Legal · Privacy
Privacy Policy
Last updated: 2026-06-11
One policy, every product. The Company tab covers practices common to all products; each product tab describes what is specific to it. For our B2B products the customer organisation is the data controller and XenithPulse is a processor — see Trust & compliance for the full picture.
Applies to every product
Company-wide data practices
This policy explains how XenithPulse (XenithPulse Software) handles personal data across every product we ship. The general practices below — who the controller is, where data lives, who our sub-processors are, and how we secure it — apply to all products. Each product then has its own tab on the left describing what is specific to it.
Controller identity & contact
Data controller for our own consumer products: XenithPulse (XenithPulse Software), operating from Doha, Qatar. For our B2B products, the customer organisation is the controller and we act as a processor (see the relevant product tab).
Privacy contact: WhatsApp +974 55911793. We answer privacy and data-subject requests within 30 days.
XenithPulse Software is operated as a sole proprietorship and is not yet incorporated as a separate legal entity. Any future change in entity structure will be reflected here and announced in release notes.
Governing law
This policy and our customer contracts are governed by the laws of the State of Qatar, with exclusive venue in the Courts of Doha, Qatar. Without prejudice to any mandatory consumer-protection rights you have under the laws of your country of habitual residence (including, where applicable, the European Union and the United Kingdom).
Where your data lives
Production infrastructure for our hosted products runs on:
- Compute: Render (us-east region)
- Database: MongoDB Atlas (AWS us-east-1)
- Object storage: AWS S3 (us-east-1)
- Realtime: Pusher Channels (eu / ap clusters depending on tenant)
- Push delivery: Apple APNs, Google FCM, Expo Application Services
Where personal data of users in the EU/EEA, the UK, or other jurisdictions with cross-border transfer rules is moved outside their region, transfers are made under Standard Contractual Clauses (SCCs) with each sub-processor.
Sub-processors
We use third-party sub-processors only where necessary to deliver the service. Each is bound by contract to act on our instructions and to apply security controls at least as protective as our own.
- Render — application compute & deployment.
- MongoDB Atlas — primary database for tenant data.
- Amazon Web Services — object storage, logs, secrets.
- Pusher Channels — realtime delivery (tenant-scoped opaque payloads).
- Expo, Apple APNs, Google FCM — push notification delivery.
- Stripe — payment processing for paid subscriptions.
- Meta Platforms (WhatsApp Business) — customer messaging on tenants that opt in.
The full sub-processor register, with purposes and regions, is on the Trust & compliance page.
Security
- All traffic encrypted with TLS 1.2 or higher.
- Passwords stored as bcrypt hashes; plaintext never written or logged.
- Multi-tenant isolation enforced server-side from the JWT — never from the URL or a client header.
- Production secrets held in a managed secret store and rotated on a schedule.
Your rights
Depending on where you live, you may have the right to access, correct, delete, restrict, port, or object to processing of your personal data, and to lodge a complaint with your local supervisory authority. To exercise any of these rights for a product where we are the controller, contact WhatsApp +974 55911793. Where we are a processor, contact the customer organisation that operates the tenant; we will assist them in fulfilling your request.
Users in the European Union, the United Kingdom, the State of Qatar, and any other jurisdiction with mandatory data-subject rights retain those rights regardless of any other term in this policy.
Children
Our products are workplace and business tools, not directed to children. We do not knowingly collect personal data from anyone under the age of 13 (or 16 where local law sets a higher threshold). If you believe a minor's data has been collected, contact us and we will delete it.
Changes to this policy
We may update this policy when product behaviour or legal requirements change. Material changes are communicated through release notes, in-app notices, and the website. The “last updated” date above reflects the latest revision.
EOS Companion — Privacylive
EOS Companion is a read-only mobile companion to the Banquet ERP for banquet hall operators, published by XenithPulse (XenithPulse Software). For this app, XenithPulse is the data controller.
Data we collect
EOS Companion collects only the data needed to authenticate you, deliver notifications, and detect abuse:
- Account credentials — username (chosen by your tenant administrator) and a bcrypt-hashed password. The plaintext password is never stored or logged.
- Tenant binding — the workspace slug your account is provisioned in, resolved server-side from your JWT.
- Device identifiers — an app-generated install ID (not IDFA, not GAID, not the device serial number).
- Push notification token — an opaque token issued by Expo / APNs / FCM, used solely to deliver tenant-scoped notifications.
- Sign-in audit log — the IP address and User-Agent string at sign-in time, retained for security monitoring.
