Privacy Policy

Effective Date: 11 February 2025

This Privacy Policy explains how BookBeam ("we", "us", "our"), accessible at bookbeam.app, collects, uses, and protects your personal data. It applies to all users of the service, including authors (account holders) and readers (people who download books).

1. Data We Collect

From Authors (Account Holders)

Data | Purpose
Name and email address | Account creation, login, and communication
Password | Authentication (stored as a bcrypt hash, never in plain text)
Two-factor authentication secrets | Stored encrypted if you enable 2FA
Team name | Team workspace management
IP address and user agent | Session management, rate limiting, and security
Book files (EPUB, MOBI, PDF) | Distribution to your readers
Cover images | Display on download pages
Book metadata (title, description) | Display on download pages
Newsletter webhook URL | Sending reader data to your chosen newsletter service

We do not store your credit card details. Payment information is collected and processed directly by LemonSqueezy (see Section 5).

From Readers

Data | Purpose
Email address | Magic link authentication to access downloads
IP address and user agent | Session management and rate limiting
Download activity | Tracking which files were downloaded and when

Readers do not create accounts. Access is granted via temporary signed email links that expire after 24 hours.

Automatically Collected Data

  • Session data: Stored in our database, including IP address, user agent, and last activity timestamp. Sessions expire after 120 minutes of inactivity.
  • Signup link view counts: We count page views on download pages (aggregate only, not tied to individual visitors).
  • Download counts: We track the number of times each file is downloaded.

Data We Do Not Collect

We do not use cookies for advertising or tracking. We do not embed third-party analytics (no Google Analytics, no tracking pixels). We do not collect demographic data, location data, or device fingerprints beyond what is stored in the session.

2. How We Use Your Data

We use personal data only to operate and improve the service:

  • Authenticate you and maintain your session
  • Process payments via LemonSqueezy
  • Store and deliver your book files to readers
  • Send transactional emails: password resets, magic download links, and team invitations
  • Fire webhooks to newsletter URLs you configure, containing reader email, book title, author name, and signup timestamp
  • Enforce rate limits and prevent abuse
  • Generate download and signup statistics visible in your dashboard

We do not use your data for advertising, profiling, or automated decision-making.

3. Cookies

BookBeam uses a single essential session cookie (bookbeam-session) to maintain your login state and protect against cross-site request forgery (CSRF). This cookie:

  • Is HttpOnly (not accessible to JavaScript)
  • Uses the SameSite "lax" attribute
  • Expires when your session ends or after 120 minutes of inactivity

We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.

4. Data Sharing Between Authors and Readers

When a reader provides their email address to download a book, that email address is shared with the author (team) who created the book project. Authors can:

  • View reader email addresses in their dashboard
  • Export reader data as CSV
  • Send reader data to third-party newsletter services via configured webhooks

Authors are the data controllers for reader email addresses they collect. BookBeam acts as a data processor. Authors are responsible for complying with applicable privacy laws when using reader data.

5. Third-Party Services

We share data with the following third-party services to operate BookBeam:

LemonSqueezy (Payment Processor)

  • Data shared: Your email address and payment information (entered directly on their checkout page)
  • Purpose: Processing payments, managing subscriptions, issuing receipts
  • Data stored by BookBeam from LemonSqueezy: Order details (amounts, currency, status), subscription status, last four digits of card number and card brand
  • Their privacy policy: lemonsqueezy.com/privacy

Amazon Web Services (File Storage)

  • Data shared: Book files and cover images you upload
  • Purpose: Secure cloud storage and content delivery
  • Access: Book files are stored privately and served via temporary signed URLs that expire after 60 minutes. Cover images may be served via CloudFront CDN.

Email Service Provider

  • Data shared: Recipient email address, email subject and body
  • Purpose: Delivering transactional emails (password resets, magic links, team invitations)
  • Note: The specific provider depends on our operational configuration (e.g. SMTP, Amazon SES, Postmark, or Resend)

Bunny Fonts

  • Data shared: Standard HTTP request headers
  • Purpose: Serving web fonts. Bunny Fonts is a privacy-focused alternative to Google Fonts and does not track users.

Author-Configured Webhook Services

  • Data shared: Reader email address, book title, author/team name, signup link URL, and timestamp
  • Purpose: Newsletter and email list integration as configured by the author
  • Note: BookBeam validates webhook URLs to prevent requests to private/internal networks, but the author is responsible for the privacy practices of the receiving service

6. Data Retention

Data | Retention
User accounts | Until you delete your account
Book files and metadata | Until deleted by you or upon team deletion
Reader email addresses | Retained indefinitely (not deleted when an author deletes their account)
Download records | Deleted when the associated signup link or book project is deleted
Signup events and webhook logs | Deleted when the associated signup link is deleted
Payment and subscription data | Retained for legal and accounting purposes, even after account deletion
Sessions | Expired sessions are periodically purged
Password reset tokens | Expire after use or after the configured timeout

7. Account Deletion

You can delete your account at any time from your profile settings. When you delete your account:

  • Your user profile, password, and authentication data are permanently deleted
  • All teams you own are deleted, along with their book projects, files, signup links, and download records
  • Your membership in teams owned by others is removed
  • Your API tokens are revoked and deleted
  • Your profile photo (if any) is deleted from storage

What is not deleted: Reader records (email addresses) collected through your signup links are retained, as readers may have relationships with other authors on the platform. LemonSqueezy retains its own records of your payment history independently.

8. Data Security

We implement the following measures to protect your data:

  • Passwords are hashed using bcrypt (12 rounds)
  • Two-factor secrets and recovery codes are encrypted at rest
  • Book files are stored with private visibility and served via time-limited signed URLs
  • Magic links are cryptographically signed and expire after 24 hours
  • File download URLs are cryptographically signed and expire after 60 minutes
  • CSRF protection is enabled on all forms
  • Rate limiting is applied to login, download, and magic link endpoints
  • Session cookies are HttpOnly and use the SameSite attribute
  • Webhook URLs are validated to prevent server-side request forgery

No system is perfectly secure. We cannot guarantee the absolute security of your data.

9. Your Rights Under GDPR

If you are in the European Economic Area (EEA) or United Kingdom, you have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data (subject to the retention terms above)
  • Restriction: Request that we limit processing of your data
  • Portability: Request your data in a structured, machine-readable format (authors can export reader data as CSV)
  • Objection: Object to processing of your data
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise these rights, contact us at hello@bookbeam.app. We will respond within 30 days.

For readers: If you wish to exercise your rights regarding email data held by a specific author, you should contact the author directly, as they are the data controller. If you wish to have your email address removed from BookBeam's systems entirely, contact us at the address above.

10. International Data Transfers

BookBeam is hosted on infrastructure that may be located outside your country of residence. Book files are stored on Amazon Web Services. Payments are processed by LemonSqueezy. By using the service, you consent to the transfer of your data to these jurisdictions. We ensure that appropriate safeguards are in place for any international transfers.

11. Children's Privacy

BookBeam is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the service. The "Effective Date" at the top of this page indicates when the policy was last revised.

13. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at hello@bookbeam.app.