Privacy Policy
Beam Data Privacy Policy
At Beam Data Ltd. (“Beam Data”), a data analytics and processing company duly registered and headquartered in Toronto, Canada, we acknowledge our dual role as both a data controller and a data processor. This Privacy Policy outlines our approach to the management, processing, and protection of personal information entrusted to us by individuals and organizations (“our Clients”), and our commitment to upholding data protection principles in line with Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable global regulations such as the EU General Data Protection Regulation (GDPR) where relevant.
Purpose
Beam Data collects, uses, and discloses personal data solely for specific, legitimate purposes, which may include:
- Delivering and facilitating services to our Clients via our platforms.
- Processing personal data as mandated in our contractual agreements.
- Ensuring compliance with applicable laws and regulatory obligations.
- Sending newsletters and updates, where consent is provided.
- Recruitment, including background checks and job application reviews.
- Managing employment contracts, benefits, and compliance.
Legal Basis for Data Processing
We process personal data based on the following lawful grounds:
- Contractual necessity: For the performance of a contract with our Clients.
- Legal obligations: To comply with legal and regulatory duties.
- Legitimate interests: To pursue our legitimate business operations, such as improving services and safeguarding our systems.
- Vital interests: Where processing is necessary to protect life or safety.
- Public interest: For tasks carried out in the public interest under law.
- Consent: When consent is required and obtained, we ensure data subjects are informed and retain the right to withdraw consent.
Expected Outcomes
Our data protection approach seeks to ensure:
- Efficient, scalable, and secure data management.
- Compliance with PIPEDA, GDPR (where applicable), and other regulations.
- Enhanced client trust through transparent and secure data practices.
- Risk reduction and effective incident response.
- Opportunities for innovation through privacy-conscious data analytics.
Definitions
- Data Controller: Beam Data when we determine the purposes and means of processing.
- Data Processor: Beam Data when acting on behalf of Clients.
- Data Subject: Any individual whose data is processed by us.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation on personal data including collection, use, disclosure, storage, and destruction.
- Sensitive Personal Data: Data revealing health, biometric, financial, or other highly personal information.
Legal Framework
This policy aligns with:
- PIPEDA and other Canadian provincial privacy laws.
- GDPR (General Data Protection Regulation), e.g., for data subjects in the EU.
- CCPA (California Consumer Privacy Act)
- Any international privacy laws applicable based on Client or data subject location.
Data Collection and Use
We collect the following categories of personal data:
- Contact Information: Name, email, phone number, address.
- Demographic Data: Date of birth, occupation.
- Sensitive Data: Biometric or health information, only when required and with appropriate safeguards.
- Financial Data: For payroll or contractual obligations.
- Government-issued IDs: As required by law or Client agreements.
Sharing and Disclosure
We do not sell personal data. Data may be disclosed:
- To government authorities where legally required.
- To third-party vendors and subcontractors under data protection agreements.
- For legal compliance and enforcement.
- In emergencies for public safety.
- With explicit consent.
- For anonymized statistical purposes.
Rights of Data Subjects (Aligned with PIPEDA, CCPA, GDPR, and other applicable regulations):
Beam Data acknowledges the fundamental rights of individuals regarding their personal information. As both Data Controller and Data Processor, we implement appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data. The following rights are exercisable by Data Subjects under applicable data protection laws:
- Right to be Informed
Data Subjects have the right to receive clear, concise, and transparent information about how their personal data is collected, used, shared, and stored. Beam Data ensures this information is made available at the time of data collection and thereafter upon request.
- Right of Access
Data Subjects have the right to request access to their personal data, including confirmation of whether data is being processed and access to the data itself and associated information (e.g., processing purposes, data recipients, retention periods).
- Right to Correct Personal Information (Right to Rectification)
Data Subjects have the right to request corrections to inaccurate, incomplete, or outdated personal data. Beam Data will promptly update personal data as required to ensure accuracy and reliability.
