PRIVACY POLICY

‍Last Updated:  August 8, 2025

‍

BY ACCESSING OR USING THE SERVICE YOU ACKNOWLEDGE THAT YOU HAVE READ THIS PRIVACY POLICY AND UNDERSTAND OUR PRACTICES. WHERE REQUIRED BY APPLICABLE LAW WE WILL REQUEST YOUR EXPLICIT CONSENT.

ARTICLE I: INTRODUCTION AND SCOPE

1.1 Company Identity

This Privacy Policy ("Policy") is issued by Impulsum Me LLC, a limited liability company duly organized and existing under the laws of the United States, with its principal business address at 6045 Oakbend st. APT 12205 Orlando FL. US 32835, and operating the software-as-a-service (SaaS) platform accessible via www.impulsum.me ("Website" or "Platform"). Throughout this document, Impulsum Me LLC is referred to as "Impulsum," "we," "our," or "us."

1.2 Purpose of this Privacy Policy

This Policy outlines how Impulsum collects, uses, discloses, stores, and protects your personal data when you interact with our Platform, products, and services (collectively, the "Services"). It also explains your privacy rights and choices under applicable privacy laws, including but not limited to:

1. U.S. Federal and State Privacy Laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and other state-level laws.

2. General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) for residents of the European Economic Area (EEA) and the United Kingdom (UK GDPR).

3. Children’s Online Privacy Protection Act (COPPA) and similar child data protection laws.

In accordance with Article 27 of the GDPR, if Impulsum lacks a physical establishment in the European Union but offers services to EU residents, we will appoint a designated EU Representative. Details of the representative can be provided upon request, and, where required by law or upon significant expansion of our EU user base, the name and contact information of such representative will be explicitly included in this Policy.

1.3 Scope of the Policy

This Policy applies to all visitors, registered users, and customers of our Services. It governs all data processing activities conducted by Impulsum, including the data collected through:

1. The Impulsum Platform (web and mobile interfaces)

2. Integrations with third-party project management tools (e.g., Jira, Trello, Asana, ClickUp, Monday.com)

3. API interactions

4. Communication channels (e.g., email support, chat)

This Policy does not apply where Impulsum acts solely as a data processor on behalf of enterprise customers who use our Services for their employees or contractors. In such cases, the customer’s privacy policy governs the use of personal data.

ARTICLE II: DEFINITIONS

2.1 "Personal Data"

Any information that identifies, relates to, describes, or can reasonably be linked, directly or indirectly, to an identified or identifiable individual (e.g., name, email address, IP address, project data synchronized from integrated tools).

2.2 "Processing"

Any operation performed on Personal Data, whether automated or not, including collection, storage, use, disclosure, deletion, or transfer.

2.3 "Controller" and "Processor"

1. Controller: The entity that determines the purposes and means of processing Personal Data.

2. Processor: The entity that processes Personal Data on behalf of the Controller.

2.4 "Third-Party Integrations"

External services and software applications integrated with Impulsum, such as Jira (Atlassian), Trello, Asana, ClickUp, Monday.com, OpenAI GPT-4, Anthropic models, Google Gemini, and other third-party APIs or AI model providers that may be used to power certain features of the Platform. These integrations and AI providers may change from time to time to improve functionality, performance, or compliance with applicable laws, including AI-related bias risk assessments required under certain state laws such as the Tennessee Information Protection and Privacy Act (TIPRA).

ARTICLE III: PERSONAL DATA WE COLLECT

3.1 Data You Provide Directly

We collect Personal Data you voluntarily provide when using our Services, including but not limited to:

1. Account Information: Name, email address, company name, username, password, and account preferences.

2. Billing Information: Payment card details, billing addresses, and transaction histories when you subscribe to paid services.

3. Support and Communication Data: Content of communications with our customer support team, including emails, chat messages, and support tickets.

4. Project and Integration Data: Data synchronized from third-party platforms you connect (e.g., Jira project metadata, task names, deadlines, assigned users, and other project-specific information).

