Privacy Policy

Last Updated: April 24, 2026

Overview

Pulse Endpoint is a client-side macOS application that monitors system performance metrics locally on your device. We are committed to collecting the minimum amount of data necessary to operate the software and enforce licensing. This policy explains exactly what data Pulse Endpoint collects, what it does not collect, and how we handle the limited data we do receive.

Qlab Software LLC (a California limited liability company) is the data controller for the purposes of this Privacy Policy.

In plain language: Qlab Software does not sell, rent, trade, or share your personal information with any third party for marketing, advertising, or any other purpose.

At a glance

Performance metrics stay on your device. They are stored locally and are only sent to destinations you explicitly configure (e.g., a Splunk HEC endpoint).

The only data Qlab Software receives is a once-per-24-hour license heartbeat, which activates automatically after your license is installed. Each heartbeat contains:

  • your license email,
  • a hashed hardware identifier (HMAC-SHA256 of your Mac's hardware UUID, keyed by your license email — the raw UUID is never transmitted),
  • the app version, and
  • the license tier.

No performance metrics, user activity, process names, or personal data are ever sent to Qlab Software. Full details in Sections 1 and 2 below.

1. What Pulse Endpoint Collects Locally

Pulse Endpoint collects the following system performance metrics on each device where it is installed:

  • CPU usage, load averages, and thermal state
  • Memory utilization, pressure levels, and swap usage
  • Disk read/write operations and utilization
  • Network traffic (bytes and packets in/out)
  • GPU utilization
  • Battery level, power source, and charging status
  • Running process names, process IDs, parent process IDs, and associated usernames
  • System information including hostname, macOS version, hardware model, and uptime

This data is stored locally on your device in JSONL format at ~/Library/Application Support/Pulse Endpoint/metrics/ and is subject to configurable retention and size limits. Pulse Endpoint does not transmit this data to Qlab Software. It is only sent to destinations you explicitly configure (e.g., a Splunk HEC endpoint), over HTTPS.

2. What Qlab Software Receives

After a valid license key is activated, Pulse Endpoint sends a lightweight heartbeat to our licensing server (licensing.pulseformac.dev) once every 24 hours over HTTPS. This heartbeat is used solely for device visibility, fleet management, and license seat counting.

The heartbeat contains only the following:

FieldPurposeLegal basis (GDPR)
License emailIdentify the licensed organizationPerformance of contract
Hashed device IDHMAC-SHA256 of hardware UUID — the raw UUID is never transmitted. Used for seat counting.Legitimate interests (license enforcement)
App versionSupport and update trackingLegitimate interests (product support)
License typeTier identification (e.g., Trial, Beta, Starter, Business, Enterprise)Performance of contract

The heartbeat is fire-and-forget and never blocks the application. If the licensing server is unreachable, all monitoring functionality continues to operate normally. A non-blocking informational banner appears after 30 days of no connectivity.

In addition to heartbeat data, Qlab Software may receive emails you send to support@pulseformac.com for support, billing, or general inquiries. These emails and any personal information contained within them are processed solely to respond to your request.

2.1 How the Hashed Hardware Identifier Works

Every Mac contains a built-in hardware UUID (the macOS IOPlatformUUID) — a unique identifier assigned at the factory. Pulse Endpoint never transmits this raw UUID. Instead, it computes an HMAC-SHA256 hash using your license email as the cryptographic key, and only that one-way hash is sent in the heartbeat.

This design has three properties worth calling out:

  • Irreversible. The raw hardware UUID cannot be recovered from the hash.
  • Deterministic per license. The same Mac under the same license always produces the same hash, which is what allows seat counting.
  • Scoped to your license. Because the hash is keyed by your license email, the same Mac produces a different hash under a different license — Qlab Software cannot correlate a device across different customers.

The hashed identifier is used solely for license seat counting and fleet visibility under your license. It is not sold, not shared with third parties, and not used for advertising, cross-site tracking, or any purpose outside the licensing relationship described in the EULA.

Qlab Software collects only the data described in this section. No other data is collected or transmitted to us. Heartbeat data and performance metrics are entirely separate — no performance metrics, process information, or system telemetry is included in heartbeat transmissions.

3. What We Do Not Collect

To be explicit:

  • We do not collect performance metrics, process names, user activity, or system telemetry.
  • We do not use analytics SDKs, advertising SDKs, or tracking pixels.
  • We do not sell or share your personal information with third parties for marketing or advertising purposes.
  • We do not set cookies or use browser storage in the application.
  • We do not profile you or make automated decisions about you.

