Last updated: 10 July 2026. This Privacy Policy explains what Northbeams Inc. ("Northbeams", "we", "us") collects, how we use it, and the choices you have. It covers the Northbeams marketing site at northbeams.com and the Northbeams application at monitor.northbeams.com, together with the browser extension and desktop apps that make up the product.
Northbeams inspects AI activity on the device. It is not a proxy, and it does not install a man in the middle certificate. Raw prompts, MCP argument values, keystrokes, and your non-AI browsing never leave the machine. Only category labels, counts, severity, a redacted and hashed snippet, and the per-user attribution needed to show an admin who did what ever leave the device.
The browser extension and desktop apps classify AI activity on the device. From that inspection, only the following leaves the endpoint and reaches your organization's Northbeams tenant:
The following never leaves the device: raw prompt text, MCP argument values, keystrokes, and your non-AI browsing history. There is no proxy and no MITM certificate, so traffic is not decrypted in the network path.
Within a customer organization, the organization is the controller of its users' product data, and Northbeams is the processor acting on its instructions.
We use a small set of vendors to run the service, including Google Cloud for infrastructure and Stripe for payments. The current list, with purpose and location, is on our Sub-processors page.
Customer data is stored on Google Cloud (Firestore and Cloud Storage). Enterprise customers can request US or EU data residency. [TODO: confirm with Joe: default storage region and the exact residency options offered per tier.]
Event history is retained for the life of your subscription, so that admins keep an unbroken audit trail. Enterprise plans include 7-year retention for signed logs. Account and billing records are kept while your account is active, and for the period afterward required by law. [TODO: confirm with Joe: exact retention numbers for the Sentinel tier, and the deletion timeline after an account is closed.]
Depending on where you live, you may have rights under the GDPR, the UK GDPR, and the CCPA and CPRA, including the right to access, correct, delete, or port your personal data, and to object to or restrict certain processing. Where Northbeams processes data on behalf of a customer, we route requests to that customer as the controller. To exercise a right, or to ask who the controller is for your data, email privacy@northbeams.com.
We do not sell personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under California law.
Where personal data is transferred out of the EEA or the UK, we rely on appropriate safeguards, such as the Standard Contractual Clauses. [TODO: confirm with Joe: transfer mechanism and any UK addendum, to be finalized with counsel.]
How we protect data (encryption in transit and at rest, on-device inspection, access controls, signed logs, and our SOC 2 posture) is described on our Security page.
Northbeams is a workplace product and is not directed to children. We do not knowingly collect data from anyone under 16.
We will update this policy as the product and the law change, and we will post the new version here with a fresh "last updated" date. We will tell account admins about material changes.
Northbeams Inc. is a Delaware C-corporation. For privacy questions, or to reach our data protection contact, email privacy@northbeams.com. [TODO: confirm with Joe: registered mailing address, and the name of the Data Protection Officer or EU / UK representative if one is appointed.]