Privacy Policy

We’re committed to protecting your privacy and ensuring transparency about how we collect, use, and safeguard your personal information on our website.

Website beady.ai

Effective Date: May 1, 2026    |    Last Updated: May 1, 2026

This Privacy Policy explains how We Good Solutions Limited, a legal entity incorporated in Hong Kong, with registered address at Unit 1603, 16th Floor, The L. Plaza, 367–375 Queen’s Road Central, Sheung Wan, Hong Kong, collects, uses, discloses, transfers, stores and otherwise processes personal data in connection with the use of the beady.ai website, including web pages, contact forms, newsletters, information materials, and related services, or other interactions with us.

beady.ai is a website that provides information about our risk analytics services and solutions. We offer business intelligence services to help companies identify and manage various risks.

Please read this Policy carefully. By accessing the Website or Services, you acknowledge that you have read and understood this Policy.

1. CONTROLLER AND CONTACT INFORMATION

For the purposes of the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the Hong Kong Personal Data (Privacy) Ordinance (PDPO), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws, the controller of the personal data described in this Policy is:

We Good Solutions Limited

Registered address: Unit 1603, 16th Floor, The L. Plaza, 367–375 Queen’s Road Central, Sheung Wan, Hong Kong.

Privacy email: legal@beady.ai

Data subject requests: legal@beady.ai

2. SCOPE AND APPLICATION

This Policy applies to: the Website and any subdomains operated by us; beady.ai dashboards, web application, mobile and desktop applications, APIs, newsletters (including those delivered by email or through messengers such as Telegram, WhatsApp, Viber, Discord, etc.), exported reports and any other components of the Services; communications between us and any User or potential client; and personal data of Data Subjects of Interest collected from open sources.

3. KEY DEFINITIONS

Personal data means any information relating to an identified or identifiable natural person within the meaning of the GDPR, UK GDPR, PDPO and other applicable laws.

Processing means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment or combination, restriction, deletion or destruction.

Open source means any source of information freely available to the general public without circumventing any technical or contractual access restrictions, including news websites, public social media posts, government and corporate registries, court and arbitration databases, sanctions and watchlists, regulator websites and other open online resources.

Client means a legal entity that has entered into a subscription agreement or other agreement with us for access to the Services.

End User means an individual authorized by a Client to access and use the Services on its behalf.

Observation means a structured signal, alert, data point or analytical record generated by the Services in connection with an observed company or individual.

4. CATEGORIES OF PERSONAL DATA WE PROCESS

4.1 Personal Data of Users (potential clients, client contact persons and end users)

We collect and process the following categories of personal data about Users:

• Identification and contact data: first and last name, corporate email address.

• Account data: username, multi-factor authentication identifiers, role and access permissions, organizational affiliation, settings and preferences, alert configuration, watchlists configured by the User.

• Communications data: content of emails, support requests and similar interactions with us.

• Technical and usage data: IP address, device identifiers, browser type and version, operating system, language, referrer, pages and screens viewed, features used, queries to conversational AI agent, timestamps, session and log data, crash and diagnostic data, cookies and similar identifiers (see Section 9).

4.2 Personal Data of Data Subjects of Interest (collected from open sources for monitoring purposes)

To provide the Services, we collect, organize, enrich, analyze and provide to the relevant Client information about Data Subjects of Interest from open sources. Such information may include:

• Identification data: name, alternative names, transliterations, date and place of birth (when publicly disclosed), nationality, country of residence, public profile photos, identifiers used in public registries and public reporting.

• Professional and corporate data: current and previous employers, positions, director positions, ownership stakes, business connections, professional licenses, registrations in public registries, publicly disclosed resumes and CVs.

• Public behavior and statements: publicly available posts and content on social media and developer platforms, public comments, blog posts, press statements, participation in hackathons, grant applications and similar publicly observable professional activity.

• Reputation and risk data: negative mentions in news (adverse media), mentions of investigations, regulatory actions, fines, sanctions, judicial and arbitration proceedings, bankruptcy, liquidation or cessation events, publicly available reviews and ratings, sentiment indicators, allegations made in public, fraud and impersonation indicators.

