Urban Pulse Privacy Policy
Last updated: 8 July 2026 Version: 1.8 Effective from: 8 July 2026
1. Who we are and how to contact us
This policy is issued by:
- Urban Pulse Strategies Pty Ltd (ABN 82 650 700 226; ACN 650 700 226), trading as Urban Pulse.
- Postal address: PO Box 81, Aspley QLD 4034.
- We are the entity responsible for the personal information described in this policy.
Privacy enquiries, access requests, corrections and complaints:
- Attention: Privacy Officer.
- Email: privacy@urbanpulse.com.au
- Postal: PO Box 81, Aspley QLD 4034.
2. The Urban Pulse business
Urban Pulse is a software-as-a-service platform for the Australian construction industry. The platform includes document transmittal and e-signature workflows, site and planning intelligence, project-management tools, marketplace features, payments, referrals, support, and related business services.
3. What personal information we collect
We collect the categories of personal information below where they are relevant to how you use Urban Pulse. Personal information embedded in a document you upload is collected as document content, not as a separate structured profile field.
3.1 Identity, account and authentication information
- Full name.
- Email address.
- Username and hashed password.
- Session tokens and sign-in event records.
- Role, business name, ABN, ACN, licence numbers, business address and contact details where you provide them or where they are needed for a workspace, profile, project, marketplace, payment, referral or document workflow.
- Multi-factor authentication factors if we offer them and you choose or are required to use them.
Passwords are hashed. We record successful and unsuccessful sign-in outcomes with the time, outcome and a pseudonymised one-way hash of the attempted identifier.
3.2 Documents, envelopes and signing records
We collect documents and related metadata you upload or generate through Urban Pulse, including:
- Contracts, quotes, variations, dilapidation reports, building inspection reports, photographs, drawings, project files and supporting attachments.
- Filename, file type, size, integrity hash, upload time, uploader, malware-scan result and storage pointers.
- Personal information embedded in those documents, such as counterparty names, addresses, signatures, contract values or project details.
When a sender prepares an envelope, they may add more than one participant and may mark some participants as notification-only CC recipients. For each participant, we collect the name, email address and, where the sender chooses to provide it, phone number. For signers, we also store which signature or initials fields are assigned to that person, the document page, and the normalised placement coordinates for each field. We use this only to route, evidence and audit the signing workflow for that envelope.
For e-signature events, we collect signer name, email address, time signed, signing-context metadata, a truncated network prefix and a one-way hash of the browser type against the signature and consent record.
3.3 Payments, subscriptions and referrals
We collect billing name and address, payment references, receipts, subscription plan and billing status, Stripe customer/subscription identifiers, and records needed to reconcile invoices, refunds, chargebacks and tax obligations. Stripe tokenises card details in your browser before they reach us.
If you take part in our referral program, we collect:
- Your referral code and the link between that code and your account and organisation.
- For referred sign-ups, a one-way hash of the referred email address and, once the account exists, account and organisation identifiers needed to attribute the referral.
- Where a cash-payout option is enabled and you choose it, the account name, BSB and bank account number, and either your ABN or a "Statement by a supplier" declaration. These details are used to make and evidence the payout.
3.4 Project, planning, marketplace and collaboration content
Where you use project-management, town-planning, marketplace or property-intelligence features, we collect the information you create or provide in those workflows, including:
- Project names, addresses, tasks, milestones, RFIs, variations, defects, claims, daily logs, comments, notes and attachments.
- Planning-site addresses, assessment records, zoning and overlay context, due-diligence packs, planner briefs and related project records.
- Marketplace profiles, jobs, bids, messages, ratings, claims and dispute records.
- Marketplace contract documents and signatory details, including buyer and seller names and email addresses used to prepare a contract for signature.
- Listing enquiries, including the listing, subject line, message text and a one-way hash of the network address used for rate-limiting and abuse prevention.
Free-text fields may contain personal information if you choose to include it.
3.5 Communications and support
We collect the content of emails, SMS messages, in-app messages, live chats, support tickets, feature requests and other communications you send to us or via the platform. If you send a listing enquiry, your message and account email address are sent to the person or team handling that listing so they can respond.
