Features

Solutions

Pricing

Resources

Customer Stories

Free HR Tools

Help Center

Support

Log In

Book a Demo

Privacy Policy

Last updated 31 March 2026

1. Introduction

Welcome to FeedbackPulse. We respect your privacy and are committed to protecting personal data. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our employee engagement and performance management platform (the "Service").

2. Information Collection

When you use our Service, we may collect and process the following categories of information:

  • Account and Contact Information: such as your name, email address, employer, and other contact details when you register, are invited to the Service, or contact us.
  • Employee Profile Information: such as job title, department, manager relationship, employee number, work contact details, employment status, and other profile information your organisation chooses to store in the Service.
  • Survey, Review, and Feedback Data: including survey responses, peer review responses, performance review content, recognition submissions, comments, and related metadata processed through the Service on behalf of your organisation.
  • Authentication and Integration Data: such as session information, API token metadata, OAuth client metadata, and, where applicable, authentication data associated with supported integrations.
  • Usage Data: information about how the Service is used, such as features accessed, timestamps, pages viewed, and operational events.
  • Marketing Site Data: information collected on our marketing website through cookies and similar technologies, including analytics and website performance data.
  • AI-Processed Data: when AI-powered features are used, relevant survey, review, or feedback data may be processed by third-party AI service providers to generate summaries or support enabled integrations.

3. Purpose of Collection

We use personal data for the following purposes:

  • To provide, operate, maintain, and secure the Service.
  • To authenticate users and manage access rights.
  • To support employee surveys, peer reviews, performance reviews, recognitions, reporting, and related workflows.
  • To provide customer support and respond to requests.
  • To send transactional communications related to accounts, invitations, surveys, reviews, recognitions, and service operations.
  • To monitor performance, troubleshoot issues, prevent abuse, and improve the Service.
  • To understand usage of our marketing website and measure the effectiveness of marketing activity.
  • To provide AI-powered features and integrations where those features are used by authorised users or enabled by a customer organisation.

4. Data Sharing

We do not sell personal information. We may share personal data in the following circumstances:

  • With your organisation and authorised users of your organisation's account.
  • With third-party service providers and sub-processors that help us operate, secure, support, and improve the Service. See our Sub-Processors page.
  • With third-party AI providers when AI-powered features are used.
  • With connected third-party applications or AI clients authorised by your organisation or its users.
  • To comply with legal obligations, lawful requests, or enforce our rights.
  • In connection with a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.
  • With your consent or at your direction.

5. Cookies and Tracking

We use cookies and similar technologies on our marketing website to understand how visitors interact with the site, improve website performance, and measure the effectiveness of marketing efforts.

We may use third-party analytics and website optimisation tools on the marketing site only. Those tools may use cookies or similar technologies in accordance with their own documentation and privacy practices.

You can manage cookies through your browser settings. Where required by applicable law, non-essential cookies will be used only in accordance with the choices presented to you.

6. User Rights

Depending on your location and the applicable law, you may have rights to:

  • access personal data;
  • correct inaccurate or incomplete personal data;
  • request deletion of personal data;
  • object to certain processing;
  • request restriction of processing;
  • request transfer of personal data where portability applies;
  • withdraw consent where processing is based on consent.

Where FeedbackPulse acts as a processor on behalf of your organisation, your organisation is typically the primary point of contact for rights requests relating to employee survey, review, recognition, and related workplace data. You may also contact us at [email protected] and we will direct or assist the request as appropriate.

7. Data Security

We use administrative, technical, and organisational measures designed to protect personal data, including encryption in transit, access controls, logging, and security monitoring. No method of transmission or storage is completely secure, but we work to protect personal data using measures appropriate to the nature of the data and the risks involved.

8. Data Storage and Retention

We retain personal data for as long as necessary to provide the Service, comply with contractual and legal obligations, resolve disputes, enforce agreements, and maintain security and operational records.

Retention periods vary by data category, customer configuration, security requirements, and legal obligations. Certain records may be deleted, anonymised, or retained for limited periods after account termination or user deletion, including records needed for security, audit, fraud prevention, or backup lifecycle management.

If your organisation requires specific retention terms, please contact us about contractual retention commitments and available data processing terms.

