Privacy Policy

1. Company Information

Beacon Technology Group is a cybersecurity company providing predictive threat intelligence, endpoint security validation, and cyber risk analytics platforms.

Legal Entity: GreyIP Technologies Inc. d/b/a Beacon Technology Group
Address: 4900 S. University Drive, Suite 200B, Davie, FL 33328, United States
Contact: privacy@gobeacon.ai

2. Scope of This Policy

This Privacy Policy applies to:

• Our corporate website (detect.solutions)
• The CYFAX threat intelligence platform (cyfax.ai)
• The PREVENT endpoint security platform (prevent.gobeacon.ai)
• The ARETE predictive analytics platform
• Any other services, applications, or websites that link to this policy

This policy does not apply to third-party websites, services, or applications that may be linked from our platforms.

3. Website Data Collection

Information You Provide

When you interact with our websites, we may collect information you voluntarily provide, including:

• Contact form submissions (name, email, company, message)
• Demo or consultation requests
• Newsletter subscriptions
• Event registrations
• Account registration information
• Free-tier scan requests (corporate email address, target domain — see Section 16)

Automatically Collected Information

We automatically collect certain information when you visit our websites:

• IP address (anonymized where required by law)
• Browser type and version
• Operating system
• Referring URLs and pages visited
• Date and time of access
• Device identifiers

Cookies and Similar Technologies

We use cookies and similar tracking technologies to enhance your experience, analyze website traffic, and understand visitor behavior. You can control cookie preferences through your browser settings. See our Cookie Policy for details.

4. Platform Data Collection

PREVENT Platform

The PREVENT endpoint security platform collects telemetry data from deployed agents to provide breach and attack simulation, network detection, and asset lifecycle management services. This includes:

• System configuration and security settings
• Installed software inventory
• Network connection metadata (not packet contents)
• Security control validation results
• Asset inventory information

CYFAX Platform

The CYFAX threat intelligence platform provides external attack surface management and dark web monitoring. Customer-provided data includes:

• Domain names and IP ranges for monitoring
• Email addresses for credential exposure monitoring
• Brand keywords for dark web surveillance

See Section 5 for information about how we collect threat intelligence data, and Section 6 for VIP monitoring specifically.

5. Threat Intelligence Data Collection

Sources of Threat Intelligence

Our threat intelligence is derived from:

• Publicly indexed paste sites and code repositories
• Open-source intelligence (OSINT) feeds
• Publicly accessible forums and marketplaces
• Breach notification databases and public disclosures
• Security researcher publications and threat reports
• Honeypot and deception technology deployments operated by Beacon

Deception Technology

Beacon employs proprietary deception technology and collection methodologies to gather threat intelligence from sources where criminal actors trade stolen data. This includes:

• Honeypot infrastructure designed to attract and document threat actor behavior
• Monitoring of publicly accessible underground forums and marketplaces
• Analysis of leaked data posted to public repositories

Data Processing

Threat intelligence data is processed to identify potential risks to our customers and the broader internet community. When compromised credentials or sensitive information are detected:

• Data is matched against customer-provided monitoring parameters and free-tier scan requests
• Alerts are generated with masked/redacted output (e.g., "j***n@company.com")
• Raw compromised data is not displayed in full in any standard interface
• Intelligence is enriched with threat actor attribution where available

Security Research and Publication

Beacon's threat intelligence methodology and findings are the subject of documented research, including the publication: Vazquez, H. B. (2025). Underground Economy Signals as Temporal Predictors of Cybersecurity Breaches: A Retrospective Multi-Case Assessment Across Critical Infrastructure Sectors. Zenodo. https://doi.org/10.5281/zenodo.19600291. Processing of threat intelligence data is conducted for both operational security purposes and scientific research purposes within the meaning of GDPR Article 89 and Recital 159.

6. VIP & Executive Monitoring

For customers utilizing our VIP or executive monitoring services, the following data practices apply:

Customer-Provided Data

Customers provide identity information (such as email addresses) for individuals they wish to monitor for credential exposure. This data is provided under the terms of our End User License Agreement, which includes mutual hold harmless provisions.

Data Flow

1. Input: Customer provides VIP identities under contractual agreement
2. Processing: Identities are loaded into our scanning infrastructure
3. Matching: Scanners compare against threat intelligence sources
4. Output: Results are masked/redacted (e.g., "g****s@domain.com | x****1")

Data Minimization

Consistent with privacy by design principles, output displayed to users is masked to show only enough information to enable identification and remediation, while minimizing exposure of the full compromised credential.

7. Consumer Reporting Agency Disclaimer

Our services are designed exclusively for cybersecurity, fraud prevention, and threat intelligence purposes. Our platforms and the information we provide:

• Are NOT intended for use in determining eligibility for credit, insurance, employment, housing, or any other purpose covered by the FCRA
• Do NOT constitute "consumer reports" as defined by the FCRA
• May NOT be used to make decisions about consumers' eligibility for any product or service

All users — including customers, paid subscribers, channel partners, and users of the free-tier scan — agree, as a condition of service, not to use any information obtained from Beacon platforms for FCRA-regulated purposes. Unauthorized use for any FCRA-regulated purpose is a material breach of these terms and the user's End User License Agreement (if applicable), and will result in immediate termination of access and may expose the user to legal liability.