5. Inputs and Content: Any text, files, or other data you submit to the Platform as inputs for analysis or AI-driven insights.

3.2 Data Collected Automatically

When you use the Services, we automatically collect certain technical and usage information, such as:

1. Device Information: IP address, device type, operating system, browser type, and version.

2. Usage Data: Pages visited, time spent on the Platform, features used, links clicked, and referring URLs.

3. Cookies and Similar Technologies: We use cookies, pixels, and local storage to maintain user sessions, remember preferences, analyze usage, and personalize the user experience (see Article IX).

4. Log Data: Diagnostic and performance logs, including error reports, access timestamps, and security audit trails.

3.3 Data from Third-Party Sources

We may collect Personal Data from external sources, including:

1. Integrated Platforms: Jira/Atlassian, Trello, Asana, ClickUp, Monday.com, or any other project management tools you authorize, including but not limited to the listed examples, as Impulsum may expand integrations over time, and other connected applications.

2. Analytics and Marketing Partners: Third-party analytics services (e.g., Google Analytics, Supabase) and marketing platforms.

3.4 Sensitive Data

We strictly prohibit the submission of sensitive categories of Personal Data (e.g., health data, government-issued IDs, financial account numbers, biometric identifiers). The Platform is not HIPAA-compliant or PCI-certified, and users must not submit Protected Health Information (PHI) or payment card details via our Services. Any such data, if detected, will be promptly deleted or anonymized without liability to Impulsum.

3.5 Children’s Data

Impulsum does not knowingly collect or process data from children under the age of 18. If we discover that we have inadvertently collected Personal Data from a child, we will delete it promptly.

ARTICLE IV: PURPOSES AND LEGAL BASES FOR PROCESSING

4.1 Purposes

We process Personal Data for the following purposes:

1. To provide and maintain the Services: Including account management, integrations, and data synchronization.

2. To personalize and improve user experience: Deliver AI-powered insights, dashboards, and predictive analytics.

3. To communicate with you: Send updates, service notifications, security alerts, and marketing communications (where permitted by law).

4. To process payments and manage billing.

5. To monitor and secure the Platform: Detect, prevent, and mitigate fraudulent or unauthorized activity.

6. To comply with legal obligations: Satisfy regulatory requirements, enforce contracts, and respond to lawful requests.

7. To conduct research and product development: Improve algorithms, enhance features, and develop new services.

4.2 Legal Bases (GDPR and other applicable laws)

1. Consent: For activities like marketing emails or optional integrations requiring user approval.

2. Contractual Necessity: To fulfill obligations under our Terms of Service or Subscription Agreement.

3. Legitimate Interests: Improve services, protect security, and analyze usage, provided such interests are not overridden by user rights.

4. Legal Obligations: Compliance with applicable laws and regulatory requirements.

4.3 Automated Decision-Making

Impulsum does not use Personal Data for any automated decision-making that produces legal or similarly significant effects on individuals, as defined under Article 22 of the GDPR. Under laws like the Colorado Privacy Act (CPA), we take steps to mitigate AI bias risks through internal assessments; however, no automated decisions are made that would produce legal effects or comparably significant impacts on individuals.

ARTICLE V: THIRD-PARTY INTEGRATIONS AND DATA SHARING

5.1 Third-Party Integrations

Our Platform allows you to connect to external project management tools (e.g., Jira, Trello, Asana, ClickUp, Monday.com, or any other project management tools you authorize). When you authorize an integration:

1. We access and process only the data necessary to deliver the requested functionality.
   
   
2. The third-party provider’s terms and privacy policy govern their handling of your data.
   
   
3. You may revoke integration access at any time through your Impulsum account settings.

5.2 Data Sharing with Third Parties

We may share Personal Data with:

1. Service Providers: Cloud hosting (e.g., AWS, Supabase), analytics, payment processors (e.g., Stripe), email delivery services, and customer support tools.

