Privacy Policy
Effective 4 May 2026 (version 2026-05-04).
This Privacy Policy explains how Release Guard Labs Limited ("BESS Map", "we", "us", "our") collects, uses, shares, and protects personal data in connection with the BESS Map website, applications, APIs, and related services (the "Service"). It also describes your rights under the General Data Protection Regulation ((EU) 2016/679) ("GDPR") and other applicable data-protection laws, and how to exercise them.
1. Who is the data controller
The data controller for personal data processed in connection with the Service is Release Guard Labs Limited, a private company limited by shares incorporated in Ireland under company number 652820. We are not required by Article 37 GDPR to designate a Data Protection Officer. Privacy queries can be sent to hello@bessmap.com.
For our full technical and organisational security measures see the Security page.
2. Scope
This Privacy Policy applies to personal data we process about visitors to our website, account holders, paying subscribers, recipients of our emails, and people who contact us. It does not apply to third-party websites that we link to, or to data published by Irish public bodies (such as ESB Networks substation locations, planning records, or property price data) that we ingest into the Service: that data relates to physical assets, applications, and transactions and does not, in itself, identify you.
3. The personal data we collect
We collect and process the following categories of personal data:
- Account data. Your name, email address, country (optional, may be captured at checkout), password (stored only as a bcrypt hash, never in plain text), and authentication provider (email + password, or Google). If you sign in with Google we also receive your Google account identifier and, where you have set one, your profile picture URL.
- Subscription and billing data. The Stripe customer identifier we hold against your account, your subscription status, current tier, plan, and renewal date. We do not store, see, or process your full payment-card number or CVV; that data is collected and processed directly by our payment processor (Stripe).
- Service activity. Watchlist items you create (substation references, your alert preferences for those entries, notes you add), generated PDF reports (site coordinates, site name, score, grade, generation timestamp), email alert history (which alerts were sent to you and when), and your notification preferences.
- Communications. Your marketing-email opt-in choice, the content of any email you send to us, and metadata about transactional and marketing emails we send you (delivered, opened, clicked, bounced) as reported by our email provider.
- Technical and security data. IP address, browser type, device type, operating system, referrer URL, pages requested, response status, error logs, and the contents of authentication cookies. We use this data to operate, secure, and debug the Service, and to detect abuse.
- Password-reset tokens. When you request a password reset we generate a one-time token and store only its SHA-256 hash against your account, with a short expiry. The plain-text token exists only in the email link sent to you.
We do not knowingly collect special-category personal data (such as health, religion, biometric, or political-opinion data). Please do not include such data in messages or watchlist notes. We do not collect personal data from children: the Service is restricted to users aged 18 or over.
4. How we collect your personal data
- Directly from you, when you create an account, sign in, configure preferences, contact us, generate a report, create a watchlist item, or subscribe to a paid plan.
- Automatically, as you interact with the Service, through server logs and authentication cookies.
- From third-party services we use: Google (when you choose Google sign-in, Google provides your verified email, profile name, account identifier, and avatar URL), Stripe (when you subscribe, Stripe provides webhooks containing your customer identifier, subscription status, plan, period dates, and country for tax purposes), and Resend (which reports delivery and engagement metadata for emails we send you).
5. Why we use your personal data and our lawful bases
Under Article 6 GDPR we may only process personal data where we have a lawful basis. The bases we rely on are:
- Performance of a contract (Article 6(1)(b)). Creating and managing your account, authenticating you, providing the Service tier you have subscribed to, generating reports, sending watchlist alerts you have configured, processing subscription payments, sending transactional emails (welcome messages, password resets, billing receipts, alert digests, and service notices), and providing customer support.
- Legitimate interests (Article 6(1)(f)). Securing the Service against fraud and abuse, monitoring for unauthorised access, debugging and improving the Service, analysing aggregated usage trends, defending and enforcing our legal rights, and communicating with business contacts in the course of our operations. We have weighed these interests against your rights and freedoms and consider them proportionate; you may object as described in Section 9.
- Consent (Article 6(1)(a)). Sending you marketing emails about new features, market insights, and product updates, but only if you have ticked the marketing opt-in box at signup or elsewhere. You can withdraw consent at any time by clicking the unsubscribe link in any marketing email or by toggling marketing off in your notification settings; withdrawal does not affect the lawfulness of processing before withdrawal.
