Privacy Policy

BeaconIR ("we," "us," or "our") operates an investor relations infrastructure platform that enables companies to build, host, and manage IR websites, publish press releases and SEC filings, and communicate with investors. This Privacy Policy explains how we collect, use, disclose, and protect information in two distinct contexts:

• —Platform Customers — companies and individuals who create a BeaconIR account and use the Platform to build and manage their IR site.
• —IR Site Visitors — investors, shareholders, media, and members of the public who visit IR sites hosted and served by BeaconIR on behalf of our Customers.

By using the Platform or visiting a BeaconIR-hosted IR site, you consent to the practices described in this policy. If you do not agree, please discontinue use of the applicable service. This policy does not apply to third-party websites linked from BeaconIR or Customer IR sites.

When you create a BeaconIR account or use the Platform, we collect:

Account & Identity

• —Name and email address provided during registration or onboarding
• —Company name, ticker symbol, stock exchange, and IR contact information
• —Profile information entered into the admin panel (team members, roles)
• —Authentication data (passwords are hashed; magic link tokens are single-use)

Billing & Payment

• —Billing contact information and subscription plan selection
• —Payment card details — processed and stored exclusively by Stripe. BeaconIR does not store raw card numbers or CVV codes.
• —Transaction history, invoices, and subscription status

Platform Usage

• —Admin panel usage logs (pages visited, actions taken, timestamps)
• —Content uploaded to the Platform (press releases, SEC filings, images, documents)
• —Configuration preferences (template selection, colors, fonts, domain settings)
• —Support requests and communications with our team

When investors and members of the public visit a Customer's BeaconIR-hosted IR site, BeaconIR collects certain data on behalf of the Customer to power analytics and platform features. This data is aggregated and used to provide analytics to the Customer.

Analytics Data

• —Page URL and referrer URL
• —Browser type, operating system, and device category (desktop/mobile)
• —Country and region derived from IP address — IP addresses themselves are not stored
• —Session duration and page views
• —Events such as document downloads and press release views

IR site analytics are provided by Umami, a privacy-focused, cookieless analytics tool. Umami does not use cookies, does not track visitors across sites, and collects no personally identifiable information. No consent banner is required for Umami analytics under standard GDPR guidance.

Investor Email Alert Subscriptions

• —If an IR site visitor subscribes to investor alerts, we collect their email address with double opt-in confirmation.
• —Subscriber email addresses are stored in BeaconIR's database and are visible to the IR site's Customer in their admin panel.
• —Subscribers may unsubscribe at any time via the link included in every alert email. Unsubscribe requests are processed immediately.
• —Subscriber data is used solely to send investor alerts on behalf of the Customer. We do not use subscriber email addresses for BeaconIR marketing without separate consent.

• —Providing and operating the Platform. Hosting your IR site, managing your admin panel, processing payments, sending transactional emails (magic links, account notices, billing receipts).
• —Customer support. Responding to support requests, troubleshooting issues, and communicating about your account.
• —Analytics and product improvement. Aggregated and anonymized usage data is used to improve Platform features, performance, and reliability.
• —Security and fraud prevention. Monitoring for suspicious activity, unauthorized access attempts, and abuse of the Platform.
• —Legal compliance. Retaining records required by applicable law, responding to lawful requests from regulators or courts, and enforcing our Terms of Service.
• —Marketing (with consent). If you have opted in to marketing communications, we may send product updates, feature announcements, or relevant content. You may opt out at any time.

For customers and IR site visitors in the European Economic Area, United Kingdom, or Switzerland, we process personal data on the following legal bases under the GDPR:

• —Contract performance. Processing account data, billing information, and platform usage to deliver the Services you have contracted for.
• —Legitimate interests. Security monitoring, fraud prevention, product analytics, and improving the Platform — where such interests are not overridden by your rights.
• —Consent. Marketing communications and investor alert subscriptions. You may withdraw consent at any time without affecting prior processing.
• —Legal obligation. Retaining billing and transaction records as required by applicable tax and financial regulations.

