Privacy Policy

1. Overview

PulseTheory is an internal client reporting platform operated by DontMatter, a digital marketing agency based in Thessaloniki, Greece. It is accessible at pulsetheory.eu.

This platform aggregates advertising and web analytics data from third-party APIs (Meta Marketing API, Google Analytics 4, Google Search Console, Google Ads) and generates branded PDF performance reports for agency clients. Access is restricted to authorised DontMatter staff.

2. Data Controller

3. Data We Collect

3.1 Account Credentials (Internal Users)

For DontMatter staff who log in to PulseTheory, we store:

• Full name and email address
• Hashed password (bcrypt — never stored in plain text)
• Session tokens (stored server-side, expire on logout)

3.2 OAuth Access Tokens

When a Meta or Google account is connected to the platform, we store the OAuth access token and refresh token required to call those APIs on behalf of the connected account. These tokens are encrypted at rest using Laravel's AES-256-CBC encryption.

3.3 Advertising and Analytics Metrics

We retrieve and store the following aggregate performance data — no personal data belonging to end users of our clients' platforms is ever stored:

• Meta Ads Daily impressions, reach, clicks, spend, CPM, CPC, CTR; campaign-level breakdowns; age/gender demographic aggregates
• Google Analytics 4 Daily sessions, users, new users, engaged sessions, engagement rate, bounce rate, average session duration, conversions, revenue
• Search Console Daily clicks, impressions, CTR, average position; top search queries (anonymised by Google); Discover and News surface data
• Google Ads Daily impressions, clicks, cost, conversions, CTR, average CPC, conversion rate, ROAS; campaign-level breakdowns

3.4 Client Information

We store basic client business information provided by DontMatter staff: client name, website URL, social media profile URLs, brand colour, and optionally a client logo. This information is used solely for report generation and branding.

3.5 Email Delivery Events

When monthly reports are sent via Mandrill (Mailchimp Transactional), we log delivery event metadata (sent, delivered, opened) for audit purposes. We do not store email body content.

4. Third-Party APIs and Services

Meta Marketing API

We use the Meta Marketing API in read-only mode to retrieve ad performance insights for connected ad accounts. We request only the ads_read permission. We do not access personal profiles, friend lists, messages, or any non-advertising data. Meta's data policy applies to all data obtained through their API: facebook.com/privacy/policy

Google APIs

We use the following Google APIs in read-only mode:

• Google Analytics 4 Data API — analytics.readonly scope — retrieve aggregate session and conversion data for connected GA4 properties
• Google Search Console API — webmasters.readonly scope — retrieve organic search performance data for connected web properties
• Google Ads API — adwords scope — retrieve campaign and cost data for connected Google Ads accounts

We do not access user identity, contacts, email, Drive, Calendar, or any Google service beyond the three scopes listed above. Google's privacy policy applies: policies.google.com/privacy

Mandrill (Mailchimp Transactional)

Outbound emails (monthly report delivery) are sent via Mandrill SMTP. Mandrill processes recipient email addresses and delivery events on our behalf. Mandrill's privacy policy: mailchimp.com/legal/privacy

Hosting (Jelastic / Scaleforce)

The application and database are hosted on Scaleforce / Jelastic PaaS infrastructure in the EU. Data is not transferred outside the European Economic Area.

5. Purpose and Legal Basis

All data processing is carried out for the following purposes:

• Legitimate interest / Contractual necessity — generating advertising performance reports for clients of DontMatter as part of our service delivery
• Account management — maintaining connected API credentials so that automated data synchronisation can run daily without manual intervention
• Compliance — logging email delivery events and processing data deletion requests as required by Meta and applicable privacy regulation

Under GDPR (EU) 2016/679, our legal basis for processing is Article 6(1)(b) (performance of a contract) for client reporting, and Article 6(1)(f) (legitimate interests) for internal analytics metrics.

6. Data Retention

• Advertising and analytics metrics — retained indefinitely to support historical trend analysis. PDF exports older than 12 months are automatically deleted.
• OAuth access tokens — retained until the connected account is disconnected or the token is revoked. Tokens are invalidated by revoking access in Meta/Google account settings.
• User accounts — retained for the duration of employment at DontMatter. Accounts are disabled upon departure.
• Email event logs — retained for 12 months.

7. Data Sharing

We do not sell, rent, or share any data collected through PulseTheory with third parties except:

• The third-party API providers listed in Section 4 (Meta, Google, Mandrill, Scaleforce) who process data as data processors under our instruction
• Where required by law or regulatory obligation

Aggregate advertising metrics may be included in client-facing PDF reports delivered by email — this is the primary purpose of the platform.

8. Security

• All traffic to pulsetheory.eu is encrypted via HTTPS/TLS
• OAuth tokens and sensitive settings are encrypted at rest using AES-256-CBC
• Passwords are hashed using bcrypt (never stored in plain text)
• Access to the platform requires authentication — it is not publicly accessible
• The application is hosted on EU-based infrastructure with restricted access

9. Your Rights

Under GDPR, individuals whose personal data we hold have the right to:

• Access — request a copy of the data we hold about you
• Rectification — request correction of inaccurate data
• Erasure — request deletion of your personal data ("right to be forgotten")
• Restriction — request that we limit how we use your data
• Objection — object to processing based on legitimate interests
• Portability — receive your data in a structured, machine-readable format

To exercise any of these rights, contact us at info@dontmatter.gr. We will respond within 30 days.

You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA): dpa.gr

10. Data Deletion Requests

If you have authorised PulseTheory to access your Meta or Google account and wish to have your data deleted from our system, you may:

• Revoke app access directly from your Facebook Settings → Apps and Websites, or your Google Account → Third-party apps with account access. This immediately invalidates the stored access token.
• Contact us at info@dontmatter.gr and we will manually remove all associated data within 30 days.

Meta's platform also supports automated data deletion callbacks. When triggered, we remove the associated access token and log the deletion request with a confirmation code. You can check the status of a deletion request at:

https://pulsetheory.eu/deletion-status/{confirmation_code}

11. Cookies

PulseTheory uses only one cookie: a session cookie (pulsetheory_session) that keeps you logged in. This cookie is:

• Strictly necessary for the application to function
• HTTP-only (not accessible via JavaScript)
• Deleted when you log out or close your browser

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

12. Policy Changes

We may update this policy as the platform evolves or as required by regulation. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of PulseTheory after a policy update constitutes acceptance of the revised policy.

13. Contact Us

For any questions, requests, or concerns related to this Privacy Policy or our data practices: