This policy explains what personal data we collect when you use Beacon, what we do with it, and the rights you have. Beacon is operated by Arixa Ltd, a company registered in England & Wales under company number 14399344 (“Arixa”, “we”, “us”). For the purposes of UK GDPR we are the data controller for personal data about you that we hold to operate the service, and a data processor for personal data inside Customer Data you choose to share with us.
What we collect
We collect three categories of data:
- Account data - your name, email, business name, role, and the password hash we use to authenticate you. Provided by you when an account is created.
- Customer data - the business records you upload (sales, transactions, customer lists, etc.) plus any text you type into the dashboard or chat. This may include personal data about your customers, suppliers, or staff.
- Service data - sign-in timestamps, browser type, IP address, and basic usage telemetry (pages opened, errors encountered) needed to operate the service securely.
How we use it
We process the data above to:
- provide the dashboard and the analysis you signed up for;
- secure the service and detect or prevent abuse;
- respond to your support requests;
- send transactional emails (invites, password resets, important service notifications);
- comply with our legal obligations.
We do not use your raw business data to train general-purpose models. We do not sell your data. We do not share it with advertisers.
Lawful basis
We process account and service data on the basis of legitimate interest (operating and improving a contracted service) and contract (delivering the service to you). Customer data is processed on your instructions as data processor.
Where we send marketing emails (only ever to existing customers and only about the service itself), we rely on legitimate interest, with a clear unsubscribe option in every message.
Who we share data with
We use a small number of trusted infrastructure providers to host and operate the service. These partners process data on our behalf under contracts that bind them to data-protection obligations no weaker than ours. Categories include:
- tier-1 cloud hosting and database services (UK / EU regions);
- transactional email delivery;
- error monitoring and uptime alerting;
- AI inference providers used to power the dashboard's analytical features.
We will share specific provider details on request. We don't publish the list publicly to keep our security posture tight.
We will share data with law-enforcement bodies, regulators, or other authorities where we're legally compelled to. Where we're legally permitted to, we'll let you know first.
Where data is stored
Customer data is stored at rest in the United Kingdom or the European Economic Area. Some sub-processors may operate from other regions under approved transfer mechanisms (Standard Contractual Clauses or UK Addendum) where required. Data in transit is encrypted using industry-standard TLS.
How long we keep it
Account and service data is kept for as long as you have an active account, then for up to 12 months after closure for legal, accounting, and dispute-resolution purposes. Customer data is kept for as long as you instruct us to (i.e. while you use the service). On account closure or written request, we delete or anonymise it within 60 days unless we're legally required to retain specific records.
Security
We take protection of your data seriously. Measures we apply include:
- encryption in transit (TLS) and at rest;
- strict access controls - only named staff with a need to access data can;
- logged and audited administrative actions;
- row-level isolation between customers so one tenant's data is never visible to another;
- regular review of our infrastructure providers and their security posture;
- password hashing with industry-standard algorithms - we never see or store your password in clear.
No system is bulletproof. If we ever suffer a personal-data breach that meaningfully affects you, we'll let you know and report it to the ICO within the timelines required by UK GDPR.
Your rights
Under UK GDPR, you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data deleted (subject to legal retention obligations);
- restrict or object to certain processing;
- receive a copy of your data in a portable format;
- withdraw consent at any time where consent is the basis we rely on;
- complain to the Information Commissioner's Office (ico.org.uk) if you think we've handled your data badly.
To exercise any of these rights, email hello@arixa.co.uk. We'll respond within one calendar month.
Cookies
Beacon uses a small number of cookies to keep you signed in and remember your preferences (theme, last conversation). We do not use third-party advertising or analytics cookies.
Changes to this policy
We may update this policy from time to time. If we make material changes, we'll let you know by email and post the new version on this page. The date at the top of this document shows when it was last revised.
Contact
Questions about how we handle your data? hello@arixa.co.uk. Postal correspondence to: Arixa Ltd, United Kingdom (specific address provided on request).