you have — including if you are a business professional whose information appears in our datasets even though you never signed up with us. We rely on legitimate interests (not consent) to process business-contact data, you can opt out at any time, and a human approves every message before it is sent.



1. Who We Are and Scope of This Policy

PulsePoint Strategic ("PulsePoint," "we," "us," or "our") is a business-development intelligence and outbound-execution service operated by Ty Bibas as a sole proprietorship doing business as "PulsePoint Strategic." References in this Policy to PulsePoint include Ty Bibas in his individual capacity and any successor entity that later operates the business (including any limited liability company or corporation formed to continue it).

This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with:

  • our website at pulsepointstrategic.com and related subdomains (the "Site");
  • our customer dashboard and the services we provide to our business customers (the "Services"), including our signal-intelligence platform, our done-for-you outbound program, and Command F, our knowledge-retrieval tool; and
  • the business-contact datasets we build, enrich, and maintain so that our customers can identify and reach relevant prospects.

This Policy does not apply to the independent privacy practices of our customers, the third-party data providers from whom we obtain information, or any third-party website or service we link to. Our customers are responsible for their own privacy practices and for their lawful use of the outreach we prepare for them.

2. The Two Groups of People This Policy Covers

We handle personal information about two distinct groups, and your rights and our practices differ depending on which group applies to you:

(a) Customers and Website Visitors. These are the people who sign up for, pay for, administer, or inquire about our Services, and people who visit our Site. We collect this information directly from you when you create an account, contact us, book a meeting, or use the dashboard.

(b) Business Contacts (Data Subjects). These are professionals whose work-related information we collect from public and third-party sources and include in the datasets we build for our customers, and who may receive outreach prepared through our Services. If you received an email referencing this Policy and you never created a PulsePoint account, you are in this group. We did not collect your information from you directly; Sections 5, 9, 11, and 13 explain where it came from, why we may process it, and how to opt out or request deletion.

3. Information We Collect From Customers and Website Visitors

When you sign up for, use, or inquire about the Services, we collect:

CategoryExamples
Account and identity dataName, business email address, the company you represent, role/title, dashboard login credentials (passwords are stored only as cryptographic hashes by our authentication provider).
Customer content and configurationYour ideal-customer profile, target criteria, voice and tone preferences, case studies, and other materials you provide to configure the Services; edits and feedback you give on drafts.
Command F documentsThe documents, files, and knowledge you upload or connect for retrieval through Command F. We process these solely to provide the Command F service to you.
Email-sending credentials and connectionsWhere you connect a mailbox, the OAuth authorization tokens (for Google/Gmail) or mailbox app-password references needed to send and synchronize email on your behalf. Credentials are held in encrypted storage (see Section 16).
Billing and transaction dataThe information needed to invoice and be paid under your service agreement. We price on a custom basis and invoice directly; we do not process card payments on the Site.
Communications and support dataMessages, requests, and correspondence you send us, and meeting-scheduling information when you book time with us (currently through Calendly, a third-party scheduling tool).

4. Information We Collect Automatically

When you use the dashboard, we and our infrastructure providers automatically collect limited operational data such as log records, device and browser information, IP address, and usage events, for security, debugging, and to operate and improve the Services.

Marketing Site cookies and analytics. As of the Effective Date, our public marketing Site does not load third-party advertising or analytics cookies or tracking pixels. If we add analytics or advertising technologies in the future, we will update this Policy and provide any consent mechanism required in your jurisdiction before doing so. Section 10 separately describes the open-tracking and reply-monitoring that may apply to outreach email.

5. Business-Contact Data We Collect and Where It Comes From

To deliver the Services, we build and maintain datasets of professionals in their business capacity. We do not seek to collect personal information about individuals in their personal or consumer capacity, and we do not knowingly collect special categories of data (such as health, biometric, racial or ethnic, political, or similar sensitive data). If special-category data is incidentally captured from a public source, we delete or suppress it and do not use it to make decisions or to target outreach.

Categories of business-contact data we collect:

CategoryExamples
Professional identifiersFull name; business email address; job title or role.
Employer and company dataCompany name, company website/domain, industry, size, and other public firmographic details.
Professional profile dataLinkedIn or other public professional-profile URLs; publicly listed business phone number where available.
Signal and event dataThe public business event tied to the contact or their company (for example, a leadership hire, funding round, lease signing, acquisition, regulatory filing, or expansion), and the source where we observed it.
Outreach dataThe outreach drafts we generate referencing the signal, the status of any outreach (for example, pending, sent, opened, replied), and reply content where a contact responds.