- Anonymous crash diagnostics — stack traces and OS version, not linked to your username.
Data we do not collect
- Precise or coarse location
- Contacts
- Photos, camera, or microphone
- Calendar
- Advertising identifier (IDFA / GAID)
- Browsing history outside the app
- Biometrics, health, or fitness data
- Email address (the app does not ask for one)
Why we process each data class
- Username & hashed password — authentication and account security (legal basis: performance of contract).
- Install ID & push token — app functionality and push routing (performance of contract).
- IP & User-Agent audit logs — security monitoring, fraud and abuse detection (legitimate interest).
- Anonymous crash diagnostics — reliability and bug fixing (legitimate interest).
We do not use any data for advertising, cross-app tracking, profiling, or sale to third parties.
Retention & deletion
Account data is retained while your account is active. After a valid deletion request, personal account data is removed within 30 days. The detailed timeline (immediate deactivation, 30-day grace window, day-30 hard purge) is documented at /account-deletion. Sign-in audit logs are kept for 12 months and then aggregated (IP truncated) for security trend analysis.
EOS sub-processors
In addition to the company-wide sub-processors in the Overview tab, EOS Companion relies on Expo Application Services (push token vending) and Apple APNs / Google FCM for delivering push notifications to your device.
Banquet & Event Management ERP — Privacylive
Banquet & Event Management ERPis a business product licensed to organisations (tenants). For the personal data of the customer's own staff and end-customers processed inside a Banquet ERP tenant, the customer is the data controller and XenithPulse Software acts as a data processor— processing personal data only on the customer's documented instructions under the per-tenant agreement / Data Processing Addendum (DPA).
What we process
- Business and operational records the customer enters or uploads into the tenant.
- Authentication data and audit logs for the tenant's authorised users.
- Any end-customer contact details the customer chooses to store (for messaging, invoicing, or fulfilment).
B2B web ERP for banquet halls and event venues. Licensed to organisations per tenant.
Legal basis & purpose
We process this data solely to provide the contracted service. The legal basis flows from the customer's instructions and the service contract; the customer is responsible for establishing a lawful basis with its own data subjects.
Infrastructure, sub-processors & security
Banquet ERP runs on the same infrastructure and sub-processors described in the Overview tab, with the same encryption, tenant-isolation, and secret-management controls. We engage no product-specific sub-processor without flowing down equivalent obligations under contract.
Retention & data-subject requests
Retention follows the customer agreement. On termination, tenant data is exported or returned to the customer and then deleted per contract. End users wishing to exercise data-subject rights should contact the customer organisation (the controller); we assist the controller in responding.
Request a DPA or contract
To request a Data Processing Addendum or the full processing terms for Banquet & Event Management ERP, contact us on WhatsApp +974 55911793.
E-commerce Suite Management — Privacylive
E-commerce Suite Managementis a business product licensed to organisations (tenants). For the personal data of the customer's own staff and end-customers processed inside a E-commerce Suite tenant, the customer is the data controller and XenithPulse Software acts as a data processor— processing personal data only on the customer's documented instructions under the per-tenant agreement / Data Processing Addendum (DPA).
What we process
- Business and operational records the customer enters or uploads into the tenant.
- Authentication data and audit logs for the tenant's authorised users.
- Any end-customer contact details the customer chooses to store (for messaging, invoicing, or fulfilment).
Storefront, B2B and back-office commerce platform. Licensed to merchants per tenant.
Legal basis & purpose
We process this data solely to provide the contracted service. The legal basis flows from the customer's instructions and the service contract; the customer is responsible for establishing a lawful basis with its own data subjects.
Infrastructure, sub-processors & security
E-commerce Suite runs on the same infrastructure and sub-processors described in the Overview tab, with the same encryption, tenant-isolation, and secret-management controls. We engage no product-specific sub-processor without flowing down equivalent obligations under contract.
Retention & data-subject requests
Retention follows the customer agreement. On termination, tenant data is exported or returned to the customer and then deleted per contract. End users wishing to exercise data-subject rights should contact the customer organisation (the controller); we assist the controller in responding.
Request a DPA or contract
To request a Data Processing Addendum or the full processing terms for E-commerce Suite Management, contact us on WhatsApp +974 55911793.
Business Suite Management — Privacyavailable
Business Suite Managementis a business product licensed to organisations (tenants). For the personal data of the customer's own staff and end-customers processed inside a Business Suite tenant, the customer is the data controller and XenithPulse Software acts as a data processor— processing personal data only on the customer's documented instructions under the per-tenant agreement / Data Processing Addendum (DPA).
What we process
- Business and operational records the customer enters or uploads into the tenant.
- Authentication data and audit logs for the tenant's authorised users.
- Any end-customer contact details the customer chooses to store (for messaging, invoicing, or fulfilment).
Unified admin console for sales, billing and finance. Licensed to organisations per tenant.
Legal basis & purpose
We process this data solely to provide the contracted service. The legal basis flows from the customer's instructions and the service contract; the customer is responsible for establishing a lawful basis with its own data subjects.
Infrastructure, sub-processors & security
Business Suite runs on the same infrastructure and sub-processors described in the Overview tab, with the same encryption, tenant-isolation, and secret-management controls. We engage no product-specific sub-processor without flowing down equivalent obligations under contract.
Retention & data-subject requests
Retention follows the customer agreement. On termination, tenant data is exported or returned to the customer and then deleted per contract. End users wishing to exercise data-subject rights should contact the customer organisation (the controller); we assist the controller in responding.
Request a DPA or contract
To request a Data Processing Addendum or the full processing terms for Business Suite Management, contact us on WhatsApp +974 55911793.
Restaurant POS — Privacylive
Restaurant POSis a business product licensed to organisations (tenants). For the personal data of the customer's own staff and end-customers processed inside a Restaurant POS tenant, the customer is the data controller and XenithPulse Software acts as a data processor— processing personal data only on the customer's documented instructions under the per-tenant agreement / Data Processing Addendum (DPA).
What we process
- Business and operational records the customer enters or uploads into the tenant.
- Authentication data and audit logs for the tenant's authorised users.
- Any end-customer contact details the customer chooses to store (for messaging, invoicing, or fulfilment).
Multi-user restaurant point of sale. Licensed to operators per tenant.
Legal basis & purpose
We process this data solely to provide the contracted service. The legal basis flows from the customer's instructions and the service contract; the customer is responsible for establishing a lawful basis with its own data subjects.
Infrastructure, sub-processors & security
Restaurant POS runs on the same infrastructure and sub-processors described in the Overview tab, with the same encryption, tenant-isolation, and secret-management controls. We engage no product-specific sub-processor without flowing down equivalent obligations under contract.
Retention & data-subject requests
Retention follows the customer agreement. On termination, tenant data is exported or returned to the customer and then deleted per contract. End users wishing to exercise data-subject rights should contact the customer organisation (the controller); we assist the controller in responding.
Request a DPA or contract
To request a Data Processing Addendum or the full processing terms for Restaurant POS, contact us on WhatsApp +974 55911793.
School ERP (eSM) — Privacydevelopment
School ERP (eSM)is a business product licensed to organisations (tenants). For the personal data of the customer's own staff and end-customers processed inside a School ERP tenant, the customer is the data controller and XenithPulse Software acts as a data processor— processing personal data only on the customer's documented instructions under the per-tenant agreement / Data Processing Addendum (DPA).
What we process
- Business and operational records the customer enters or uploads into the tenant.
- Authentication data and audit logs for the tenant's authorised users.
- Any end-customer contact details the customer chooses to store (for messaging, invoicing, or fulfilment).
Academic and administrative lifecycle ERP for schools. In development; licensed per tenant.
Legal basis & purpose
We process this data solely to provide the contracted service. The legal basis flows from the customer's instructions and the service contract; the customer is responsible for establishing a lawful basis with its own data subjects.
Infrastructure, sub-processors & security
School ERP runs on the same infrastructure and sub-processors described in the Overview tab, with the same encryption, tenant-isolation, and secret-management controls. We engage no product-specific sub-processor without flowing down equivalent obligations under contract.
Retention & data-subject requests
Retention follows the customer agreement. On termination, tenant data is exported or returned to the customer and then deleted per contract. End users wishing to exercise data-subject rights should contact the customer organisation (the controller); we assist the controller in responding.
Request a DPA or contract
To request a Data Processing Addendum or the full processing terms for School ERP (eSM), contact us on WhatsApp +974 55911793.
Windows Thermal Printer Service — Privacylive
Windows Thermal Printer Serviceruns entirely on-premise on the user's own Windows machine. It is a local printing bridge between a web application and a connected ESC/POS printer.
No personal data reaches our servers
- Print jobs are sent from the browser to the local service over
localhostand forwarded to the printer. - There is no account, no sign-in, and no telemetry that identifies a person.
- XenithPulse Software does not receive, store, or have access to the contents of any print job.
Questions
For questions about Thermal Printer Service, contact us on WhatsApp +974 55911793.