Your data, treated with care.

Welcome to ReferralPulse. This policy explains how your personal information is collected, used, and shared when you use the ReferralPulse web application, mobile apps, and any related services.

By using these services you agree to the collection, use, and disclosure of your information as described below. If you do not agree, please do not use ReferralPulse.

ReferralPulse is a referral management platform built for professionals including attorneys, financial advisors, CPAs, and insurance agents. The platform helps you manage your professional referral network, track referrals, and strengthen business relationships.

2.1 Account information

When you create an account, ReferralPulse collects:

• Name and email address
• Profile photograph (optional)
• Professional title and business type
• Company name and business address
• Phone number (optional)
• Professional license information (when applicable)

2.2 Professional network information

To provide referral management services, ReferralPulse collects:

• Information about your referral partners, including name, contact details, and business information
• Referral history and status updates
• Notes and communications related to referrals
• Meeting transcripts, when you use the meeting recording features
• LinkedIn profile URLs and publicly available professional information

2.3 Behavioral and usage data

ReferralPulse automatically collects:

• Device information such as browser type, operating system, and device identifiers
• Log data including IP addresses, access times, and pages viewed
• Feature usage patterns
• AI chat conversations and voice commands

2.4 Third-party integrations

When you connect third-party services like a CRM, calendar, or email mailbox, ReferralPulse may receive data from those services in accordance with the authorization you grant. Connecting a Gmail mailbox, for example, means ReferralPulse can read messages between you and your partners and send drafts you approve on your behalf. See section 6 for full detail on Google integrations, including the optional Calendar and Gmail connections, and section 5 for the complete list of third-party services in use.

3.1 Service delivery

• Provide, maintain, and improve the referral management platform
• Match you with relevant referral partners
• Track and manage referral status and outcomes
• Generate AI-powered insights and recommendations
• Process meeting recordings and generate summaries

3.2 Communications

• Send transactional emails such as account verification, password resets, and referral notifications
• Provide customer support
• Send product updates and announcements, with your consent
• Generate and send AI-drafted communications on your behalf, with your approval

3.3 Compliance and legal

• Support compliance features for regulated professionals, including referral fee tracking and 1099 preparation
• Maintain audit logs for compliance purposes
• Respond to legal requests and enforce the Terms of Service

3.4 Improvement and analytics

• Analyze usage patterns to improve the service
• Develop new features and functionality
• Conduct research and analysis using aggregated, de-identified data

4.1 AI features

ReferralPulse uses artificial intelligence to enhance your experience:

• Partner matching. Analyzing your network to suggest optimal referral matches.
• Email drafting. Generating personalized introduction and follow-up emails.
• LinkedIn summarization. Creating professional summaries from LinkedIn profiles.
• Meeting analysis. Transcribing and summarizing meeting recordings.
• Voice commands. Processing natural-language queries about your network.
• Proactive recommendations. Suggesting actions to strengthen relationships.

4.2 Data sent to AI providers

When you use AI features, the following may be processed by AI providers such as OpenRouter, OpenAI, and Anthropic:

• Partner information including names, business details, and relationship history
• Your queries and commands
• Meeting transcripts, when using meeting analysis features
• LinkedIn profile content, when using enrichment features
• Email message content, when a connected mailbox is in use. Bulk and automated mail is filtered out before any AI step. Messages that pass the filter are first classified by a lightweight model and only the small fraction that appears relevant to your referral network is passed to a stronger extraction model. The extracted output (a short summary, detected partners, referrals, action items, and signature shape) is what ReferralPulse keeps. See section 6.3 for the corresponding mailbox-level controls.

4.3 Automated decision-making

ReferralPulse AI systems make the following automated assessments:

• Match scores. Calculating compatibility between you and potential referral partners.
• Reciprocity analysis. Identifying imbalances in referral relationships.
• Follow-up recommendations. Suggesting when to reconnect with partners.
• Network gap analysis. Identifying missing expertise in your network.

These assessments are recommendations only. No automated decisions are made without your review and approval.

