Beam9 Privacy Policy
Last updated date: 23 Jan 2025
Beam9 Pty Ltd (“Beam9,” “we,” “us,” or “our”) provides security, governance, and compliance tooling for organizations that build or deploy AI agents. Protecting the privacy and security of the data you entrust to us is foundational to that mission. This Privacy Policy explains in detail:
- What personal information we collect, for what purposes, and on what legal bases
- How we use, share, and safeguard that information
- The choices and rights available to you, including how to exercise them
- Where and how we store data, and the measures we take to help keep it secure
For questions, contact privacy@beam9.com.
1 Who We Are
Beam9 Pty Ltd is an Australian corporation headquartered at Level 10, 555 Collins St, Melbourne VIC 3000, Australia. We develop cloud-based software that inspects, filters, and monitors prompts, outputs, and telemetry flowing to and from large language models and other AI systems (“Services”).
2 Scope of This Policy
| Context | Our role | Governing document |
|---|---|---|
| Visitors to beam9.com or our microsites, webinar attendees, event registrants, job applicants, and business contacts | Controller | This Privacy Policy |
| Customers who transmit prompts, model outputs, or related metadata through our platform (“Customer Data”) | Processor / Service Provider | Master Subscription Agreement (MSA) and Data Processing Addendum (DPA) |
If any provision of the DPA or MSA conflicts with this Privacy Policy, the contractual terms prevail for Customer Data.
3 Key Definitions
- Personal information / personal data – Information that identifies, relates to, describes, or could reasonably be linked to an identified or identifiable person.
- Sensitive personal information – Data revealing racial or ethnic origin, union membership, biometric templates, precise geolocation, or other categories protected under applicable law.
- Customer Data – Prompts, outputs, files, and any identifiers or metadata that a customer (or its users) submits to the Services.
- Controller & Processor – As defined in GDPR/UK GDPR. In some laws (e.g., CPRA) “controller” is synonymous with “business” and “processor” with “service provider” or “contractor.”
4 Information We Collect
| Category | Examples | Collected from |
|---|---|---|
| Identifiers | Name, email address, organization, account username, IP address, device ID, job title, phone number | Directly from you or your organization |
| Commercial & contract info | Billing contacts, purchase history, subscription tier, signed agreements | Your organization |
| Usage & telemetry | API endpoints called, latency, model type, token counts, policy evaluations, error codes, browser type, referring URL | Automatically via our Services and cookies |
| Customer Data | Prompts, responses, embeddings, attached files, hashed user IDs, channel names | Your organization or its end-users |
| Support & feedback | Ticket contents, crash reports, screenshots, satisfaction scores | Directly from you |
| Marketing engagement | Email open/click rates, webinar attendance, event scans | Cookies, pixels, registration forms |
| Recruitment data | CV/résumé, cover letter, interview notes, immigration status, compensation expectations | You or your recruiter |
We do not intentionally collect information from children under 16 years of age and do not sell or share personal information for cross-context behavioural advertising.
5 How We Collect Information
- Directly from you – Account registration, contact forms, demo requests, chat, email, phone, or events.
- Automatically – Cookies, web beacons, SDKs, server logs, and in-product instrumentation.
- From your organization – Admins may supply user lists, identity-provider assertions (e.g., SAML/SCIM), or audit-trail exports.
- From third parties – Publicly available sources (e.g., LinkedIn), channel partners, or recruitment agencies, all in compliance with law.
6 How We Use Information
| Purpose | Typical activities |
|---|---|
| Deliver the Services | Authenticate users, route traffic to chosen LLM endpoints, apply guardrail policies, maintain audit logs, provide dashboards, fulfil contractual obligations |
| Research & development | Debug crashes, benchmark latency, develop new threat-detection heuristics, conduct anonymised statistical analysis |
| Security & abuse prevention | Detect unusual traffic, prevent prompt injection, investigate suspected violations, protect rights and safety |
| Marketing & relationship management | Send product updates, whitepapers, and invites; personalise website content; measure campaign effectiveness; maintain suppression lists |
| Business operations | Billing, collections, accounting, legal compliance, mergers or acquisitions, corporate governance |
| Recruitment | Evaluate candidates, schedule interviews, background checks (where lawful) |
| Legal compliance | Respond to subpoenas, satisfy reporting obligations, enforce contracts, resolve disputes |
We never use Customer Data to train general-purpose foundation models or permit sub-processors to use your personal information for their own marketing or analytics.
7 Legal Bases for Processing (EEA/UK/CH)
| Legal basis | Examples |
|---|---|
| Contract performance (Art 6 (1)(b)) | Creating user accounts, processing API traffic under the MSA |
| Legitimate interests (Art 6 (1)(f)) | Improving security, preventing fraud, B2B direct marketing, internal analytics |
| Consent (Art 6 (1)(a)) | Non-essential cookies, promotional email (where required) |
| Legal obligation (Art 6 (1)(c)) | Tax and accounting records, sanctions screening |
| Vital interests / public task | Rare—only to protect life or comply with government mandate |
Where we rely on legitimate interests we balance those interests against your rights and expectations and document the assessment.
8 How We Share & Disclose Information
- Service providers & sub-processors – Cloud hosting, email/SMS delivery, support ticketing, analytics, penetration testers; all bound by confidentiality and data-processing terms.
- Integration partners – At your instruction we may transmit prompts or outputs to model hosts, SIEMs, or ticketing tools you select.
- Affiliates – Controlled entities of Beam9 for internal administration, all subject to equivalent safeguards.
- Business transfers – In merger, acquisition, or asset sale (with prior notice).
- Legal & compliance – Courts, regulators, auditors, or law-enforcement agencies when required or permitted by law.
- With your consent – Any other disclosure you explicitly approve in writing.
We do not disclose personal information for monetary or other valuable consideration, nor for cross-context behavioural advertising.
9 International Data Transfers
- Primary data centres: Sydney (AWS ap-southeast-2) and Oregon (AWS us-west-2).
- Mechanisms for EEA/UK/Swiss data:
  - Standard Contractual Clauses (SCCs) 2021/914/EU, modules 2/3, plus UK International Data Transfer Addendum
  - Data Privacy Framework-certified sub-processors (where applicable)
- Additional safeguards: Encryption in transit and at rest, least-privilege access, zero-trust controls, data-residency options on request.
10 Cookies & Similar Technologies
| Type | Purpose | Retention |
|---|---|---|
| Strictly necessary | Session authentication, CSRF protection, load balancing | Session / 24 h |
| Preferences | Remember language, dark-mode | 6 months |
| Analytics | Measure site traffic, improve UX | 13 months (anonymised) |
| Marketing | Track email opens/clicks, retarget ads (only with consent) | 6 months |
You may adjust browser settings to refuse or delete cookies, opt out of analytics or marketing cookies via our banner, and send Global Privacy Control or Do Not Track signals where applicable law requires us to honour them.
11 Data Security
Beam9 maintains an ISO 27001-aligned information-security program that includes:
- Encryption – TLS 1.2+ for data in transit; AES-256 for data at rest
- Access control – SSO/SAML, MFA, just-in-time privileged access, quarterly access reviews
- Network security – Segmentation, WAF, continuous vulnerability scanning, DDoS protection
- Monitoring & logging – 24×7 SIEM, anomaly detection, immutable audit logs retained for at least 90 days
- Secure development – Static/dynamic code scanning, supply-chain security, threat-model reviews
- Incident response – Documented plan with 24-hour breach-notification commitment where legally required
- Employee safeguards – Background checks, mandatory security training, confidentiality agreements
12 Data Retention
| Data set | Default retention | Rationale / overrides |
|---|---|---|
| Customer Data (prompts/outputs) | 0–30 days (customer-configurable) | Support troubleshooting, replay analysis; permanent deletion within 30 days of contract termination |
| Usage telemetry & audit logs | 1 year | Security investigations, billing reconciliation |
| Account & billing records | Contract term + 7 years | Statutory bookkeeping and audit |
| Support tickets | 3 years after closure | Quality assurance, legal defence |
| Marketing engagement | 24 months since last interaction | Audience segmentation, unless you opt out sooner |
| Recruitment records | 12 months after hiring decision | Anti-discrimination defence; extended with permission |
Back-ups may be retained longer in encrypted archives that are automatically purged on a rolling basis.