• Special categories of data (only when strictly necessary): if an open source discloses information relating to Article 9 GDPR, we process such data on a limited basis, only to the extent that it is manifestly made public by the data subject, or strictly necessary for the substantial public interest of preventing fraud, money laundering, terrorist financing, sanctions evasion or other unlawful activity.

5. SOURCES OF PERSONAL DATA

We obtain personal data from the following sources: directly from you when contacting sales or support, configuring monitoring in the Services or other communications with us; from our Clients when a Client uploads, transmits, configures or otherwise provides personal data for monitoring through the Services; from open sources such as news resources, search engines, public social media platforms, public corporate, judicial, regulatory and sanctions databases, government and intergovernmental registries, public blacklists and other freely accessible online resources.

6. PURPOSES OF PROCESSING AND LEGAL BASES

6.1 Provision and operation of Services

We process personal data of Users to create and administer accounts, authenticate Users, provide access to Services, display dashboards, newsletters, reports, configure and conduct monitoring of companies and individuals selected by the Client, generate Observations and risk signals, ensure collaborative functions and otherwise perform our contract with the Client. Legal basis: contract performance (Article 6(1)(b) GDPR) or, if the User is not a contracting party, our legitimate interests (Article 6(1)(f) GDPR).

6.2 Account security, fraud prevention and platform integrity

We process technical data, usage data and account data to monitor and protect the Services from abuse, including unauthorized access, scraping, mass extraction, denial of service, credential stuffing, account takeover, infringement of our intellectual property rights and other malicious actions. Legal basis: legitimate interests in protecting our Services, our clients and third parties (Article 6(1)(f) GDPR), as well as compliance with legal obligations (Article 6(1)(c) GDPR).

6.3 Communications, customer support and administrative functions

We process contact data and communications data to respond to inquiries, provide customer support, send service notifications, manage billing and contracts, maintain accounting and tax records, and manage day-to-day operations. Legal basis: contract performance, legitimate interests and compliance with legal obligations.

6.4 Processing of Data Subjects of Interest data for risk analytics

We process personal data of Data Subjects of Interest collected from open sources for: (i) creating and maintaining subject profiles and historical archives of observations; (ii) conducting continuous automated monitoring; (iii) identifying, deduplicating, classifying, summarizing and assessing the relevance, sentiment and risk of public mentions; (iv) matching observations to the correct subject using our proprietary matching algorithms; (v) providing the relevant Client with risk signals, alerts, dashboards and reports; and (vi) improving, training and evaluating analytical models used in the Services, using aggregated or anonymized data where possible. Legal basis: our legitimate interests and interests of our Clients in conducting risk screening, anti-fraud, anti-money laundering, anti-sanctions evasion, brand protection and counterparty due diligence (Article 6(1)(f) GDPR), as well as compliance with legal obligations to which we or our Clients are subject (Article 6(1)(c) GDPR).

7. AUTOMATED PROCESSING AND PROFILING

The Services substantially rely on automated processing, including the use of artificial intelligence and machine learning models, to filter, deduplicate, classify, assess and summarize data from open sources, match observations to subjects and assess sentiment, relevance and risk indicators. These automated results are intended to support, not replace, decision-making by our Clients. The Services do not render legally binding decisions or decisions of comparable significance regarding Data Subjects of Interest. Clients are contractually obligated to conduct human review of Observations and risk signals before making any decision that may affect a Data Subject of Interest.

8. DISCLOSURE AND TRANSFER OF PERSONAL DATA

We may disclose personal data to the following categories of recipients:

• Clients and authorized end users: Publicly available personal data about Data Subjects of Interest is disclosed to the Client who configured the relevant monitoring and its authorized end users, in the form of dashboards, alerts, exports, reports and API outputs.

• Government authorities and regulators: when we are required to do so under applicable law, court order or other lawful process, or when we believe in good faith that disclosure is necessary to protect our rights, the security of the Services or the rights of others.

We do not sell personal data within the meaning of CCPA/CPRA and do not transfer personal data for cross-context behavioral advertising purposes.

9. COOKIES AND SIMILAR TECHNOLOGIES

The Services use cookies, local storage, pixel tags and similar technologies for functionality, security and improvement of our offering. We use strictly necessary cookies that are required for the operation of the Services (e.g., for authentication, session management and security). Where required by applicable law, we will request your consent before placing optional cookies through our cookie banner. You can manage your preferences at any time through browser settings or, where available, through our cookie management center.

