Privacy Policy
What we collect, why we collect it, and how we protect it.
AccessPulse is operated by Thomas Madathiparambil, trading as AccessPulse (accesspulse.io). This policy explains what data we collect, why, and how we protect it.
Last updated: April 2026.
Section 1 - What data we collect
Two types:
Account data (you provide)
- Your name and email address when you sign up
- Your organisation name
Microsoft 365 data (we read via Graph API with your permission)
- User display names and email addresses
- Account status (enabled or disabled)
- MFA registration status (yes or no)
- Admin role assignments
- Last sign-in date
- Microsoft licence assignments
- Guest user status
Section 2 - What we do NOT collect
- Email content, calendar data, files or documents
- Passwords or credentials of any kind
- Payment card details (handled by Stripe)
- Any data from Microsoft services other than those listed above
Section 3 - Why we collect it
- To calculate your SOC2 readiness score
- To detect access control risks
- To generate audit evidence reports
- To send you transactional emails (account confirmation, reports)
Section 4 - Where data is stored
- Database: Supabase (PostgreSQL) hosted in the EU
- Microsoft OAuth tokens: encrypted with AES-256-GCM before storage
- Authentication: Supabase Auth
- We do not sell or share your data with third parties
Section 5 - How long we keep it
- Microsoft 365 snapshot data: 12 months rolling
- Account data: retained while your account is active
- On account deletion: all data is permanently deleted within 30 days
Section 6 - Your rights (UK GDPR)
You have the right to:
- Access the data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Withdraw consent at any time by deleting your account
To exercise any right, email thomas@accesspulse.io
Section 7 - Cookies
We use Google Analytics (GA4) for anonymous usage analytics. No advertising cookies. No cross-site tracking.
Section 8 - Third-party services
- Supabase: database and authentication (supabase.com/privacy)
- Resend: transactional email (resend.com/privacy)
- Stripe: payment processing (stripe.com/privacy)
- Google Analytics: anonymous usage data (policies.google.com/privacy)
- Microsoft: OAuth and Graph API (privacy.microsoft.com)
Section 9 - Contact
- Thomas Madathiparambil
- thomas@accesspulse.io
- accesspulse.io