Privacy Policy

What we collect, how we use it, and what we don’t do.

Beacon is built around the principle that you can’t lose patient data you never stored. This page describes what information we do collect, how we handle it, and the rights you have over it.

Last updated: June 2026.

Who we are

Beacon ("we", "us") provides multi-tenant practice-intelligence software for independent dental practices. This policy describes how we handle information about practice owners, team members, advisors, and visitors to our website.

Information we collect

We collect only what's needed to run the product. Specifically:

  • Account information you give us: name, email address, hashed password (we never see it in plaintext), the practice you belong to, and your role.
  • Practice operating data you upload: aggregate metrics derived from your PMS exports. Before any export touches our database, our PHI sanitizer strips columns we recognize as patient-identifying (name, DOB, SSN, phone, email, address, MRN, insurance ID, etc.) and masks identifier-shaped values in surviving columns.
  • Integration data you connect: when you authorize QuickBooks Online or Google (Search Console / Analytics / Business Profile), we sync the aggregate metrics those APIs return. OAuth tokens are encrypted at rest with AES-256-GCM.
  • Technical information from your browser: IP address, user agent, and pages visited, retained in logs for a short window for debugging and abuse prevention.

What we don't collect

By architectural design, Beacon does not store individual patient records. The sanitizer drops PHI columns before parsing, so no patient names, dates of birth, social-security numbers, MRNs, or other patient identifiers are persisted to our database — not even encrypted. We also do not share aggregate practice data with other practices on our platform; tenant isolation is enforced at the database level via Row-Level Security.

How we use information

We use the information we collect to:

  • Operate, maintain, and improve Beacon — the dashboards, AI insight cards, integrations, and core features.
  • Authenticate you and protect your account from unauthorized access.
  • Send you account-related and transactional email: invite confirmations, password resets, billing, daily/weekly digests if you opt in.
  • Provide AI-generated insights — practice metrics (never patient records) are sent to our LLM provider (Anthropic) to produce the synthesis cards on your dashboard. Practice data sent to the model is not used to train it.
  • Respond to support requests and security inquiries.
  • Detect, prevent, and respond to fraud, abuse, security incidents, and other harmful activity.

How we share information

We share information only with the service providers needed to run Beacon, and only the minimum each needs to do its job:

  • Supabase — database, authentication, and file storage.
  • Vercel — application hosting.
  • Anthropic — AI model provider (receives aggregate metrics only, never PHI).
  • Resend — transactional email delivery.
  • Inngest — background job scheduling.

Google user data

When you connect Google (Search Console, Analytics, or Business Profile), Beacon's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. Specifically:

  • We access this data solely to display your practice's own aggregate marketing metrics inside Beacon — we request read-only scopes and never write to your Google accounts.
  • We do not transfer Google user data to third parties except as needed to provide and improve this feature, and never for advertising.
  • We do not use Google user data for serving advertisements, and we do not allow humans to read it except with your explicit consent, for security purposes, to comply with applicable law, or as part of our internal operations after the data has been aggregated and de-identified.
  • You can disconnect Google at any time from Settings → Integrations, which revokes our access and deletes the stored OAuth tokens.

Where information is stored

Practice data is stored in databases hosted in the United States. We do not transfer or process EU practice data outside the EU at this time; if we begin offering Beacon to EU practices we will update this section and offer the appropriate transfer mechanisms.

Data retention

We keep practice operating data for as long as your account is active. If you delete your account or close your practice on Beacon, we remove the practice's aggregate metrics, tasks, goals, and integration tokens from our active databases within 30 days. Anonymized logs (no email, no practice identifier) used for debugging and abuse prevention may be retained longer.

Your rights

You can:

  • Access the information we have about you — most of it is visible directly in the app (your account, your practice's data).
  • Change your email address and password from Settings → My account.
  • Delete your account from Settings → My account. If you're the sole owner of a practice, you'll need to invite another owner first or contact support to fully close the practice.
  • Request a copy of your practice's data — email us and we'll export the aggregate metrics.
  • Request deletion of specific data — email us; we'll honor the request unless we have a legal obligation to retain it.

Security

We take security seriously. Practice data is encrypted in transit (TLS 1.2+) and at rest (Supabase + Vercel managed encryption). OAuth tokens for integrations are encrypted application-side with AES-256-GCM before storage. Access to production systems is restricted, audited, and requires multi-factor authentication. See our /security page for full details on the technical and organizational measures we use.

Cookies

We use only the cookies needed to keep you signed in (session cookie set by Supabase) and remember your theme preference. We do not run third-party analytics, advertising, or tracking cookies.

Children

Beacon is a B2B product designed for dental-practice teams. We do not knowingly collect information from anyone under 16. If you believe we have, contact us and we will delete it.

Changes to this policy

If we make material changes, we'll notify account owners by email and post the updated policy here with a revised "Last updated" date. Continued use after a material change constitutes acceptance.

Contact

Privacy questions, requests, or concerns: email contact@beaconkpi.com.

Related