10. INTERNATIONAL TRANSFER OF PERSONAL DATA

Our headquarters is located in Hong Kong, and we operate globally. Personal data may be processed and stored in countries outside the European Economic Area (EEA), the United Kingdom, Hong Kong or your country of residence, including in jurisdictions whose data protection laws may differ from those of your country. When transferring personal data from the EEA, UK or Switzerland to third countries for which the relevant authorities have not adopted adequacy decisions, we rely on appropriate safeguards, including European Commission Standard Contractual Clauses (SCC), UK International Data Transfer Agreement or UK Addendum to SCC, and where necessary additional measures (such as encryption in transit and at rest, access controls and contractual obligations) to ensure a substantially equivalent level of protection.

11. RETENTION PERIODS

We store personal data for as long as necessary to achieve the purposes for which it was collected and to comply with our legal, regulatory, accounting and reporting obligations, after which we delete or anonymize it.

11.1 Users

Personal data of Users is stored for the duration of the contract between us and the relevant Client, as well as for an additional period after its termination, as required by applicable law (particularly limitation periods and accounting rules) or to ensure enforcement or protection against legal claims.

11.2 Data Subjects of Interest

In accordance with the operational design of the Services, we apply the following principles for storing information about Data Subjects of Interest collected from open sources:

• Operational window: the full stream of public observations (including negative, neutral and positive elements) is stored while the monitoring subject is under User observation, to ensure visibility of recent activity.

• Curated historical archive: individual historical records that previously required attention, including risk-relevant Observations, may be stored for up to 24 months from the date of collection for contextual and trend analysis.

• Basic profile during onboarding: during initial profiling of a subject, we may collect curated historical Observations for a period of up to twelve (12) preceding years, which are then stored based on the above rules.

• Client-specific retention: if a Client requests a longer or shorter retention period in the Services, our storage will follow such configuration to the extent permitted by applicable law.

12. SECURITY

We implement and maintain appropriate technical and organizational measures to protect personal data from unauthorized or unlawful processing and from accidental loss, destruction, damage, alteration or disclosure. Depending on the level of risk, these measures include: data encryption in transit (HTTPS and TLS) and at rest where appropriate; strict access controls, role model, multi-factor authentication and the principle of least privilege for our personnel; network segmentation, logging, monitoring and intrusion detection tools; vulnerability management and regular testing of our infrastructure; vendor screening and contractual security obligations with service providers; personnel measures, including confidentiality obligations and security training; and business continuity and disaster recovery. No security measure is perfect or impenetrable. While we strive to protect personal data, we cannot guarantee the security of any information transmitted to us or stored by us, and any such transmission is at your own risk.

13. DATA SUBJECT RIGHTS

In accordance with applicable data protection legislation, data subjects have the following rights. We ensure their implementation taking into account the specifics of open source data processing (OSINT) activities and limitations expressly permitted by applicable legislation:

Right of access. Data subjects have the right to obtain confirmation whether their personal data is being processed, information about categories of data processed, purposes and legal bases for processing, retention periods, categories of recipients and sources of data. We reserve the right to limit the scope of information provided where disclosure may: violate the rights and legitimate interests of third parties, including our clients and other data subjects; disclose confidential processing methodologies, information sources or other information constituting trade secrets; hinder the prevention, detection, investigation or prosecution of offenses; violate our confidentiality obligations to clients or other third parties; affect national security, public safety or other legally protected interests.

Right to rectification. Data subjects have the right to request correction of inaccurate personal data and, taking into account the purposes of processing, completion of incomplete data. When processing data from public sources, we may retain the original data with a note of the data subject’s objection if such data accurately reflects the content of the primary source and correction is required with respect to the primary source itself.

Right to erasure. Data subjects have the right to request deletion of their personal data in circumstances provided by applicable law. This right is not absolute and does not apply (in whole or in part) in cases where processing is necessary: for the exercise of the right to freedom of expression and information; for compliance with our legal obligations; for purposes representing the public interest, including combating fraud, money laundering, terrorism financing, conducting compliance checks and due diligence; for the establishment, exercise or defense of legal claims; for archival, research or statistical purposes.

