1. Who We Are
Aitronyx Ltd (company number 16965157), registered at Gibson House, Old Chapel Lane, Charter Alley, Hampshire RG26 5PX, is the controller of personal data processed through Beacon HQ and is responsible for this policy. You can contact us at legal@aitronyx.com. Our ICO registration number will be published here once issued.
2. Scope
This policy applies to personal data relating to (a) Authorised Users of the Platform, (b) individuals named in documents uploaded to the Platform ("Third-Party Individuals"), and (c) any person who corresponds with us about the Platform.
Where we process personal data on behalf of a Customer through the Platform, we act as a processor and the Customer is the controller. The Data Processing Addendum in Annex 1 applies to that processing.
3. Data We Collect
3.1 Account and Billing Data
Name, business email, phone number, company name, business address, VAT number, role and preferences. Payment card details are handled directly by Stripe; we receive only a token and limited metadata (last four digits, expiry, card brand).
3.2 Uploaded Content
Contracts and documents that you upload, AI Outputs generated from those documents, and notes or comments you add. Uploaded documents may contain personal data about Third-Party Individuals (for example, named contract parties or contacts).
3.3 Usage Data
Logins, features used, number of analyses performed, IP address, browser and device information, approximate location derived from IP, and error and performance telemetry.
3.4 Communications
Support tickets, demo requests, feedback and transactional email correspondence.
3.5 Cookies
We use strictly necessary cookies for session management, preference storage and security. We do not use advertising or cross-site tracking cookies. Further detail is in our Cookie Notice at /cookies.
4. How We Use Data and Lawful Bases
- Providing the Platform — lawful basis: performance of contract (Article 6(1)(b) UK GDPR).
- Processing payments and managing subscriptions — lawful basis: performance of contract.
- Transactional and service communications — lawful basis: performance of contract and legitimate interests.
- Security, fraud prevention and service improvement — lawful basis: legitimate interests.
- Processing Third-Party Individual data in uploads — where we act as controller, lawful basis: legitimate interests; where we act as processor, we act on your documented instructions.
- Responding to correspondence — lawful basis: legitimate interests.
- Marketing our own services to business users — lawful basis: legitimate interests and, where applicable, PECR Regulation 22(3) "soft opt-in" for existing customers.
- Legal obligations — lawful basis: Article 6(1)(c) UK GDPR (accounting, tax, regulatory).
- Establishing, exercising or defending legal claims — lawful basis: legitimate interests.
We do not use your uploaded documents or AI Outputs to train or fine-tune any artificial intelligence model. We do not use them for product demonstrations, marketing or benchmarking. Only synthetic contracts are used for demos.
5. Sharing
5.1 Sub-processors
We use the following trusted sub-processors to operate the Platform:
- Anthropic PBC (United States) — Claude large language model for AI analysis. Commercial terms prohibit training on customer inputs.
- Supabase Inc (EU / UK) — managed PostgreSQL database, authentication and file storage.
- Vercel Inc (US / EU) — application hosting and content delivery.
- Railway Corp (EU) — background job processing for long-running analyses.
- Stripe Payments UK Ltd (UK / US) — payment processing.
- Resend Inc (US) — transactional email delivery.
A current sub-processor list is maintained at /subprocessors. We will give 30 days' advance notice of any material change to our sub-processors.
5.2 Other Recipients
We may share personal data with our professional advisers (lawyers, accountants, insurers) under duties of confidence, with authorities and courts where required by law, and with a successor entity in the event of a corporate transaction.
5.3 No Sale of Personal Data
We do not sell personal data. We do not participate in advertising networks.
6. International Transfers
Where personal data is transferred to the United States, we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the UK Extension to the EU-US Data Privacy Framework where the recipient is certified. We carry out transfer risk assessments for each cross-border flow. Documentation is available on request.
7. Retention
- Account data — duration of subscription plus 12 months.
- Uploaded content and AI Outputs — duration of subscription. Deleted 30 days after termination. Removed from backups within 60 days after termination.
- Billing records — 6 years (UK tax law).
- Support correspondence — 3 years.
- Marketing preferences — until you unsubscribe or request deletion.
You may request earlier deletion of any data that we are not required to retain by law.