4.4 Opting out of AI features

You can disable AI features in your privacy settings. When disabled:

• Your data will not be sent to AI providers
• AI-powered features for matching, drafting, and analysis will be unavailable
• Core referral tracking functionality remains available

ReferralPulse uses the following third-party services:

Google OAuth

Authentication (Sign in with Google)

Name, email address, profile picture

Google Calendar API

Optional calendar integration

Event titles, times, attendee emails (last 12 months)

Gmail API

Optional mailbox connection (read inbox, send on your behalf)

Message subjects, headers, bodies, sent drafts

OpenRouter / OpenAI / Anthropic

AI features

Partner info, queries, transcripts, filtered email content

LeadMagic

LinkedIn enrichment

LinkedIn URLs

Clio CRM

Contact sync (when connected)

Contacts, matters

Recall.ai

Meeting recording

Audio, video, transcripts

Resend

Email delivery

Email addresses, message content

Vercel Blob

File storage

Uploaded files

Upstash Redis

Caching

Session data (anonymized)

Neon PostgreSQL

Database

All account data

Vercel

Hosting

Application logs

Each service operates under its own privacy policy. You are encouraged to review those policies directly.

ReferralPulse offers Sign in with Google as an authentication option. This section describes how data received from Google APIs is handled, in compliance with the Google API Services User Data Policy, including the Limited Use requirements.

6.1 Data accessed from Google

When you sign in with Google, ReferralPulse requests access to basic profile information only:

• Name. Your display name, used to personalize your account.
• Email address. Used as your account identifier and for transactional communications.
• Profile picture. Displayed inside ReferralPulse as your avatar.

ReferralPulse does not request access to Google Drive or any other Google services beyond basic authentication, except for two optional integrations that are never requested during sign-in: the Google Calendar integration (section 6.2) and the Gmail mailbox integration (section 6.3). Each integration is a separate, deliberate connect step from the settings or onboarding page, with its own consent screen, and either can be revoked independently.

6.2 Optional Google Calendar integration

If you choose to connect Google Calendar from your settings page, ReferralPulse requests read-only access to your primary calendar (calendar.readonly scope). You can disconnect at any time and Google will also show the connection at myaccount.google.com where you can revoke it directly.

• What is accessed. Events from your primary calendar over the last 12 months, including event titles, times, and attendee email addresses. No other calendars are scanned and no events are created, modified, or deleted.
• Why. To suggest potential referral partners from people you have met with more than once.
• How it is used. Attendee emails are filtered (internal colleagues, large meetings, resource calendars, and scheduling bots are excluded) and scored. Candidates surface for your review on the Partners suggestions page, and nothing becomes a Partner until you explicitly approve it.
• Retention. Meeting titles are shown on the review page only so you can recognize who a suggestion is. The moment you approve or ignore a suggestion, those meeting titles are dropped from our database. Aggregate numbers (how many times you met, first and last meeting date) are kept so the same person is not surfaced again. Sample event titles used internally for debugging sync quality are removed after 30 days. You can delete your account at any time to remove all of this data.
• Revocation. Disconnect from the settings page or revoke access at myaccount.google.com. Once revoked, no further calendar data is read.

6.3 Optional Gmail integration

If you choose to connect your Gmail mailbox from the settings or onboarding page, ReferralPulse requests the gmail.modify OAuth scope. This is the single scope that allows ReferralPulse to read messages from your mailbox and send messages on your behalf. It does not include Gmail settings, account configuration, or any other Google service. You can disconnect at any time, and Google will also show the connection at myaccount.google.com where you can revoke it directly.

• What is read. Messages in your mailbox over the last 6 months at the initial backfill, and any new inbound and outbound messages on an ongoing basis after that. Subjects, sender and recipient addresses, message content, attachment filenames, and timestamps are read. Attachments themselves are not downloaded or stored.
• Why. To populate your partner timeline with real conversation history, automatically detect introductions and referrals worth tracking, propose updates to your network, and learn your writing style so that AI-drafted emails sound like you wrote them.
• How content is processed. Every message passes through a three-tier filter. Most messages (mailing lists, automated mail, transactional notifications) are dropped immediately without any AI processing. A small subset that looks relevant is classified by a lightweight model, and only the smaller fraction that appears to relate to your referral network reaches a stronger extraction model. The extraction produces a short summary, detected partner emails, detected referrals, action items, and a signature shape.
• What is sent on your behalf. When you approve a draft inside ReferralPulse for a partner or introduction, that draft is sent through your connected Gmail account so it arrives from your real email address and threads correctly into existing conversations. ReferralPulse never sends a message without an explicit click from you. There is no auto-send mode.
• What is never done. ReferralPulse does not modify, delete, label, move, or archive existing messages in your mailbox. It does not read or write your Gmail filters, vacation responder, signature configuration, contacts, or any other mailbox setting. The gmail.modify scope is used only to read messages and to insert new messages you have approved.
• Retention. The original body of each message is encrypted with a key generated specifically for your account (AES-256-GCM, with the per-account key wrapped under a ReferralPulse master key) and stored in a separate vault table. Every vault entry is automatically and permanently deleted 30 days after it was read. The structured fields extracted from each message (sender, recipient, subject, AI summary, detected partners, referrals, action items, signature shape, and writing-style features) are kept for as long as your account is active, since these are what populate the timeline and power AI drafts. Section 8 lists the full retention schedule.
• View original. When ReferralPulse shows a mailbox-derived message inside the application, the "View original" link opens that message in Gmail directly. The original body is not displayed inside ReferralPulse's own UI.
• Controls. From the settings page you can pause sync (keeping the connection but skipping new processing), exclude specific email domains, individual partner addresses, or keywords from ever being read, purge the entire encrypted vault on demand, or disconnect the integration. Disconnecting wipes your per-account encryption key, which makes any remaining vault content unreadable even before the daily purge runs.
• Revocation. Disconnect from the settings page or revoke access at myaccount.google.com. Once revoked, no further mailbox data is read or sent.

6.4 How Google user data is used

• To create and authenticate your ReferralPulse account
• To display your name and profile picture within the application
• To send you account-related notifications and service communications
• For additional uses tied to the optional integrations, see sections 6.2 (Calendar) and 6.3 (Gmail) above.

6.5 Storage and protection

Google profile data (name, email, profile picture URL) is stored in a secure database hosted on Neon PostgreSQL with encryption at rest. Access is restricted to authenticated sessions tied to your account.

Gmail message bodies receive an additional layer of protection. Each connected account has its own randomly generated 256-bit encryption key, which is itself wrapped under a ReferralPulse master key (envelope encryption). Message bodies are encrypted with AES-256-GCM before being written to the vault, and the only process that can decrypt them is the ReferralPulse pipeline running in memory when generating drafts or extracting partner data. The vault table is wiped on a daily schedule for entries older than 30 days, and disconnecting your mailbox immediately destroys your per-account key.

6.6 Limited Use disclosure

Specifically, ReferralPulse confirms that:

• Google user data is only used to provide and improve user-facing features of ReferralPulse
• Google user data is not transferred to third parties except as necessary to provide the service, with user consent, or as required by law
• Google user data is not used for advertising, including retargeting, personalized, or interest-based advertising
• Humans do not read Google user data unless you have given affirmative consent, it is necessary for security purposes, or it is required to comply with applicable law
• Google user data is not used to train AI or machine-learning models

6.7 Revoking access

You can revoke ReferralPulse access to your Google account at any time through your Google Account permissions. You can also delete your ReferralPulse account from within the app, which will remove all stored Google user data. Calendar and Gmail can be revoked individually from the settings page; revoking either does not disconnect the other and does not sign you out.

ReferralPulse does not sell your personal information. Information may be shared in the following circumstances.

7.1 With your consent

• When you explicitly authorize sharing, such as connecting CRM integrations
• When you choose to share your profile with other ReferralPulse users

7.2 Service providers

With third-party service providers who perform services on behalf of ReferralPulse (see section 5), subject to confidentiality obligations.

7.3 Legal requirements

• To comply with applicable laws, regulations, or legal processes
• To protect the rights, privacy, safety, or property of ReferralPulse, its users, or the public
• To enforce the Terms of Service

7.4 Business transfers

In connection with a merger, acquisition, or sale of assets, your information may be transferred. You will receive notice before your information becomes subject to a different privacy policy.