If an email bounces, is reported as spam, or is unsubscribed from, we record the affected address and event so we can honour suppression and opt-out obligations.
3.6 Technical, usage, location and cookie information
We collect technical and usage information needed to operate, secure and improve the service, including:
- IP address, browser type, device type, operating system, pages viewed, features used, buttons clicked and timing data.
- For recipients viewing a document via a secure link, a truncated network identifier and a one-way browser fingerprint.
- Error logs and crash reports, scrubbed to remove credential-shaped values and known personal-information fields before they leave our infrastructure.
- Cookie and analytics information described in Section 11.
Where a map is displayed on a property or site-intelligence surface, the property address or map area being viewed is used to draw that map. The map provider receives standard technical information from your browser as part of loading the map. See Section 6.7.
3.7 AI-assisted features
Where you use AI-assisted features, we process the prompts, uploaded documents, extracted text, project records or planning context needed to generate the requested draft or answer. AI outputs are draft assistance only. A person remains responsible for reviewing the result before relying on it, sending it, lodging it, signing it or using it in a professional workflow.
Planned Anthropic-backed document extraction and contract-reading features are not active today. We will update this policy and our cross-border disclosure register before customer document text, party names, property addresses or contract terms are sent to Anthropic for those features.
4. How we collect personal information
We collect personal information:
- Directly from you when you create an account, complete onboarding, upload a document, send an envelope, use planning/project/marketplace tools, make or receive a payment, contact support, or reply to a message.
- From your counterparties when another Urban Pulse user nominates you as a recipient, collaborator, payer, contractor, consultant, lister or project participant.
- From your device through cookies, logs and browser interactions.
- From service providers such as Stripe, Google, Intercom, Resend and our authentication provider where those providers return information needed for the service. When activated, this may also include planned analytics, error-monitoring and transactional-SMS providers.
Where we collect your personal information from someone else, we take reasonable steps to make you aware of this policy, including by linking it from recipient and account surfaces.
5. Why we use your personal information
We use personal information where it is reasonably necessary for our functions or activities, where you have consented, where you would reasonably expect the use, or where the use is required or authorised by Australian law.
5.1 To deliver the Urban Pulse service
This includes creating and securing accounts, operating workspaces, sending envelopes, capturing signatures, storing documents, processing payments, managing referrals, providing planning/project/marketplace tools, running support and keeping transaction records.
5.2 To process payments, referrals and prevent fraud
This includes verifying payment methods, settling funds through Stripe, reconciling payments and refunds, detecting suspicious activity, administering referral rewards and preventing self-referral or abuse.
5.3 To comply with Australian law
This includes responding to lawful requests from courts, regulators and law-enforcement agencies, meeting tax record-keeping obligations, meeting consumer-protection obligations, and complying with privacy, spam and notifiable-data-breach requirements.
5.4 To improve and secure the product
This includes analysing aggregated and de-identified usage data, measuring feature usage, fixing bugs, monitoring errors, improving security controls and developing product improvements.
5.5 To communicate with you
This includes service notifications, sign-in alerts, document-status updates, payment receipts, security notices, support replies, feature-request updates and marketing where you have opted in.
6. Who we share your personal information with
We share personal information only with the third parties listed below, and only to the extent necessary. Overseas recipients are identified by country. For overseas processors, we take reasonable steps to ensure they handle personal information consistently with the Australian Privacy Principles, including through data-processing terms, vendor security commitments, contractual safeguards and an internal cross-border disclosure register reviewed before materially new overseas processing is activated.
6.1 Stripe, Inc. (United States) — payments and subscriptions
We use Stripe to process card payments, subscription billing, payment disputes and related account-credit workflows. Stripe receives payment and billing information such as cardholder name, billing address, email address, payment-method token, amount, invoice references and subscription identifiers. Your full card number is tokenised by Stripe before it reaches us.
6.2 Resend (United States control plane; Amazon SES Tokyo, Japan data plane) — transactional email
We use Resend to deliver transactional emails, including sign-in confirmations, invoices, document-ready notifications, recipient notifications, support updates and internal signup notifications. Resend receives the recipient email address, message body and delivery metadata. Resend's control plane operates in the United States, and outbound email delivery and bounce processing are routed through Amazon SES in Tokyo, Japan.