- Legal obligation (Article 6(1)(c)). Retaining records of subscription transactions for tax, accounting, and audit purposes, and complying with lawful requests from competent authorities.
6. Sub-processors and recipients
We do not sell your personal data. We share it only with the following categories of recipient and only to the extent necessary for the purposes set out above:
- Vercel Inc. (United States) hosts the Service and processes incoming requests. Production traffic is served from Vercel's Dublin (dub1) region.
- [Database hosting provider - to be confirmed at launch] hosts our managed PostgreSQL database in the European Union. We will update this Policy with the named provider before the Service is opened to paying customers.
- Stripe Payments Europe, Ltd. (Ireland) and its affiliates (United States) process subscription payments. Stripe acts as an independent controller for some of its processing (see Stripe's own Privacy Policy). We share your email, name, and country with Stripe at checkout; Stripe never shares full payment card details back to us.
- Resend Inc. (United States) sends transactional and (where you have opted in) marketing emails on our behalf. Resend processes your email address, the email content, and delivery metadata.
- PostHog Inc. (EU cloud, Frankfurt) provides product analytics so we can understand how visitors use the site and improve conversion and feature priority. Data does not leave the EU: requests are routed via the same-origin /ingest endpoint on bessmap.com, which proxies to eu.i.posthog.com. PostHog processes pageviews, click events, and session recordings (with email and password fields masked, plus any element we mark with data-ph-mask); if you have signed in and accepted analytics, your user ID, email, and subscription tier are also associated with the captured events. The lawful basis for this processing is your consent (Article 6(1)(a) GDPR): nothing is captured until you accept the consent banner, and you can withdraw consent at any time from Settings → Profile → Privacy and analytics. The PostHog Data Processing Addendum is published at posthog.com/dpa. Retention follows PostHog defaults (currently 1 year for events, 30 days for session recordings); we have not extended these.
- Google LLC (United States), only where you choose to sign in via Google. Google receives the fact that you are authenticating to BESS Map; we receive your verified email, account identifier, name, and avatar URL.
- Professional advisors (legal, accounting, audit) on a need-to-know basis where required for the operation of our business or to comply with legal obligations.
- Acquirers and successors in the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, in which case personal data may be transferred to the acquiring entity subject to equivalent confidentiality protections.
- Competent authorities where we are required to disclose by law, court order, regulatory request, or to enforce our Terms or protect rights, property, or safety.
Each sub-processor we engage is required by written contract to process personal data only on our instructions, to apply appropriate technical and organisational measures, and to assist us in meeting our GDPR obligations.
7. International transfers
Some of our sub-processors are based in the United States. Where we transfer personal data outside the European Economic Area we rely on appropriate safeguards under Articles 45 to 49 GDPR, which may include the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum (where relevant), the EU-US Data Privacy Framework certification of the recipient, and supplementary technical and organisational measures. You may request a copy of the relevant safeguards by emailing hello@bessmap.com.
8. Retention
We keep personal data for the periods set out below:
- Account, watchlist, alert history, and generated reports: for as long as your Account is active. When you delete your Account from Settings → Privacy, we irreversibly delete your user record and all linked rows (watchlist items, alert history, generated reports, subscription records, password-reset tokens) by database cascade. Any active paid subscription is set to cancel at the end of the current billing period; no refund is issued.
- Password-reset tokens: retained only until used or expired (a short window measured in hours), then deleted.
- Transactional email metadata held by Resend: retained according to Resend's own retention schedule, typically measured in months.
- Server access logs: retained for a short period (typically up to 30 days) for security and debugging.
- Tax, accounting, and billing records: retained for the periods required by Irish tax and company law (currently six years from the end of the accounting period).
- Backups: personal data may persist in encrypted backups for a limited period after deletion from the live database; data in backups is restored only in disaster-recovery scenarios and is overwritten on the backup rotation schedule.
- Legal hold: we may retain specific data for longer where necessary to defend or pursue legal claims, or to comply with a legal obligation, court order, or regulatory request.
9. Your rights
Subject to applicable law and to the conditions set out in the GDPR, you have the following rights in respect of your personal data:
- Access (Article 15): to obtain confirmation whether we process your data and a copy of it. You can also self-serve a JSON export at any time from Settings → Privacy → Download my data.