8. Data Security & Certifications

Beacon Technology Group has invested significant resources in obtaining and maintaining internationally recognized security certifications:

Certifications are independently assessed and issued by ASIB (Europe). Certification documentation is available upon request.

Security Measures

We implement comprehensive technical and organizational security measures, including:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Multi-factor authentication for platform access
• Role-based access controls and least-privilege principles
• Regular security assessments and penetration testing
• 24/7 security monitoring and incident response
• Employee security awareness training
• Comprehensive audit logging of platform access and data queries

Privacy by Design

Our platforms are architected with privacy guardrails at the foundation. This architectural choice enhances security and simplifies compliance with regulatory frameworks including PCI DSS, GDPR, and HIPAA.

9. Data Retention

We retain data only as long as necessary for the purposes described in this policy:

Data Type	Retention Period
Website analytics	26 months
Contact form submissions	Duration of business relationship + 3 years
Customer account data	Duration of subscription + 30 days
VIP monitoring identities	Duration of subscription
PREVENT endpoint telemetry	Rolling 90-day window (configurable)
Free-tier scan requests (requester email, IP, target)	24 months for audit and abuse-prevention purposes
Threat intelligence data	Subject to periodic review; retained for the period operationally necessary to provide early warning and attribution services, with documented legitimate-interest assessment

Upon termination of services, customer data is deleted or returned in accordance with contractual agreements, typically within 30 days unless legal retention requirements apply.

10. GDPR & International Data Rights

For individuals in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data in compliance with the General Data Protection Regulation (GDPR) and UK GDPR.

Lawful Basis for Processing

We rely on the following lawful bases depending on the specific processing activity:

• Contract Performance (Art. 6(1)(b)): Processing necessary to provide subscribed services to customers
• Legitimate Interests (Art. 6(1)(f)): Processing for network and information security purposes, threat intelligence, fraud prevention, and service improvement (as recognized under GDPR Recital 49). We have conducted and maintain documented Legitimate Interest Assessments balancing our interests against the rights and freedoms of data subjects.
• Consent (Art. 6(1)(a)): Marketing communications and non-essential cookies (where required)
• Legal Obligation (Art. 6(1)(c)): Compliance with applicable laws, including security-breach notification obligations
• Scientific Research (Art. 89 / Recital 159): A portion of Beacon's threat intelligence processing is conducted for documented scientific research purposes, including published research on temporal breach prediction methodology. Where personal data is processed for research purposes, appropriate safeguards under Article 89 are applied including pseudonymization, data minimization, and access controls.

Your Rights

Under GDPR and UK GDPR, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Request limitation of processing
• Portability: Receive your data in a structured format
• Object: Object to processing based on legitimate interests, including profiling
• Withdraw Consent: Where processing is based on consent
• Lodge a Complaint: File a complaint with your national supervisory authority if you believe we have processed your personal data unlawfully. A list of EU supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu. UK residents may contact the Information Commissioner's Office at ico.org.uk.

How to Exercise Your Rights

To exercise any of the rights above, contact us at privacy@gobeacon.ai. We will respond to verified data subject requests within 30 days of receipt, as required by Article 12(3). In complex cases, this period may be extended by a further two months, in which case we will notify you of the extension and the reasons for it within the initial 30-day period.

Recipient Categories

We may share personal data with the following categories of recipients:

• Cloud hosting providers (Amazon Web Services, Microsoft Azure)
• Email and communication service providers for transactional and marketing communications
• Analytics providers operating under data processing agreements
• Payment processors (for paid services only; we do not store payment card data)
• Professional advisors (legal, accounting, insurance) under confidentiality obligations
• Competent authorities where required by law, subpoena, or court order
• Acquiring or investing entities in connection with any actual or contemplated merger, acquisition, or financing, under confidentiality obligations

Data Controller vs. Data Processor

Beacon acts in different capacities depending on the processing activity:

• Data Processor: When processing customer-provided data through our paid platforms (PREVENT telemetry, CYFAX monitoring inputs, VIP identities), Beacon acts on behalf of our customers, who are the Data Controllers. Data subject requests relating to such customer data should be directed to the relevant customer organization, who will coordinate with Beacon as necessary.
• Data Controller: For threat intelligence we independently collect (OSINT, honeypot data, public breach sources), for the free-tier scan service, and for data we collect through our corporate website and marketing activities, Beacon acts as the Data Controller and determines the purposes and means of processing.

International Transfers

Data may be transferred to and processed in the United States and other jurisdictions. For transfers from the EEA, UK, or Switzerland to the United States, we rely on the EU-U.S. Data Privacy Framework, the UK Extension to the Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework where applicable, as well as Standard Contractual Clauses (SCCs) with supplementary measures where required. Copies of applicable safeguards are available on request.

