Miru Pulse Privacy Policy

1. Accountability

Miru Pulse, Inc. ("Miru Pulse," "we," "us," or "our") is a software company based in Ontario, Canada that provides an AI-powered employee engagement platform measuring real-time human connection and energy dynamics in workplace communications (the "Services"). Our platform analyzes meeting interactions to provide insights on Return on Energy (ROE), Human Connection Score (HCS), and other engagement metrics to organizations that have entered into a written agreement with Miru Pulse (each a "Client").

We are responsible for the personal information under our control. In accordance with PIPEDA, we have designated a Privacy Officer who is accountable for our compliance with this Policy and Canada's privacy laws. Our Privacy Officer can be contacted at:

2. Scope and Identifying Purposes

2.1 What This Policy Covers

This Policy applies to personal information we collect through our website, our platform, and our direct interactions with you, including when you visit our website, communicate with us, attend our events, or apply for employment with us.

2.2 Client Data Processing

When we process meeting transcripts, communications, and related data on behalf of our Clients, we act as a data processor. This processing is governed by our agreements with the applicable Client. If you are an employee or participant whose meeting data is processed through a Client's use of our Services, please contact your employer directly for information about their privacy practices.

We may only access, process, or otherwise handle data submitted to us by or on behalf of a Client as provided in our agreement with that Client, as instructed by the Client, or as required by law. We are not responsible for the privacy or data security practices of our Clients.

2.3 Purposes for Collection

We identify the purposes for which we collect personal information at or before the time of collection. We collect and use personal information for the following purposes:

• Providing Services: To deliver and improve our platform, respond to inquiries, and provide customer support.
• Analytics and Insights: To generate engagement metrics, ROE calculations, HCS scores, and other analytics for our Clients.
• Communications: To send you information about our services, updates, and marketing communications (with your consent).
• Research and Development: To improve our platform, develop new features, and enhance our analytical models.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.
• Security: To protect our Services, detect fraud, and ensure the security of our platform.

If we intend to use your personal information for a purpose not previously identified, we will seek your consent before doing so.

3. Consent

We obtain your knowledge and consent before collecting, using, or disclosing your personal information, except where permitted or required by law. Consent may be express (written or verbal) or implied, depending on the sensitivity of the information and the reasonable expectations of the individual.

3.1 Express Consent

We obtain express consent when collecting sensitive personal information, using personal information for purposes outside your reasonable expectations, or when required by law.

3.2 Implied Consent

In some circumstances, your consent may be implied through your actions, such as providing personal information to us for a stated purpose or continuing to use our Services after being notified of changes to this Policy.

3.3 Withdrawing Consent

You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. Upon receiving notice of withdrawal, we will inform you of the likely consequences, which may include our inability to provide certain services. To withdraw consent, contact our Privacy Officer using the information provided in Section 1.

4. Limiting Collection

We limit the collection of personal information to what is necessary for the purposes we have identified. We collect information by fair and lawful means.

4.1 Information You Provide Directly

Depending on how you interact with us, we may collect: your name, email address, job title, company information, mailing address, telephone number, professional information, and any other information you choose to provide.

4.2 Information Collected Through Our Services

When Clients use our platform, we process meeting data including transcripts from Zoom, Microsoft Teams, and Google Meet integrations. This data is analyzed using our proprietary Miru Pulse Engine™ to calculate engagement metrics. The specific data processed is determined by our Client's configuration and their agreement with us.

4.3 Device and Usage Information

When you visit our website, we may automatically collect information including: your IP address, browser type, operating system, referring URLs, pages viewed, and the date and time of your visit.

4.4 Cookies and Similar Technologies

We use cookies and similar tracking technologies to collect information about your browsing activities. You can control cookies through your browser settings.

5. Limiting Use, Disclosure, and Retention

5.1 Use and Disclosure

We use and disclose personal information only for the purposes for which it was collected, except with your consent or as required or permitted by law. We may share personal information in the following circumstances:

• Service Providers: With third-party vendors who perform services on our behalf, such as cloud hosting, data processing, and customer support, subject to confidentiality obligations and contractual requirements to protect your information.
• Clients: We provide analytics and insights derived from meeting data to the Client organization that engaged our Services.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
• Legal Requirements: When required by law, legal process, or government request, or to protect our rights, property, or safety.
• With Consent: With your consent or at your direction.

5.2 Retention

We retain personal information only as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, resolve disputes, and enforce our agreements. When personal information is no longer required, we securely destroy, erase, or anonymize it. Retention periods for Client data are governed by our agreements with each Client.