6.3 Twilio (future state; United States API infrastructure; Australian contracting entity and carrier edge) — transactional SMS
We plan to use Twilio to deliver transactional SMS, such as verification codes and urgent document-status notifications. This SMS integration is not active today. Before it is switched on, we will update our cross-border disclosure register and confirm this policy remains current. When active, Twilio will receive the destination phone number, message content and delivery metadata. Twilio's API platform is operated from the United States; Twilio Australia Pty Ltd is the contracting entity for Australian customers; SMS delivery occurs through mobile carriers.
6.4 Urban Pulse signing records — built-in e-signature ceremony
Send & Sign envelopes are signed inside Urban Pulse's own signing ceremony. Signature images, consent records, signing metadata, completed signed PDFs and signing certificates are stored through the Australian hosting, storage and database providers described in Section 6.5.
6.5 Amazon Web Services Australia and Neon — hosting, storage and database
We use AWS Sydney (ap-southeast-2) for compute, file storage, secrets management and supporting infrastructure. We use Neon as our managed Postgres database provider, configured in the Sydney region. Account data, document metadata, audit rows and most customer records reside on Australian infrastructure.
6.6 Better Auth via Neon Auth and Google LLC — authentication
We use Better Auth, hosted via Neon Auth, to manage account credentials and sessions. Sign-up and sign-in flows are handled through Urban Pulse servers and our authentication service.
When you choose "Continue with Google", your browser is sent to Google to approve the sign-in and then returned to us. Google returns a signed token containing your email address, whether that email address is verified, and basic profile information such as your name. We use that information to authenticate you and create or match your Urban Pulse account.
6.7 Google LLC (United States) — map display and Google sign-in
Where we display a Google map on a property or site-intelligence surface, the map is loaded directly from Google's servers in your browser. Google receives the map location being displayed and standard technical information, including IP address, browser type and device type. Google may set or read its own cookies in that embedded map.
6.8 Anthropic, PBC (United States) — planned AI assistance
We intend to use Anthropic's Claude API for AI-assisted features, including document extraction, contract-reading summaries and related draft outputs. That Anthropic integration is not active today. Before it is switched on, we will update our cross-border disclosure register and this policy.
Once available, Anthropic may receive prompts, extracted text, document text, project records, planning context, property addresses, party names, contract terms or other information embedded in the content you ask the AI feature to process. Anthropic operates under a Zero Data Retention amendment with us.
6.9 Sentry (Functional Software, Inc.) — planned server-side error monitoring
We may use Sentry for server-side error monitoring and diagnostics. This integration is not active on the current Urban Pulse platform today. Before activation, we will confirm the relevant error-payload scrubber controls and update our cross-border disclosure register and this policy if required. When active, Sentry may receive stack traces, request URLs, IP addresses, user-agent strings and bounded user or organisation identifiers captured in an error context.
6.10 PostHog (PostHog, Inc.) — planned product analytics
We may use PostHog to measure product usage. This integration is not active on the current Urban Pulse platform today. Before activation, we will confirm the analytics wrapper, allowlisted event schema and cross-border register entry. When active, PostHog may receive an anonymous or pseudonymous user identifier, page path, campaign/source parameters, event name, event properties, IP address and user-agent.
6.11 Intercom (Intercom, Inc., United States) — in-product support chat
We use Intercom to provide in-product live chat, support messaging and help workflows for signed-in customers. We verify your identity to Intercom using a short-lived signed token created on our server. Intercom receives your email address, display name, stable account identifier, organisation identifier and role, chat message content you send, and standard technical information such as IP address, browser type and timestamps. When you open support, we also send a coarse allowlisted page route and product surface for the page where support was opened. We do not send arbitrary project/property slugs as Intercom support context.
6.12 Other situations in which we may share information
- Counterparties you nominate. When you send a document, enquiry, project item, marketplace job or related message via Urban Pulse, the nominated recipient receives the information needed to view, respond, sign, quote, pay or collaborate.
