Legal · privacy notice

How we handle your data.

We collect as little information as we can, for as long as we need it, and no longer. This notice explains what we do, why, and the rights you can exercise under GDPR and India's DPDP Act.

Last updated
22 April 2026
/ draft — pending legal review /

This document describes Beanshoot’s current practice and is intended to be accurate. It has not yet been reviewed by counsel under GDPR (EU), the UK GDPR, or India’s DPDP Act, 2023. If you are relying on it for a procurement decision, please email hello@beanshoot.ai and we will share the reviewed version before contract.

Who we are

Beanshoot is a trading name of Beanshoot AI Technologies LLP, a limited liability partnership registered in India with its office in Chennai, India. For the purposes of the EU and UK General Data Protection Regulation and India’s Digital Personal Data Protection Act, 2023, we are the data controller for the personal data described in this notice.

You can reach us on any data-protection matter at hello@beanshoot.ai.

What we collect and why

Audit-request form

When you submit the form on our contact page we receive the name, work email, company, role (if you share it), the domain you selected, and the message you wrote. We also record the date, time, and the IP address the request came from.

We use this information for a single purpose: to reply to your enquiry, assess whether it is a fit, and, if it is, to schedule a 60-minute executive session. The legal basis is your consent (GDPR Art. 6(1)(a)) and our legitimate interest in responding to unsolicited business enquiries (GDPR Art. 6(1)(f)). Under the DPDP Act we rely on the consent you give on the form.

Email correspondence

If you email us directly, the content of that email — and any metadata your email client shares — sits in our mailbox and in our mail provider’s logs. We do not use the content for anything other than the thread it belongs to.

Analytics and cookies

We do not set any advertising or third-party tracking cookies. If we enable first-party, privacy-preserving analytics (e.g. Plausible) we will do so only after you accept the analytics option in our consent banner, and will describe exactly what is collected on the cookies page.

Where your data is stored

Form submissions are emailed to our hello@ mailbox through Resend, a transactional email provider. The mailbox itself is hosted in the European Union. The infrastructure that serves this site (Vercel / Cloudflare) processes request metadata — including IP addresses — at globally distributed edge nodes; that processing is governed by those providers’ data-processing agreements, which we have accepted on your behalf.

For transfers from the EU / UK to third countries, we rely on the Standard Contractual Clauses adopted by the European Commission and the UK International Data Transfer Addendum.

How long we keep it

  • Audit-request submissions that do not lead to an engagement: 24 months, then deleted.
  • Correspondence that leads to an engagement: retained for the duration of the engagement plus seven years, in line with Indian Companies Act record-keeping requirements.
  • Server logs containing IP addresses: 30 days on the edge, then aggregated.

Who we share it with

We do not sell your data. We do not share it with advertisers. We share it only with service providers who help us deliver this site and respond to you:

  • Resend — transactional email. Receives form payloads as part of the email body.
  • Vercel / Cloudflare — hosting and CDN. Processes request metadata to serve pages.
  • Our professional advisors (lawyers, accountants, auditors) when they have a clear need to see specific information.

We will also disclose personal data if required to do so by a law enforcement authority acting with proper jurisdiction and a valid order.

Your rights

Under GDPR, the UK GDPR, and the DPDP Act, you have the right to:

  • Ask for a copy of the personal data we hold about you.
  • Have inaccurate data corrected.
  • Ask us to delete your data (subject to legal retention rules).
  • Withdraw consent at any time, with no impact on processing that took place before the withdrawal.
  • Object to or restrict processing in certain circumstances.
  • Receive your data in a portable, machine-readable format.
  • Under the DPDP Act, nominate another person to exercise these rights on your behalf.

To exercise any of these rights, email hello@beanshoot.ai and we will respond within 30 days. You also have the right to complain to a supervisory authority — the relevant Data Protection Board of India, your local EU DPA, or the UK Information Commissioner’s Office.

Security

We use TLS for all traffic to this site, encrypt data at rest with our hosting providers, and limit access to personal data to the people who need it to do their work. Rate-limiting and honeypot fields on the contact form reduce spam and automated attacks. No system is perfectly secure; if a breach occurs that is likely to result in a risk to your rights we will notify you and the relevant authority within the statutory window.

Changes to this notice

We update this notice when our practices change. The “last updated” date at the top always reflects the most recent revision. Material changes will be announced on our site homepage for at least 30 days before taking effect.