2. AI Model Providers: OpenAI GPT-4, Anthropic models, Google Gemini, or other similar AI providers for natural language processing and related AI-driven functionality. Data is transmitted securely and used solely to generate requested outputs. For AI providers such as OpenAI, prompts are retained temporarily only for abuse monitoring purposes and are not used for training, in accordance with contractual “zero-retention” riders. For customers operating in regulated environments, we recommend enabling Confidential Mode to further restrict prompt and output persistence. Where applicable under laws such as the Colorado Privacy Act (CPA) or the Tennessee Information Protection and Privacy Act (TIPRA), we take additional steps to conduct and document bias risk assessments of AI model outputs to mitigate potential discriminatory or adverse impacts.

3. Corporate Transactions: Successors in the event of a merger, acquisition, or sale of assets.

4. Legal Authorities: Government agencies, regulators, or law enforcement when legally required.

5. Subprocessors: We enter into Data Processing Agreements (DPAs) with all subprocessors, including but not limited to OpenAI, Anthropic, Google, Atlassian, and other third-party providers, to ensure compliance with Article 28 GDPR. These agreements require subprocessors to process Personal Data solely on our documented instructions, implement appropriate safeguards, and maintain confidentiality.

With regard to AI service providers (such as OpenAI), prompts may be retained for up to 30 days solely for abuse monitoring and are not used to train models. Our agreement with OpenAI includes contractual restrictions limiting data use and retention ("zero-retention" provisions where applicable).

5.3 Data Disclosure Controls

We require all third parties who process Personal Data on our behalf to:

1. Act only on documented instructions.

2. Implement industry-standard security measures.

3. Refrain from using Personal Data for their own purposes.

ARTICLE VI: DATA SECURITY MEASURES

6.1 Security Practices

We maintain administrative, technical, and physical safeguards designed to protect your Personal Data, including:

1. End-to-end encryption of data in transit (TLS 1.2 or higher).

2. Encryption of data at rest using AES-256.

3. Access controls based on the principle of least privilege.

4. Multi-factor authentication for internal administrative accounts.

5. Regular security audits and penetration tests.

6.2 Breach Notification

In the event of a data breach likely to result in significant harm, we will notify affected individuals and applicable regulators as required by law.

ARTICLE VII: USER RIGHTS

7.1 Rights Under GDPR and Similar Laws

Depending on your jurisdiction, you may have the following rights:

1. Right of Access: Request a copy of the Personal Data we hold about you.

2. Right to Rectification: Correct inaccurate or incomplete data.

3. Right to Erasure ("Right to be Forgotten").

4. Right to Data Portability: Receive your data in a structured, machine-readable format.

5. Right to Restrict or Object to Processing.

6. Right to Withdraw Consent: Where processing is based on consent.

7. Where applicable under U.S. state laws (e.g., VCDPA), you have the right to appeal if your request to exercise privacy rights is denied. If unsatisfied with the appeal outcome, you may contact the state’s Attorney General. Under certain state laws, such as the Maryland Online Data Privacy Act (MODPA), you also have the right to opt out of targeted advertising, profiling, or automated decision-making involving AI that produces legal or similarly significant effects.

7.2 CCPA/CPRA Rights (California Residents)

1. Right to Know: Categories of Personal Data collected, sources, purposes, and third parties with whom it is shared.

2. Right to Delete: Request deletion of Personal Data, subject to exceptions.

3. Right to Opt Out of Sale/Sharing: We do not sell or share Personal Data for cross-context behavioral advertising.

4. Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

7.3 Exercising Your Rights

To exercise any of these rights, please contact us at info@impulsum.me. We may require identity verification before fulfilling your request. We will respond to verified requests within forty-five (45) days of receipt. This period may be extended once by an additional forty-five (45) days when reasonably necessary, in accordance with applicable law. If we deny your request, we will inform you of the reasons and provide information on how to submit an appeal (where applicable).

