Privacy Policy

Version 1.0
Effective June 2, 2026
Governing law: State of Arizona

01 Introduction

AUM Pulse, Inc. ("AUM Pulse," "we," "us," "our") provides a pre-call intelligence platform for independent financial advisors. The product joins prospect meetings as a named participant, synthesizes a structured pre-call brief from each conversation, and surfaces relationship intelligence on the advisor's prospect record for the next meeting. This Privacy Policy describes how AUM Pulse collects, uses, retains, and shares information in the course of providing the service.

This Policy is written primarily for advisors who use AUM Pulse, advisors' firms, and the compliance and security reviewers who evaluate AUM Pulse on those firms' behalf.

Two roles, one platform

For advisor account data — the information an advisor or their firm provides to set up and use AUM Pulse — AUM Pulse acts as data controller. This Policy describes what we collect, how we use it, and the rights advisors have with respect to that data.

For prospect data — the information that flows into AUM Pulse on behalf of the firm's prospects — AUM Pulse acts as data processor. The advisor's firm is the data controller. AUM Pulse processes prospect data on the firm's documented instructions, subject to the terms of the Data Processing Agreement executed between AUM Pulse and the firm.

This Policy is one part of AUM Pulse's compliance documentation set, which also includes the Terms of Service, the Data Processing Agreement, the recording consent flow documentation, the firm compliance brief, and the data architecture document. Documents are available on request.

02 Information AUM Pulse Collects

2.1 Advisor account data (AUM Pulse as controller)

  • Account identification. Advisor name, email address, authentication metadata, and firm record.
  • Firm-level configuration. Firm name, fee-model defaults, annual AUM and revenue targets where recorded, branded meeting-type names, and similar configuration.
  • Integration credentials. OAuth tokens for Calendly, Google Calendar, and Outlook Calendar; webhook secrets for OnceHub. Stored scoped to the advisor and accessible only to the advisor's authenticated session via row-level security.
  • Advisor preferences. IANA timezone and personal video-meeting URL, both advisor-supplied via Settings.
  • Optional team-member emails. Used solely to route inbound booking events to the correct advisor record.
  • Application interaction data. Server-side timestamps for prospect creation, edits, meeting bookings, and synthesis events; anonymized user identifier for error monitoring.

2.2 Prospect data (AUM Pulse as processor)

  • Contact information. Prospect first name, last name, email address, and optionally phone number.
  • Advisor-supplied estimates. An estimate of the prospect's investable assets typed by the advisor. AUM Pulse does not query any custodian, brokerage, or banking system.
  • Advisor-authored notes. Free-text notes equivalent in scope to a standard CRM notes field.
  • Booking context. Booking platform, platform event identifier, UTM tracking parameters from trackable booking links, and advisor-recorded referral relationships.
  • Meeting metadata. Meeting date, time, type, duration, scheduling platform, and lifecycle timestamps.
  • Synthesized intelligence from meetings. A pre-call brief, a "don't do" note, a psychological-state routing signal, structured claim arrays (goals, concerns, financial picture) each with a brief verbatim excerpt capped at 280 characters, and a per-meeting talk-ratio aggregate.
  • Vital™ metric. A relationship-health score derived from non-conversational signals — meeting recency, stage progression, meeting outcomes, and engagement patterns. Computed without reading any meeting transcript or synthesized text content.
  • Audit trail. A record of advisor corrections to synthesized claims, retained as adviser-prepared recordkeeping evidence consistent with SEC Rule 204-2(a)(11).

2.3 What AUM Pulse does not collect

  • Government-issued identifiers. No Social Security numbers, tax IDs, dates of birth, or other government-issued identifiers.
  • Custodial financial data. No account numbers, holdings, positions, balances, transaction history, or any time-series financial data.
  • Actual transferred assets at close. Only closure status and timestamp are recorded.
  • Meeting audio. Never retained on AUM Pulse infrastructure.
  • Raw meeting transcripts. Exist only in edge-function memory during synthesis; never written to any database, log, or external destination.
  • Uploaded files. AUM Pulse provides no file-upload interface.
  • Protected Health Information (PHI). AUM Pulse is not configured as a HIPAA-covered service.
  • Home addresses or precise geolocation. No such columns exist on the prospect record.