We do not sell personal data. We share data with the following third-party service providers to operate the Platform, each bound by data processing agreements:

• —Stripe. Payment processing, subscription billing, and invoice management. Stripe stores payment card data under PCI DSS compliance.
• —Vercel. Cloud hosting, edge serving, and infrastructure for the Platform and all Customer IR sites. Customer content and site assets are stored on Vercel's infrastructure.
• —Alpha Vantage. Market data API for stock price widget functionality. Your company ticker symbol may be sent to Alpha Vantage to retrieve market data.
• —Umami. Privacy-first, cookieless analytics for IR site visitor data. No PII is collected or shared through Umami.
• —EmailIt (or equivalent transactional email provider). Sending transactional emails including magic link authentication, billing receipts, and investor alert notifications.
• —Third-party newswire networks. When you purchase press distribution, the press release content and your company details are transmitted to distribution partners.

We may also disclose information if required by law, court order, or regulatory authority; to protect the rights, safety, or property of BeaconIR, our Customers, or the public; or in connection with a merger, acquisition, or sale of assets, in which case we will notify affected users.

Platform admin panel. The BeaconIR admin panel uses session cookies and local storage to maintain your logged-in state and store UI preferences. These are technically necessary for the Platform to function. No third-party advertising or behavioral tracking cookies are set by BeaconIR.

Customer IR sites. IR sites hosted on BeaconIR use Umami for analytics, which is cookieless and does not set any tracking cookies on IR site visitors. IR sites may also store a session preference for light/dark mode in the visitor's browser local storage — this data never leaves the visitor's device.

If a Customer embeds third-party scripts (e.g. via custom code injection, if offered), those scripts may set their own cookies subject to the Customer's own privacy policy. BeaconIR is not responsible for third-party cookies introduced by Customer customizations.

• —Account data. Retained for the duration of your Subscription and for up to 30 days after account termination to allow recovery requests.
• —Customer Content. Retained while your account is active and for up to 30 days after termination, after which it is deleted from our systems.
• —Billing records. Retained for a minimum of 7 years from the transaction date as required by applicable financial regulations.
• —IR site analytics. Aggregated, anonymized analytics data may be retained indefinitely. Raw event data is retained for up to 24 months.
• —Investor alert subscriber emails. Retained until the subscriber unsubscribes or the Customer account is terminated. Unsubscribe requests are processed immediately.
• —Support communications. Retained for up to 3 years to maintain a record of support history.

Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, contact us at legal@beaconir.com. We will respond within 30 days (or the timeframe required by your applicable law).

• —Access. Request a copy of the personal data we hold about you.
• —Rectification. Request correction of inaccurate or incomplete personal data.
• —Erasure. Request deletion of your personal data, subject to our legal retention obligations (e.g. billing records).
• —Data portability. Request your data in a structured, machine-readable format.
• —Restriction. Request that we restrict processing of your data in certain circumstances.
• —Objection. Object to processing based on legitimate interests or for direct marketing purposes.
• —Opt-out of marketing. Unsubscribe from marketing emails at any time using the link in any marketing message, or by emailing us.
• —California (CCPA). California residents have the right to know what personal information is collected, the right to delete it, and the right to opt out of sale. We do not sell personal information.

BeaconIR is operated from the United States. If you are located outside the US, your personal data will be transferred to and processed in the United States and potentially other countries where our third-party service providers operate.

For transfers from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) with our data processors where required. Our key infrastructure providers (Vercel, Stripe) maintain GDPR-compliant data processing agreements and appropriate transfer mechanisms.

We implement industry-standard technical and organizational security measures to protect personal data, including:

• —Encryption of data in transit via TLS on all Platform endpoints and IR sites
• —Password hashing using bcrypt (passwords are never stored in plaintext)
• —Magic link authentication to reduce password-based attack surfaces
• —Tenant isolation — each Customer's data is logically separated from all other Customers
• —Least-privilege access controls in the admin panel enforced by role-based permissions

No method of transmission over the internet or electronic storage is 100% secure. While we take security seriously, we cannot guarantee absolute security of your data. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

The Platform and Customer IR sites are intended for business use by adults. We do not knowingly collect personal information from individuals under the age of 16. If you believe that a child under 16 has provided personal information to us, please contact us at legal@beaconir.com and we will promptly delete such information.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify Platform Customers via email and/or a notice in the admin panel at least 14 days before the changes take effect. The "Last Updated" date at the top of this page indicates when the policy was most recently revised. Continued use of the Platform or any IR site after the effective date constitutes acceptance of the updated policy.

For privacy questions, data subject requests, or to report a security concern:

For EEA/UK users who believe their rights have not been addressed, you have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national data protection authority in the EU).