Privacy Policy — Full Legal Text

Last updated: March 2026

For a simplified overview, see our user-friendly privacy summary.

1. Introduction and Data Controller

This Privacy Policy explains how Beacon ("we," "us," or "our") collects, uses, discloses, and protects your personal data when you use our mobile application and website (collectively, the "Service").

Data Controller:
Beacon
Email: security@usebeacon.social

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection laws.

2. Categories of Personal Data We Collect

2.1 Data You Provide Directly

CategoryData ElementsPurpose
Account IdentifiersEmail address, usernameAccount creation, authentication, communication
Profile InformationDisplay name, bio, profile photo (optional)Personalization, display to friends
User Content Beacons (title, description, location name), comments, friend groups Core service functionality
Social ConnectionsFriend relationships, group membershipsFriend-based beacon visibility

2.2 Data Collected Automatically

CategoryData ElementsPurpose
Authentication DataSession tokens, passkey public keys, OAuth tokensSecure authentication
Device InformationUser agent string (browser/OS type)Service optimization, security
Push Notification DataPush subscription endpoint, encryption keysDelivering notifications you opt into
Usage AnalyticsFeature usage events (e.g., beacon created, friend added)Service improvement
Error LogsCrash reports, error messages (no PII included)Bug fixes, stability

2.3 Data from Third-Party Authentication

If you sign in via Google or Apple:

  • Google: Email address, name, profile picture
  • Apple: Email address (may be a private relay address), name

We do not receive or store your password from these providers.

2.4 Data We Do Not Collect

  • Precise geolocation (GPS coordinates)
  • Phone contacts or address book
  • Browsing history outside the Service
  • Advertising identifiers (IDFA, GAID)
  • Biometric data (passkey biometrics remain on your device)
  • Financial or payment information
  • Health data
  • Racial or ethnic origin, political opinions, religious beliefs

3. Legal Bases for Processing (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

Legal BasisProcessing Activities
Contract Performance
(Art. 6(1)(b))		 Account creation, authentication, beacon functionality, friend connections, displaying your content to friends
Consent
(Art. 6(1)(a))		 Push notifications, optional profile information (bio, photo), marketing communications (if any)
Legitimate Interests
(Art. 6(1)(f))		 Service security, fraud prevention, aggregated analytics for improvement, error logging for stability
Legal Obligation
(Art. 6(1)(c))		Compliance with applicable laws, responding to lawful requests

4. How We Use Your Personal Data

  • Providing the Service: Creating and managing your account, enabling beacon creation and discovery, facilitating friend connections
  • Communication: Sending transactional emails (OTP codes, account security), push notifications you've opted into
  • Improvement: Analyzing aggregated, anonymized usage patterns to improve features and user experience
  • Security: Detecting and preventing fraud, abuse, and unauthorized access; rate limiting; monitoring for security threats
  • Support: Responding to your inquiries and providing customer support
  • Legal Compliance: Meeting our legal obligations and enforcing our Terms of Service

5. Data Sharing and Disclosure

5.1 Sharing with Other Users

Your profile information, beacons, and activity are visible to your accepted friends. This is the core functionality of Beacon. You control your friend list and can remove friends or block users at any time.

5.2 Service Providers

We use the following third-party service providers:

ProviderPurposeData Processed
CloudflareHosting, CDN, database (D1)All service data
SentryError monitoringError logs (PII excluded)
Google (OAuth)AuthenticationAuth tokens during sign-in
Apple (OAuth)AuthenticationAuth tokens during sign-in

These providers process data on our behalf under data processing agreements that ensure appropriate safeguards.

5.3 We Do Not Sell Your Data

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We do not share data for cross-context behavioral advertising.

For California residents: Under the CCPA/CPRA, we confirm that we do not "sell" or "share" (as those terms are defined under California law) your personal information.

5.4 Legal Requirements

We may disclose your data if required by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

6. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States and other countries where our service providers operate.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Service providers certified under the EU-U.S. Data Privacy Framework

7. Data Retention

Data TypeRetention Period
Account dataUntil account deletion + 30 days
BeaconsVisible for 12 hours; stored until account deletion
Email OTP codes10 minutes or until verified (whichever is first)
Session dataUntil logout or 30 days of inactivity
Analytics events12 months (aggregated/anonymized thereafter)
Error logs90 days

8. Your Rights

8.1 Rights Under GDPR (EEA, UK, Switzerland)

  • Access (Art. 15): Request a copy of your personal data
  • Rectification (Art. 16): Correct inaccurate or incomplete data
  • Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Restriction (Art. 18): Request limited processing in certain circumstances
  • Data Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Objection (Art. 21): Object to processing based on legitimate interests
  • Withdraw Consent: Where processing is based on consent, withdraw at any time
  • Lodge a Complaint: File a complaint with your local data protection authority

8.2 Rights Under CCPA/CPRA (California Residents)

  • Right to Know: Request disclosure of what personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your data, so this does not apply
  • Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CPRA
  • Non-Discrimination: We will not discriminate against you for exercising your rights

8.3 Rights Under Other U.S. State Laws

Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights to access, delete, correct, and port their data. We honor these requests consistent with applicable law.

8.4 How to Exercise Your Rights

You can exercise most rights directly in the app:

  • Access/Edit: Profile settings
  • Delete account: Settings → Delete Account
  • Push notifications: Disable in device settings

For other requests, contact us at security@usebeacon.social. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing requests.

9. Security Measures

We implement appropriate technical and organizational measures including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Secure authentication (passkeys, OAuth 2.0, rate-limited OTP)
  • Rate limiting to prevent brute force attacks
  • Regular security reviews
  • Principle of least privilege for data access
  • Incident response procedures

No system is 100% secure. If you discover a security vulnerability, please report it to security@usebeacon.social.

10. Children's Privacy

Beacon is not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at security@usebeacon.social and we will delete it.

For users in the EEA, the age threshold may be higher (up to 16) depending on your country's implementation of the GDPR.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. Beacon matching is based solely on mutual friend connections and explicit beacon activity, not algorithmic profiling.

12. Cookies and Similar Technologies

We use minimal, essential cookies and local storage for:

  • Authentication: Session cookies to keep you logged in
  • Preferences: Local storage for app settings (e.g., theme preference)

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not participate in cross-site tracking.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Email notification to your registered email address
  • In-app notification
  • Updating the "Last updated" date at the top of this page

Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

14. Governing Law

This Privacy Policy is governed by the laws of the Republic of Estonia, without regard to conflict of law principles. For EU residents, this does not affect your rights under mandatory consumer protection laws in your country of residence.

15. Contact Us

For privacy-related inquiries:

Email:security@usebeacon.social

General inquiries:team@usebeacon.social

For EEA residents, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.