Where this data comes from. We obtain business-contact data from:

  • Publicly available sources on the internet — company websites, news articles, and press releases, which we discover and read using web-search and content-retrieval tools (including Exa and Jina);
  • Public regulatory and securities filings — including U.S. Securities and Exchange Commission EDGAR filings, U.K. regulatory announcements, and European regulatory disclosures;
  • Public professional profiles, including LinkedIn, identified through search tools (including Serper) and, in limited cases, public-profile data services (including Apify);
  • Third-party data and email-enrichment providers — we use these providers to find, complete, and verify business email addresses and related professional details. Our providers include AnyMailFinder and Prospeo, and, in fallback scenarios, may include Hunter and Apollo. When we query these providers, we send them limited data (such as a person's name and their employer's domain) so they can return or verify a business email address; and
  • Our customers, who may provide target criteria, lists, or context.

6. How We Use Information

We use the information described above to:

  • provide and operate the Services, including monitoring public signals, building and enriching business-contact datasets, scoring and prioritizing opportunities, generating outreach drafts, and presenting them in the customer dashboard for human review and approval;
  • send approved outreach on a customer's behalf through secondary sending domains and connected mailboxes, and synchronize replies (see Section 10);
  • provide Command F, by retrieving and generating answers from a customer's own documents;
  • operate, secure, debug, and improve the Services and our infrastructure;
  • communicate with customers about their account, support requests, and service updates;
  • handle billing and administer service agreements; and
  • comply with law and enforce our terms, including honoring opt-out, deletion, and suppression requests.

We do not use the content of a customer's Command F documents, or business-contact data, to train, fine-tune, or improve any general-purpose or foundational AI model, and (as described in Section 7) the AI providers we use are contractually restricted from using the data we submit to train their models.

7. How We Use Artificial Intelligence

Artificial intelligence is central to how the Services work, and we want to be transparent about it.

  • What the AI does. We use large language models to (i) evaluate whether a discovered signal and company are relevant to a customer's criteria, (ii) draft personalized outreach tied to a specific public event, and (iii) power the conversational retrieval in Command F. The AI assists with research, evaluation, and drafting.
  • Which providers. We use Anthropic (Claude models, including Claude Haiku and Claude Sonnet) and OpenAI (GPT models, including GPT-4o and GPT-4o-mini). To provide the Services, we send these providers the data needed for the task — for example, article text, company information, signal details, and the criteria for a draft. We use these providers under the commercial API terms applicable to our account, under which they act as our service providers and are contractually restricted from using the content we submit to train their models. These providers may retain submitted content for a limited period for security and abuse-monitoring purposes under their terms. Provider terms can change; we monitor them and adjust our configuration to maintain this posture.
  • A human is always in the loop for outreach. Our AI prepares drafts; it does not send them. No outreach email is sent until a human at our customer reviews and approves it. You are not subject to a decision that produces legal or similarly significant effects based solely on automated processing. The act of receiving a cold business email is not such a decision.
  • AI output may be imperfect. AI-generated drafts and Command F answers can contain errors. Our customers are responsible for reviewing outreach before approving it, and Command F answers should be independently verified before being relied upon.

8. How We Share Information; Sub-Processors

We share personal information only as described here. We do not sell business-contact data, and we do not operate a self-serve database that anyone can buy. We act as a service provider to each client: we source and enrich prospects for that client's defined target profile, for that client's exclusive use, under a contract that prohibits us from reusing that data for any other client or for our own independent purposes. Because we provide the data only to the client on whose behalf we collected it, and not to unrelated third parties, our disclosures to clients are made as a service provider rather than as a sale.

We share information with:

  • Our customers — each customer receives the business-contact data, signals, and outreach drafts prepared for that customer. Customer data is isolated by tenant; one customer cannot access another customer's data.
  • Service providers and sub-processors that operate our infrastructure and perform functions on our behalf, under contracts that limit their use of the data. Our principal sub-processors are:
Sub-ProcessorFunctionLocation
SupabaseDatabase, authentication, and encrypted secret storageUnited States
ModalApplication compute and job orchestrationUnited States
CloudflareDNS, edge hosting, and email-queue triggeringUnited States / global
AnthropicLarge-language-model processing (vetting, drafting, retrieval)United States
OpenAILarge-language-model processing (vetting, classification)United States
Exa; JinaPublic-web signal discovery and article content retrievalUnited States / global
Serper; ApifyPublic search and public-profile dataUnited States / global
AnyMailFinder; Prospeo; (fallback) Hunter; ApolloBusiness email discovery and verificationUnited States / global
Resend; Google (Gmail/IMAP/SMTP)Email sending and reply synchronizationUnited States / global
CalendlyMeeting scheduling for prospective and current customersUnited States

We maintain a current list of sub-processors and will update it as our vendors change. To request the most current list, contact us using Section 20.