13 Your Privacy Rights & Choices
Depending on your location, you may have rights to:
| Right | What it means |
|---|---|
| Access / Know | Confirm whether we process your data and receive a copy |
| Rectification / Correction | Fix inaccurate or incomplete data |
| Erasure / Deletion | Request deletion of data, subject to exemptions |
| Portability | Obtain data in a structured, machine-readable format |
| Restrict / Object | Limit or object to processing in certain circumstances |
| Opt-out of marketing | Stop receiving promotional emails or analytics cookies |
| Limit use of sensitive PI (California) | Direct us to use it only for authorised purposes |
| No retaliation (California) | Receive equal service/price after exercising rights |
How to exercise: Email privacy@beam9.com with the subject “Privacy Request” or use the Data Subject Request Portal in your account settings. We verify identity and respond within legal timeframes (30 days for GDPR, 45 days for CPRA). You may authorise an agent to act on your behalf where permitted.
14 Children’s Privacy
The Services are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided data to us, contact privacy@beam9.com and we will delete it promptly.
15 Automated Decision-Making
Beam9 performs no automated processing that produces legal or similarly significant effects on individuals (GDPR Art 22). Guardrail decisions are configurable by customers and can be overridden by human administrators.
16 Third-Party Services & Links
Our website and documentation may reference third-party tools (e.g., GitHub, Slack). Your interactions with those services are governed by their own privacy statements; Beam9 is not responsible for their practices.
17 Changes to This Policy
We may update this Privacy Policy to reflect changes in technology, law, or business operations. We will update the “Effective date,” post the revised policy on beam9.com/privacy, and provide at least 30 days’ advance notice via email or in-product banner if changes materially affect your rights or obligations. Continued use of the Services after the effective date constitutes acceptance.
18 Contact Details
| Contact | Details |
|---|---|
| Privacy Officer / Data Protection Officer | Beam9 Pty Ltd, Level 10, 555 Collins St, Melbourne VIC 3000, Australia |
| Email | privacy@beam9.com |
| EEA/UK Representative (GDPR Art 27) | DataRep, The Cube, Monahan Road, Cork T12 P6NN, Ireland |
You have the right to lodge a complaint with your local supervisory authority (e.g., OAIC in Australia, ICO in the UK, or your EU data-protection authority).
19 Jurisdiction-Specific Disclosures
Australia (Privacy Act 1988 & APPs)
- You may contact the Office of the Australian Information Commissioner (OAIC) if you are unsatisfied with our response.
- We comply with the Notifiable Data Breaches Scheme and will notify you and the OAIC of eligible data breaches.
California (CPRA)
- We have not sold or shared personal information in the past 12 months.
- Categories of personal information collected, disclosed, or retained correspond to §1798.140(v)(1)(A)–(K).
- You may designate an authorised agent to submit a request using a signed permission letter or power of attorney.
Other U.S. State Laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA)
- We process personal data solely to provide the Services, comply with law, or with your consent.
- We offer opt-out rights for targeted advertising, sale, or profiling (none of which we currently perform).
Brazil (LGPD)
- Data subjects may exercise the rights set forth in Art. 18 of LGPD by emailing privacy@beam9.com.
- Our legal bases include Art. 7, I (consent), II (contract), and IX (legitimate interest).
