1. Introduction
Beacon (ibeacon.ai) is an SEO and AI-visibility platform that shows you how search engines and AI assistants (ChatGPT, Gemini, Perplexity and others) present your website and brand. We are committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data-protection laws.
Data controller: Youlinker SIA, a limited-liability company registered in the Republic of Latvia (Reg. No. — available on request), Riga, Latvia, is the data controller for personal data processed through Beacon. For any question about data processing, contact
privacy@ibeacon.ai.
2. Data we collect
Account information. Name, email address and a hashed password (we never store passwords in plain text). If you sign in with Google, we receive your name, email address and profile picture from Google — we never see your Google password.
Billing information. Subscriptions are processed by Stripe. Your card number never touches our servers; we store only your Stripe customer reference, plan and billing status.
Project data. The website URLs you add, the AI prompts you track, competitors you follow, tasks and notes you create, and the settings you choose.
Crawl & analysis data. When you run an audit, Beacon crawls the publicly available pages of the website you specified — the same content any visitor or search engine sees. We do not access private or logged-in areas.
Usage data. Standard server logs (IP address, browser type, pages requested) kept for security and debugging.
3. Third-party processors
To provide the service we share the minimum necessary data with these processors:
- Google (Gemini API) — site content excerpts and your tracked prompts are sent to generate AI-visibility analysis. Google processes this under its API data-use terms (not used to train models).
- DataForSEO — your project's domain name is sent to retrieve public SEO metrics (traffic estimates, backlinks).
- Stripe — payment processing (PCI-DSS Level 1 certified).
- DigitalOcean — our servers are hosted in Frankfurt, Germany (EU).
- MongoDB Atlas — encrypted database hosting in the EU.
- Wikipedia, Hacker News, GitHub (public APIs) — we query these with your project's brand name or domain to find public mentions. No personal data is sent.
We never sell personal data, and we never share it with advertisers.
4. Legal basis for processing
- Contract (Art. 6(1)(b) GDPR) — operating your account, running audits, billing.
- Legitimate interest (Art. 6(1)(f)) — service security, fraud prevention, product improvement.
- Consent (Art. 6(1)(a)) — optional email digests and product updates; withdrawable at any time in Settings → Notifications.
- Legal obligation (Art. 6(1)(c)) — accounting and tax records.
5. How we use your data
- Run the audits, AI-visibility checks and reports you request.
- Send transactional email (verification, password reset, audit alerts) and — only if enabled — weekly digests.
- Process subscription payments and prevent abuse.
- Improve the product using aggregated, de-identified usage patterns.
6. How we protect it
- All traffic is encrypted in transit (TLS 1.2+); the site enforces HTTPS and HSTS.
- Passwords are hashed with bcrypt; sessions use signed, HTTP-only cookies.
- Databases are encrypted at rest and hosted in the EU.
- Access to production systems is restricted to authorized personnel with key-based authentication.
7. Cookies & tracking
Beacon uses only functional cookies:
- Session cookie — keeps you signed in (HTTP-only, expires on logout).
- Preference cookies — your language and theme choice.
We do not use advertising cookies, cross-site trackers or fingerprinting. Because we only set strictly necessary cookies, no cookie-consent banner is required.
8. Your rights
Under the GDPR you can at any time:
- Access a copy of the personal data we hold about you.
- Rectify inaccurate data (most of it directly in Settings).
- Erase your account and all associated data ("right to be forgotten").
- Export your data in a portable format.
- Object to or restrict specific processing, and withdraw consent.
Email privacy@ibeacon.ai — we respond within 30 days. You also have the right to lodge a complaint with the Latvian Data State Inspectorate (dvi.gov.lv) or your local supervisory authority.
9. Data retention
- Account & project data — kept while your account is active; deleted within 30 days of account deletion.
- Crawl & audit history — kept while the related project exists, so your trend charts stay accurate.
- Billing records — retained as required by Latvian accounting law (currently 5 years).
- Server logs — rotated after 30 days.