How does Beam work and what does it do with the data?
This document will explain how Beam works, and what it does with the various data it collects. It is important to note that there are two sources of data:
- Beam users
- Visitor data to websites run by Beam users

We start by looking at how Beam stays GDPR compliant in how it manages visitor data to websites run by Beam users.
1. HTML Script on your site
You create an account with us because you’re interested in analytics about your users, but want to stay GDPR compliant.
After logging in, you’re taken to the landing page where you’re asked to embed a script onto your web page. The script looks like:
<script src="https://beamanalytics.b-cdn.net/beam.min.js" data-token="abc" async></script>
where the data-token is unique for each user.
2. Page view request
Instead of using cookies, once the script is loaded, a pageview request is sent to Hetzner, our EU-owned and located data processing server. It doesn’t matter if the visitor is in the EU or outside the EU - all visitor data is processed on EU-owned and located servers.
This request will contain details about the page your user is on and the website that referred them. The browser will also send our servers your user’s IP address and User-Agent (which contains details about the browser they’re using and device type).
3. Hashing your user PII data
Using the Hetzner servers, we process the data. Specifically, we hash it to anonymize it.
hash(pepper(salt(ip address + user agent data))) = anonymized hashed data
In other words, we first salt the raw IP address and user agent data, then pepper it, then put it through a one-way hashing function. From this, the user data is transformed into unique, but untraceable, anonymized hash data. This hashing process also allows us to establish if your user is a new daily visitor.
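A minimal sketch of the hashing step above, added here as an illustration and not Beam's own code. It assumes HMAC-SHA256 as the one-way function, a secret pepper used as the HMAC key, and a random salt that is replaced each day; the names `visitor_hash`, `frame_fields` and `DailyVisitors` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: the pepper is a long-lived secret kept outside the database.
PEPPER = secrets.token_bytes(32)


def frame_fields(*fields: str) -> bytes:
    """Length-prefix each field so ("1.2.3.4", "5x") and ("1.2.3.45", "x")
    never serialize to the same bytes, unlike plain concatenation."""
    out = b""
    for f in fields:
        raw = f.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def visitor_hash(ip: str, user_agent: str, salt: bytes, pepper: bytes = PEPPER) -> str:
    """hash(pepper(salt(ip + user agent))): the pepper keys HMAC-SHA256 and
    the salt is mixed into the message. The raw inputs are never stored."""
    return hmac.new(pepper, salt + frame_fields(ip, user_agent), hashlib.sha256).hexdigest()


class DailyVisitors:
    """Tracks which anonymized hashes were already seen under today's salt."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)  # assumption: fresh random salt per day
        self.seen: set[str] = set()

    def record(self, ip: str, user_agent: str) -> bool:
        """Return True if this is the visitor's first pageview today."""
        h = visitor_hash(ip, user_agent, self.salt)
        is_new = h not in self.seen
        self.seen.add(h)
        return is_new

    def rotate(self) -> None:
        """New day: the old salt is discarded, so yesterday's hashes cannot be
        recomputed from a known IP address or linked to today's hashes."""
        self.salt = secrets.token_bytes(16)
        self.seen.clear()


if __name__ == "__main__":
    day = DailyVisitors()
    ua = "Mozilla/5.0 (constructed sample)"  # constructed sample visitor
    print(day.record("203.0.113.7", ua), day.record("203.0.113.7", ua))
```

The salt and pepper carry the anonymization: the IPv4 address space is small enough to enumerate, so an unkeyed hash of IP address and user agent alone could be reversed by trying every address.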
We also rely on Hetzner for DNS and load balancing.
4. Storing the anonymized hash data
We build our product using Tinybird’s managed service for ClickHouse. Tinybird is a Spanish-owned company. Tinybird uses AWS to store this data. AWS is owned by Amazon, a US-owned company, though we have chosen EU-located AWS servers. In short, this means the anonymized hash data is ultimately stored on AWS servers in the EU, but AWS is a US-owned company.
5. Beam user data
We use Vercel for the frontend development and Supabase for the backend development.
Beam users give us information like their email address. We store this data on Supabase, an open source Firebase alternative. Supabase is based in Singapore and we use Supabase servers that are EU-located. No visitor data to websites run by Beam users is stored on Supabase.
No data is stored with Vercel.
Summary: What data does Beam collect?
| Data | Example |
|---|---|
| Operating system | macOS 12.5 |
| Continent, country, city | Europe, France, Paris |
| Title | Beam - Google Analytics alternative that is GDPR compliant |
Who are Beam's data sub-processors?
Business User Data
| Sub-processor | Location | Purpose |
|---|---|---|
| Supabase | EU | Managed database used to store Beam’s business user data |
| Vercel | Worldwide | Hosts the Beam website |
| Stripe | Worldwide | Payment processing SaaS |
| Crisp | Worldwide | Helpdesk / messaging platform |
| Google Workspace | Worldwide | Email, File Storage, Calendar, Authentication |
| Bunny | Slovenia | Content Delivery Network |
| GraphJSON | Worldwide | Log data about how business users interact with Beam |
End User Data
| Sub-processor | Location | Purpose |
|---|---|---|
| Hetzner | Germany | Used to hash and salt end user data to produce an anonymized hash |
| Tinybird | EU | Managed service for ClickHouse. All anonymized end user data is logged here. |
| Render | EU | Payment processing SaaS |
If you are a customer and would like to sign our Data Processing Agreement (DPA), you can send it back to firstname.lastname@example.org.