ReferralPulse retains your information for as long as necessary to provide the service and fulfill the purposes described in this policy. Specific retention periods:

Account information

Duration of account, plus 30 days after a deletion request

Referral records

7 years, for tax and compliance purposes

Payment and fee tracking records

7 years, IRS requirement for 1099 reporting

Meeting recordings

90 days, or until manually deleted

Email message bodies (encrypted vault)

30 days, then permanently deleted (extracted summaries and partner data are retained)

AI conversation history

90 days

Audit logs

7 years, compliance requirement

Application logs

30 days

Regardless of your location, you have the following rights over your personal information:

• Access. Request a copy of the personal information held about you.
• Correction. Request correction of inaccurate or incomplete information.
• Deletion. Request deletion of your personal information, subject to legal retention requirements.
• Export. Request your data in a portable, machine-readable format.
• Restrict processing. Request that ReferralPulse limit how your data is used.
• Withdraw consent. Withdraw previously given consent at any time.
• Opt out of AI. Disable AI-powered features in your settings.

To exercise these rights, contact privacy@referralpulse.ai or use the controls in your account settings. Responses are provided within 30 days.

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act.

10.1 Categories of information collected

• Identifiers such as name, email, and phone number
• Professional information including job title, company, and licenses
• Commercial information including referral history and transaction records
• Internet activity such as usage data and browsing history within the service
• Inferences such as match scores and recommendations

10.2 Your California rights

• Right to know. Request details about categories and specific pieces of information collected.
• Right to delete. Request deletion of your information.
• Right to correct. Request correction of inaccurate information.
• Right to opt out of sale or sharing. See the note below.
• Right to non-discrimination. ReferralPulse will not discriminate against you for exercising your rights.

10.3 Do not sell or share my personal information

10.4 Global Privacy Control (GPC)

ReferralPulse honors Global Privacy Control signals. If your browser sends a GPC signal, it is treated as a valid opt-out request.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation.

11.1 Lawful bases for processing

ReferralPulse processes your data based on:

• Contract. To provide the service as agreed in the Terms of Service.
• Legitimate interests. To improve the service, prevent fraud, and communicate with you.
• Consent. For optional features like marketing communications and AI processing.
• Legal obligation. To comply with applicable laws and regulations.

11.2 Your GDPR rights

In addition to the rights in section 9, you have:

• Right to object. Object to processing based on legitimate interests.
• Right to restrict. Request restriction of processing in certain circumstances.
• Right to portability. Receive your data in a structured, machine-readable format.
• Right to lodge a complaint. File a complaint with your local supervisory authority.

11.3 Data protection contact

For GDPR-related inquiries, contact the data protection representative at dpo@referralpulse.ai.

ReferralPulse is based in the United States. If you access the service from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where the service providers operate.

For transfers from the EEA, UK, or Switzerland to countries not deemed adequate by the European Commission, ReferralPulse relies on:

• Standard Contractual Clauses approved by the European Commission
• Data processing agreements with appropriate safeguards
• Binding corporate rules where applicable

You may request a copy of the relevant transfer mechanism by contacting privacy@referralpulse.ai.

13.1 Types of cookies in use

• Essential cookies. Required for authentication and core functionality.
• Functional cookies. Remember your preferences and settings.
• Analytics cookies. Help ReferralPulse understand how the service is used.

13.2 Managing cookies

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of the service.

13.3 Do Not Track

ReferralPulse honors Do Not Track browser signals. When DNT is enabled, non-essential tracking is disabled.

ReferralPulse implements industry-standard security measures to protect your information:

• Encryption in transit. All data transmitted between you and the service uses TLS 1.3 encryption.
• Encryption at rest. Sensitive data is encrypted using AES-256 encryption.
• Access controls. Role-based access controls limit who can access your data.
• Authentication. Secure authentication via Google OAuth and email or password with bcrypt hashing.
• Monitoring. Continuous security monitoring and logging.
• Regular audits. Periodic security assessments and penetration testing.

No system is completely secure. If you believe your account has been compromised, contact security@referralpulse.ai immediately.

This policy may be updated from time to time to reflect changes in practices or for legal, operational, or regulatory reasons.

When changes are made:

• The Updated date at the top of this policy will change
• For material changes, you will be notified by email or through a prominent notice inside the service
• At least 30 days' notice will be given before material changes take effect

Continued use of the service after the changes take effect constitutes acceptance of the updated policy.

If you have questions, concerns, or requests regarding this policy or data practices, the ReferralPulse privacy team is available at the addresses below.