  • Professional advisors and authorities — we may disclose information to comply with law, respond to lawful requests, enforce our agreements, or protect rights, safety, and property.
  • In a corporate transaction — if the business is incorporated, sold, merged, financed, or reorganized, information may be transferred as part of that transaction, subject to this Policy.

10. Email Sending, Open Tracking, and Reply Monitoring

When a customer approves an outreach message, it is sent on the customer's behalf, typically from a secondary sending domain we provision and warm up to protect the customer's primary domain, and/or through the customer's connected mailbox. Our tools are designed to include the sender's identity, a physical postal address, and a working way to opt out in each message, and to support opt-out honoring as required by the U.S. CAN-SPAM Act and, for Canadian recipients, Canada's Anti-Spam Legislation (CASL). As described in our Terms of Service, the customer who approves a message is its legal sender and is responsible for the accuracy of the address used, the truthfulness of the content, and the lawful basis for contacting each recipient.

  • Open tracking. Outreach email may include a small (1×1 pixel) tracking image that, when your email client loads it, tells us that the message was opened and when. We use this to help our customers gauge engagement.
  • Reply monitoring. We synchronize replies to the connected mailbox so the customer can respond and so we can detect opt-out requests.
  • Your controls and our legal posture. Where applicable law — including the EU ePrivacy Directive and the UK's PECR — requires a lawful basis before placing a tracking pixel, we will not apply open tracking without one. Because open tracking works only when your email client loads a remote image, you can prevent it at any time by configuring your email client to block remote or external images, and many email clients block them by default. You can also opt out of all further outreach using the unsubscribe mechanism in any message or by contacting us (Section 20).

11. Your Rights and Choices

Depending on where you are and which group you fall into (Section 2), you may have some or all of the following rights: to access the personal data we hold about you; to correct inaccurate data; to delete your data; to object to or restrict processing (including the absolute right to object to direct marketing); to data portability; and to withdraw consent where we rely on it.

How to exercise your rights — including if you never signed up with us:

  • Opt out of all outreach / object to direct marketing: use the unsubscribe link in any message, reply asking to be removed, or email [email protected]. We honor opt-outs by adding you to a permanent suppression list so you are not contacted again. We action opt-outs no later than 10 business days as required by the U.S. CAN-SPAM Act, and give effect to unsubscribe requests within the period required by Canada's CASL.
  • Access, correction, or deletion: email [email protected] with enough detail for us to locate your record (for example, your name and employer). We will verify your request as appropriate and respond within the time required by applicable law — generally within one month under the GDPR/UK GDPR (extendable by two further months for complex requests) and within 45 days under the CCPA (extendable once). We will not discriminate against you for exercising your rights.

Where we process data on behalf of a customer (for example, Command F documents), we will refer your request to the relevant customer and assist them as required.

If you are in the EEA or UK and believe we have not handled your data properly, you may lodge a complaint with your local supervisory authority, though we hope you will contact us first.

12. Notice to California and Other U.S. State Residents

California (CCPA/CPRA). California's business-to-business exemption has expired, so California residents whose professional information we process have full rights, even though that information is business-related.

  • Categories of personal information we collect about business contacts: identifiers (name, business email), professional/employment information (title, employer), internet/profile information (public professional-profile URLs), and inferences/commercial information (signal relevance and scoring). Sources, purposes, and disclosures are described in Sections 5, 6, and 8.
  • "Sale" and "sharing." We do not sell or share personal information. We act as a service provider that sources and enriches prospects for a client's exclusive use under a contract that prohibits reuse or independent sale, so our disclosures to that client are not a "sale" or "sharing" under the CCPA. You may still opt out of all outreach and request deletion at any time (see below and Section 11).
  • Sensitive personal information. The only "sensitive personal information" we collect is account log-in credentials (for customers) and mailbox access credentials that customers connect. We use these solely to provide and secure the Services and to send and synchronize email as the customer directs; we do not use or disclose them to infer characteristics about anyone, and we do not use sensitive personal information for purposes that would trigger the right to limit. We do not collect sensitive personal information about the business contacts in our datasets.
  • Your California rights: to know/access, to delete, and to correct your personal information. Because we do not sell or share personal information, the opt-out of sale/sharing does not apply; you may nonetheless opt out of all outreach at any time.
  • Notice at collection. This Privacy Policy serves as our CCPA notice at collection. Because we collect most business-contact data from third-party and public sources rather than from you directly, we make this notice publicly available, and where we send outreach we link to it in the first message.
  • How to exercise: email [email protected], or use the opt-out and removal options we make available. We will respond within the timeframes the CCPA requires (generally 45 days, extendable once). You may use an authorized agent.