- Right to Erasure (Right to Be Forgotten)
Data Subjects may request the deletion of their personal data in the following circumstances:
- The data is no longer necessary for the original purposes.
- The legal basis for processing no longer applies (e.g., withdrawal of consent or expiration of contract).
- The data was unlawfully processed.
- The data must be erased to comply with a legal obligation.
- Right to Restrict Processing
Data Subjects may request the restriction of processing when:
- The accuracy of the data is contested.
- The processing is unlawful, but the Data Subject opposes erasure.
- The data is no longer needed, but the Data Subject requires it for legal claims.
- The Data Subject has objected to processing pending verification of legitimate grounds.
- Right to Withdraw Consent
Where processing is based on consent, Data Subjects have the right to withdraw their consent at any time. Withdrawal does not affect the lawfulness of prior processing based on consent.
- Right to Object to Processing
Data Subjects may object to the processing of their personal data for reasons related to their particular situation, including direct marketing, profiling, or where the processing is based on legitimate interests. Beam Data will assess such objections in accordance with legal exceptions and obligations.
- Right to Lodge a Complaint
Data Subjects have the right to lodge a complaint with the appropriate supervisory authority if they believe their data rights have been violated. In Canada, complaints may be submitted to the Office of the Privacy Commissioner of Canada (OPC) via: https://www.priv.gc.ca/en/
- Right to Data Portability
Data Subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where technically feasible. This applies to data provided by the Data Subject and processed based on consent or contract.
To exercise any of these rights, please contact Beam Data’s Privacy Officer at privacy@beamdata.com. We are committed to responding to your request within the timelines required by applicable data protection laws.
Data Retention
We retain personal data only as long as necessary for the stated purposes or as required by law. Retention periods are defined in our internal policies and data processing agreements.
Privacy by Design and Privacy by Default
Beam Data's objective is to ensure that our processes and systems are designed such that the collection and processing (including use, disclosure, retention, transmission and disposal) are limited to what is necessary for the identified purpose.
- Limit collection
Beam Data shall ensure that the collection of Personal Information is limited to what is relevant, proportionate, and necessary for clearly identified purposes. The organization shall collect only the minimum amount of PII required to achieve legitimate business or operational objectives.
Personal information collected, whether directly from the individual or indirectly through means such as system logs, web analytics, or background monitoring, must be adequate and justifiable in relation to the intended purpose.
In alignment with the principle of privacy by default, any optional features that involve the collection or processing of Personal Information must be turned off by default. These features may only be activated through the clear and informed choice of the individual whose data is being collected.
This policy applies to the design, development, and operation of all systems, services, and business processes that involve the handling of PII.
- Limit processing
Beam Data shall ensure that the processing of Personal Information is limited to what is adequate, relevant, and necessary in relation to the purposes that have been clearly identified and documented.
This limitation applies to all forms of processing, including the use, disclosure, storage duration, and access to Personal Information. Each processing activity must be justified by a specific business or legal need and must not exceed what is required to fulfill that purpose.
Processing shall be governed through established information security and privacy policies, as well as documented procedures that support implementation and ensure compliance. These procedures shall include controls to:
- Restrict disclosure of Personal Information to authorized and necessary parties only.
- Limit the duration of Personal Information storage to the minimum period required to achieve the purpose.
- Control access to Personal Information, ensuring that individuals only have access to their own information, unless otherwise authorized by law or contractual obligation.
All systems and processes must be configured to apply these restrictions by default, in line with the principle of privacy by design and privacy by default.
- Accuracy and Quality
Beam Data is committed to ensuring that all Personal Information processed by the organization is accurate, complete, and up to date, as required for the purposes for which it is collected and used. This requirement applies throughout the entire lifecycle of the Personal Information, as supported by the controls defined in our internal policy for Protection of Records.
