Beamprobe Beamprobe v1.0
Start free
Privacy Policy

How we handle your data.

Last updated: 5 May 2026 · Effective: 5 May 2026

1. Who we are

Beamprobe Ltd ("Beamprobe", "we", "us", "our") is a company registered in England and Wales. We operate the website at beamprobe.com and the related virtual data room service.

Registered office: London, United Kingdom.
ICO registration: ZB123456 (placeholder — replace with actual).
Data Protection contact: dpo@beamprobe.com

2. Scope

This policy explains what personal data Beamprobe collects, why, on what legal basis, where it is stored, who it is shared with, and your rights under UK GDPR and the Data Protection Act 2018.

It applies to:

  • Visitors to the Beamprobe website
  • Account holders ("Customers") who create rooms and upload documents
  • End viewers ("Recipients") who access rooms shared by a Customer

3. Data we collect

3.1 From Customers (account holders)

  • Account email and name
  • Hashed password (bcrypt cost 12)
  • Stripe customer ID and subscription metadata (no card numbers — we never see them)
  • IP addresses on login and administrative actions
  • Logs of administrative activity

3.2 From Recipients (people accessing a room shared with them)

  • Name and email when an NDA gate or email gate is enabled by the Customer
  • IP address
  • User-agent (browser identifier)
  • Documents accessed, pages viewed, dwell time per page
  • Timestamp of each access event

3.3 From documents Customers upload

Beamprobe stores the documents Customers upload to their rooms. We do not inspect document contents except as required to render them in the viewer (e.g. extracting page count, generating thumbnails). Documents are encrypted at rest with AES-256 and stored in AWS eu-west-2 (London).

3.4 Cookies and analytics

See our Cookie Policy for the full list. Briefly: we use strictly necessary cookies only (session, CSRF). No third-party analytics, no advertising trackers.

4. Legal basis

Under UK GDPR Article 6, our legal bases are:

  • Contract (Article 6(1)(b)) — to provide the service Customers subscribe to
  • Legitimate interests (Article 6(1)(f)) — for security logging, fraud prevention, product improvement
  • Legal obligation (Article 6(1)(c)) — to retain certain data for tax and audit purposes
  • Consent (Article 6(1)(a)) — for any optional marketing communications

For Recipients accessing a Customer's room: the Customer is the data controller for the personal data captured at access; Beamprobe is the data processor acting on the Customer's instructions.

5. Where data is stored

All Customer data, document files, and Recipient access logs are stored in AWS eu-west-2 (London region). Backups are also in eu-west-2. We do not transfer data outside the United Kingdom.

Email is delivered via an EU-region email provider (currently Resend, EU endpoint).

Stripe processes payments. Stripe stores card data on Stripe's infrastructure under their own DPA; we never store or transmit raw card numbers.

6. Who we share with

We share personal data only with:

  • Sub-processors as listed in our Data Processing Agreement — currently AWS (hosting), Stripe (billing), Resend (transactional email)
  • Law enforcement where compelled by valid UK or EU legal process
  • Successor entity in the event of a merger, acquisition, or asset sale, with notice to affected Customers

We do not sell personal data. We do not share personal data with advertisers. We do not run advertising on Beamprobe.

7. Retention

  • Customer account data: retained while subscription is active, plus 30 days after cancellation
  • Document files: deleted within 30 days of room deletion or subscription cancellation
  • Recipient access logs: retained for the duration the Customer's account is active, exportable to CSV by the Customer at any time
  • NDA acceptance records: retained for 6 years after the last access (UK statute of limitations for contract claims)
  • Billing records: retained for 7 years (UK tax law)

8. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion ("right to be forgotten") subject to lawful retention requirements above
  • Restrict processing — request we limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Object — to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent
  • Complain to the ICO — at ico.org.uk if you believe we have mishandled your data

To exercise any of these, email dpo@beamprobe.com. We respond within 30 days, usually faster.

9. Security

  • Encryption in transit: TLS 1.2+ enforced. HSTS preload.
  • Encryption at rest: AES-256 (S3 SSE-S3) for documents. Database encryption at rest enabled.
  • Authentication: bcrypt password hashing (cost 12). Optional Google OAuth.
  • Access controls: principle of least privilege. Production access restricted to named engineers.
  • Audit logging: every administrative action logged.
  • Backups: daily, encrypted, retained 30 days.
  • SOC 2: Type 2 audit in progress (target: 2026).

10. Breach notification

In the event of a personal data breach affecting Customer data, we will:

  • Notify the ICO within 72 hours of becoming aware (UK GDPR Article 33)
  • Notify affected Customers without undue delay where there is a likely high risk to rights and freedoms
  • Document the breach in our internal breach register
  • Provide affected Customers with the information required to comply with their own notification obligations

11. Children

Beamprobe is not intended for use by anyone under 18. We do not knowingly collect data from children. If you believe we have collected data from a child, contact dpo@beamprobe.com and we will delete it.

12. Changes

We may update this policy. Material changes will be notified to Customers by email at least 30 days before they take effect. The "Last updated" date at the top of this page shows the current version date.

13. Contact

Privacy and data protection: dpo@beamprobe.com
Security: security@beamprobe.com
General: hello@beamprobe.com

Postal address available on written request to the email above.

14. Supervisory authority

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
ico.org.uk · 0303 123 1113