Privacy policy

Last updated: 11 May 2026

1. Who we are (Controller)

The Beacon (the “Service”) is operated by the entity identified on the imprint page (the “Controller”, “we”, “us”). This policy explains what personal data we collect when you use the Service, why we collect it, on what lawful basis, how long we keep it, who else handles it on our behalf, and the rights you have under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, and other applicable data-protection laws.

For data-protection questions, contact info@enon.md.

2. What we collect, why, and on what basis

(a) Account data. When you create an account: your email address, a salted hash of your password (we never store the plaintext), and account timestamps (created, last sign-in).
Purpose: identifying you, signing you in, sending you the alerts you subscribe to.
Lawful basis: performance of the contract you enter when you sign up (Art. 6(1)(b) GDPR).

(b) Subscription preferences. The regulators, jurisdictions, types of items, firms, or banks you have asked to be alerted about, plus your preferred delivery channel and cadence.
Purpose: deciding which alerts to send you.
Lawful basis: performance of the contract.

(c) Marketing-email opt-in. If you opt in to the newsletter or product-update emails, a record of your consent (timestamp, IP, source) and your subsequent choices.
Purpose: sending you the emails you asked for and demonstrating that we have your consent.
Lawful basis: consent (Art. 6(1)(a) GDPR), withdrawable at any time without affecting the lawfulness of processing carried out before withdrawal.

(d) API usage. If you hold an API key, per-day request counts, the endpoints called, response status, and approximate request size — keyed to the API key, not to your IP.
Purpose: rate-limit enforcement, abuse detection, billing reconciliation.
Lawful basis: performance of the contract and our legitimate interest (Art. 6(1)(f) GDPR) in preventing abuse of the Service.

(e) Payment data. Where you purchase a paid tier, our payment processor (see the “Processors” section) collects your card or bank details on its own infrastructure. We receive only a tokenised reference, the amount, the currency, the timestamp, and the country code reported by the processor for tax purposes. We never see your full card number.
Lawful basis: performance of the contract; compliance with our tax-record-keeping obligations (Art. 6(1)(c)).

(f) Server and access logs. Standard HTTP access logs containing the requested URL, the HTTP method, the response code, the request size, the user agent, the referrer, and the source IP address (last octet truncated for non-authenticated traffic).
Purpose: security monitoring (detecting scraping abuse, brute-force attempts, DDoS), debugging, and aggregate audience analytics.
Lawful basis: our legitimate interest in operating a secure Service (Art. 6(1)(f)).
Retention: 30 days.

(g) Email-delivery telemetry. If you receive emails from us, our email processor logs delivery status (delivered, bounced, complaint) and one-click unsubscribe events. We do not insert tracking pixels and do not record “email opened” events.
Purpose: maintaining sender reputation, honouring unsubscribes, identifying bad addresses.
Lawful basis: legitimate interest, balanced against your privacy expectations as a recipient.

(h) Contact and correction messages. Emails you send us at any of the @beacon.enon.md addresses, retained for as long as the related matter is open plus the limitation period applicable to any resulting dispute.

3. What we do NOT collect

  • We do not use third-party advertising cookies or audience-measurement cookies that profile you across sites.
  • We do not fingerprint your browser, your device, or your network.
  • We do not place tracking pixels in emails.
  • We do not sell, lease, or trade personal data to anyone, for any purpose.
  • We do not request, store, or process special-category personal data (Art. 9 GDPR: racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, sex life, sexual orientation).

4. Cookies

We use a small number of strictly-necessary cookies (session, CSRF, theme preference). We do not use any analytics or advertising cookies. Full details are on the cookie policy page.

5. How long we keep your data

  • Active accounts: for the life of the account.
  • Closed accounts: 30 days after closure (a soft-delete grace window), after which we retain only the minimum required to comply with legal obligations — chiefly tax-record retention (typically 7–10 years depending on jurisdiction).
  • Server logs: 30 days, then deleted.
  • Marketing-consent records: for as long as the consent is active, plus 3 years after withdrawal to evidence past consent in case of regulatory enquiry.
  • Correction-request correspondence: as long as the underlying matter is open, plus the statutory limitation period.

