Last Updated: June 24, 2026 · Effective Date: June 24, 2026
In Plain Language
PulsePoint Strategic is a done-for-you business-development service. We monitor public business events ("signals"), build datasets of professional business contacts who are likely to need our customers' services, use artificial intelligence to draft outreach about those events, and present that outreach in a dashboard where our customer reviews and approves it before anything is sent. This Privacy Policy explains what personal information we collect, where it comes from, how we use it, who we share it with, how long we keep it, and the rights you have — including if you are a business professional whose information appears in our datasets even though you never signed up with us. We rely on legitimate interests (not consent) to process business-contact data, you can opt out at any time, and a human approves every message before it is sent.
Table of Contents
PulsePoint Strategic ("PulsePoint," "we," "us," or "our") is a business-development intelligence and outbound-execution service operated by Ty Bibas as a sole proprietorship doing business as "PulsePoint Strategic." References in this Policy to PulsePoint include Ty Bibas in his individual capacity and any successor entity that later operates the business (including any limited liability company or corporation formed to continue it).
This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with:
This Policy does not apply to the independent privacy practices of our customers, the third-party data providers from whom we obtain information, or any third-party website or service we link to. Our customers are responsible for their own privacy practices and for their lawful use of the outreach we prepare for them.
We handle personal information about two distinct groups, and your rights and our practices differ depending on which group applies to you:
(a) Customers and Website Visitors. These are the people who sign up for, pay for, administer, or inquire about our Services, and people who visit our Site. We collect this information directly from you when you create an account, contact us, book a meeting, or use the dashboard.
(b) Business Contacts (Data Subjects). These are professionals whose work-related information we collect from public and third-party sources and include in the datasets we build for our customers, and who may receive outreach prepared through our Services. If you received an email referencing this Policy and you never created a PulsePoint account, you are in this group. We did not collect your information from you directly; Sections 5, 9, 11, and 13 explain where it came from, why we may process it, and how to opt out or request deletion.
When you sign up for, use, or inquire about the Services, we collect:
| Category | Examples |
|---|---|
| Account and identity data | Name, business email address, the company you represent, role/title, dashboard login credentials (passwords are stored only as cryptographic hashes by our authentication provider). |
| Customer content and configuration | Your ideal-customer profile, target criteria, voice and tone preferences, case studies, and other materials you provide to configure the Services; edits and feedback you give on drafts. |
| Command F documents | The documents, files, and knowledge you upload or connect for retrieval through Command F. We process these solely to provide the Command F service to you. |
| Email-sending credentials and connections | Where you connect a mailbox, the OAuth authorization tokens (for Google/Gmail) or mailbox app-password references needed to send and synchronize email on your behalf. Credentials are held in encrypted storage (see Section 16). |
| Billing and transaction data | The information needed to invoice and be paid under your service agreement. We price on a custom basis and invoice directly; we do not process card payments on the Site. |
| Communications and support data | Messages, requests, and correspondence you send us, and meeting-scheduling information when you book time with us (currently through Calendly, a third-party scheduling tool). |
When you use the dashboard, we and our infrastructure providers automatically collect limited operational data such as log records, device and browser information, IP address, and usage events, for security, debugging, and to operate and improve the Services.
Marketing Site cookies and analytics. As of the Effective Date, our public marketing Site does not load third-party advertising or analytics cookies or tracking pixels. If we add analytics or advertising technologies in the future, we will update this Policy and provide any consent mechanism required in your jurisdiction before doing so. Section 10 separately describes the open-tracking and reply-monitoring that may apply to outreach email.
To deliver the Services, we build and maintain datasets of professionals in their business capacity. We do not seek to collect personal information about individuals in their personal or consumer capacity, and we do not knowingly collect special categories of data (such as health, biometric, racial or ethnic, political, or similar sensitive data). If special-category data is incidentally captured from a public source, we delete or suppress it and do not use it to make decisions or to target outreach.
Categories of business-contact data we collect:
| Category | Examples |
|---|---|
| Professional identifiers | Full name; business email address; job title or role. |
| Employer and company data | Company name, company website/domain, industry, size, and other public firmographic details. |
| Professional profile data | LinkedIn or other public professional-profile URLs; publicly listed business phone number where available. |
| Signal and event data | The public business event tied to the contact or their company (for example, a leadership hire, funding round, lease signing, acquisition, regulatory filing, or expansion), and the source where we observed it. |
| Outreach data | The outreach drafts we generate referencing the signal, the status of any outreach (for example, pending, sent, opened, replied), and reply content where a contact responds. |
Where this data comes from. We obtain business-contact data from:
We use the information described above to:
We do not use the content of a customer's Command F documents, or business-contact data, to train, fine-tune, or improve any general-purpose or foundational AI model, and (as described in Section 7) the AI providers we use are contractually restricted from using the data we submit to train their models.
Artificial intelligence is central to how the Services work, and we want to be transparent about it.
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR and UK GDPR:
Our role for business-contact data. We process business-contact data on behalf of, and for the exclusive benefit of, the client for whom we perform the Services. For that processing, the client is the controller and we act as the client's processor on its instructions; where we and a client jointly determine the purposes and means of processing, we act as joint controllers under an arrangement that allocates our respective responsibilities. We do not build or maintain a shared, cross-client database of prospects, and we do not reuse one client's prospects for another client.
Because we obtain business-contact data from sources other than you, Article 14 of the GDPR requires us to tell you about it within a reasonable period after obtaining your data and at the latest within one month, or — if earlier — at the time of our first communication with you. We make this Privacy Policy publicly available as that notice, and where we send outreach we additionally include a link to it and identify the category of source from which we obtained the data, in that first message.
Your absolute right to object to direct marketing (Article 21). You have the right to object at any time to our processing of your data for direct marketing, including the profiling related to it. If you object, we will stop, and we will add you to a permanent suppression list so you are not contacted again. See Section 11 for how.
Our EU and UK Representatives (Article 27). Where we are required to appoint representatives under Article 27 of the EU GDPR and UK GDPR because we process the data of individuals in the EEA or UK, we will do so and will list them here. In the meantime, EEA and UK data subjects may contact us directly at [email protected] on any matter relating to our processing of their personal data.
When a customer approves an outreach message, it is sent on the customer's behalf, typically from a secondary sending domain we provision and warm up to protect the customer's primary domain, and/or through the customer's connected mailbox. Our tools are designed to include the sender's identity, a physical postal address, and a working way to opt out in each message, and to support opt-out honoring as required by the U.S. CAN-SPAM Act and, for Canadian recipients, Canada's Anti-Spam Legislation (CASL). As described in our Terms of Service, the customer who approves a message is its legal sender and is responsible for the accuracy of the address used, the truthfulness of the content, and the lawful basis for contacting each recipient.
Depending on where you are and which group you fall into (Section 2), you may have some or all of the following rights: to access the personal data we hold about you; to correct inaccurate data; to delete your data; to object to or restrict processing (including the absolute right to object to direct marketing); to data portability; and to withdraw consent where we rely on it.
How to exercise your rights — including if you never signed up with us:
Where we process data on behalf of a customer (for example, Command F documents), we will refer your request to the relevant customer and assist them as required.
If you are in the EEA or UK and believe we have not handled your data properly, you may lodge a complaint with your local supervisory authority, though we hope you will contact us first.
California (CCPA/CPRA). California's business-to-business exemption has expired, so California residents whose professional information we process have full rights, even though that information is business-related.
Other U.S. states. Most other state privacy laws (for example, Virginia, Colorado, Connecticut, Texas, Oregon, and Utah) currently exclude data processed in a purely business-to-business or employment context, which is the nature of the business-contact data we process. To the extent any state law applies to data we hold about you, we honor the rights it grants. Contact us using Section 20.
Some U.S. states (including California, Texas, Oregon, and Vermont) require "data brokers" to register. A data broker is generally a business that collects and sells personal information about consumers with whom it has no direct relationship. We do not operate that way: we act as a service provider that sources and enriches prospects for a single client's exclusive use, under a contract that prohibits reuse across clients or any independent sale, and we do not sell data to unrelated third parties. On that basis, we do not act as a data broker subject to these registration requirements. We monitor our activities against these definitions and will register, and comply with the associated deletion mechanisms, if and where that determination changes. If you wish to have your information deleted, see Section 11.
We are based in the United States, and our infrastructure and sub-processors are primarily located in the United States. If you are in the EEA, the UK, or another region with data-transfer restrictions, your personal information may be transferred to and processed in the United States and other countries that may not provide the same level of protection as your home jurisdiction.
When we transfer personal data out of the EEA or UK, we rely on appropriate safeguards, which may include the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, and, for vendors that are certified, the EU–U.S. / UK Extension Data Privacy Framework. To request information about the safeguards we use, contact us using Section 20.
We keep personal information for as long as it is needed for the purposes described in this Policy, and then delete or de-identify it. The periods below describe how long we retain each category, or the criteria we use to determine that period.
| Category | Retention |
|---|---|
| Account and identity data (customers) | For the life of the customer relationship and up to 24 months afterward, to meet legal, accounting, tax, and dispute-resolution needs. |
| Command F documents | While the customer uses Command F; deleted or returned within 30 days of termination, except where the customer's service agreement specifies otherwise or where retention is legally required. |
| Business-contact data | Until the related signal is no longer commercially relevant, until the data is no longer accurate or current, or until a valid deletion or opt-out request — whichever is earliest. We delete or de-identify on a valid deletion request within the periods required by applicable law. |
| Outreach and engagement records (sent messages, opens, replies) | Retained while needed to support the customer relationship and recordkeeping, and then deleted or de-identified. |
| Suppression data | Retained indefinitely, but limited to the minimum needed (such as an email address) so that we do not contact you again. We do not use suppression-list data for any other purpose. |
| Account and mailbox credentials | For the duration of the connection; deleted or revoked promptly when the connection is removed or the relationship ends. |
We use administrative, technical, and organizational measures designed to protect personal information, including access controls, tenant isolation so that one customer cannot access another's data, transport encryption, and encrypted storage of sensitive credentials (such as mailbox OAuth tokens and app passwords, which are held in encrypted secret storage). No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
If we become aware of a personal-data breach affecting your information, we will act without undue delay to investigate and contain it, and will notify affected individuals and applicable authorities (and, where we process data on a customer's behalf, that customer) where and within the time required by applicable law.
The Site and Services may link to third-party websites and tools (for example, our scheduling tool and our customers' own resources). We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy policies.
The Site and Services are intended for businesses and professionals and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.
We may update this Policy from time to time. When we do, we will revise the "Last Updated" date above and, where required by law or where changes are material, provide additional notice. For customers, continued use of the Services after an update means you accept the revised Policy. For business contacts who are not customers, your protections do not depend on accepting this Policy — you may exercise your rights, including objecting to processing or opting out, at any time as described in Section 11.
PulsePoint Strategic
Attn: Privacy — Ty Bibas
222 Purchase Street
Rye, NY 10580
United States
Email: [email protected]
If you are a business professional who received outreach and wish to opt out or have your information deleted, email us at the address above with your name and employer, and we will take care of it.
See also: Terms of Service