How does Beam work and what does it do with the data?

This document will explain how Beam works, and what it does with the various data it collects. It is important to note that there are two sources of data:

  1. Beam users
  2. Visitor data to websites run by Beam users

We start by looking at how Beam stays GDPR compliant in the way it manages visitor data to websites run by Beam users.

1. HTML Script on your site

You create an account with us because you’re interested in analytics about your users, but want to stay GDPR compliant.

After logging in, you’re taken to the landing page where you’re asked to embed a script onto your web page. The script looks like:

<script src="https://beamanalytics.b-cdn.net/beam.min.js" data-token="abc" async></script>

where the data-token is unique for each user.

This JavaScript embed script is loaded from Bunny.net, our global content delivery network (CDN). Bunny.net is a Slovenian-owned company based in Slovenia.

2. Page view request

Our technology doesn't use cookies, so you won't need an annoying cookie consent banner taking up half of your page.

Instead of using cookies, once the script is loaded, a pageview request is sent to Hetzner, our EU-owned and located data processing server. It doesn’t matter if the visitor is in the EU or outside the EU - all visitor data is processed on EU-owned and located servers.

This request will contain details about the page your user is on and the website that referred them. The browser will also send our servers your user’s IP Address and User-Agent (which contains details about the browser they’re using and device type).

3. Hashing your user PII data

Using the Hetzner servers, we process the data. Specifically, we hash it to anonymize it.

hash(salt + pepper + useragent + ip) = anonymized hash data

In other words, we first salt the raw IP address and user agent data, then pepper it, then put it through a one-way hashing function. This transforms the user data into a unique but untraceable fingerprint (basically anonymized hash data). The hashing process also allows us to establish whether your user is a new daily visitor.

We also rely on Hetzner for DNS and load balancing.

4. Caching the anonymized hash data and storing session data

After the PII data is anonymized, it is cached in Render, along with session data. That anonymized user data is not permanently stored anywhere. With our method, we effectively rotate the salt after 30 minutes of user inactivity: once a user has been inactive for 30 minutes, that anonymized PII data is cleared from the cache.

Only session data is stored in our managed database, Tinybird. This provides an extra layer of security to protect user privacy.
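The fingerprint and idle-timeout behaviour described in sections 3 and 4, as an added example that is not Beam's own code. It assumes SHA-256 as the one-way hash, a single process-wide salt, and an in-memory dictionary in place of the cache; the class and method names are hypothetical.

```python
import hashlib
import secrets

IDLE_TIMEOUT = 30 * 60  # seconds; the 30 minutes of inactivity from section 4


class VisitorCache:
    """In-memory stand-in for the ephemeral cache (assumption, not Beam's code)."""

    def __init__(self, pepper: bytes):
        self.pepper = pepper                 # long-lived server-side secret
        self.salt = secrets.token_bytes(32)  # short-lived random value
        self.last_seen = {}                  # fingerprint -> last activity time

    def fingerprint(self, user_agent: str, ip: str) -> str:
        h = hashlib.sha256()  # assumed hash; the page does not name one
        # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
        for field in (self.salt, self.pepper, user_agent.encode(), ip.encode()):
            h.update(len(field).to_bytes(4, "big") + field)
        return h.hexdigest()

    def rotate_salt(self) -> None:
        # With the old salt gone, old fingerprints cannot be recomputed,
        # even by someone who holds the pepper and the raw IP / User-Agent.
        self.salt = secrets.token_bytes(32)
        self.last_seen.clear()

    def track(self, user_agent: str, ip: str, now: float) -> bool:
        """Record a pageview; return True if it starts a new session."""
        # Drop fingerprints that have been idle longer than the timeout.
        self.last_seen = {fp: t for fp, t in self.last_seen.items()
                          if now - t <= IDLE_TIMEOUT}
        fp = self.fingerprint(user_agent, ip)
        is_new = fp not in self.last_seen
        self.last_seen[fp] = now  # only the hash is kept, never the IP or UA
        return is_new


if __name__ == "__main__":
    # Constructed sample visitor (documentation IP range, made-up User-Agent).
    cache = VisitorCache(pepper=b"constructed-pepper")
    ua, ip = "Mozilla/5.0 (constructed)", "203.0.113.7"
    for t in (0, 600, 600 + IDLE_TIMEOUT + 1):
        print(t, "new session" if cache.track(ua, ip, t) else "same session")
```

Because the IPv4 address space is small, a fingerprint like this resists guessing only while the salt and pepper stay secret, which is why discarding the salt matters.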

5. Beam user data

We use Vercel for the frontend development and Supabase for the backend development.

Beam users give us information like their email address. We store this data on Supabase, an open source Firebase alternative. Supabase is based in Singapore and we use Supabase servers that are EU-located. No visitor data to websites run by Beam users is stored on Supabase.

No data is stored with Vercel.

GDPR Compliance

  1. Adequate Country: We are incorporated in the UK. The European Commission has the power to determine, on the basis of article 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection. The European Commission recognizes the UK as an Adequate Country. Read more here.

  2. Data Protection Officer (DPO): The European Commission has indicated that a DPO is required if sensitive data on a large scale is processed. The definition of sensitive data can be found at this European Commission site and Beam does not process any of this type of data.

Summary: What data does Beam collect?

Data Point                  Example
Page URL                    www.stackoverflow.com
Page referrer               www.twitter.com
Browser                     Chrome
Operating system            macOS 12.5
Device type                 Desktop
Continent, country, city    Europe, France, Paris
Title                       Beam - Google Analytics alternative that is GDPR compliant

Who are Beam's data sub-processors?

Business User Data

Sub-processor       Processing Location*    Description
Supabase            EU                      Managed database used to store Beam’s business user data
Vercel              Worldwide               Hosts the Beam website
Stripe              Worldwide               Payment processing SaaS
Crisp               Worldwide               Helpdesk / messaging platform
Google Workspace    Worldwide               Email, File Storage, Calendar, Authentication
Bunny               Slovenia                Content Delivery Network
GraphJSON           Worldwide               Log data about how business users interact with Beam

End User Data

Sub-processor       Processing Location*    Description
Hetzner             Germany                 Used to hash and salt end user data to produce an anonymized hash
Tinybird            EU                      Managed service for Clickhouse. All anonymized end user data is logged here.
Render              EU                      Used as ephemeral cache

If you are a customer and would like to sign our Data Processing Agreement (DPA), you can send it back to hi@beamanalytics.io.