6. Who else processes your data (Processors)

We use the following processors. A Data Processing Agreement is in place with each. None has independent permission to use your data; each processes it only on our documented instructions.

  • Vercel Inc. — site hosting and edge delivery. Data may be processed in the EU; some control-plane data is processed in the United States under Vercel’s certified Standard Contractual Clauses (SCCs).
  • Neon (Databricks Inc.) — Postgres database. The compute and storage we use is located in the EU (eu-central-1 / Frankfurt).
  • Fly.io Inc. — worker host (ingestion, scoring, email send). The worker VM is in the EU (fra region / Frankfurt).
  • Resend Inc. — transactional and marketing email delivery. Processed in the EU under SCCs.
  • Cloudflare Inc. — DDoS mitigation, edge caching, and object storage (R2) for press snapshots. Edge nodes globally; the EU GDPR DPA and SCCs are in place.
  • Stripe Payments Europe Ltd. — card and SEPA payment processing for paid tiers (where offered). Stripe is the controller for the payment transaction itself; we receive only tokens and metadata.
  • DeepL SE — automated translation of non-English regulator notices. We send only the public regulator text; no personal data is transmitted.

7. International transfers

Personal data is processed in the EU by default. Where a processor has US infrastructure that is incidentally involved (for example, Vercel and Cloudflare control planes), the transfer is covered by EU Commission Standard Contractual Clauses (Decision 2021/914) and, where the recipient is self-certified, by the EU-US Data Privacy Framework adequacy decision (Decision 2023/1795). We have carried out transfer-impact assessments for each non-EU processor.

8. Personal data of third parties named in items

Items we aggregate sometimes name individuals — typically because the originating regulator has named them in a public warning, final notice, or licence-action page. We re-publish what the regulator has already made public, for the purpose of journalism (Art. 85 GDPR; and in the UK, the journalistic exemption under Schedule 2 Part 5 of the Data Protection Act 2018; and equivalent journalistic exemptions in other Member States).

If you are named in an item and consider that the underlying regulator notice has been corrected, set aside, or appealed, write to info@enon.md. We review every such request and respond within two business days. Where the regulator has formally withdrawn or amended the underlying notice, we follow suit. We do not de-list items that simply reproduce a still-public regulator finding, as the journalistic interest in the public regulatory record applies.

9. Your rights

Subject to the conditions set out in the GDPR/UK GDPR, you have the right to:

  • Access — obtain a copy of the personal data we hold about you (Art. 15);
  • Rectification — correct inaccurate or incomplete data (Art. 16);
  • Erasure — have your data deleted in the circumstances set out in Art. 17;
  • Restriction — have processing paused while a dispute is resolved (Art. 18);
  • Portability — receive your account data in a machine-readable format (Art. 20);
  • Object — object to processing based on legitimate interest (Art. 21), including direct marketing — which we will always honour;
  • Withdraw consent — at any time, for processing based on consent (Art. 7(3));
  • Not be subject to automated decisions that produce legal or similarly significant effects on you (Art. 22). We do not take such decisions.

To exercise any of these rights, email info@enon.md. We may need to verify your identity before responding, and we will respond within one month (extendable by two further months for complex requests, in which case we will tell you).

You also have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for this Service is named on the imprint page. You can also complain to the supervisory authority in your country of habitual residence, your place of work, or the place where the alleged infringement occurred.

10. Security

We apply industry-standard organisational and technical measures, including: encryption in transit (TLS 1.3) and at rest, principle-of-least-privilege access controls, argon2id password hashing, environment-segregated secrets, daily encrypted backups with point-in-time recovery, and intrusion logging. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where the risk is high, you directly without undue delay.

Suspected security issues should be reported to info@enon.md. We do not pursue researchers who act in good faith within the bounds of our responsible-disclosure expectations.

11. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you become aware that a child has provided personal data to us, contact info@enon.md and we will delete it.

12. Changes to this policy

We may update this policy from time to time. The “last updated” date at the top reflects the most recent version. Material changes will be communicated to registered users by email at least 30 days before they take effect. Past versions are available on request.