9. GDPR and Data Protection

Controller vs. Processor: FeedbackPulse generally acts as a data processor when handling employee survey, review, recognition, and related workplace data on behalf of a customer organisation, which acts as the data controller. FeedbackPulse generally acts as a data controller for its own account, billing, support, security, marketing, and website analytics data.

Legal Bases (Art. 6 GDPR): We process personal data under one or more of the following legal bases, depending on the context:

  • Contract: where processing is necessary to provide the Service or perform our contractual obligations.
  • Legitimate Interests: where processing is necessary for security, service operations, fraud prevention, product improvement, support, or internal analytics, and those interests are not overridden by the rights of individuals.
  • Consent: where processing is based on consent, such as certain marketing communications or similar optional activities.
  • Legal Obligation: where processing is required to comply with applicable law.

International Transfers: Our service providers and sub-processors may process data in the United States and other countries outside the EEA, UK, or Switzerland. Where required, we use appropriate safeguards for international transfers, which may include Standard Contractual Clauses or other recognised transfer mechanisms.

Sub-Processors: We use third-party sub-processors for infrastructure, communications, support, monitoring, payments, analytics, and AI-powered features. A current list is maintained on our Sub-Processors page.

Data Retention: Retention depends on the data category, contractual requirements, legal obligations, security needs, and backup lifecycle. We do not apply a single retention period to all data.

Right to Lodge a Complaint: If you are in the EEA, UK, or Switzerland, you may have the right to lodge a complaint with the relevant supervisory authority.

Data Processing Agreement: Our Data Processing Agreement is available for customers that require processor terms.

10. AI Features

FeedbackPulse may use third-party AI service providers, including OpenAI and Anthropic, for certain product features such as summaries, insights, and enabled integrations.

  • Feature-dependent: AI processing occurs only when a relevant AI-powered feature is used.
  • Role- and configuration-dependent: Some AI-related capabilities are optional or administrator-enabled, while others may be available to authorised users within the product based on account configuration and permissions.
  • Third-party processed: When AI-powered features are used, relevant data may be sent to third-party AI providers for processing.

Customers should evaluate whether AI-powered features are appropriate for the categories of data they choose to process in the Service.

11. API and MCP Access

FeedbackPulse offers API access via the Model Context Protocol (MCP), allowing compatible clients and AI assistants to query and, where authorised, act on an organisation's feedback data.

Opt-in for MCP: MCP access is disabled by default. A tenant administrator must explicitly enable it for the organisation and grant access to individual users.

Data readable via MCP may include:

  • survey metadata, results, completion statistics, and generated summaries;
  • performance review cycle summaries and review-related details;
  • peer review aggregate statistics;
  • recognition statistics;
  • employee directory information and hierarchy data;
  • turnover and department-level analytics.

Actions available via MCP may include (subject to role and permissions):

  • creating survey templates;
  • creating surveys and selecting recipients;
  • creating performance review cycles;
  • sending reminders for active surveys and review cycles.

Access control:

  • tenant administrators control which users may use MCP access;
  • users authenticate with personal API tokens or OAuth 2.0;
  • access is scoped to the authenticated user's permissions;
  • write actions require the same underlying permissions as the web application.

Token lifecycle:

  • personal API tokens and OAuth authorisations can be revoked by administrators;
  • OAuth access tokens are short-lived and refresh tokens have a longer expiry period;
  • personal API tokens may remain active until revoked or until an optional configured expiry, if any.

Data minimisation: MCP tools are designed to return only the data needed for the requested operation. FeedbackPulse does not store third-party AI conversation history by default merely because a customer uses MCP access.

International transfers and third-party clients: If your organisation connects third-party AI clients or external applications through MCP, those providers may receive data in accordance with your organisation's configuration, permissions, and agreements with those providers.

For questions about MCP access, contact [email protected].

12. Legal Compliance

We seek to comply with applicable data protection and privacy laws, including GDPR where applicable.

13. Children's Privacy

The Service is not intended for children, and we do not knowingly collect personal data from children through the Service.

14. Changes to the Policy

We may update this Privacy Policy from time to time. When we do, we will post the updated version on this page and update the effective "last updated" date. Where required, we will provide additional notice.

15. Contact Information

For privacy-related questions, contact [email protected] or [email protected].