- Professional advisers. Our lawyers, accountants, auditors and insurers may receive information where reasonably necessary and under duties of confidentiality.
- Regulators and law enforcement. We may disclose information where required or authorised by Australian law.
- A successor business. If Urban Pulse Strategies Pty Ltd is sold or restructured, your information may pass to the acquirer under equivalent privacy commitments.
7. Where your information is stored and how we secure it
7.1 Storage location
Urban Pulse stores customer personal information in Australia by default:
- Database: Neon, Sydney region.
- File storage: AWS S3, Sydney (
ap-southeast-2). - Compute: AWS ECS, Sydney (
ap-southeast-2). - Secrets: AWS Secrets Manager, Sydney (
ap-southeast-2).
Where personal information is disclosed to an overseas processor listed in Section 6, that disclosure is the ordinary path by which the information leaves Australia to operate the service.
7.2 Security measures
We take reasonable steps to protect personal information from loss, misuse, unauthorised access, modification or disclosure, including:
- Encryption in transit: TLS 1.2 or higher for browser-to-server, server-to-server and server-to-database traffic.
- Encryption at rest: encrypted file storage and encrypted managed database storage.
- Identity and access management: role-based access control, multi-factor authentication on staff cloud and code-hosting accounts, and least-privilege IAM roles.
- Audit logging: state-changing actions against envelopes, documents, payments and key workflow records are recorded in durable audit logs.
- Secret management: credentials and API keys are stored in AWS Secrets Manager with least-privilege access controls.
- Code-level controls: runtime scrubbing of credential-shaped values, CI gates against secret commits, bounded payloads and tenant-isolation controls.
- Incident response: a defined incident-response process, independent security reviews and remediation tracking.
If we become aware of a data breach that meets the threshold for notification under Part IIIC of the Privacy Act, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by law.
7.3 Keeping your information accurate
We take reasonable steps to ensure the personal information we collect, use and disclose is accurate, up to date and complete, having regard to the purpose. Please tell us if your details change.
8. How long we keep your information
| Category | Retention period |
|---|---|
| Transactional and financial records, including envelopes, signatures, payments, referral payouts and invoices | 7 years after the transaction completes, in line with Australian tax and consumer-protection record-keeping conventions. |
| Document files you uploaded | For as long as the associated project or envelope is active, plus 7 years where the document forms part of a regulated transaction record. |
| Audit log of state-changing actions | 7 years from the date of the action. |
| Account profile and contact details | Standalone profile data is purged within approximately 90 days after account closure, allowing for account recovery and pending reconciliation. Contact details embedded in transactional and financial records follow the 7-year retention above. |
| Web-tier session and request logs | 90 days rolling. |
| Sign-in and sign-up outcome events | Recorded in the append-only security audit log and retained 7 years with other audit records. |
| Recipient view links | Valid for 14 days by default; the sender can shorten or extend this per envelope from 1 hour to 30 days. |
| Recipient comments and sender-supplied recipient details | Retained with the associated envelope record. |
| Project collaboration content | Retained for as long as the associated project is active and thereafter with the project record where it forms part of a regulated transaction record. |
| Referral attribution records | Retained for the life of the referral relationship and for a reasonable period afterwards to administer the program and evidence anti-abuse checks, then deleted or de-identified. |
| Conveyancer matters and drafted contract summaries | Retained for as long as the matter is active; on request we delete a matter and its summaries to the extent we are not required by law to retain them. |
| Marketing consent and opt-out records | Retained for the life of the marketing relationship plus a reasonable period to evidence the opt-out. |
| Analytics events | 24 months, anonymised or de-identified where practical, per our internal retention policy. |
Where the law requires us to keep information for longer, the legal obligation overrides the table above. Where you exercise your right to deletion (Section 9), we honour it to the extent permitted, subject to legal-retention exceptions.
9. Your rights
Australian privacy law gives you a right to access and a right to correct the personal information we hold about you. We also offer deletion and data-portability commitments as a matter of our own policy.
- Right to access the personal information we hold about you.
- Right to correct information you believe is inaccurate, out of date, incomplete, irrelevant or misleading.
- Deletion. To the extent we are not required by law to retain it, we will delete your personal information on request.
