Legal
Privacy Policy
Effective date: May 1, 2026 · Last updated: May 1, 2026
Draft for attorney review. Launch-minimum draft pending the flat-fee attorney pass (TASK-75). Based on Eleanor's TASK-65 research and the TASK-12 PII inventory. Not legal advice.
1. Who this policy covers
This Privacy Policy describes how Beam Networks Stream ("Beam Networks," "we," "us") handles personal information in connection with the Beam Networks Stream service at beamnetworks.stream (the "Service"). It covers:
- Customers: the churches and organizations that sign up for an account. You are our direct counterparty.
- Visitors: people who browse our public website without an account.
- End users: congregants and other viewers whose voices and images may appear in streams you send to us.
Customers who stream content containing other people's personal information (such as a video of a worship service) act as the controller for that content. We process it on your behalf as a processor. You are responsible for having an appropriate lawful basis to stream and record those individuals.
2. Information we collect
2.1 From Customers (directly)
- Account data: your name, email, password (hashed by our auth provider — we never see it), MFA factors, and profile info you give us.
- Organization data: your organization name, team members you invite, roles, and billing address.
- Billing data: handled by Stripe. We see your billing name, address, card brand, and last-4 digits. We never see full card numbers.
- Usage data: the streams you create, destinations you configure, API keys you generate (we store only a hash of the secret), and product-analytics events.
- Support data: anything you send us by email, ticket, or chat.
2.2 Stream content (from Customers, on behalf of End users)
- Video segments uploaded through our ingest endpoint. Stored in Cloudflare R2.
- Stream metadata: stream names, destination names, timestamps, technical attributes (bitrate, codec).
Stream content may contain the voices, images, and speech of congregants, guests, and volunteers. We treat this as sensitive content and store it under the retention settings you choose.
2.3 Automatically
- Log data: IP address, browser type, pages visited, timestamps. Standard web logs.
- Cookies: see Section 7.
2.4 From third parties
- Clerk passes us authentication metadata when you sign in.
- Stripe passes us billing status and payment events.
3. How we use your information
- To provide the Service — run your account, ingest and relay your streams, transcode, store segments for the retention period you choose, bill you, and deliver support.
- To secure the Service — detect abuse, investigate security events, enforce our Terms and Acceptable Use policy.
- To communicate — send service emails (outages, billing, security notices), respond to support requests, and occasionally share product updates. You can opt out of non-essential emails in settings.
- To comply with law — respond to valid legal requests, enforce our DMCA process, and meet tax and accounting obligations.
We do not sell your personal information. We do not share it for cross-context behavioral advertising. We do not use your stream content or account data to train AI models.
4. Our processors and where your data lives
We use a small set of third-party providers ("processors") to run the Service. Each processes data only on our documented instructions.
| Processor | What they handle | Purpose |
|---|---|---|
| Clerk (clerk.com) | Email, display name, password hash, session cookies, IP at sign-in, MFA factors | Authentication, session management |
| Stripe (stripe.com) | Billing name, billing address, payment card metadata (we never see full card numbers), subscription state | Payment processing, subscription lifecycle |
| Cloudflare (cloudflare.com) | Stream segments (R2 object storage), database records (D1), application code (Workers), stream ingest and routing (Durable Objects), DNS, network edge | Hosting, storage, compute, network |
Each of these is a reputable processor with its own privacy, security, and compliance documentation. Cloudflare operates a global network; to deliver streams efficiently, content may be cached and transmitted through edge locations outside your home country.
The current sub-processors are listed in the table above. We will update this page when our processor list changes.
5. Data retention
We keep different categories of data for different periods. Our working defaults:
| Data category | Default retention | Notes |
|---|---|---|
| Account data (profile, organization) | Until you delete the account, plus 30 days | The 30-day grace lets us reverse accidental deletions and resolve billing disputes. |
| Stream segments and stream metadata | Varies by plan (see table below) | Default retention is set by your plan. You may select a longer retention period within the limits of your plan. |
| Billing records | 7 years | Tax and accounting obligations. Stored in Stripe and in our database. |
| Logs (application, system) | 30 days | Standard operations logging. |
| Support communications | 2 years from last contact | Lets us respond to follow-up questions. |
Stream segment retention by plan: Default retention varies by plan. Customers may select a longer retention period within the limits of their plan. The defaults are:
| Plan | Default stream retention |
|---|---|
| Sunday | 7 days post-stream |
| Starter | 30 days post-stream |
| Pro | 90 days post-stream |
| Business | 365 days post-stream |
On tenant churn (customer cancels or we terminate the account): we retain stream metadata and database records associated with the tenant for 30 days so the customer can resubscribe without data loss, then hard-delete. Billing records remain for the 7-year window described above but are marked closed.
