ListPulse
Last updated April 2026

Privacy Policy

We built ListPulse so we can't read your contact lists. Here's exactly what that means.

What we collect

  • Email-list data you upload. Email addresses, names, and any other CSV columns. Encrypted with AES-256-GCM at rest the moment we receive the file.
  • Account data. Your email, hashed password (bcrypt), company name (if provided), and a Stripe customer ID once you subscribe.
  • Usage data. API call counts, credit ledger entries, IP and user-agent of the device that uploaded each file (for abuse prevention).
  • What we do NOT collect. Tracking cookies, cross-site identifiers, ad-network pixels.

How your list data is protected

  • Every uploaded CSV is encrypted with a per-upload AES-256-GCM data encryption key (DEK). DEKs are themselves encrypted with a server master key stored outside the database in an environment variable.
  • Email addresses in indexed columns are stored only as HMAC-SHA256 hashes for deduplication. The plaintext never appears in any indexable column.
  • The original CSV file is deleted from temporary storage immediately after processing — only the encrypted row data is persisted.
  • If you don't subscribe within 48 hours of a free Pulse Report, your data is purged automatically. The encrypted blobs and the DEK are wiped together.

Third-party processors

We share only what's necessary to deliver the service:

  • Stripe — handles all payments. We send Stripe your billing email and a customer ID; we never see or store your card details.
  • Mailgun — performs paid email verifications. When you call our verify API, the email being checked is sent to Mailgun. Mailgun's privacy policy applies to that one address per call.
  • Hosting provider — runs the servers. They have access to encrypted data only.

Your rights

  • Access. Email support for a copy of your account data.
  • Deletion. Delete your account and we wipe everything within 30 days. No archives, no backups beyond that window.
  • Portability. Cleaned lists are exportable as CSV from your dashboard at any time.
  • Withdrawal. Cancel your subscription from the Stripe Customer Portal at any time. No phone calls, no retention forms.

Cookies

We use one cookie: a session ID for keeping you logged in. No analytics, no advertising, no cross-site tracking. Stripe sets its own cookies on the Checkout page they host (covered by their policy).

Contact

Privacy questions or data requests: contact us. We reply to data requests within 5 business days.