Automated Decision-Making

Our ARETE predictive analytics engine produces organization-level risk scoring and threat forecasting. ARETE does not make automated decisions producing legal or similarly significant effects on individual data subjects within the meaning of GDPR Article 22. Risk scoring is applied at the organization level; any action taken on the basis of ARETE output is made by human security decision-makers at the customer organization.

11. California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: What personal information we collect, use, and disclose
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate information
• Right to Opt-Out: Opt out of "sales" or "sharing" of personal information
• Right to Non-Discrimination: Not be discriminated against for exercising rights

12. Third-Party Services

We use select third-party services to operate our business:

• Cloud Hosting: Amazon Web Services (AWS) and Microsoft Azure
• Analytics: Privacy-respecting analytics tools
• Payment Processing: PCI-compliant payment processors (we do not store payment card data)
• Communication: Email service providers for transactional and marketing communications

All third-party service providers are contractually bound to protect data and use it only for specified purposes.

13. Children's Privacy

Our services are directed exclusively to businesses and are not intended for individuals under the age of digital consent in their jurisdiction (16 in most EEA member states; 13 in the United States under COPPA). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, contact privacy@gobeacon.ai.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will post the updated policy on this page with a revised "Last Updated" date. Material changes will be communicated via email or prominent notice on our website. Your continued use of our services after changes become effective constitutes acceptance of the revised policy.

15. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Beacon Technology Group is proud to share any of our compliance certifications and detailed audit documentation under NDA. Contact us to learn more about our security posture and compliance program.

---

16. Free-Tier Scan Terms

Access to the Beacon free-tier external risk assessment ("Free-Tier Scan") is governed by the following additional terms. By submitting a scan request, the requester ("Requester") agrees to the following conditions in addition to the general terms of this Privacy Policy:

16.1 Corporate Email and Domain Scope

The Free-Tier Scan is limited to the organizational domain associated with the Requester's corporate email address. The service is provided solely for the Requester's own organization and is not intended as a means of assessing third-party organizations without authorization. Requests submitted with personal, consumer, or anonymous email addresses may be refused.

16.2 Authorization Representation

By submitting a scan request, the Requester represents and warrants that:

• The Requester is employed by, or otherwise lawfully associated with, the organization whose domain is being scanned;
• The Requester is authorized by that organization to request the scan and receive the results; and
• The Requester's use of the results will comply with applicable law and the Requester's own organization's policies.

Beacon relies on this representation in providing the Free-Tier Scan. Beacon does not independently verify authorization and assumes no responsibility for disputes arising from a Requester's lack of authority.

16.3 Accuracy, "As Is" Basis, and No Consumer Report

Free-Tier Scan results are derived from publicly available sources and Beacon's threat intelligence collection as described in Section 5. Results are provided on an "as is" and "as available" basis, without warranty of any kind, and may contain false positives, false negatives, or outdated information. Free-Tier Scan results are not a "consumer report" within the meaning of the Fair Credit Reporting Act and may not be used for any FCRA-regulated purpose (see Section 7).

16.4 Permitted and Prohibited Use

Free-Tier Scan results are licensed solely for the Requester's internal use within the organization whose domain was scanned. The Requester may not:

• Redistribute, resell, publish, or otherwise make Free-Tier Scan results available to any third party, except internal personnel of the Requester's organization with a legitimate need to know;
• Use Free-Tier Scan results as part of any unsolicited outreach, sales campaign, or marketing activity directed at any party other than the Requester's own organization;
• Use Free-Tier Scan results to make decisions about any individual's eligibility for credit, insurance, employment, housing, or any other FCRA-regulated purpose;
• Scrape, bulk-download, or automate submission of scan requests;
• Attempt to reverse engineer the underlying threat intelligence sources, methodologies, or scoring models;
• Use the Free-Tier Scan service to gather information about any organization other than the one whose domain is associated with the Requester's submitted email.

16.5 Link Expiration and Result Security

Results are delivered via a unique, time-limited, single-use link. It is the Requester's responsibility to access and, where desired, save the results within the validity window. Beacon is not obligated to re-issue expired links.

16.6 Audit Logging

Beacon maintains audit logs of all Free-Tier Scan requests, including the Requester's email, IP address, target domain, and timestamp, for the retention period stated in Section 9. These logs are used for abuse prevention, security, and legal compliance purposes.

16.7 Indemnification

The Requester agrees to indemnify, defend, and hold harmless Beacon Technology Group, GreyIP Technologies Inc., and their respective officers, directors, employees, and agents from and against any third-party claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to: (a) the Requester's breach of these Free-Tier Scan terms; (b) the Requester's misrepresentation of authorization; (c) the Requester's unauthorized or unlawful use of Free-Tier Scan results; or (d) any third-party claim that the Requester's use of the results infringed or harmed such third party.

16.8 Termination

Beacon may suspend, restrict, or terminate access to the Free-Tier Scan at any time, with or without notice, including for suspected abuse, suspected misrepresentation of authorization, or any violation of these terms.

16.9 Governing Law

These Free-Tier Scan terms are governed by the laws of the State of Florida, without regard to conflict-of-laws principles. Exclusive jurisdiction and venue for any dispute lie in the state and federal courts located in Broward County, Florida.