Privacy Policy

Effective date: April 5, 2026

Beacon ("Company", "we", "us", "our") operates Beacon (the "Service"). This Privacy Policy describes how we collect, use, share, and protect information when you use the Service. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and authentication credentials. If you sign in using a third-party OAuth provider (such as Google or GitHub), we receive your name, email address, and profile identifier from that provider. We do not receive or store your OAuth provider password.

Workspace and Service Data

As you use the Service, we store the data you create and manage within your workspaces, including:

  • Status pages, components, and component groups
  • Incidents, incident updates, and scheduled maintenance records
  • Monitoring configuration and uptime check results
  • Subscriber lists and notification preferences
  • Team membership, roles, and workspace settings
  • Audit logs of administrative actions within your workspaces

Usage Data

We automatically collect technical information when you interact with the Service, including page views, API call metadata (endpoint, timestamp, response status), IP addresses, browser type, operating system, and referring URLs. This information is used for security, performance optimization, and to improve the Service.

Payment Data

Payment processing is handled entirely by Stripe, our third-party payment processor. When you subscribe to a paid plan, your payment card details are submitted directly to Stripe and are never transmitted to or stored on our servers. We receive and store only limited billing metadata from Stripe, such as the last four digits of your card number, card brand, billing email, and subscription status.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and operate the Service: host your status pages, execute uptime monitors, deliver incident notifications, and process API requests
  • Send notifications: deliver incident alerts, maintenance notices, team invitations, and account-related emails
  • Process billing: manage subscriptions, issue invoices, and handle payment-related communications through Stripe
  • Improve the Service: analyze usage patterns to identify bugs, optimize performance, and develop new features
  • Ensure security: detect and prevent fraud, abuse, and unauthorized access
  • Comply with legal obligations: respond to lawful requests from public authorities and comply with applicable laws

3. How We Share Your Information

We do not sell your personal information to third parties. We share information only with the following categories of service providers, and only to the extent necessary to operate the Service:

  • Stripe: payment processing and subscription management. Stripe processes your payment information under its own privacy policy.
  • Email service provider: delivery of transactional emails including incident notifications, team invitations, and billing receipts.
  • Infrastructure provider: hosting of the application, database, and related services.

We may also disclose information if required by law, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4. Cookies

We use only essential cookies required for the operation of the Service, including session management and cross-site request forgery (CSRF) protection. We do not use advertising or tracking cookies. For detailed information about the specific cookies we use, please refer to our Cookie Policy.

5. Data Retention

We retain your account data for as long as your account remains active. If you delete your account or request deletion of your personal data, we will remove your personal information from our active systems within thirty (30) days. Some information may be retained in encrypted backups for a limited period in accordance with our backup rotation schedule.

When a workspace is deleted, all associated data is removed, including status pages, incident history, component configurations, monitoring data, subscriber lists, and audit logs. This deletion is permanent and cannot be reversed after the 30-day data export period described in our Terms of Service.

We may retain indefinitely, for analytical and operational purposes, anonymized, aggregated data that cannot be used to identify you.

6. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • All data transmitted between your browser and the Service is encrypted using TLS (Transport Layer Security)
  • Sensitive fields, including API tokens and webhook secrets, are encrypted at rest
  • Passwords are hashed using bcrypt and are never stored in plaintext
  • Regular automated backups with encryption are maintained
  • Access to production systems is restricted and monitored

For more detail on our security practices, please refer to our Security Policy.

7. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you
  • Correction: request correction of inaccurate or incomplete personal data
  • Deletion: request deletion of your personal data, subject to legitimate retention needs
  • Export: request a portable copy of your data in a machine-readable format
  • Objection: object to certain processing of your personal data
  • Restriction: request that we limit certain processing activities

To exercise any of these rights, please contact us using the information in the Contact section below. We will respond to your request within thirty (30) days or within the timeframe required by applicable law.

8. Children

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information promptly. If you believe we have collected information from a child under 16, please contact us immediately.

9. International Data Transfers

Your information may be processed and stored in jurisdictions other than your own. These jurisdictions may have data protection laws that differ from those in your country of residence. By using the Service, you consent to the transfer of your information to these jurisdictions. Where required by applicable law, we implement appropriate safeguards to ensure your data receives an adequate level of protection regardless of where it is processed.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will post the revised policy on this page with an updated effective date. For material changes, we will provide notice through the Service or by sending an email to the address associated with your account. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.

11. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us: