Privacy posture

Analytics that refuses
to spy on people.

This is a plain-language summary of how Halo Pulse handles data — not a legal document. Your Data Processing Agreement and sub-processor list are the binding terms, provided during onboarding.

What we collect

  • Meeting and calendar metadata — times, durations, counts, attendee counts
  • Email metadata — volume and timing, never subjects or bodies
  • Teams call and presence metadata
  • Active application time by category from the Pulse Desktop agent
  • Organisational structure (manager hierarchy) to build supervisor views

What we never collect

  • Email or message bodies
  • Documents, files or attachments
  • Keystrokes
  • Screenshots or screen recording
  • Camera or microphone
  • App or window titles (off by default; opt-in only)
  • Anything from personal, non-enrolled devices

Six commitments we build into the product

Metadata only, privacy at ingestion

We collect counts, timings and categories — not content. Protected people are suppressed at the point of ingestion, not filtered out later, so out-of-scope data is never landed in the first place. Capturing window titles is off by default and requires a deliberate change.

The self tier — transparency as a feature

Every person who is monitored can log into Halo Pulse and see exactly what is collected about them. A per-tenant 'what we collect' page is generated automatically from the connectors you have enabled, so the disclosure always matches reality. Nobody is measured in secret.

Roles that limit reach

Admins configure and see everyone. Supervisors see only their own team subtree. Users see only themselves. Sensitive connectors carry a minimum-role setting, so the most private signals are visible to the fewest people by default.

UK-only hosting

All data is processed and stored in Google Cloud's London region (europe-west2) — BigQuery and Cloud Run alike. Nothing lives anywhere else. There are no datasets, backups or logs outside the UK.

Isolated per customer

Every customer gets a dedicated dataset. There are no shared tables, no pooled dead-letter storage and no cross-tenant queries. Your data physically cannot be mixed with another customer's.

GDPR by design

You are the data controller; we are the processor. Deletion is a full dataset drop. Data-subject access requests are served by the same per-person endpoint that powers the self view. Retention is a per-tenant parameter (13 months by default on Core). A standard DPA and sub-processor list (Google) are available as part of onboarding.

See it for your own teams.

Start a trial and log in as one of your own people to see the self view first-hand.

Start free trial