03 How AUM Pulse Uses Information

  • To provide and operate the service. Authenticating advisors, displaying prospect records, generating synthesized briefs, computing the Vital™ relationship-health metric, and maintaining the advisor-correction audit trail.
  • To facilitate scheduled meetings. Using booking metadata to create prospect records, schedule the meeting bot, and prepare briefs in advance.
  • To improve advisor effectiveness. Synthesized intelligence is advisor-facing. It is not investment advice, not a recommendation, and not a clinical or diagnostic assessment of the prospect.
  • To send service-related communications. Transactional and operational communications about the account or material changes to documentation.
  • To monitor service health and security. Error events captured by Sentry — method, URL pathname, and stack trace only. No request body, headers, query string, IP, or prospect content.
  • To comply with legal obligations. Including retention of the advisor-correction audit trail consistent with SEC Rule 204-2(a)(11).

AI-output disclaimer. Synthesized intelligence is generated by a large language model from a meeting transcript. It is informational input to the advisor's professional judgment — not advice or a directive. AUM Pulse does not provide investment, legal, tax, or accounting advice. Synthesized output may contain errors or omissions; advisors are expected to verify synthesized claims against their own knowledge before relying on any output to inform client-facing action.

04 Data Architecture Overview

No audio retained · Transcript deleted post-synthesis · AES-256 at rest · TLS in transit

AUM Pulse joins the meeting via Recall.ai as a named participant ("AUM Pulse Assistant"). Audio is processed in transit only — no audio is retained on AUM Pulse infrastructure. After the meeting ends, Recall.ai generates a transcript via async transcription. The transcript is then processed by Claude to extract advisor-facing relationship notes (no PII, no financial identifiers, no holdings, no investment recommendations) and immediately deleted from AUM Pulse systems. Audio is configured to expire automatically within 24 hours on Recall.ai's infrastructure; in normal operation AUM Pulse instructs Recall.ai to delete the audio immediately after the transcript is consumed, typically within minutes of meeting end.

Only synthesized narrative is retained, equivalent to handwritten advisor notes. The synthesized notes include brief verbatim excerpts of prospect speech as evidence underneath each captured claim; these excerpts are capped at 280 characters, equivalent in scope and shape to advisor-handwritten meeting notes. AUM Pulse separately maintains a relationship-health metric (Vital™) that is computed from non-conversational signals — meeting recency, stage progression, meeting outcomes recorded by the advisor, and engagement patterns — without reading any conversational content.

AUM Pulse acts as data processor; the advisor's firm remains data controller. Recall.ai is SOC 2 Type 2 and ISO 27001 certified, and is GDPR and CCPA compliant. Recall.ai does not use customer data to train or fine-tune AI models. All data is encrypted at rest (AES-256) and in transit (TLS).

05 Sharing and Subprocessors

AUM Pulse does not sell prospect data. AUM Pulse does not share prospect data with third parties for advertising or marketing purposes. AUM Pulse uses the following subprocessors:

| Subprocessor | Function | Compliance |
| --- | --- | --- |
| Recall.ai | Meeting-bot platform. Audio ≤24 hours; transcripts deleted post-synthesis. | SOC 2 Type 2, ISO 27001, GDPR, CCPA |
| Supabase | Managed database, edge-function runtime, authentication. | SOC 2 Type 2, ISO 27001, HIPAA-capable |
| Anthropic | Synthesis API (Claude). Transcript in transit only; 7-day commercial API log retention. No model training on customer data. | Commercial Terms |
| Vercel | Frontend hosting. | SOC 2 Type 2, ISO 27001, GDPR/CCPA |
| Sentry | Error monitoring. Method, URL pathname, stack trace only — no payloads, no IPs, no prospect content. | SOC 2 Type 2 |
| Calendly | Booking webhook source. | Calendly trust center |
| OnceHub | Alternative booking webhook source. | OnceHub trust center |
| Google LLC | Advisor-opt-in Google Calendar integration — read calendar busy-time signals and create/update/delete post-call follow-up events. | SOC 2 Type 2, ISO 27001/27017/27018, GDPR/CCPA |
| Microsoft Corporation | Advisor-opt-in Outlook Calendar integration — read calendar busy-time signals and create/update/cancel post-call follow-up events via Microsoft Graph. | SOC 2, ISO 27001, ISO 27018, GDPR/CCPA |
| Cloudflare | DNS-only proxy. No payload visibility. | Cloudflare trust center |

AUM Pulse will provide firms with thirty (30) days advance notice before adding any new subprocessor that materially affects the processing of prospect data.