Right to restriction of processing. Data subjects have the right to request restriction of processing in cases expressly provided by applicable law, including during the period of verification of the accuracy of disputed data or the lawfulness of processing, as well as when an objection to processing is declared – for the period of our assessment of the validity of such objection.

Right to object. Data subjects have the right to object to processing carried out on the basis of our legitimate interests or the interests of third parties. We cease processing unless we prove the existence of compelling legitimate grounds for its continuation, prevailing over the interests, rights and freedoms of the data subject, or if processing is necessary for the establishment, exercise or defense of legal claims. Data subjects have the right to unconditionally object to processing for direct marketing purposes at any time.

Right to data portability. Data subjects have the right to obtain personal data provided by them to our company in a structured, commonly used machine-readable format provided that processing is based on consent or contract and is carried out by automated means. The right to portability does not extend to data obtained by us from public sources or from third parties, as well as to derivative data, analytical conclusions and other processing results created by us.

Right to withdraw consent. If processing is based on the data subject’s consent, it may be withdrawn at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal and does not prevent processing carried out by us on other legal grounds.

Right to lodge a complaint. Data subjects have the right to lodge a complaint with the competent supervisory authority — in particular, with the supervisory authority of an EU member state at their usual place of residence, place of work or place of alleged infringement, with the UK Information Commissioner’s Office (ICO), with the Hong Kong Privacy Commissioner for Personal Data (PCPD), and in other cases — with the relevant competent data protection authority in the data subject’s jurisdiction.

13.1 Additional rights for California residents

If you are a California resident, you may additionally have the following rights under CCPA/CPRA, subject to certain limitations: the right to know what personal information we collect, use, disclose or share; the right to request deletion or correction; the right to limit the use of sensitive personal information; the right to opt out of any sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising purposes); and the right not to be discriminated against for exercising privacy rights.

13.2 How to exercise your rights

To exercise your rights, send us a written request at dsr@beady.ai. We may need to verify your identity before responding, particularly by requesting additional information that allows us to confirm that the request comes from the relevant data subject. We will respond within the timeframes provided by applicable law. If we cannot satisfy the request, we will explain the reasons in our response.

13.3 Requests from Data Subjects of Interest

If the request relates to personal data that we process on behalf of and at the instruction of our clients as processor – for example, when a client has uploaded personal data of their employees, counterparties or other persons for verification or monitoring – we act as follows:

• Request redirection: We immediately (no later than 72 hours from receipt) redirect your request to the relevant client acting as data controller, as they bear primary responsibility for compliance with your rights as a data subject.

• Assistance in preparing a response: At the request of the client-controller, we provide technical and organizational assistance in preparing a response to your request within our technical capabilities and in accordance with the data processing agreement concluded with such client.

• Direct response in exceptional cases: We may respond to your request directly without redirecting to the client in cases where: the client has ceased using our services and is no longer available; the client does not respond to the redirected request within a reasonable time; the request concerns a data security breach on our part; or when such direct response is directly prescribed to us by the competent supervisory authority.

14. CHILDREN’S DATA

The Services are intended exclusively for use by business clients and authorized professionals. The Services are not directed at children and are not intended for use by children. We do not knowingly collect personal data directly from children. If we become aware that we have collected personal data from a child without an appropriate legal basis, we will take steps to delete such data.

15. CHANGES TO THIS POLICY

We may periodically update this Policy to reflect changes in our practices, Services, applicable law or for other operational, legal or regulatory reasons. The “Last Updated” date at the top of this Policy indicates when it was last revised. If the changes are material, we will provide additional notice (such as by email to Client account administrators or notification on the Website or in the Services). Your continued use of the Services after the effective date of the updated Policy constitutes your acceptance of the updated Policy.

16. CONTACT INFORMATION

If you have any questions, comments or concerns about this Policy or our processing of personal data, please contact us:

We Good Solutions Limited

Registered address: Unit 1603, 16th Floor, The L. Plaza, 367–375 Queen’s Road Central, Sheung Wan, Hong Kong.

Email: legal@beady.ai

Data subject requests: legal@beady.ai