Privacy Policy
What we collect, what we don't, and why.
1. Who we are
Northbeam Pte Ltd ("Northbeams", "we", "our") provides Northbeams, a SaaS product that helps organizations discover and govern AI tool use by their employees. This policy explains how we handle information when you visit our website (northbeams.com), use our dashboard (monitor.northbeams.com), install our browser extension, or install our desktop apps for Mac or PC.
2. Information we collect
Marketing site (northbeams.com)
- IP address & user-agent string - captured by our hosting provider (Vercel) in standard server logs for abuse prevention. Retained for at most 30 days.
- Marketing analytics & ad-platform pixels (opt-in) - on the marketing site only, we use Google Analytics 4, the Meta (Facebook) Pixel, the LinkedIn Insight Tag, and the Reddit Pixel to measure marketing reach and audience overlap. Everything runs under Google Consent Mode v2 with all storage defaulted to denied. No cookies are written and no data is sent to any of these platforms until you click "Accept" in the consent banner shown on your first visit. You can change your mind at any time by clearing the nb_consent entry in your browser's site storage, by using your browser's "do not track" setting, or by opting out directly with each platform (Your Online Choices, NAI, Meta opt-out). We enable IP anonymization on GA4. We never run any of these pixels on the dashboard (monitor.northbeams.com) or the browser extension. We do not pass form-field contents (email, name, company) to any of these platforms; we only pass aggregated pixel-fire signals that the visit happened.
- Live chat (Crisp, functional) - the Crisp chat widget is loaded only on /pricing, /it-lead, and /cfo so visitors can ask sales and account questions. Crisp sets a session cookie to maintain the conversation across page loads. We treat this as a functional service (the same category as a sign-in cookie) and do not gate it behind the analytics consent banner. No chat content is sent to advertising platforms. If you would rather not engage, simply do not open the widget. See Crisp's privacy notice for details.
Dashboard (monitor.northbeams.com)
- Account info - email and display name from your Google account, used for authentication via Firebase Auth.
- Workspace info - the workspace name you choose at onboarding, plus an internal workspace identifier.
- Cookies / session tokens - required for sign-in. No third-party tracking or advertising cookies.
Browser extension
- AI tool visit events - when an employee opens an AI tool URL we recognize (e.g., chat.openai.com), we record the hostname, page title (truncated), tool identifier, and timestamp.
- Sensitive content findings - when an employee submits a prompt on a supported AI tool site, the extension's in-browser classifier scans the prompt locally. If it matches one or more sensitive-content categories (credentials, PII, source code, customer data, contracts), we record:
  - the category labels matched (e.g., ["credentials","sourceCode"]);
  - per-pattern match counts (numbers only);
  - a redacted snippet ≤200 characters with detected secrets masked as [REDACTED:type];
  - tool, hostname, timestamp, prompt char-count, and the user label configured in the extension's settings.
- How the extension identifies AI tool pages: the extension maintains a catalogue of AI tool hostnames that is refreshed from our servers every 6 hours. To support this live catalogue without requiring a browser-extension update each time a new AI tool is added, the extension requests permission to access all websites (<all_urls>). The in-page classifier script is injected only on pages whose hostname matches the current catalogue. No scripts are injected, and no data is read, on pages that do not match.
- What we do NOT collect: the original prompt text, page DOM, full URL paths or query strings, keystrokes, or any data from pages that are not in our AI tool catalogue. Users can disable sensitive-content classification entirely from the extension's options page.
Desktop apps (Northbeams for Mac and Northbeams for PC)
- AI tool process events - when an employee runs a recognized AI desktop app (e.g., Claude Desktop, ChatGPT Desktop, Cursor, Granola) or a recognized AI CLI tool (e.g., Claude Code, Aider) on the same laptop, we record the process name (not the full command line), the matched tool identifier, the user label, and a timestamp.
- Outbound connection events - when the laptop opens a network connection to a recognized AI service host (matched against a bundled catalogue of AI service signatures), we record the destination hostname, the matched tool identifier, and a timestamp. We never see, store, or transmit the contents of the connection.
- Device metadata - operating system family (macOS or Windows), OS major version, and an installation identifier we generate so the dashboard can show this laptop as a Connected surface. No hardware serial numbers, no MAC addresses, no user-account names.
- What we do NOT collect from desktop: prompt content, AI tool responses, keystrokes, clipboard contents, screen contents, file contents, full command lines, browsing history, or traffic to non-AI hosts. The desktop app does not act as a network proxy and does not install a TLS interception certificate.
3. How we use your information
- To operate the dashboard, show your team's AI usage, and surface sensitive-content findings.
- To prevent abuse (rate limiting, anomaly detection).
- To communicate with you about your account, billing, and material product changes.
4. How we do not use your information
- We do not sell your data, ever.
- We do not train AI models - ours or anyone else's - on customer data.
- We do not share data with advertising networks.
- We do not run third-party trackers or analytics that profile users inside the dashboard, browser extension, or desktop apps. The marketing site uses opt-in Google Analytics 4 plus the Meta, LinkedIn, and Reddit ad-platform pixels for visit measurement only, all gated behind explicit consent (see Section 2).
5. Where data is stored
Customer data is stored in Google Cloud's Firestore (us-east1 region) via the Firebase platform. Sign-in is handled by Firebase Auth. Outbound transactional email (sign-in notifications, billing receipts) is sent via Resend. Hosting for the dashboard and marketing site is provided by Vercel.
6. Data retention
- Visit events and sensitive-content findings are retained for 365 days by default. Workspace owners can request earlier deletion via email.
- Account and workspace records are retained while your account is active, and deleted within 30 days of account closure.
7. Your rights
Depending on where you live (e.g., EU/UK GDPR, California CCPA), you may have rights to access, correct, export, or delete the personal information we hold about you. To exercise these rights, email privacy@northbeams.com. We respond within 30 days.
8. Security
Workspace keys (used by the browser extension to authenticate to our backend) are stored only in your local browser via chrome.storage.local. Desktop install tokens are short-lived, signed, and consumed once at first launch; the desktop app then holds a per-device bearer token in the OS keychain (Keychain on Mac, Credential Manager on PC). All bearer tokens live in our backend's secure Firestore collection (admin-SDK access only). All traffic uses TLS. We use Firebase Auth for sign-in and follow Google's recommended security practices.
9. Changes to this policy
We will email customers and update the "Effective" date at the top of this page if we make material changes. Continued use of Northbeams after the effective date constitutes acceptance of the updated policy.
10. Contact
Privacy questions: privacy@northbeams.com
General contact: hello@northbeams.com
Northbeam Pte Ltd, Singapore