To support this commitment, the organization has implemented documented policies, procedures, and technical mechanisms that are designed to:
- Minimize the risk of processing inaccurate or incomplete Personal Information.
- Validate and verify Personal Information at the point of collection and during key stages of processing.
- Enable individuals to request corrections or updates to their Personal Information when necessary.
- Ensure that updates are promptly and accurately reflected across all relevant systems.
These controls are documented and maintained as part of the organization’s information management system. They are applied consistently across all departments and functions that handle PII and are enforced throughout the Personal Information lifecycle, from initial collection to final disposal.
Beam Data also maintains clear procedures to detect and respond to instances of inaccurate Personal Information. These include logging and tracking inaccuracies, notifying affected parties where appropriate, and applying corrective actions to prevent recurrence.
All personnel responsible for processing Personal Information shall be trained on the importance of data accuracy and the procedures required to maintain it, ensuring ongoing compliance with legal, regulatory, and contractual obligations.
Data Minimization
Beam Data is committed to the principle of data minimization and ensures that we only collect, use, and retain personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Objectives
- To limit the collection of personal data to what is strictly necessary for specified, explicit, and legitimate purposes.
- To avoid over-collection, unnecessary retention, or processing of personal data.
- To reduce risks associated with personal data by applying appropriate de-identification measures where possible.
- Implementation and Practices
To achieve our data minimization objectives, we:
- Regularly review forms, applications, and systems to ensure only necessary personal data fields are collected.
- Conduct Data Protection Impact Assessments (DPIAs) for new products, services, or processes to evaluate the necessity of data collected.
- Apply de-identification, anonymization, or pseudonymization techniques when full identification of individuals is not required, particularly in data analytics, research, or testing environments.
- Enforce data retention schedules to ensure personal data is not held longer than necessary and is securely disposed of once no longer required.
- Examples of Data Minimization Measures
- Personal data used for reporting or analytics is aggregated or anonymized.
- For customer feedback forms, we collect only first names and email addresses unless further identification is essential.
- Access to detailed personal data is restricted based on job role and operational need.
We continuously monitor and improve our data minimization practices to align with evolving legal, regulatory, and business requirements.
Data Security
We implement technical and organizational safeguards, including:
- Data encryption in transit and at rest
- Role-based access controls
- Anonymization and pseudonymization
- Regular security audits
- Incident response plans
- Staff training
International Data Transfers
Where data is transferred outside Canada, Beam Data ensures appropriate safeguards are in place, such as:
- Transfer to jurisdictions with adequate protection (e.g., EU, UK)
- Standard Contractual Clauses (SCCs)
- Data Processing Agreements (DPAs)
Withdrawal of Consent
You have the right to withdraw your consent to the processing of your personal data at any time where we rely on your consent as the legal basis for processing.
If you choose to withdraw your consent, this will not affect the lawfulness of any processing carried out prior to the withdrawal. Upon receiving your request, we will promptly stop processing your personal data for the purposes for which consent was originally given, unless we are required or permitted by law to retain certain data.
If you withdraw your consent or object to processing, we will inform all third parties with whom we have shared your information, where required, to ensure your preferences are respected.
You can withdraw your consent by:
- Updating your preferences in your account or settings (where applicable);
- Clicking the “unsubscribe” or “opt-out” link provided in our communications (e.g., emails, SMS);
- Contacting us directly at privacy@beamdata.com.
Limitation of Liability
Beam Data is not liable for damages arising from:
- Unauthorized third-party access
- Client misuse or misconfiguration
- Force majeure events
Our liability is limited to the value of the services rendered in connection with the claim.
Changes to this Policy
This Privacy Policy may be updated periodically. Material changes will be communicated via our website or other appropriate channels. Continued use of our services indicates acceptance of the updated terms.
Contact
For questions, requests, or complaints regarding this policy or our data practices, please contact:
Privacy Officer
Beam Data Inc.
Toronto, ON, Canada
Email: privacy@beamdata.com