4. License Validation

License validation is performed entirely offline on your device using RSA cryptographic signature verification. Your license key is never sent to a server for validation. The key is stored locally in macOS UserDefaults, protected by file system permissions and FileVault disk encryption when enabled.

The once-per-24-hour heartbeat described in Section 2 is a separate mechanism used only for seat counting and fleet visibility. It does not validate the license and the app does not block or degrade if it cannot reach the heartbeat endpoint.

5. Data Security

In Transit

All heartbeat communications use HTTPS with TLS 1.2 or higher. macOS App Transport Security enforces certificate validation and prevents plaintext fallback.

At Rest

Heartbeat data stored on Qlab Software's servers is encrypted at rest using AES-256 encryption. Local metrics data is protected by macOS file system permissions and FileVault disk encryption when enabled.

Breach Notification

If Qlab Software becomes aware of any unauthorized access to heartbeat data affecting your license, we will notify the affected license holder without undue delay, and in any event within 72 hours of becoming aware of the incident.

6. Data Retention

  • Heartbeat data: Retained for the duration of your active license plus 90 days after expiration, then automatically deleted.
  • Support correspondence: Retained for 2 years from the date of last correspondence, to allow resolution of warranty, billing, and support disputes.
  • Local metrics data: Retention is configurable within the application and subject to the limits you set. Qlab Software never has access to this data.

7. International Data Transfers

Qlab Software is based in the United States. If you are located in the European Economic Area (EEA) or the United Kingdom and a heartbeat is transmitted to our licensing server, your data will be transferred to the United States. These transfers are made in reliance on appropriate safeguards, including the European Commission's Standard Contractual Clauses, available upon request. Given the minimal nature of heartbeat data (license email, hashed device ID, app version, license type), the privacy impact of such transfers is limited.

8. Third-Party Services

Pulse Endpoint does not embed any third-party analytics, advertising, or tracking SDKs. The only external communication is the heartbeat described in Section 2 and any upload destinations you explicitly configure (e.g., Splunk HEC endpoints). Payments for commercial licenses are processed by Stripe; Qlab Software does not store or receive your payment card details, and Stripe's use of your payment information is governed by its own privacy policy.

9. Your Rights

Rights Available to All Users

You may contact us at support@pulseformac.com to:

  • Access the heartbeat data we hold associated with your license email.
  • Correct inaccurate heartbeat data.
  • Delete heartbeat data associated with your license email. Upon receiving your request, we will delete all heartbeat records within 30 days.
  • Export a copy of your heartbeat data in a portable format.
  • Object to or restrict certain processing.

Additional Rights for EEA and UK Residents (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have the additional right to lodge a complaint with your local data protection supervisory authority. You can find your authority at edpb.europa.eu/about-edpb/about-edpb/members_en (EEA) or ico.org.uk (UK).

The legal basis for our processing of your personal information is set out in Section 2.

Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know what personal information we collect, how we use it, and whether we disclose it to third parties. This Privacy Policy is the primary source of that information.
  • Right to delete the personal information we have collected about you, subject to limited exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt-out of sale or sharing. We do not sell or share your personal information within the meaning of the CCPA. No opt-out is required.
  • Right to limit the use of sensitive personal information. We do not collect or process sensitive personal information as defined by the CCPA.
  • Right to non-discrimination for exercising your privacy rights.

Categories of personal information collected in the preceding 12 months: identifiers (license email, hashed device ID). No other CCPA-defined categories are collected.

Categories of sources: directly from you (license registration) and from the Software running on your device (heartbeat telemetry).

Business purposes for collection: performing the license agreement, enforcing license seat counts, and providing product support.

Categories of third parties to whom personal information is disclosed: none, other than service providers strictly necessary to operate the service (e.g., our hosting and payment processors), who act under contractual restrictions consistent with CCPA's “service provider” definition.

How to Exercise Your Rights

To exercise any of the rights above, email support@pulseformac.com from the email address associated with your license, or include sufficient information for us to verify your identity. We will respond within 30 days for heartbeat deletion requests and within 45 days for other CCPA/GDPR requests, as required by applicable law.

10. Children's Privacy

Pulse Endpoint is enterprise software designed for organizational use. It is not directed at individuals under the age of 16, and we do not knowingly collect data from children. If we learn that we have collected data from a child, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last Updated” date. Material changes will be communicated by email to the address associated with your license at least 30 days before taking effect. Consistent with California law, we review and update this Privacy Policy at least once every 12 months. We encourage you to review this policy periodically.

12. Contact

For questions about this Privacy Policy or to exercise your data rights, contact:

Qlab Software LLC
Email: support@pulseformac.com
Website: pulseformac.dev

Copyright 2026 Qlab Software LLC. All rights reserved.