- Data portability. Where technically practicable, we will provide a structured, commonly used, machine-readable export of the personal information you have provided to us.
- Right to object to direct marketing. See Section 10.
- Right to complain. See Section 14.
To exercise any of these rights, email privacy@urbanpulse.com.au. We will respond within a reasonable period, no later than 30 days for an access or correction request. We may need to verify your identity before acting on a request.
10. Marketing communications
We send marketing emails or SMS only where you have expressly consented through a clearly labelled opt-in.
10.1 Emails
Every marketing email we send will:
- Be clearly identifiable as a commercial electronic message sent on behalf of Urban Pulse Strategies Pty Ltd.
- Include our ABN and physical Australian postal address in the footer.
- Include a working unsubscribe link that processes your opt-out within five business days.
- Reference this Privacy Policy in the footer.
10.2 SMS
Every marketing SMS we send will:
- Identify Urban Pulse as the sender.
- Include an opt-out instruction, typically "Reply STOP to opt out".
- Process opt-outs within five business days.
You can manage your marketing preferences at any time by emailing privacy@urbanpulse.com.au.
Service messages, such as sign-in alerts, document-ready notifications, payment receipts and security notices, are not marketing and will continue while you have an active account.
11. Cookies and similar technologies
We use cookies and similar technologies for:
- Strictly necessary functions. These keep you signed in, remember security preferences and protect against attacks.
- Analytics. Where analytics are enabled, the implementation is configured to use memory persistence rather than analytics cookies or localStorage.
- Embedded maps. Where a Google map is displayed, Google may set or read its own cookies in the embedded map frame. Those cookies are controlled by Google.
Your browser settings let you inspect and clear cookies. Clearing strictly necessary cookies will sign you out and clear security preferences.
12. Children's privacy
Urban Pulse is a business-to-business and business-to-consumer construction-services platform intended for users aged 18 and over. It is not directed at children. We do not knowingly collect personal information from anyone under 18. If you believe we have collected information from a child, email privacy@urbanpulse.com.au and we will delete it.
13. Changes to this policy
We update this policy from time to time. When we do, we change the "Last updated" date and version number. For material changes that affect what we collect, who we share it with, or your rights, we will notify you by email or in-app notice at least 14 days before the change takes effect.
The updated policy applies from its effective date. Where law requires consent for a change, we will ask for it separately. You may close your account and ask us to delete your personal information to the extent permitted by law.
14. Complaints
If you believe we have mishandled your personal information, please contact us first so we can try to resolve the issue:
- Email: privacy@urbanpulse.com.au
- We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If it will take longer, we will explain why and give you a revised timeline.
If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001.
15. Spam Act 2003 (Cth) — commercial electronic messages
To comply with the Spam Act 2003 (Cth) and ACMA's industry guidance:
- Marketing emails and SMS are sent only where you have consented.
- Every commercial electronic message identifies Urban Pulse Strategies Pty Ltd as the sender, includes our ABN, includes a current physical Australian postal address, and includes a functional unsubscribe or opt-out facility.
- Unsubscribe and opt-out requests are honoured within five business days.
- We retain consent and opt-out records sufficient to evidence compliance with the Spam Act.
16. Legal framework references
This policy is drafted with reference to:
- Privacy Act 1988 (Cth), including the Australian Privacy Principles and the notifiable data breaches scheme.
- Spam Act 2003 (Cth) and Spam Regulations 2021 (Cth).
- ACMA Industry Guidance Note for SMS marketing (2021).
- OAIC Australian Privacy Principles Guidelines, current edition.
This policy does not modify any rights you have under those laws.
17. Document control
- Last updated: 8 July 2026.
- Version: 1.8.
- Effective from: 8 July 2026.
- Privacy Officer of record: Privacy Officer, contactable at privacy@urbanpulse.com.au.
- Change note: Version 1.8 implements counsel's 8 July 2026 simplification recommendations by removing repetitive summary callouts, removing italicised explanatory sidebars, tightening current/conditional processor disclosures, and keeping the multi-recipient Send & Sign participant and signing-field placement disclosure from Version 1.7.
Questions about this policy: privacy@urbanpulse.com.au.