Other U.S. states. Most other state privacy laws (for example, Virginia, Colorado, Connecticut, Texas, Oregon, and Utah) currently exclude data processed in a purely business-to-business or employment context, which is the nature of the business-contact data we process. To the extent any state law applies to data we hold about you, we honor the rights it grants. Contact us using Section 20.

13. Our Status Under Data-Broker Laws

Some U.S. states (including California, Texas, Oregon, and Vermont) require "data brokers" to register. A data broker is generally a business that collects and sells personal information about consumers with whom it has no direct relationship. We do not operate that way: we act as a service provider that sources and enriches prospects for a single client's exclusive use, under a contract that prohibits reuse across clients or any independent sale, and we do not sell data to unrelated third parties. On that basis, we do not act as a data broker subject to these registration requirements. We monitor our activities against these definitions and will register, and comply with the associated deletion mechanisms, if and where that determination changes. If you wish to have your information deleted, see Section 11.

14. International Data Transfers

We are based in the United States, and our infrastructure and sub-processors are primarily located in the United States. If you are in the EEA, the UK, or another region with data-transfer restrictions, your personal information may be transferred to and processed in the United States and other countries that may not provide the same level of protection as your home jurisdiction.

When we transfer personal data out of the EEA or UK, we rely on appropriate safeguards, which may include the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, and, for vendors that are certified, the EU–U.S. / UK Extension Data Privacy Framework. To request information about the safeguards we use, contact us using Section 20.

15. Data Retention

We keep personal information for as long as it is needed for the purposes described in this Policy, and then delete or de-identify it. The periods below describe how long we retain each category, or the criteria we use to determine that period.

CategoryRetention
Account and identity data (customers)For the life of the customer relationship and up to 24 months afterward, to meet legal, accounting, tax, and dispute-resolution needs.
Command F documentsWhile the customer uses Command F; deleted or returned within 30 days of termination, except where the customer's service agreement specifies otherwise or where retention is legally required.
Business-contact dataUntil the related signal is no longer commercially relevant, until the data is no longer accurate or current, or until a valid deletion or opt-out request — whichever is earliest. We delete or de-identify on a valid deletion request within the periods required by applicable law.
Outreach and engagement records (sent messages, opens, replies)Retained while needed to support the customer relationship and recordkeeping, and then deleted or de-identified.
Suppression dataRetained indefinitely, but limited to the minimum needed (such as an email address) so that we do not contact you again. We do not use suppression-list data for any other purpose.
Account and mailbox credentialsFor the duration of the connection; deleted or revoked promptly when the connection is removed or the relationship ends.

16. Security

We use administrative, technical, and organizational measures designed to protect personal information, including access controls, tenant isolation so that one customer cannot access another's data, transport encryption, and encrypted storage of sensitive credentials (such as mailbox OAuth tokens and app passwords, which are held in encrypted secret storage). No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

If we become aware of a personal-data breach affecting your information, we will act without undue delay to investigate and contain it, and will notify affected individuals and applicable authorities (and, where we process data on a customer's behalf, that customer) where and within the time required by applicable law.

18. Children's Privacy

The Site and Services are intended for businesses and professionals and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

19. Changes to This Policy

We may update this Policy from time to time. When we do, we will revise the "Last Updated" date above and, where required by law or where changes are material, provide additional notice. For customers, continued use of the Services after an update means you accept the revised Policy. For business contacts who are not customers, your protections do not depend on accepting this Policy — you may exercise your rights, including objecting to processing or opting out, at any time as described in Section 11.

20. How to Contact Us

PulsePoint Strategic

Attn: Privacy — Ty Bibas

222 Purchase Street

Rye, NY 10580

United States

Email: [email protected]

If you are a business professional who received outreach and wish to opt out or have your information deleted, email us at the address above with your name and employer, and we will take care of it.

See also: Terms of Service