ARTICLE VIII: DATA RETENTION

8.1 Retention Periods

We retain Personal Data only as long as necessary for the purposes described in this Policy or as required by law. For example:

1. Account Data: Retained for the life of your account plus a reasonable period for auditing and dispute resolution.

2. Integration Data: Deleted promptly upon revocation of integration access.

3. Billing Data: Retained for the legally required period (typically 7 years).

8.2 Deletion Procedures

When data is no longer required, we will securely delete or anonymize it in compliance with applicable regulations.

8.3 De-identification of Data

Where possible and appropriate, we apply de-identification or anonymization techniques to Personal Data before using it for analytics, research, or service improvement. De-identified data cannot reasonably be linked to an identified or identifiable individual, and Impulsum will not attempt to re-identify such data except as necessary to verify effectiveness of de-identification measures.

ARTICLE IX: COOKIE AND TRACKING TECHNOLOGIES

9.1 Use of Cookies

We use cookies and similar technologies to:

1. Authenticate users and maintain sessions.

2. Store user preferences.

3. Analyze usage patterns and improve performance.

9.2 Consent Management

For users in jurisdictions requiring consent (e.g., EU), we will present a cookie banner allowing you to accept or reject non-essential cookies.

9.3 Third-Party Analytics

We use third-party analytics tools (e.g., Google Analytics) to collect aggregated usage statistics. These providers may set cookies of their own.

9.4 U.S. Cookie Opt-Out

For U.S. users, you may opt out of non-essential cookies, including those used for targeted advertising, through your account settings or by following the “Do Not Sell or Share My Personal Information” link available in the website footer. We honor browser-based Global Privacy Control (GPC) signals where required by applicable law.

ARTICLE X: INTERNATIONAL DATA TRANSFERS

10.1 Cross-Border Transfers

Your data may be transferred to servers located in the United States or other jurisdictions. We implement appropriate safeguards, such as:

1. Standard Contractual Clauses (SCCs) for transfers from the EEA/UK.

2. Data processing agreements with all international service providers.

In the absence of an adequacy decision, international data transfers are based on your explicit consent, and we implement Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK Addendum or International Data Transfer Agreement (IDTA). Additional safeguards, including end-to-end encryption and pseudonymization, are applied where appropriate to secure your data during and after the transfer.

ARTICLE XI: CHILDREN’S PRIVACY

Our Services are not directed to children under 18. We do not knowingly collect Personal Data from minors. If you believe we have inadvertently collected data from a child, please contact us immediately.

ARTICLE XII: CHANGES TO THIS POLICY

We may update this Policy from time to time. Changes will be posted on our Website with the “Last Updated” date revised. For material changes, including changes to categories of data collected, purposes of processing, or third-party sharing practices, we will provide at least thirty (30) days’ advance notice via email or in-platform notification before such changes take effect. Your continued use of the Services following the effective date constitutes acceptance of the revised Policy.

ARTICLE XIII: CONTACT INFORMATION

If you have any questions, concerns, or complaints regarding this Policy or our data practices, you may contact us at:

Email: info@impulsum.me

Mail: 6045 OAKBEND ST, APT 12205, ORLANDO, FL. US 32835

We will respond to verified requests within the timeframes required by applicable law.

ARTICLE XIV: SUPPLEMENTAL DISCLOSURES FOR SPECIFIC JURISDICTIONS

14.1 California (CCPA/CPRA)
Please see Article VII for specific California consumer rights.

14.2 European Economic Area (GDPR)

Our lawful bases for processing, international transfer mechanisms, and Data Protection Officer contact details are available upon request.

14.3 Other U.S. States

Residents of Virginia (VCDPA), Colorado (CPA, including provisions related to AI and bias risk mitigation), Connecticut (CTDPA), Delaware (DPDPA), Iowa (ICDPA), Nebraska (NDPA), New Hampshire (NHPA), New Jersey (NJPA), Minnesota (MCDPA), Tennessee (TIPRA), Maryland (MODPA), and other states with similar privacy legislation may have rights similar to those described above, subject to applicable thresholds and exemptions. Please contact us for details.