Legal

Privacy Policy

What we collect, how we use it, and the choices you have. The short version: inspection runs on the device, and your raw prompts never leave it.

Draft for review. This document is being finalized with counsel for Northbeams Inc. It is not yet the authoritative version. Questions: privacy@northbeams.com.

Last updated: 10 July 2026. This Privacy Policy explains what Northbeams Inc. ("Northbeams", "we", "us") collects, how we use it, and the choices you have. It covers the Northbeams marketing site at northbeams.com and the Northbeams application at monitor.northbeams.com, together with the browser extension and desktop apps that make up the product.

The short version

Northbeams inspects AI activity on the device. It is not a proxy, and it does not install a man in the middle certificate. Raw prompts, MCP argument values, keystrokes, and your non-AI browsing never leave the machine. Only category labels, counts, severity, a redacted and hashed snippet, and the per-user attribution needed to show an admin who did what ever leave the device.

What we collect

Account data

  • Identity: name, work email, and organization, provided at sign-up or through your single sign-on provider.
  • Authentication: SSO identifiers (SAML) and SCIM directory attributes, where your admin enables provisioning.
  • Billing: for paid plans, the billing contact and subscription details. Card data is handled by Stripe. Northbeams never sees or stores full card numbers.
  • Support: messages you send us through in-app chat or email.

Product data (from the endpoint)

The browser extension and desktop apps classify AI activity on the device. From that inspection, only the following leaves the endpoint and reaches your organization's Northbeams tenant:

  • Category labels (for example: credentials, PII, source code, customer data, contract).
  • Counts and a severity rating for each detection.
  • A redacted, hashed snippet that lets an admin recognize the pattern without exposing the underlying text.
  • Per-user attribution: which user, which tool, which model, and when.

The following never leaves the device: raw prompt text, MCP argument values, keystrokes, and your non-AI browsing history. There is no proxy and no MITM certificate, so traffic is not decrypted in the network path.

How we use it

  • To run the product: show admins the AI tools in use, attribute activity to a user, and enforce the policies your organization sets.
  • To secure the service: detect abuse, investigate incidents, and keep signed, immutable audit logs.
  • To bill paid plans and to support customers.
  • To improve the product in aggregate. We do not sell personal data, and we do not use customer prompt content to train models.

Within a customer organization, the organization is the controller of its users' product data, and Northbeams is the processor acting on its instructions.

Sub-processors

We use a small set of vendors to run the service, including Google Cloud for infrastructure and Stripe for payments. The current list, with purpose and location, is on our Sub-processors page.

Where your data lives

Customer data is stored on Google Cloud (Firestore and Cloud Storage). Enterprise customers can request US or EU data residency. [TODO: confirm with Joe: default storage region and the exact residency options offered per tier.]

How long we keep it

Event history is retained for the life of your subscription, so that admins keep an unbroken audit trail. Enterprise plans include 7-year retention for signed logs. Account and billing records are kept while your account is active, and for the period afterward required by law. [TODO: confirm with Joe: exact retention numbers for the Sentinel tier, and the deletion timeline after an account is closed.]

Your rights

Depending on where you live, you may have rights under the GDPR, the UK GDPR, and the CCPA and CPRA, including the right to access, correct, delete, or port your personal data, and to object to or restrict certain processing. Where Northbeams processes data on behalf of a customer, we route requests to that customer as the controller. To exercise a right, or to ask who the controller is for your data, email privacy@northbeams.com.

We do not sell personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under California law.

International transfers

Where personal data is transferred out of the EEA or the UK, we rely on appropriate safeguards, such as the Standard Contractual Clauses. [TODO: confirm with Joe: transfer mechanism and any UK addendum, to be finalized with counsel.]

Security

How we protect data (encryption in transit and at rest, on-device inspection, access controls, signed logs, and our SOC 2 posture) is described on our Security page.

Children

Northbeams is a workplace product and is not directed to children. We do not knowingly collect data from anyone under 16.

Changes

We will update this policy as the product and the law change, and we will post the new version here with a fresh "last updated" date. We will tell account admins about material changes.

Contact

Northbeams Inc. is a Delaware C-corporation. For privacy questions, or to reach our data protection contact, email privacy@northbeams.com. [TODO: confirm with Joe: registered mailing address, and the name of the Data Protection Officer or EU / UK representative if one is appointed.]