8. Your Rights
Under UK data protection law you have the following rights in relation to your personal data:
- access to the data we hold about you;
- rectification of inaccurate or incomplete data;
- erasure in certain circumstances;
- restriction of processing in certain circumstances;
- portability of data you have provided to us;
- objection to processing based on legitimate interests or direct marketing;
- withdrawal of consent where consent is the lawful basis;
- to lodge a complaint with the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, contact legal@aitronyx.com. We will respond within one calendar month. We may need to verify your identity before acting on a request.
9. Security
We protect personal data using TLS 1.2 or higher in transit, encryption at rest, role-based access control, multi-factor authentication for all staff accounts, the principle of least privilege, logging and monitoring, and a documented incident response plan. We will notify the Information Commissioner's Office within 72 hours of becoming aware of a personal data breach that meets the notification threshold, and affected individuals without undue delay where required.
10. Children
The Platform is a business-to-business service and is not directed at or intended for use by anyone under the age of 18.
11. Changes to this Policy
We will notify you by email at least 30 days in advance of any material change to this policy. Minor changes (clarifications, typos, updated sub-processor contact details) may be made without individual notice.
12. Contact
Aitronyx Ltd
Gibson House, Old Chapel Lane, Charter Alley, Hampshire RG26 5PX
legal@aitronyx.com
Annex 1: Data Processing Addendum
This Annex applies where Aitronyx Ltd processes personal data on behalf of a Customer through the Platform. It forms part of the agreement between the parties.
1. Definitions
Terms not defined here have the meaning given in the UK GDPR. "Customer" is the controller. "Aitronyx" is the processor.
2. Roles and Scope
The Customer is the controller of personal data processed through the Platform. Aitronyx is the processor. This Annex applies to all processing of personal data that Aitronyx carries out on behalf of the Customer in providing the Platform.
3. Processor Obligations
Aitronyx will:
- process personal data only on the documented instructions of the Customer, including as set out in the Terms of Service and this Annex;
- ensure that all personnel authorised to process personal data are under an obligation of confidentiality;
- implement appropriate technical and organisational measures as set out in Appendix B;
- assist the Customer in responding to data subject rights requests, security incidents, data protection impact assessments and regulator consultations;
- allow the Customer to conduct audits or provide audit evidence on reasonable request, no more than once per year unless a serious incident requires otherwise;
- on termination, delete or return all personal data at the Customer's choice within 30 days and delete any copies unless retention is required by law.
4. Sub-processors
The Customer grants general authorisation for Aitronyx to engage sub-processors as listed in clause 5.1 of the Privacy Policy. Aitronyx will give 30 days' advance notice of any addition or replacement. The Customer may reasonably object, in which case the parties will work in good faith to find an alternative or the Customer may terminate the affected service with a pro-rata refund.
5. International Transfers
Where personal data is transferred outside the UK, Aitronyx will put in place appropriate transfer mechanisms as set out in section 6 of the Privacy Policy.
6. Breach Notification
Aitronyx will notify the Customer without undue delay and in any event within 48 hours of becoming aware of a personal data breach affecting Customer data, providing sufficient information for the Customer to meet its own notification obligations.
7. Liability
Liability under this Annex is subject to the limitation of liability provisions in clause 11 of the Terms of Service.
Appendix A: Description of Processing
- Subject matter: provision of the Beacon HQ Platform for subcontract risk analysis and related commercial workflows.
- Nature and purpose of processing: storage, AI-assisted analysis, generation of reports and correspondence, delivery via the Platform to Authorised Users.
- Duration: for the term of the Customer's subscription plus the retention periods set out in section 7 of the Privacy Policy.
- Categories of data subject: Authorised Users, Third-Party Individuals named in uploaded contracts (counterparties, contacts, signatories).
- Types of personal data: identity and contact details, business role, company affiliation, correspondence content. No special category data should be uploaded.
Appendix B: Technical and Organisational Measures
- Encryption in transit (TLS 1.2 or higher) and at rest.
- Pseudonymisation where appropriate.
- Role-based access control and principle of least privilege.
- Multi-factor authentication for all staff accounts.
- Network segmentation between production, staging and development environments.
- Logging and monitoring of access and administrative actions.
- Regular backup and disaster-recovery testing.
- Documented incident response plan with 72-hour ICO notification commitment.
- Ongoing staff training on data protection and information security.
- Contractual obligations imposed on sub-processors substantially equivalent to this Annex.