You can request an immediate deletion; see Section 6.
6. Your rights
We extend the following rights to all users, regardless of where you live, because it is simpler and more respectful than running jurisdiction-specific logic. Some of these rights map to rights under the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA / CPRA); we honor them either way.
- Access — get a copy of the personal information we hold about you.
- Correction — ask us to fix inaccurate data.
- Deletion — ask us to delete your account and associated personal data. We will comply within 30 days, subject to legal retention obligations (e.g., billing records).
- Portability — get your account data in a structured, machine-readable format.
- Objection / restriction — ask us to stop or limit processing that is not essential to the Service.
- Withdraw consent — where we relied on consent (e.g., marketing emails), you can withdraw it at any time. Withdrawal does not affect past processing.
- Non-discrimination — we will not penalize you for exercising any of these rights.
- Complaint — you have the right to complain to your local data-protection authority.
How to exercise these rights: email privacy@beamnetworks.stream with your request. We may need to verify your identity before acting. Most requests are completed within 30 days.
California residents specifically: we do not sell or share personal information for cross-context behavioral advertising. The CCPA's "Do Not Sell or Share My Personal Information" link is therefore not applicable; our position is built-in.
If you are an End user (e.g., a congregant whose image appears in a stream uploaded by a Customer), please direct requests first to the Customer (your church), because they are the controller of that content. If they are unresponsive, contact us and we will help coordinate.
7. Cookies
We use a small number of cookies. None of them are used for advertising.
- Essential cookies — set by our auth provider, Clerk, to keep you signed in. Without these, the Service cannot function. These are exempt from consent requirements under standard ePrivacy and GDPR analysis.
- Stripe cookies — set during the payment flow to prevent fraud and manage the checkout session. Essential when billing.
- Cloudflare cookies — may include `__cf_bm` (bot management) or similar network-layer cookies. These support site security.
- Analytics cookies — none at launch. Plan is to run analytics-free or with cookieless analytics only.
Our Cookie Notice summarizes this in a banner on your first visit.
8. Security
We rely on:
- Clerk for authentication, MFA, and session management.
- Stripe for payment handling (PCI SAQ-A scope — we never touch full card data).
- Cloudflare for network and application-layer protection, TLS at the edge, and DDoS mitigation.
- Our own controls: hashed API secrets, least-privilege operational access, encrypted storage of stream segments in R2, and logging of administrative actions.
No system is perfectly secure. If we learn of a security incident that affects your personal data, we will notify you and any regulator we are legally required to notify, within the timeframes the applicable law specifies.
9. International transfers
We are a US-based company serving primarily US customers. If you access the Service from outside the US, your information will be transferred to and processed in the US and in the global Cloudflare network. Where applicable, transfers from the EEA, UK, or Switzerland rely on Standard Contractual Clauses (SCCs) or equivalent safeguards as maintained by our processors.
10. Children
The Service is not directed to children under 13 (US) or 16 (EEA/UK). We do not knowingly collect personal information directly from children in those age ranges. If a church streams a service that captures children's images, the church is responsible for having the appropriate consent from parents or guardians.
If you believe we have collected information from a child in a way that violates this policy, contact privacy@beamnetworks.stream.
11. Changes to this policy
We may update this policy. Material changes get at least 30 days' notice by email or in-app notice. The "Last updated" date at the top tells you when the current version took effect. Prior versions are available on request.
12. Contact
- Privacy questions and data-subject requests: privacy@beamnetworks.stream
- Security incidents: security@beamnetworks.stream
- Copyright notices: dmca@beamnetworks.stream (see DMCA Policy)
- General legal: legal@beamnetworks.stream