Skip to content

Privacy Policy

Last updated: May 23, 2026

CorePulse ("CorePulse," "we," "us") is a paid continuous-monitoring tool for landing-page performance, built for marketing operations teams. This Privacy Policy explains what information we collect, how we use it, and the choices you have.

1. Information we collect

When you use CorePulse, we collect:

  • Account information. When you sign in with Google, we receive your name, email address, and Google profile identifier through standard OAuth scopes (openid, email, profile).
  • Webflow integration data. If you connect a Webflow site, we use the OAuth scopes sites:read, pages:read, and authorized_user:read to list your sites and pages, and register a site_publish webhook so we can react to publishes. We do not read CMS content, form submissions, or end-user data.
  • HubSpot integration data. If you connect a HubSpot portal, we use the content, oauth, and settings.users.read scopes to list CMS landing pages and site pages, and to resolve the name of whoever last edited a page for the blame line on alerts. We do not read contact records, deals, marketing email, or any other CRM data.
  • Google Tag Manager data. If you connect GTM, we use the tagmanager.readonly OAuth scope to read container configuration metadata (tags, triggers, variables, versions) solely to run weekly health audits. We never write to or modify your container.
  • Monitored page data. The URLs and labels of pages you choose to monitor, plus the results of every synthetic Lighthouse test we run against them — Core Web Vitals (LCP, CLS, INP), performance scores, and the list of network resources the page loads (used for change-attribution).
  • Alert and audit history. Records of alerts dispatched, audit runs, GTM findings, and weekly digest emails sent. Used to render dashboards, power de-duplication, and produce digests.
  • Billing information. Stripe customer and subscription identifiers. Card numbers and bank details are handled entirely by Stripe — CorePulse never sees or stores them.
  • Operational logs. Standard server logs (timestamps, IP addresses, user agents, error traces) are retained for short periods for debugging and security.

2. What CorePulse does not do

  • No script on your site. CorePulse never injects JavaScript, pixels, or tags into the pages you monitor. We test from our own infrastructure using the same methodology as Google's PageSpeed Insights.
  • No end-user tracking. We do not see, collect, or store your end users' identifiers, IPs, cookies, or behavior. CorePulse only ever knows what a Lighthouse run can see.
  • No sale of personal data. We do not sell personal information to third parties.
  • No long-term raw audit retention. Raw Lighthouse JSON payloads are retained for 90 days. After that we keep only the summary metrics + the resource list we need for change-attribution.

3. How we use Google user data

CorePulse's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access GTM container data only to generate the audits you configured. We do not use Google user data to serve ads, do not sell it, and do not transfer it to third parties except as needed to provide the service (hosting, database) or to comply with applicable law.

4. Sub-processors

We rely on a small set of third-party providers to operate the service. Each processes data on our behalf under their own security commitments:

  • Stripe — billing, payment processing.
  • Resend — transactional email (alerts, weekly digests).
  • Neon — managed PostgreSQL database.
  • Vercel — application hosting, serverless compute, scheduled cron.
  • Google — OAuth identity, the Tag Manager API, and the PageSpeed Insights API used for synthetic Lighthouse runs.
  • Webflow — CMS integration (only when you connect a Webflow site).
  • HubSpot — CMS integration (only when you connect a HubSpot portal).
  • PostHog — product analytics across the marketing site and the authenticated application. We use it to capture page views, click events, form events, scroll-into-view events on key sections, and to produce aggregated heatmaps. PostHog sets a first-party cookie on corepulse.dev so sessions stitch across page loads. Session replay is not enabled. A Data Processing Agreement is in place. We do not sell analytics data.

5. Security

  • Data in transit. All connections use TLS 1.2 or higher.
  • Data at rest. OAuth access and refresh tokens for Google, Webflow, HubSpot, GTM, and Slack integrations are encrypted at rest using AES-256-GCM. The encryption key lives only in the runtime environment and never in the database.
  • Billing. Payment card data is handled entirely by Stripe. CorePulse never stores card numbers.
  • SOC 2. Not yet certified. Target: Type II audit in 2027.
  • Responsible disclosure. Found a security issue? Email hello@corepulse.dev with details. We respond within 48 hours.

6. Data retention

  • Account data is retained for the lifetime of your subscription.
  • Audit results (metrics + resource lists) are retained for the lifetime of your subscription so the report and history views remain populated.
  • Raw Lighthouse JSON is retained for 90 days, then deleted.
  • OAuth tokens are retained while the integration is connected, and deleted when you disconnect.
  • Operational logs are retained for a short period for debugging and then discarded.

7. Your choices and rights

  • Disconnect an integration at any time from /settings/integrations. Doing so deletes our OAuth tokens for that provider.
  • Revoke Google access at myaccount.google.com/permissions.
  • Delete your data. Email hello@corepulse.dev and we will remove your account and all associated data within 30 days.
  • Data Processing Agreements are available on request to organizations subject to GDPR. Email the address above.
  • Access and correction. If you would like a copy of the personal information we hold about you, or want to correct it, contact us at the address below.

8. Children

CorePulse is a business tool and is not directed to children under 13, and we do not knowingly collect personal information from them.

9. International users

CorePulse is operated from the United States. If you access the service from outside the United States, you understand that your information may be processed in the United States and in countries where our service providers operate.

10. Changes to this policy

We may update this Privacy Policy as the product evolves. When we make material changes, we will update the "Last updated" date above and, when appropriate, notify users by email.

11. Contact

Questions or requests about this policy or your data: hello@corepulse.dev. CorePulse is operated by Grove Labs LLC, a Tennessee limited liability company.

Back to home