Privacy Policy

Last Updated: June 2026

This policy covers both Platform Customers and visitors to BeaconIR-hosted IR sites. Questions? legal@beaconir.com

Introduction

BeaconIR ("we," "us," or "our") operates an investor relations infrastructure platform that enables companies to build, host, and manage IR websites, publish press releases and SEC filings, and communicate with investors. This Privacy Policy explains how we collect, use, disclose, and protect information in two distinct contexts:

  • Platform Customers — companies and individuals who create a BeaconIR account and use the Platform to build and manage their IR site.
  • IR Site Visitors — investors, shareholders, media, and members of the public who visit IR sites hosted and served by BeaconIR on behalf of our Customers.

By using the Platform or visiting a BeaconIR-hosted IR site, you consent to the practices described in this policy. If you do not agree, please discontinue use of the applicable service. This policy does not apply to third-party websites linked from BeaconIR or Customer IR sites.

BeaconIR as Processor vs. Controller

BeaconIR operates in two distinct capacities depending on the data and context involved. Understanding this distinction is important for determining your rights and the applicable obligations under GDPR and similar privacy laws.

  • Data Controller — Platform Customer data. When BeaconIR collects and processes data about Platform Customers (account holders, authorized officers, team members, and billing contacts), we act as a data controller. We determine the purposes and means of processing that data and are directly responsible to those individuals under applicable privacy law.
  • Data Processor — IR site visitor data. When BeaconIR collects analytics data, investor alert subscriber email addresses, or other data from visitors to a Customer's hosted IR site, we act as a data processor on behalf of the Customer. The Customer is the data controller for that visitor data and is responsible for providing its own privacy disclosures to IR site visitors, obtaining any required consents, and responding to visitor data subject requests.

Where BeaconIR acts as a data processor for a Customer's IR site visitor data, we process that data solely on the Customer's documented instructions and in accordance with our Data Processing Addendum (DPA). The DPA is available upon written request to legal@beaconir.com. It sets out the subject matter, duration, nature, and purpose of processing, and the types of personal data and categories of data subjects involved, as required by GDPR Article 28.

Information We Collect from Platform Customers

When you create a BeaconIR account or use the Platform, we collect:

Account & Identity

  • Name and email address provided during registration or onboarding
  • Company name, ticker symbol, stock exchange, and IR contact information
  • Profile information entered into the admin panel (team members, roles)
  • Authentication data (passwords are hashed; magic link tokens are single-use)

Billing & Payment

  • Billing contact information and subscription plan selection
  • Payment card details — processed and stored exclusively by Stripe. BeaconIR does not store raw card numbers or CVV codes.
  • Transaction history, invoices, and subscription status

Platform Usage

  • Admin panel usage logs (pages visited, actions taken, timestamps)
  • Content uploaded to the Platform (press releases, SEC filings, images, documents)
  • Configuration preferences (template selection, colors, fonts, domain settings)
  • Support requests and communications with our team

Identity and Company Verification Data

Before a Customer may publish IR content on a BeaconIR-hosted site, BeaconIR performs Know Your Customer (KYC) and Know Your Business (KYB) verification to confirm issuer identity and authority. This process involves collection of sensitive personal and corporate data.

KYC — Individual Identity Verification

  • Government-issued identification documents (e.g. passport, national ID, driver's license) submitted by the authorized officer completing verification
  • Full legal name and date of birth as they appear on the submitted identity document
  • Facial biometric data: Didit's verification process may capture and process a facial image or liveness check for biometric comparison against the submitted ID document
  • Verification outcome and status flags retained in BeaconIR's database (e.g. verified, pending, rejected)

KYB — Company Verification

  • Corporate registration certificates and articles of incorporation
  • Tax identification documents and business registration numbers
  • Authorization letters confirming the signatory's authority to act on behalf of the company
  • Beneficial ownership information where required by applicable compliance frameworks

