Privacy Policy
How Pulvian collects, uses, and protects your data.
Last updated: 31 May 2026
What Pulvian is
Pulvian is a workplace signal aggregator that collects and analyses publicly available information about companies. It does not require user accounts, does not use cookies for tracking, and does not sell or share data with third parties.
Data controller
Pulvian is operated as an independent project. The data controller for any personal data you submit (correction requests, alert subscriptions, waitlist sign-ups) is the individual operator of Pulvian. Contact details are available on the About page.
Legal basis for processing (GDPR Art. 6). Where you provide personal data voluntarily (e.g., an email address in a correction form), processing is based on your consent. Where we retain server logs for security, processing is based on our legitimate interest in protecting the service. You may withdraw consent at any time (see Your rights below).
Data we collect
Pulvian collects minimal data. Here is an exhaustive list of what we store:
- Data correction requests. If you submit a correction or removal request through the form on a company page, we store the message you write, the company it relates to, and optionally your email address if you provide one. Your IP address is stored as a one-way hash (SHA-256) solely for rate-limiting purposes and cannot be reversed to identify you.
- Company suggestion requests. If you suggest a company to be added, we store the information you provide in the suggestion form.
- Score-change alert subscriptions. If you subscribe to score-change alerts on a company page, we store your email address solely to send notifications when that company's score is updated. You may unsubscribe at any time by contacting us via the About page. Subscription email addresses are deleted within 30 days of an unsubscribe request.
- Pro waitlist and subscription enquiries. If you submit your email address via the Pro tier waitlist form on the Pricing page, we store that address to notify you when Pro access becomes available. You may withdraw at any time by contacting us.
- Server logs. Standard HTTP server logs (IP address, request path, timestamp) are retained for up to 30 days for security monitoring and then automatically deleted.
We use PostHog for privacy-preserving product analytics, configured with no cookies (in-memory only), the EU data region, no session/keystroke recording, and no collection of personal data. We do not use advertising trackers and we do not build user profiles for marketing.
Email addresses
Providing an email address in a data correction request is optional. If you choose to provide one, it is used solely to notify you about the resolution of your request.
Email addresses associated with resolved or dismissed requests are automatically deleted within 90 days of resolution. You may request immediate deletion at any time (see Your rights below).
Company data sources
All company data displayed on Pulvian is derived from publicly available sources. We currently aggregate signals from:
- Hacker News — community discussions via the Algolia HN Search API (public)
- GDELT — global news article metadata (headlines, tone, source)
- SEC EDGAR — public regulatory filings for US-listed companies
- GitHub — public repository activity and contributor signals
- Reddit — community discussions via Reddit's public API (r/cscareerquestions, company subreddits)
- App Store — Apple customer review aggregates via Apple's official RSS feed (consumer companies only)
- Yahoo Finance — public financial news RSS headlines for publicly traded companies
- Wikidata — structured company information (CC0 licensed)
- RSS newsroom feeds — company-published press releases and industry publications
No private, leaked, or paywalled data is used. No employee personal data is collected or displayed. Scores reflect aggregate patterns in public documents, not individual reviews or identifiable information.
Your rights
Regardless of where you are located, you have the following rights regarding data you have submitted to Pulvian:
- Access. You may request a copy of any data we hold that is linked to your email address.
- Correction. You may request correction of inaccurate information you have submitted.
- Deletion. You may request deletion of your email address and any associated data correction requests at any time. We will process deletion requests within 30 days.
- Withdrawal. You may withdraw a pending data correction request at any time.
- Complaint. If you are located in the European Economic Area or the UK, you have the right to lodge a complaint with your local data protection authority. If you are located in Turkey, you have the right to lodge a complaint with the Kişisel Verileri Koruma Kurumu (KVKK).
To exercise any of these rights, email privacy@pulvian.com with subject "Privacy request". You may also use the data correction form on any company page. We will acknowledge your request within 5 business days and complete it within 30 days.
California residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:
- Right to Know. You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete. You may request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out. Pulvian does not sell personal information. There is nothing to opt out of.
- Right to Non-Discrimination. Exercising your CCPA rights will not result in any penalty or difference in service.
To submit a CCPA request, email privacy@pulvian.com with subject "CCPA Request".
Data retention
- Data correction requests: retained while pending review. Email addresses deleted within 90 days of resolution.
- Alert subscription emails: deleted within 30 days of an unsubscribe request.
- IP hashes: used for rate-limiting only. Stored as a one-way SHA-256 hash and automatically nullified within 2 hours of submission by an automated cleanup job. The raw IP address is never stored.
- Server logs: retained for up to 30 days, then automatically deleted.
- Company data: public data is retained as long as the company is listed. If a company requests removal, their data is deleted from all snapshots and signals.
Security
All traffic is served over HTTPS. The database is not publicly accessible. Administrative endpoints require authentication. We do not store passwords because there are no user accounts.
Children
Pulvian is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has submitted data, please contact us for immediate deletion.
Changes to this policy
We may update this privacy policy from time to time. Material changes will be noted at the top of this page with a revised "Last updated" date. Continued use of Pulvian after changes constitutes acceptance.