6. Accuracy

We take reasonable steps to ensure that personal information is accurate, complete, and up-to-date as necessary for the purposes for which it is used. If you believe that the personal information we hold about you is inaccurate or incomplete, please contact our Privacy Officer to request a correction. We will update or correct information within a reasonable timeframe and, where appropriate, notify any third parties to whom we have disclosed the information.

7. Safeguards

We protect personal information with security safeguards appropriate to the sensitivity of the information. Our security program is designed in alignment with industry-recognized frameworks, including the SOC 2 Trust Services Criteria established by the American Institute of Certified Public Accountants (AICPA). While we have not yet obtained formal SOC 2 certification, we have implemented controls and practices consistent with the SOC 2 framework across the five Trust Services Criteria:

• Security: We implement technical and organizational measures to protect against unauthorized access, including encryption of data in transit and at rest, access controls, and regular security assessments.
• Availability: We maintain systems designed to ensure our Services remain available as committed in our service agreements.
• Processing Integrity: We implement controls to ensure data processing is complete, valid, accurate, and timely.
• Confidentiality: We restrict access to confidential information to authorized personnel only and maintain confidentiality obligations with our service providers.
• Privacy: We collect, use, retain, disclose, and dispose of personal information in conformity with this Policy and applicable privacy laws.

7.1 Security Measures

Our security measures include:

• Encryption of data in transit using TLS and at rest using AES-256
• Role-based access controls and multi-factor authentication
• Regular security assessments and vulnerability testing
• Employee security training and awareness programs
• Incident response and breach notification procedures
• Secure cloud infrastructure with industry-leading providers

Please be aware that despite these measures, no method of transmission over the Internet or electronic storage is completely secure. We continuously work to enhance our security posture and are committed to pursuing formal third-party security certifications as our organization grows.

8. Openness

We are committed to being open about our policies and practices for managing personal information. This Privacy Policy is publicly available on our website and describes the types of personal information we hold, the purposes for which we use it, and how individuals can access their information or raise concerns.

Upon request, we will provide you with information about:

• The types of personal information we collect and hold
• How we use and disclose personal information
• How to access or correct your personal information
• How to make a complaint about our privacy practices

9. Individual Access

Upon request, you have the right to be informed of the existence, use, and disclosure of your personal information and to access that information. You may also challenge the accuracy and completeness of the information and have it amended as appropriate.

9.1 Submitting an Access Request

To request access to your personal information, please submit a written request to our Privacy Officer with sufficient detail to identify the information you are seeking. We may require you to verify your identity before processing your request.

9.2 Response Time

We will respond to your access request within 30 days. If we require an extension, we will notify you in writing explaining the reasons for the delay and the expected date of response.

9.3 Exceptions

In certain circumstances, we may be unable to provide access to all personal information, such as when disclosure would reveal confidential commercial information, when the information is protected by solicitor-client privilege, or when disclosure could reasonably be expected to threaten the life or security of another individual. If we refuse a request, we will explain the reasons for refusal and inform you of any recourse available.

9.4 Cost

We will provide access to personal information at minimal or no cost. If a fee is required, we will inform you in advance.

10. Challenging Compliance

You have the right to challenge our compliance with this Policy and PIPEDA. Complaints or inquiries should be directed to our Privacy Officer.

10.1 Complaint Procedure

To file a complaint:

• Submit your complaint in writing to our Privacy Officer at info@mirupulse.com
• Include your contact information and a detailed description of your concern
• We will acknowledge receipt of your complaint within 5 business days

10.2 Investigation and Resolution

We will investigate all complaints and take appropriate measures to resolve them. We will inform you of the outcome of our investigation and any corrective actions taken. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada:

11. International Data Transfers

Your personal information may be transferred to and processed in countries other than Canada, including the United States, where we or our service providers operate. When we transfer personal information internationally, we implement appropriate safeguards to ensure it remains protected in accordance with PIPEDA and this Policy.

Our safeguards for international transfers include: contractual agreements requiring recipients to protect personal information to a comparable standard; due diligence assessments of third-party service providers; and ongoing monitoring of data handling practices. We remain accountable for personal information transferred to third parties for processing, regardless of location.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. When we make material changes, we will notify you by posting the updated Policy on our website with a new "Last Updated" date. We may also notify you directly if the changes significantly affect how we handle your personal information. We encourage you to review this Policy periodically.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or want to make a complaint, please contact our Privacy Officer: