
BeaconHQ — Privacy Policy

Data controller: Aitronyx Ltd (company number 16965157), trading as BeaconHQ
Registered office: Grove House, Lutyens Close, Chineham Court, Basingstoke, Hampshire RG24 8AG
ICO registration number: ZC159675
Contact for data protection matters: legal@aitronyx.com
Effective from: 1 June 2026
Last updated: 1 June 2026

This Privacy Policy explains how Aitronyx Ltd ("Aitronyx", "we", "us") collects, uses, shares and protects personal data in connection with the BeaconHQ platform (the "Service"). It is written for the businesses that subscribe to BeaconHQ and for the individuals whose personal data we process. It forms part of, and should be read alongside, our Terms of Service, AI Output Disclaimer and Data Processing Agreement.


1. Our role: controller and processor

Our role under the UK General Data Protection Regulation (UK GDPR) depends on the data in question:

  • For the personal data we hold to operate your account and run our business — for example the name, email address and billing details of the people who register and use the Service — we are the controller, and this Privacy Policy governs that processing.
  • For any third-party personal data contained within the contracts and documents you upload to the Service — for example the names, addresses, signatories or contact details of your counterparties — you (our business customer) are the controller and we act as your processor. That processing is governed by our Data Processing Agreement, not by this Policy.

2. The personal data we collect

We collect and process the following categories of personal data:

  • Registration and account data — name, business email address, Organisation name, job role, and the credentials used to access your account.
  • Billing data — billing name, billing address, subscription tier, payment-method tokens (handled by our payment processor; we do not store full card numbers), and invoice and transaction records.
  • Usage data — records of the Reviews you run, features you use, and activity within your account, including audit records of billing and administrative actions.
  • Uploaded content — the contracts and documents you submit for analysis, which may contain personal data relating to third parties. We process this content on your behalf as your processor (see section 1 and our Data Processing Agreement).
  • Technical and log data — IP address, browser and device information, session tokens, and diagnostic data generated when you use the Service or when an error occurs.
  • Communications — the content of messages you send us, for example support enquiries or feedback.

3. How we use personal data, and our legal bases

We use personal data for the following purposes, relying on the following legal bases under Article 6 UK GDPR:

  • To provide and operate the Service — creating and managing your account, running Reviews, delivering Output, and providing support. Legal basis: performance of our contract with you.
  • To take payment and manage billing — processing subscription and overage charges, issuing invoices, and managing renewals and cancellations. Legal basis: performance of our contract; compliance with a legal obligation (for tax and accounting records).
  • To secure and maintain the Service — authentication, fraud prevention, monitoring, troubleshooting, and protecting the integrity of the platform. Legal basis: our legitimate interests in operating a secure and reliable service.
  • To improve the Service — analysing usage and using anonymised, aggregated or de-identified data to monitor performance and develop the Service. Legal basis: our legitimate interests in improving our product.
  • To communicate with you — sending service-related messages, responding to enquiries, and (where relevant) sending business-to-business information about the Service. Legal basis: performance of our contract; our legitimate interests; or your consent where required.
  • To comply with the law — meeting our legal, regulatory and tax obligations, and responding to lawful requests. Legal basis: compliance with a legal obligation.

We do not use the content of your uploaded contracts for our own purposes beyond providing the Service to you, and we do not sell personal data.

4. Uploaded contracts and AI processing

When you submit a contract for analysis, the text of that document is processed by AI in order to produce the Output. This processing involves transmitting the document text to our third-party AI model provider, Anthropic, PBC, in the United States. Where your uploaded contracts contain personal data relating to other people, you remain the controller of that data and should account for this processing and transfer in your own records. The content you submit for analysis is not used by our AI model provider to train its models, in accordance with that provider's applicable terms. Further detail is set out in our Data Processing Agreement.

5. Where we store and process your data

We store your data, and carry out the substantive processing of it, within the European Union:

| What | Where | Provider |
|---|---|---|
| All customer accounts, uploaded contract content, billing metadata and audit logs (our sole persistent store) | EU West — Ireland | Supabase |
| Application, account, billing and administrative functions | EU — Dublin, Ireland | Vercel |
| Contract-analysis processing (your uploaded document is analysed and the results written back to the database; nothing is retained on this tier) | EU West — Amsterdam, Netherlands | Railway |

We have deliberately chosen single-region EU hosting in preference to multi-region failover, in order to keep your data within the European Union.

One exception you should be aware of. Lightweight authentication and request-routing checks are performed on a global edge network operated by our hosting provider, at the location nearest to you when you make a request. These checks read only your session token, your authenticated user identifier and the address (URL) you are requesting; they do not access your uploaded contracts, your account records or your billing data. For this limited purpose, this technical metadata may be processed outside the European Union. We therefore describe our processing as taking place primarily within the European Union, with this narrow edge-network exception.

6. International transfers

Some of the providers we rely on (listed in section 7) are established in, or process data in, the United States or other countries outside the UK and European Economic Area (EEA). Where personal data is transferred outside the UK/EEA in the course of providing the Service, that transfer is protected by an appropriate safeguard under Article 46 UK GDPR — the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, as incorporated in that provider's published data processing agreement. The most significant transfer is to Anthropic, PBC in the United States, as described in section 4.

7. Sub-processors

We use the following sub-processors to deliver the Service. Each is engaged under a written contract incorporating the data-protection obligations required by Article 28 UK GDPR and, where personal data is transferred outside the UK/EEA, the transfer safeguard described in section 6. We review this list and the currency of each provider's terms at least annually and whenever we make a material change to the Service.

| Sub-processor | Purpose | Personal data processed | Location & transfer |
|---|---|---|---|
| Supabase | Database, authentication and file storage | Account email, authentication credentials, and all data you store in the platform | Hosted in the EU (Ireland); provider group is US-headquartered |
| Anthropic, PBC | AI analysis of uploaded contracts | Contract text — may include third-party personal data such as counterparty names, addresses, signatories and contact details | United States — international transfer |
| Stripe, Inc. (contracting via Stripe Payments UK Limited) | Billing, payment processing and invoicing | Billing name, email and address, payment-method tokens, subscription and usage records | United States, with UK/EEA processing per Stripe's DPA — international transfer |
| Resend, Inc. | Transactional email (sign-in codes, verification, account notifications) | Email address, one-time/verification codes, account-event metadata | United States — international transfer |
| Sentry (Functional Software, Inc.) | Application error monitoring | Error context, which may include user identifiers, request URLs and partial diagnostic data | United States — international transfer |
| Vercel, Inc. | Application hosting, edge network and deployment | Session token (at the edge), request URL, IP address (in logs), request/response metadata | Application compute in the EU (Dublin); global edge network; provider is US-headquartered |
| Railway Corp. | Hosting for the contract-analysis worker | Contract content in transit during analysis (not retained) | Compute in the EU (Amsterdam); provider group is US-headquartered |
| Cloudflare, Inc. | Bot-detection on public forms | IP address, browser/client signals, challenge-interaction data | Global; provider is US-headquartered — international transfer |
| Formspree, Inc. | Receipt of public-form submissions (enquiries, applications) | Name, email, company name and the message content you submit | United States — international transfer |

8. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

  • Account and uploaded content — retained for the duration of your Subscription and for up to twelve (12) months following termination, after which it is permanently deleted, unless you have separately agreed indefinite retention or a longer period is required by law. Following termination, you may export your data for a period of thirty (30) days (see our Terms of Service, clause 16).
  • Billing and transaction records — retained for as long as required to meet our tax, accounting and legal obligations (typically six years).
  • Support communications and log data — retained for as long as necessary to operate, secure and support the Service.

9. How we keep your data secure

We take appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, taking into account the nature of the data and the risks involved. Because BeaconHQ handles business-contract data rather than consumer financial or health data, our measures are calibrated accordingly. In summary:

  • Encryption. All connections to the platform, and all traffic between the systems that make up the Service, are encrypted in transit. Your stored data is held by our database provider in encrypted form at rest. The parts of our system that handle requests and run analysis do not retain your data.
  • Access control. Access to accounts is authenticated by a one-time passcode delivered to your registered email address, with repeated attempts rate-limited. Within the platform, database-level controls restrict each record so that it is visible only to the organisation and user it belongs to. Operator access to the platform is restricted to a small number of named, authorised personnel.
  • Credentials. The keys and credentials that protect the Service are held in managed, encrypted secret stores, are never stored in our source code, and are rotated on defined triggers.
  • Monitoring and audit. We log system activity and monitor for errors. Billing changes, subscription changes and operator actions are recorded in an audit log, and an automated reconciliation process runs regularly to surface anomalies.
  • Resilience. Our database is backed up automatically with point-in-time recovery, and our systems can be redeployed from source at any time.
  • Incidents. If we suspect a personal-data breach we will assess it without undue delay, notify the Information Commissioner's Office within 72 hours where the threshold under Article 33 UK GDPR is met, and notify affected customers in accordance with Article 34 where a breach is likely to result in a high risk to individuals.

We keep these measures under review and update them as the Service develops. The detailed measures applicable to data we process on your behalf are set out in our Data Processing Agreement.

10. Your rights

Under UK data protection law you have the following rights in respect of your personal data: the right to be informed; to access your data; to rectification of inaccurate data; to erasure in certain circumstances; to restrict processing; to data portability; to object to processing based on legitimate interests; and rights relating to automated decision-making. Where our processing relies on consent, you may withdraw that consent at any time.

To exercise any of these rights, contact us at legal@aitronyx.com. Where the personal data in question is contained within contracts you have uploaded, you are the controller and we will assist you, as your processor, in responding to requests from the individuals concerned, as set out in our Data Processing Agreement.

We will respond to requests within the timeframes required by law (generally one month). If you are not satisfied with how we handle your personal data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk, or by calling 0303 123 1113. We would, however, appreciate the chance to address your concerns first.

11. Cookies

We use cookies and similar technologies to operate the Service, keep you signed in, and understand how the Service is used. Full details, including the categories of cookies we use and how to manage them, are set out in our Cookie Policy.

12. Children

The Service is a business-to-business product intended for use by businesses and their authorised staff. It is not directed at children, and we do not knowingly collect personal data relating to children.

13. Changes to this Policy

We may update this Privacy Policy from time to time. Where a change is material, we will notify subscribers by email or through the Service. The "Last updated" date at the top of this Policy indicates when it was most recently revised.

14. How to contact us

For any question about this Policy or about how we handle personal data, contact our data protection contact at legal@aitronyx.com, or write to Aitronyx Ltd, Grove House, Lutyens Close, Chineham Court, Basingstoke, Hampshire RG24 8AG.


Aitronyx Ltd, trading as BeaconHQ. Company number 16965157. ICO registration number ZC159675.