- Rectification (Article 16): to have inaccurate data corrected. Most fields are editable in your profile.
- Erasure (Article 17): to have your data deleted where the conditions for erasure are met. You can self-serve account deletion at any time from Settings → Privacy → Delete my account.
- Restriction (Article 18): to restrict processing in defined circumstances.
- Portability (Article 20): to receive your data in a structured, commonly used, machine-readable format. Our JSON export satisfies this right.
- Objection (Article 21): to object to processing based on legitimate interests, and to object at any time to direct-marketing processing (which you can do in one click via any marketing-email unsubscribe link).
- Withdrawal of consent: where processing is based on consent (such as marketing emails), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- Lodge a complaint: with your local supervisory authority. Our lead supervisory authority is the Irish Data Protection Commission (21 Fitzwilliam Square South, Dublin 2, D02 RD28; www.dataprotection.ie). You may also complain to the supervisory authority in the EEA member state of your habitual residence, place of work, or where the alleged infringement took place.
To exercise any of these rights, contact us at hello@bessmap.com. We will respond within one month, with the possibility of a two-month extension for complex requests, and will tell you within one month if we cannot satisfy a request and the reason. We may need to verify your identity before responding. We do not charge a fee unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.
10. United Kingdom users
If you access the Service from the United Kingdom, the UK General Data Protection Regulation and the Data Protection Act 2018 also apply. The rights and lawful bases described above apply equivalently. Your supervisory authority is the Information Commissioner's Office (ico.org.uk).
11. California users (CCPA / CPRA notice)
If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you the following rights, subject to its conditions:
- the right to know what personal information we have collected, used, disclosed, and sold or shared about you, and the categories of sources, purposes, and recipients;
- the right to request deletion of your personal information;
- the right to correct inaccurate personal information we hold about you;
- the right to opt out of any "sale" or "sharing" of your personal information for cross-context behavioural advertising;
- the right to limit the use and disclosure of any sensitive personal information;
- the right not to receive discriminatory treatment for exercising any of these rights.
We do not sell your personal information for monetary value, and we do not share it for cross-context behavioural advertising. The self-service tools described in Section 9 (data download and account deletion) cover the right-to-know, right-to-delete, and right-to-portability rights. For any other CCPA/CPRA request, contact us at hello@bessmap.com; we will verify your request and respond as required by law.
12. Cookies and similar technologies
We use a small number of strictly necessary cookies and similar storage to operate the Service:
- an authenticated session cookie ("bess_session") that holds a signed JWT identifying you to the Service after sign-in;
- a short-lived OAuth state cookie used to protect the Google sign-in flow against cross-site request forgery;
- local-storage entries we use to remember non-personal interface preferences (such as your light/dark theme choice);
- an analytics-consent cookie ("bess_consent") and a matching local-storage entry ("bess_consent_v1") that record whether you have accepted or declined product analytics. The cookie carries no personal data (only the literal string "accepted" or "declined") and is retained for one year so we do not re-prompt you on every visit.
When you accept analytics through the consent banner, PostHog (see Section 6) sets additional first-party cookies under our domain to maintain a consistent visitor identifier. We do not set advertising cookies and we do not share any data with third-party advertising networks.
13. Security
We apply technical and organisational measures appropriate to the risk, including TLS in transit, password hashing using bcrypt with per-account salts, parameterised database queries to prevent injection, signed and short-lived JWT session cookies, OAuth state token verification, principle-of-least-privilege access to production systems, and dependency monitoring. No service is perfectly secure; you are responsible for keeping your account credentials confidential and for using a unique, strong password.
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Irish Data Protection Commission within 72 hours where required by Article 33 GDPR, and notify affected users where required by Article 34.
14. Automated decision-making and profiling
The Service generates site viability scores and rankings using a deterministic algorithm. These outputs are statistical characterisations of geographic locations and Third-Party Data; they do not produce legal or similarly significant decisions about you personally and accordingly do not constitute solely automated decision-making within the meaning of Article 22 GDPR.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The current version is identified by an effective date and version identifier at the top of this page. We will give reasonable notice of material changes by email or in-Service notice. Continued use of the Service after the effective date of the updated Policy means you accept the updated Policy.
16. Contact
For any privacy question or to exercise any right described above, contact us at hello@bessmap.com. The data controller is Release Guard Labs Limited, registered in Ireland under company number 652820.