Biometric Data & State Law Notice

The facial biometric data processed during KYC is handled by Didit (didit.me) and may be subject to state biometric privacy laws depending on the jurisdiction of the individual being verified, including:

  • Illinois Biometric Information Privacy Act (BIPA)
  • Texas Capture or Use of Biometric Identifier Act (CUBI)
  • Washington My Health My Data Act

By submitting to the KYC process, you acknowledge that your biometric data will be processed by Didit for identity verification purposes. Biometric data is not used for any other purpose and is not sold. BeaconIR does not receive or store raw biometric identifiers from Didit — only the verification result. For details on Didit's biometric data practices, please review Didit's privacy policy at didit.me.

Verification Data Retention

Verification records (KYC/KYB documents and associated data) are retained for a minimum of 7 years from submission or account termination, whichever is later, or as required by applicable law. Raw identity documents are not retained by BeaconIR after the verification process is complete — document review and storage during the verification window is handled by Didit subject to their data retention policies.

Information Collected from IR Site Visitors

When investors and members of the public visit a Customer's BeaconIR-hosted IR site, BeaconIR collects certain data on behalf of the Customer to power analytics and platform features. This data is aggregated and used to provide analytics to the Customer.

Analytics Data

  • Page URL and referrer URL
  • Browser type, operating system, and device category (desktop/mobile)
  • Country and region derived from IP address — IP addresses themselves are not stored
  • Session duration and page views
  • Events such as document downloads and press release views

IR site analytics are provided by Umami, a privacy-focused, cookieless analytics tool. Umami does not use cookies, does not track visitors across sites, and collects no personally identifiable information. No consent banner is required for Umami analytics under standard GDPR guidance.

Investor Email Alert Subscriptions

  • If an IR site visitor subscribes to investor alerts, we collect their email address with double opt-in confirmation.
  • Subscriber email addresses are stored in BeaconIR's database and are visible to the IR site's Customer in their admin panel.
  • Subscribers may unsubscribe at any time via the link included in every alert email. Unsubscribe requests are processed immediately.
  • Subscriber data is used solely to send investor alerts on behalf of the Customer. We do not use subscriber email addresses for BeaconIR marketing without separate consent.

Email Compliance — CAN-SPAM & CASL

  • CAN-SPAM (United States). For US recipients, investor alert emails comply with the CAN-SPAM Act. Each email includes a physical mailing address, clear identification as coming from BeaconIR or the applicable issuer, and a functioning unsubscribe link honored within 10 business days.
  • CASL (Canada). Investor alert subscriptions for Canadian recipients comply with the Canadian Anti-Spam Legislation (CASL). We obtain express consent before sending commercial electronic messages to Canadian recipients. Each alert email contains a clear and prominent unsubscribe mechanism. Unsubscribe requests are honored within 10 business days as required by CASL.

How We Use Information

  • Providing and operating the Platform. Hosting your IR site, managing your admin panel, processing payments, sending transactional emails (magic links, account notices, billing receipts).
  • Identity and company verification. Performing KYC and KYB checks on authorized officers and company entities to verify issuer identity and authority before IR content is published.
  • Customer support. Responding to support requests, troubleshooting issues, and communicating about your account.
  • Analytics and product improvement. Aggregated and anonymized usage data is used to improve Platform features, performance, and reliability.
  • Security and fraud prevention. Monitoring for suspicious activity, unauthorized access attempts, and abuse of the Platform.
  • Legal compliance. Retaining records required by applicable law, responding to lawful requests from regulators or courts, and enforcing our Terms of Service.
  • Marketing (with consent). If you have opted in to marketing communications, we may send product updates, feature announcements, or relevant content. You may opt out at any time.

Legal Bases for Processing (GDPR)

For customers and IR site visitors in the European Economic Area or Switzerland, we process personal data on the following legal bases under the GDPR:

  • Contract performance. Processing account data, billing information, and platform usage to deliver the Services you have contracted for.
  • Legitimate interests. Security monitoring, fraud prevention, product analytics, and improving the Platform — where such interests are not overridden by your rights.
  • Consent. Marketing communications and investor alert subscriptions. You may withdraw consent at any time without affecting prior processing.
  • Legal obligation. Retaining billing and transaction records as required by applicable tax and financial regulations, and retaining KYC/KYB verification records as required by applicable compliance frameworks.

United Kingdom

For users in the United Kingdom, we process data in accordance with the UK GDPR as incorporated into UK law by the Data Protection Act 2018. International transfers of personal data from the UK are made pursuant to the International Data Transfer Agreement (IDTA) or other UK-approved transfer mechanisms where applicable.

Canada (PIPEDA / Quebec Law 25)

For customers located in Canada or whose customers include Canadian individuals, BeaconIR processes personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, including Quebec's Law 25 (Bill 64). We collect only the personal information necessary for the purposes described in this policy, with knowledge and consent. Canadian individuals may contact legal@beaconir.com to access, correct, or withdraw consent for processing of their personal information, subject to legal and contractual restrictions.

Third-Party Processors & Data Sharing

We do not sell personal data. We share data with the following third-party service providers to operate the Platform, each bound by data processing agreements:

  • Stripe. Payment processing, subscription billing, and invoice management. Stripe stores payment card data under PCI DSS compliance.
  • Vercel. Cloud hosting, edge serving, and infrastructure for the Platform and all Customer IR sites. Customer content and site assets are stored on Vercel's infrastructure.
  • Didit (didit.me). Identity verification (KYC) services. When an authorized officer completes identity verification, their government-issued ID documents and associated biometric data are processed by Didit subject to Didit's privacy policy and terms. BeaconIR does not store raw identity documents after verification is complete.
  • Alpha Vantage. Market data API for stock price widget functionality. Your company ticker symbol may be sent to Alpha Vantage to retrieve market data.
  • Umami. Privacy-first, cookieless analytics for IR site visitor data. No PII is collected or shared through Umami.
  • EmailIt (or equivalent transactional email provider). Sending transactional emails including magic link authentication, billing receipts, and investor alert notifications.
  • Third-party newswire networks. When you purchase press distribution, the press release content and your company details are transmitted to distribution partners.

A list of our current sub-processors is available upon written request to legal@beaconir.com. We will provide reasonable advance notice of any changes to our sub-processors that may affect processing of Customer personal data.

We may also disclose information if required by law, court order, or regulatory authority; to protect the rights, safety, or property of BeaconIR, our Customers, or the public; or in connection with a merger, acquisition, or sale of assets, in which case we will notify affected users.

Cookies & Tracking

Platform admin panel. The BeaconIR admin panel uses session cookies and local storage to maintain your logged-in state and store UI preferences. These are technically necessary for the Platform to function. No third-party advertising or behavioral tracking cookies are set by BeaconIR.

Customer IR sites. IR sites hosted on BeaconIR use Umami for analytics, which is cookieless and does not set any tracking cookies on IR site visitors. IR sites may also store a session preference for light/dark mode in the visitor's browser local storage — this data never leaves the visitor's device.

If a Customer embeds third-party scripts (e.g. via custom code injection, if offered), those scripts may set their own cookies subject to the Customer's own privacy policy. BeaconIR is not responsible for third-party cookies introduced by Customer customizations.

Data Retention

  • Account data. Retained for the duration of your Subscription and for up to 30 days after account termination to allow recovery requests.
  • Customer Content. Retained while your account is active and for up to 30 days after termination, after which it is deleted from our systems.
  • Verification records (KYC/KYB). Retained for a minimum of 7 years from submission or account termination, whichever is later, or as required by applicable law. Raw identity documents are handled by Didit and are not retained by BeaconIR after verification is complete.
  • Billing records. Retained for a minimum of 7 years from the transaction date as required by applicable financial regulations.
  • IR site analytics. Aggregated, anonymized analytics data may be retained indefinitely. Raw event data is retained for up to 24 months.
  • Investor alert subscriber emails. Retained until the subscriber unsubscribes or the Customer account is terminated. Unsubscribe requests are processed immediately.
  • Support communications. Retained for up to 3 years to maintain a record of support history.

Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, contact us at legal@beaconir.com. We will respond within 30 days (or the timeframe required by your applicable law).

  • Access. Request a copy of the personal data we hold about you.
  • Rectification. Request correction of inaccurate or incomplete personal data.
  • Erasure. Request deletion of your personal data, subject to our legal retention obligations (e.g. billing records and verification records required by compliance law).
  • Data portability. Request your data in a structured, machine-readable format.
  • Restriction. Request that we restrict processing of your data in certain circumstances.
  • Objection. Object to processing based on legitimate interests or for direct marketing purposes.
  • Opt-out of marketing. Unsubscribe from marketing emails at any time using the link in any marketing message, or by emailing us.
  • Automated decision-making. You have the right not to be subject to a decision based solely on automated processing that produces significant legal effects. BeaconIR uses automated identity verification tools (Didit) as part of the KYC process. If automated verification produces an adverse result, you may request human review by contacting legal@beaconir.com.
  • California (CCPA). California residents have the right to know what personal information is collected, the right to delete it, and the right to opt out of sale. We do not sell personal information.
  • Canada (PIPEDA). Canadian individuals have the right to access, correct, and withdraw consent for processing of their personal information, subject to legal and contractual restrictions. Contact legal@beaconir.com to exercise these rights.

International Data Transfers

BeaconIR is operated from the United States. If you are located outside the US, your personal data will be transferred to and processed in the United States and potentially other countries where our third-party service providers operate.

For transfers from the European Economic Area or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) with our data processors where required. Our key infrastructure providers (Vercel, Stripe) maintain GDPR-compliant data processing agreements and appropriate transfer mechanisms.

For transfers from the United Kingdom, we rely on the International Data Transfer Agreement (IDTA) or other UK-approved transfer mechanisms where applicable. Our processing of UK personal data is governed by the UK GDPR as incorporated into UK law by the Data Protection Act 2018.

Security

We implement industry-standard technical and organizational security measures to protect personal data, including:

  • Encryption of data in transit via TLS on all Platform endpoints and IR sites
  • Encryption of verification data and sensitive records at rest
  • Password hashing using bcrypt (passwords are never stored in plaintext)
  • Magic link authentication to reduce password-based attack surfaces
  • Multi-factor authentication (MFA/TOTP) available and required for verified issuer accounts
  • Tenant isolation — each Customer's data is logically separated from all other Customers
  • Least-privilege access controls in the admin panel enforced by role-based permissions
  • Audit logs for all account access events and material data changes, retained for compliance purposes

No method of transmission over the internet or electronic storage is 100% secure. While we take security seriously, we cannot guarantee absolute security of your data. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

Children's Privacy

The Platform and Customer IR sites are intended for business use by adults. Because use of the Platform requires the capacity to enter into binding contracts, we do not knowingly collect personal information from individuals under the age of 18. If you believe that a person under 18 has provided personal information to us, please contact us at legal@beaconir.com and we will promptly delete such information.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify Platform Customers via email and/or a notice in the admin panel at least 14 days before the changes take effect. The "Last Updated" date at the top of this page indicates when the policy was most recently revised. Continued use of the Platform or any IR site after the effective date constitutes acceptance of the updated policy.

Contact

For privacy questions, data subject requests, DPA requests, sub-processor lists, or to report a security concern:

legal@beaconir.com

If you are an EEA user and believe your rights have not been addressed, you have the right to lodge a complaint with your national data protection authority. If you are a UK user, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.