Privacy Policy

Last updated: 2026-04-30

This Privacy Policy explains how MALUR — IT Consulting & Services Ltd ("we", "us", "MALUR") handles personal data when you visit www.beaconry.app or use the Beaconry WordPress plugin. We comply with the EU General Data Protection Regulation (GDPR) and UK GDPR.

1. Data Controller

MALUR — IT Consulting & Services Ltd
Limnaria 1, Westpark Village, Shop 20
8042 Paphos, Cyprus
Company Registration: HE 430277
VAT ID: CY10430277A
Email: info@beaconry.app

2. Data We Collect on This Website

We dogfood the privacy posture we sell. www.beaconry.app does not run any analytics, tracking pixel, or third-party advertising script. There are no cookies set on this site. Server access logs (IP address, user agent, timestamp, requested URL) are stored by our hosting provider for up to 14 days for security and capacity-planning purposes; they are not aggregated or used for profiling.

The only outbound JavaScript that runs is a tiny error-reporting beacon. It sends uncaught exceptions and unhandled promise rejections to our status dashboard so we can detect and fix bugs. The beacon does not send IP addresses, user agents or content — only the error stack and the page URL.

3. Data We Collect When You Buy a License

Checkout, payment processing, license issuance and tax/VAT collection are handled by Polar (Polar Software Inc., 2261 Market Street #4480, San Francisco, CA 94114, USA) acting as our Merchant of Record. When you purchase a license:

  • Polar collects your name, email, billing address, payment data, and (where required) tax ID.
  • Polar issues a license key and sends you an order confirmation by email.
  • Polar shares the email address, country, and license key with us so we can provide support and validate license activations.

For Polar's own privacy practices see polar.sh/legal/privacy. Polar's role is data processor; for the purposes of MoR-handled checkout, Polar is the merchant of record and independent controller of the payment transaction.

4. Data Processed by the Beaconry Plugin

The Beaconry plugin runs on your own WordPress installation. We do not receive any of the events your site sends — they go directly from your server to Google Analytics 4 and Meta. Specifically:

  • The plugin validates your license key against Polar's License Key API once on activation and once daily afterwards. The validation request includes your license key, your site URL, and your plugin version. No visitor data is included.
  • Optionally the plugin polls a JSON manifest at www.beaconry.app/downloads/beaconry.json to check for plugin updates. The polling request includes your plugin version and your site URL — no visitor data.
  • All event data (pageviews, form submissions, WooCommerce events) flows from your server directly to Google Analytics 4 (Measurement Protocol) and Meta (Conversions API). MALUR has no access to that data.

5. Google API Services (Beaconry Plugin only)

If you connect your Google Ads account through the Beaconry plugin, the plugin uses Google's Ads API to upload click conversions to your own account. The disclosure below applies only to that integration; it does not apply to visitors of www.beaconry.app.

What data is processed via the Google API

  • Conversion data sent to Google's uploadClickConversions endpoint: gclid, conversion action ID, conversion value, currency, transaction ID, plus optionally hashed PII (email, phone, first name, last name as SHA-256 per Google's spec; postal code unhashed per Google's spec).
  • OAuth tokens: the access_token and refresh_token issued by Google are stored in the Beaconry OAuth broker (a Cloudflare Worker on oauth.beaconry.app) inside an EU-region KV store. Your WordPress site only ever sees an HMAC-signed site-bearer JWT — never the real Google tokens.

Purpose limitation

  • Used exclusively for: uploading your customer's click conversions to their own Google Ads account through uploadClickConversions.
  • Never used for: reading campaigns, viewing ad spend, querying keyword performance, creating Customer Match lists, or accessing any other Google Ads API resource.

Retention

  • Refresh tokens: kept until you click "Disconnect" or until Google revokes the token.
  • Aggregate conversion counters (anonymous, non-personal): 35 daily buckets retained for quota monitoring.

Sharing

  • Conversion data is forwarded only to the Google Ads API. There are no other recipients.
  • MALUR (the data controller) does not inspect conversion contents — the worker proxy is stateless and the KV store holds only OAuth tokens and counters.

Account deletion

  • You can disconnect at any time from the WordPress plugin via "Disconnect from Google Ads". The Beaconry worker then revokes the refresh_token at Google and deletes the KV entry.
  • Alternatively, revoke the Beaconry connection directly at myaccount.google.com/permissions.

Limited Use Disclosure

Beaconry's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. The data we receive is used only to upload click conversions to your own Google Ads account on your behalf — never for advertising, never for human reading except as required for security or to comply with applicable law, never sold or transferred to third parties for AI/ML training, and never used to develop, improve, or train generalised/non-personalised AI/ML models.

  • Art. 6(1)(b) — Contract: processing your purchase, issuing and validating your license key.
  • Art. 6(1)(f) — Legitimate Interest: security log retention, error beacon, update-manifest polling. Our interest is keeping the service stable and secure; we balance this against your interests by minimising the data collected and keeping retention short.
  • Art. 6(1)(c) — Legal Obligation: tax record retention as required by Cypriot and EU tax law (10 years for invoices).

7. Sub-processors and Third-Party Services

  • Polar Software Inc. (USA) — checkout, payments, MoR, license issuance. Standard Contractual Clauses in place.
  • Cloudflare, Inc. (USA) — DNS, edge caching, TLS termination for www.beaconry.app. SCCs in place.
  • MXroute (USA) — transactional email (support, license-related notifications).
  • GitHub, Inc. (USA) — code repository hosting; not a data processor for visitor data.
  • DigitalOcean (USA / EU) — server hosting in Frankfurt, Germany.

8. Data Retention

  • Server access logs: 14 days.
  • Error-beacon entries: 14 days.
  • License records (email, license key, purchase metadata): retained for the lifetime of the license plus 10 years after for tax compliance.
  • Support emails: 3 years after the last interaction.

9. Your Rights (GDPR Art. 15-22)

You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent at any time. To exercise any of these rights, email info@beaconry.app. We respond within 30 days. You also have the right to lodge a complaint with the Cypriot Data Protection Commissioner (dataprotection.gov.cy) or any supervisory authority in your country of residence.

10. International Transfers

Some sub-processors are based outside the EU/EEA (US, UK). We rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework for these transfers.

11. Children's Privacy

Beaconry is a B2B developer tool. We do not knowingly collect personal data from anyone under 16. If you are under 16, do not submit personal data to us.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The version date at the top of this page reflects the most recent revision. Material changes will be communicated to active license holders by email.

13. Contact

For privacy-related questions, please email info@beaconry.app.