Privacy Policy

1. Data Controller

Pulse (“we”, “us”, “our”) is the data controller responsible for your personal data. You can contact us at hello@getpulse.uk.

2. Data We Collect

We collect and process the following categories of personal data:

• Identity data: full name, date of birth, profile photo
• Contact data: email address, phone number, postcode
• Professional data: NMC PIN, NMC expiry, nursing band, specialisms, years of experience
• Compliance data: DBS certificate details (number, type, date), Right to Work documents, indemnity insurance status
• Financial data: bank account details (collected and processed by Stripe), payment history, hourly rate expectations
• Usage data: login timestamps, pages visited, shift applications, timesheet submissions
• Agency data: company name, CQC registration number, insurance documents, Companies House number

3. Legal Basis for Processing

We process your data under the following legal bases (UK GDPR Article 6):

• Contract performance: to provide our marketplace services, match you with shifts, process applications, and facilitate payments
• Legal obligation: to comply with UK employment, tax, and healthcare regulations including NMC verification, DBS checks, and Right to Work requirements
• Legitimate interests: to improve our platform, prevent fraud, ensure safety of healthcare environments, and communicate service updates

4. Special Category Data

DBS certificates may reveal information about criminal records. We process this data solely for compliance verification purposes as required by UK healthcare regulations. This processing is necessary for reasons of substantial public interest under UK GDPR Article 9(2)(g) and Schedule 1, Part 2 of the Data Protection Act 2018.

5. How We Share Your Data

We share data with the following service providers, all of whom are bound by data processing agreements:

• Stripe — payment processing and bank account management
• Supabase — database hosting and authentication
• Resend — transactional email delivery
• Inngest — background job processing
• Vercel — application hosting

When a nurse applies for a shift, limited profile information (name, compliance status, experience, ratings) is shared with the relevant agency. We never sell your personal data to third parties.

6. Data Retention

• Active accounts: data retained for the duration of your account
• Payment and financial records: retained for 7 years after the relevant transaction as required by UK tax law (HMRC)
• Compliance documents: retained for the duration of your account plus 2 years
• Shift records: retained for 7 years
• Account deletion: upon request, personal data is anonymised; financial records are retained as required by law with all personally identifiable information removed

7. Your Rights

Under UK GDPR, you have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate or incomplete data
• Erasure — request deletion of your data (subject to legal retention requirements)
• Portability — receive your data in a machine-readable format
• Objection — object to processing based on legitimate interests
• Restriction — request restricted processing while a complaint is resolved

To exercise any of these rights, contact us at hello@getpulse.uk. We will respond within 30 days.

8. Complaints

If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.

9. Changes to This Policy

We may update this policy from time to time. We will notify you of any material changes by email or through a notice on the platform. Your continued use of Pulse after changes are posted constitutes acceptance of the updated policy.