06 Retention and Deletion

  • Application-level retention. Advisor account data is retained for the duration of the account plus a commercially reasonable period thereafter. Prospect records are retained until the advisor explicitly deletes the prospect or the prospect is archived after a firm-configurable staleness threshold.
  • Database backups. Eight (8) days of daily physical backups managed by Supabase, encrypted at rest.
  • Audit-trail retention. The advisor-correction audit trail is append-only and is retained across prospect deletion as recordkeeping evidence consistent with SEC Rule 204-2(a)(11).
  • Deletion mechanics. Advisor-invoked deletion executes a Postgres function that cascades through six tables: the prospect record, meeting history, notes, document state, related events, and stage checklist completions. Google Calendar and Outlook Calendar follow-up events are cancelled via organizer-initiated cancellation before the meeting record is removed, so cancellation propagates to any attendee copies.

Deletion takes effect immediately at the application layer; data persists in backups for up to eight days, after which it is unrecoverable.

07 Security Measures

  • Row-level security. Every table in AUM Pulse's Postgres database is protected by row-level security policies that scope reads and writes to the user's firm at the database layer. A formal audit was conducted April 19, 2026; four CRITICAL findings were identified and closed before any external advisor accessed the system.
  • Encryption at rest. AES-256, managed by Supabase, covering all database files, indexes, write-ahead logs, and backups.
  • Encryption in transit. TLS 1.2 or higher for all HTTP traffic to and from AUM Pulse.
  • Authentication and access control. Managed by Supabase Auth. Service-role credentials are stored as Edge Function Secrets and never exposed to the frontend or advisor sessions.
  • Observability PII discipline. Sentry captures only HTTP method and URL pathname — never request bodies, headers, query strings, or client IP addresses. Session Replay is intentionally disabled.
  • Personal data breach notification. AUM Pulse will notify affected firms within seventy-two (72) hours of becoming aware of a personal data breach.

08 Your Rights

8.1 Advisor rights (AUM Pulse as controller)

  • Access. Request a copy of the account data AUM Pulse holds.
  • Correction. Correct or update account information within the application or by contacting AUM Pulse.
  • Deletion. Request deletion of your account, subject to retention obligations described in Section 6.
  • Portability. Where applicable law requires, AUM Pulse will provide account data in a structured, commonly used format.
  • Objection and restriction. Object to certain processing or request restriction to the extent provided by applicable law.

8.2 Prospect rights (firm as controller)

For prospect data, AUM Pulse acts as processor on the firm's behalf. Data subject requests from prospects are routed through the advisor's firm. AUM Pulse provides reasonable assistance including access production, deletion execution, and correction recording through the advisor-correction audit-trail mechanism.

8.3 Audit and compliance review

Firms may, upon request and not more than once per twelve-month period, review subprocessor attestation reports, AUM Pulse's own attestation reports, and the data architecture and row-level-security audit documentation. AUM Pulse will respond to security questionnaires within thirty (30) days on a reasonable-efforts basis.

09 International Data Transfers

AUM Pulse's primary infrastructure and the infrastructure of its subprocessors are operated in the United States. Where personal data is transferred internationally, the transfer is made subject to applicable legal protections, including, where required, the Standard Contractual Clauses approved by the European Commission. Firms with EU, UK, or Swiss data subjects should reach out during onboarding to confirm the applicable transfer mechanism.

10 Children's Privacy

AUM Pulse is a business-to-business service intended for use by independent financial advisors. The service is not directed at children, and AUM Pulse does not knowingly collect personal information from children under thirteen (13) years of age. If AUM Pulse becomes aware that it has inadvertently collected personal information from a child, AUM Pulse will delete that information.

11 Changes to This Policy

AUM Pulse may update this Policy from time to time. Material changes will be communicated to advisors and firms through the application or through email to the address on file before they take effect. The effective date of the current version is at the top of this document; prior versions are retained internally and are available on request.

12 Contact

Questions about this Policy, or requests to exercise the rights described in Section 8, may be directed to:

AUM Pulse, Inc.

Attn: Privacy

4802 E. Ray Road Ste #31

Phoenix, AZ 85044

admin@aumpulse.com

This Policy is governed by the laws of the State of Arizona, without regard to its conflict-of-laws principles. Any dispute arising under this Policy is subject to the dispute-resolution provisions of the Terms of Service.