1. Who We Are
PulseShield ("we", "us", "our") is a sole trader operating the websites pulseshield.co.uk and admin.pulseshield.co.uk, providing automated website security scanning and compliance auditing services.
For the purposes of UK GDPR, PulseShield is the data controller of your personal data. Our contact details are in Section 12.
2. Data We Collect
2.1 Account Data
When you create an account, we collect:
- Your name and email address
- Company name (if provided)
- Account credentials (hashed password)
- Role within the account (owner, admin, member)
2.2 Scan Data
When you use our scanning services, we collect and store:
- Target domains and IP addresses you specify for scanning
- Scan configurations (which modules are enabled, passive vs active testing mode)
- Scan results and generated reports (vulnerabilities, findings, compliance checks)
- Timestamps of when scans were initiated and completed
2.3 Consent and Authorisation Records
We log explicit authorisation confirmations, including:
- Your confirmation of authorisation to scan a target domain
- Active testing opt-in records (the checkbox you tick to enable active testing)
- Timestamp and account details of when consent was given
These records are retained to demonstrate lawful scanning activity.
2.4 Payment Data
- Subscription and billing records (plan type, billing dates, amounts)
- We do not collect or store card details — all payment processing is handled by Stripe
2.5 Communication Data
- Emails you send to us ([email protected])
- Contact form submissions
- Outreach emails sent through the platform (domain, recipient email, findings shared)
2.6 Technical Data (Collected Automatically)
- IP address and browser type when accessing our websites
- Account activity logs (logins, scans run, reports downloaded)
- Cloudflare analytics (anonymised page views, performance data)
3. How We Use Your Data
We use your personal data to:
- Provide, maintain, and improve our security scanning services
- Generate scan reports and deliver them to you
- Process subscription payments and manage your account
- Send security alerts and scan completion notifications
- Send outreach emails on your behalf (when you use the Outreach feature)
- Respond to your enquiries and support requests
- Maintain records of authorisation and consent for scanning activities
- Detect and prevent misuse of the Service
- Comply with legal obligations
4. Legal Basis for Processing (UK GDPR)
We process your personal data under the following lawful bases:
- Contractual necessity (Article 6(1)(b)) — to provide the scanning services you signed up for, including running scans, generating reports, and managing your account
- Legitimate interests (Article 6(1)(f)) — to improve our services, detect misuse, send service-related notifications, and maintain security of our platform
- Consent (Article 6(1)(a)) — for marketing communications and any optional data processing beyond core service delivery
- Legal obligation (Article 6(1)(c)) — to comply with applicable laws, including maintaining records of authorisation for scanning activities
5. Data Sharing
We do not sell, rent, or trade your personal data to third parties. We share data only with:
- Stripe — for secure payment processing. Stripe processes your card details directly; we never see or store them
- Cloudflare — for website security, DDoS protection, and performance optimisation
- Google (Gmail SMTP) — to send outreach emails and notifications on your behalf
- Law enforcement or legal authorities — when required by law, court order, or to protect our rights and the safety of others
We require all service providers to process data under appropriate data protection agreements.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 12 months after closure |
| Scan results & reports | Duration of subscription + 12 months |
| Authorisation & consent records | 6 years (for legal protection) |
| Payment records | 7 years (HMRC requirement) |
| Communication logs | 2 years |
| Server access logs | 30 days |
You can request earlier deletion of your data at any time (see Section 8).
7. Data Security
We implement appropriate technical and organisational measures to protect your data:
- Encryption in transit — all connections use TLS 1.2+ (HTTPS)
- Access control — multi-tenant data isolation, JWT-based authentication, role-based access
- Infrastructure protection — Cloudflare Access for admin portal, DDoS protection, IP blocking
- Password storage — passwords are hashed using industry-standard algorithms (never stored in plain text)
- Regular assessments — we scan our own infrastructure for vulnerabilities
While we take all reasonable steps to protect your data, no system is completely secure. We cannot guarantee absolute security.
8. Your Rights
Under UK GDPR and the Data Protection Act 2018, you have the right to:
- Access — request a copy of all personal data we hold about you
- Rectification — correct any inaccurate or incomplete data
- Erasure — request deletion of your personal data (subject to legal retention requirements)
- Restriction — limit how we process your data in certain circumstances
- Data portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests or for direct marketing
- Withdraw consent — withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact [email protected]. We will respond within 30 days.
If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
9. Cookies and Tracking
Our websites use the following types of cookies:
- Essential cookies — for authentication, session management, and security (always active)
- Cloudflare cookies — for performance optimisation and bot protection (always active)
We do not use third-party analytics cookies, advertising cookies, or social media tracking pixels on our marketing site (pulseshield.co.uk).
The admin portal (admin.pulseshield.co.uk) uses essential cookies only for session management and authentication.
You can manage cookie preferences through your browser settings at any time.
10. Third-Party Domains and Scan Data
When you scan a domain using PulseShield, we collect and store information about that domain's security posture. You are responsible for ensuring you have authorisation to scan any target domain (see our Terms of Service).
Scan data about third-party domains is stored as part of your account data and subject to the same retention periods. If you scan a domain you do not own, the scan results are still tied to your account — not to the domain owner.
11. International Data Transfers
PulseShield is a UK-based service. Your data is processed on servers within the United Kingdom.
Some of our service providers (Cloudflare, Google, Stripe) may process data outside the UK. Where this occurs, we ensure adequate safeguards are in place, including:
- UK International Data Transfer Agreements (IDTAs)
- Standard contractual clauses approved by the ICO
- Providers with certifications equivalent to UK GDPR standards
12. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes by email or through our website. Continued use after changes constitutes acceptance.
13. Contact
For questions about this privacy policy, data requests, or to exercise your rights:
Email: [email protected]
If you are not satisfied with our response, you may complain to the ICO: ico.org.uk/make-a-complaint