legal and compliance
Last updated May 25, 2026
OutPulse is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 and the UK GDPR. This page explains how we protect EU/EEA/UK data subjects' rights and how our platform supports your GDPR obligations.
Controller: OutPulse is the data controller for account data, billing data, and marketing site interactions.
Processor: OutPulse acts as a data processor for contact data that customers upload, discover, or verify through the platform. Customers are the data controller for this data.
A Data Processing Agreement (DPA) is available at /dpa for all customers.
Contract Performance (Art. 6(1)(b)): Processing account data to deliver the OutPulse service.
Legitimate Interest (Art. 6(1)(f)): B2B email discovery and verification where the data subject has a reasonable expectation of business contact. We conduct Legitimate Interest Assessments (LIAs) for these activities.
Consent (Art. 6(1)(a)): Marketing communications, newsletter, and non-essential cookies.
Legal Obligation (Art. 6(1)(c)): Tax records, regulatory compliance.
OutPulse supports all GDPR data subject rights:
• Right of Access (Art. 15): Request a copy of your personal data via GET /api/user/gdpr or email privacy@outpulse.io.
• Right to Rectification (Art. 16): Correct inaccurate data via account settings or by contacting support.
• Right to Erasure (Art. 17): Delete your account and all associated data via DELETE /api/user/gdpr or account settings.
• Right to Restriction (Art. 18): Request restriction of processing by contacting privacy@outpulse.io.
• Right to Data Portability (Art. 20): Export your data in machine-readable JSON format via the data export feature.
• Right to Object (Art. 21): Object to processing based on legitimate interest by contacting privacy@outpulse.io.
• Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time via account settings or unsubscribe links.
Response time: Within 30 days of receiving a verified request.
• Privacy by Design and Default (Art. 25): Minimal data collection, purpose limitation, storage limitation.
• Data Protection Impact Assessments (DPIAs) conducted for high-risk processing activities.
• Encryption at rest (AES-256) and in transit (TLS 1.2+).
• Row-Level Security ensuring strict data isolation between customers.
• Regular security audits and penetration testing.
• Employee training on data protection obligations.
Where personal data is transferred outside the EEA, we rely on:
• Standard Contractual Clauses (SCCs) - EU Commission Decision 2021/914
• Adequacy decisions where applicable
• Supplementary measures (encryption, access controls) as recommended by the EDPB
All subprocessors are contractually bound to equivalent data protection standards.
In the event of a personal data breach likely to result in a risk to data subjects' rights and freedoms:
• We notify the relevant supervisory authority within 72 hours (Art. 33).
• We notify affected data subjects without undue delay where the breach is likely to result in a high risk (Art. 34).
• We maintain a breach register documenting all incidents.
A GDPR-compliant DPA is available for all customers at /dpa.
The DPA covers: scope of processing, subprocessor list, security measures, breach notification, audit rights, and data deletion.
Enterprise customers may request a countersigned PDF copy via legal@outpulse.io.
Current subprocessor list (updated quarterly):
• Supabase - Database & Auth - US/EU - SOC 2 Type II
• Stripe - Payments - US - PCI DSS Level 1
• Resend - Email Delivery - US - SOC 2
• Hetzner - Infrastructure - Germany/US - ISO 27001
• Cloudflare - CDN & Security - Global - SOC 2, ISO 27001
• Sentry - Error Monitoring (anonymized) - US - SOC 2
Subscribe to subprocessor change notifications: privacy@outpulse.io.
If you use OutPulse's outreach features to contact EU/EEA data subjects:
• You must have a lawful basis for processing (typically legitimate interest for B2B cold outreach, or consent).
• You must include an unsubscribe mechanism (OutPulse includes this automatically).
• You must respond to data subject requests from your recipients.
• OutPulse provides tools to suppress contacts who exercise their rights.
OutPulse displays in-app warnings when sending to EU recipients to remind you of these obligations.
EU data subjects may lodge a complaint with their local supervisory authority.
OutPulse's lead supervisory authority: [To be designated based on EU establishment].
Contact our DPO: dpo@outpulse.io.
Contact OutPulse if your team needs DPAs, vendor-security documentation, or clarification on how marketing-site policies map to the application workspace.