Security & Data Protection

Last updated: October 5, 2025

Security Overview

At Beamer, we take security and data protection seriously. This page explains our security measures, data handling practices, and how we protect your information.

We believe in transparency. If you have questions about our security practices that are not answered here, please contact us at support@beamersoftware.com.

Data Handling Practices

What We Store

We store only the minimum data necessary to provide our service:

  • Account credentials: Email and hashed password (via Firebase Auth)
  • Usage data: Generation count, subscription status, timestamps
  • Context inputs: Your email prompts, contact names, and generation context (for AI learning and context memory)
  • Preferences: Your tone preferences, notification settings, and context memory settings

What We Do NOT Store

We prioritize your privacy by NOT storing:

  • Generated email content: Emails generated by Reach are NOT saved to our database after generation. Email content remains in your browser only - once you close the tab or generate a new email, the previous content is gone from our systems
  • Credit card information: Payment data is handled exclusively by Stripe (PCI DSS Level 1 certified)
  • Personal email history: We do NOT have access to emails you send from your email client

Data Retention

  • Account data: Retained until you delete your account
  • Context memory: You can clear context memory at any time from your preferences
  • Analytics data: Aggregated and anonymized after 12 months
  • Deleted accounts: All user data permanently deleted within 30 days of account deletion request

Encryption and Security Measures

Encryption in Transit

  • HTTPS/TLS 1.2+: All data transmitted between your browser and our servers is encrypted
  • Secure connections: We enforce HTTPS for all pages (no unencrypted HTTP access)
  • API security: All API requests require authentication tokens and are encrypted

Encryption at Rest

  • Database encryption: Firebase Firestore encrypts all data at rest using AES-256
  • Password security: Passwords are hashed using bcrypt with salt (never stored in plain text)
  • Backup encryption: All database backups are encrypted

Authentication and Access Control

  • Firebase Authentication: Industry-standard authentication with secure session management
  • Password requirements: Minimum 6 characters (we recommend 12+ characters with mixed case and symbols)
  • Session tokens: Time-limited authentication tokens that expire after inactivity
  • Firestore security rules: Database access restricted to authenticated users for their own data only
  • Rate limiting: API requests are rate-limited to prevent abuse and brute-force attacks

Infrastructure Security

  • Google Cloud Platform: Our infrastructure is hosted on Google Cloud Platform with enterprise-grade security
  • Automatic security patches: Firebase services are automatically updated with security patches
  • DDoS protection: Firebase Hosting includes built-in DDoS protection
  • Monitoring and logging: All API requests and errors are logged for security auditing

Third-Party Security

We carefully vet all third-party services we use for security and compliance:

Firebase (Google Cloud Platform)

  • Certifications: ISO 27001, SOC 2/3, PCI DSS
  • Data centers: Multi-region redundancy with automatic failover
  • Security practices: Firebase Security Practices

OpenAI (AI Email Generation)

  • Data handling: Your email generation prompts are sent to OpenAI for processing
  • Data retention: OpenAI does NOT use your data to train their models (as of their current API terms)
  • Temporary storage: Data is retained for 30 days for abuse monitoring only, then deleted
  • Security practices: OpenAI Security Practices
  • Important: We send ONLY your input prompts to OpenAI, NOT the generated email content

Stripe (Payment Processing)

  • PCI DSS Level 1: Highest level of payment card security certification
  • Data isolation: We never handle or store credit card information (Stripe handles all payment data)
  • Security practices: Stripe Security Practices

Mixpanel (Analytics)

  • Data minimization: We send only anonymized usage events (no email content or personal prompts)
  • Privacy controls: Users can opt out of analytics tracking via browser "Do Not Track"
  • Security practices: Mixpanel Security Practices

Compliance and Certifications

Current Compliance

  • GDPR (General Data Protection Regulation): We comply with GDPR requirements for EU users
  • Data protection rights: You have the right to access, correct, delete, and export your data (see our Privacy Policy)
  • Cookie policy: We use only essential cookies for authentication and security

Future Certifications (Roadmap)

As we grow, we plan to pursue:

  • SOC 2 Type II: Independent audit of our security controls (planned for Q2 2026)
  • ISO 27001: International standard for information security management (planned for Q4 2026)
  • CCPA compliance: California Consumer Privacy Act (already following best practices)

No Third-Party Data Sharing

We do NOT:

  • Sell your personal data to third parties
  • Share your email generation content with anyone (including OpenAI after generation)
  • Use your data for advertising purposes
  • Provide your data to law enforcement without valid legal process

Incident Response

Security Monitoring

We actively monitor our systems for:

  • Unusual access patterns or login attempts
  • API abuse or rate limit violations
  • Database security rule violations
  • Third-party service outages or security advisories

Breach Notification

In the unlikely event of a data breach, we will:

  • Within 72 hours: Notify affected users via email (GDPR requirement)
  • Transparency: Provide details on what data was affected and remediation steps
  • Remediation: Immediately patch vulnerabilities and enhance security measures
  • Regulatory reporting: Notify relevant authorities as required by law

User Actions in Case of Breach

If we notify you of a breach, we recommend:

  • Change your password immediately
  • Review your account activity for unauthorized access
  • Enable two-factor authentication if available (future feature)
  • Monitor your credit card statements if payment information may have been affected

Vulnerability Reporting

If you discover a security vulnerability, please:

  • Email: support@beamersoftware.com (NOT public disclosure)
  • Include: Detailed description, steps to reproduce, potential impact
  • Response time: We will acknowledge your report within 24 hours
  • Disclosure: We follow coordinated disclosure (we will work with you on public disclosure timing)

Security Contact

For security-related inquiries, please contact:

  • Email: support@beamersoftware.com
  • For vulnerabilities: Use subject line "Security Vulnerability Report"
  • For general security questions: Use subject line "Security Inquiry"
  • Response time: Security reports are prioritized and acknowledged within 24 hours

For general support or account issues, please also write to support@beamersoftware.com.

Security Transparency

We believe in security through transparency. Key security practices:

  • This security page is updated whenever we make significant changes to our security practices
  • We disclose third-party services and their security certifications
  • We communicate honestly about what we store and what we don't
  • We will notify users of any material security incidents

Security Best Practices for Users

  • Use a strong, unique password (12+ characters with mixed case, numbers, symbols)
  • Never share your account credentials
  • Review generated emails before sending to clients
  • Log out when using shared or public computers
  • Keep your browser and operating system up to date
  • Be cautious of phishing emails claiming to be from us (we will never ask for your password)