App Privacy Policy
v1.0·
App Privacy Policy
Business Pulse OS — app.businesspulseos.com
Version: v1.0 Effective date: 2026-04-21
1. Who we are
Business Pulse OS (the "Service", the "Platform", "we", "us") is operated by BizzBee Solutions DOOEL, a company registered in Kavadarci, North Macedonia. This Privacy Policy applies to the application at app.businesspulseos.com.
For privacy questions, contact privacy@businesspulseos.com.
2. Our role in the data chain (three-tier model)
Business Pulse OS is a platform that business-consultancy firms ("Consultants", "Tier 1") use to work with their small and medium-sized business clients ("Clients", "Tier 2"). Under GDPR, responsibilities split across three tiers:
- Tier 2 (the Client company) is the data controller of their own business data. They decide what data enters the Platform and for what purpose.
- Tier 1 (the Consultant) is the data processor, acting under the Client's instructions.
- Business Pulse OS is the sub-processor, providing secure infrastructure to the Consultant.
This three-tier arrangement matches how Salesforce, HubSpot, Notion, and other SaaS platforms describe themselves.
We sign a Data Processing Addendum (DPA) with each Consultant. The Consultant uses a platform-provided DPA template with their Client, with the Consultant's name auto-inserted. See the DPA template (L7).
3. What we collect
From Consultants (Tier 1)
- Account data: name, work email, password hash, profile picture, company, role.
- Billing data: company name, billing address, VAT ID, payment card token (handled by Stripe, we never see the raw card number).
- Usage data: login times, pages visited, features used, device and browser metadata.
- Client-uploaded content: documents, reports, notes, audio and video files that the Consultant uploads on behalf of a Client.
From Clients (Tier 2)
- Account data: name, work email, password hash, company, role assigned by Consultant.
- Content: documents, notes, survey responses, anything the Client uploads or records directly.
- Usage data: login times, pages visited.
4. How we collect it
Directly from you when you sign up, log in, upload files, or interact with the Platform. Automatically via the Platform (for logs, audit events, and product analytics). Via your employer or Consultant if they create your account on your behalf.
5. Why we collect it (legal basis)
- Contract (GDPR Art. 6(1)(b)) — processing your data is necessary to deliver the Service you signed up for.
- Legal obligation (Art. 6(1)(c)) — tax records, audit logs, breach notification.
- Legitimate interest (Art. 6(1)(f)) — keeping the Platform secure, preventing abuse, improving product quality.
We do not process your data for advertising or for training AI models.
6. Who we share it with
Only with the subprocessors listed at businesspulseos.com/subprocessors (see the App Subprocessor List (L6)), who provide infrastructure (hosting, storage, email, AI processing, transcription). We do not sell, rent, or share your data with advertisers, data brokers, or any party not on the subprocessor list.
7. Where it is stored
The primary database and file storage are in Supabase's Frankfurt, Germany region (EU). Specific AI processing operations involve international transfers; these are disclosed in Section 13.
8. How long we keep it
| Data category | Retention |
|---|---|
| Active account data (profile, content) | As long as the account is active |
| Cancelled Tier 1 subscription | 90-day grace period, then all data under that Tier 1 is hard-deleted |
| Soft-deleted accounts | 30 days, then hard-deleted |
| Audit log | 2 years (security and accountability) |
| Billing records | 10 years (North Macedonia tax law) |
| Backups | Supabase point-in-time recovery window (14 days) |
When retention expires, data is hard-deleted from all primary systems and purged from backups within the backup rotation window.
9. Your rights
Under GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict or object to processing.
- Data portability (receive your data in JSON plus original files).
- Withdraw consent at any time where consent is the legal basis.
- Lodge a complaint with a supervisory authority.
Three-tier routing rule. If you are a Tier 2 Client user, your data controller is your employer (the Client company), and your point of contact under the Consultant is Tier 1. For rights relating to Client-owned content, contact your Consultant first; they route the request to us under our DPA. For rights relating to your own account data (profile, login info), contact us directly at privacy@businesspulseos.com.
We respond to all verified rights requests within 30 days.
10. How to contact us
- Privacy: privacy@businesspulseos.com
- Security incidents: security@businesspulseos.com
- Postal: BizzBee Solutions DOOEL, Kavadarci, North Macedonia
11. Cookies
The Platform uses only strictly necessary cookies:
- Session cookie (Supabase Auth): keeps you signed in.
- CSRF token: protects against cross-site request forgery.
No tracking, advertising, or analytics cookies. No consent banner required.
12. Children
The Platform is for adults only (18+). We do not knowingly collect data from minors. If you believe a minor has created an account, contact us at privacy@businesspulseos.com and we will delete it.
13. International transfers
Some processing operations take place outside the European Economic Area:
| Vendor | Operation | Country | Safeguard |
|---|---|---|---|
| Anthropic PBC | AI generation (Claude) for summaries, analysis, content drafting | USA | EU Standard Contractual Clauses (SCCs) + EU-US Data Privacy Framework (DPF) |
| Unstructured.io | Document text extraction (when required) | USA | SCCs + DPF. Zero-retention mode enforced. |
| AssemblyAI | Audio and video transcription | EU endpoint (api.eu.assemblyai.com) is enforced. No US transfer. | N/A |
If a future subprocessor adds a new international transfer, this section and the App Subprocessor List (L6) are updated and a re-consent banner is shown.
14. AI processing disclosure
- We use Anthropic Claude to generate summaries, analysis, and drafts from the content you upload.
- We use Unstructured.io to extract text from uploaded documents (PDF, DOCX, XLSX) when native extraction is insufficient.
- We use AssemblyAI to transcribe audio and video recordings you upload.
- No Business Pulse OS customer data is used to train any AI model. Anthropic, Unstructured.io, and AssemblyAI are contractually prohibited from training on our data.
- We do not deploy any AI system that makes solely automated decisions with legal or similarly significant effects on you.
15. Breach notification
If a personal data breach is likely to result in risk to your rights and freedoms, we notify the Agency for Personal Data Protection of North Macedonia (AZLP) within 72 hours of detection. If the breach is likely to result in high risk, we also notify affected users directly via email. Our full breach workflow is documented in the internal Incident Response Plan.
16. Changes to this policy
We may update this policy. Material changes (new subprocessors, new data categories, new international transfers, shorter retention) trigger an in-app banner on your next login and require re-consent before you can continue using the Platform. Every version you have accepted is downloadable from Settings > Legal.
17. Contact and complaints
First contact us at privacy@businesspulseos.com. If you are not satisfied, you can lodge a complaint with the Agency for Personal Data Protection of North Macedonia at azlp.mk, or with your local EU data protection authority if you are an EU resident.