Privacy Policy

Information you provide directly:

• Account registration: name, email address, phone number, password
• Seeker profile: zip code, insurance status, service preferences, care needs
• Provider profile: professional credentials, NPI number, license numbers, services offered, availability, biography, and photo
• Organization profile: business name, address, contact details, NPI (Type 2), and Nevada business license
• Messages sent through the Platform messaging system
• Care plan goals and notes (seeker accounts)
• Payment information submitted during subscription checkout (processed by Stripe — we do not store full card numbers)

Information collected automatically:

• Usage data: pages visited, features used, search terms entered, provider profiles viewed
• Device and browser information: browser type, operating system, screen resolution, IP address
• General location: inferred from IP address or provided zip code — we do not collect GPS-level location without your explicit consent
• Session and authentication data managed by Supabase

• Match seekers with appropriate providers based on service needs, location, and availability
• Facilitate messaging and communication between seekers and providers
• Verify provider credentials against public databases including NPPES and OIG LEIE
• Display provider and organization listings in the public directory
• Send service-related notifications via email and SMS (with your consent)
• Process subscription payments and manage billing
• Improve search relevance, matching quality, and platform features
• Detect and prevent fraud, abuse, and policy violations
• Apply content moderation to messages including crisis detection and PHI screening
• Comply with legal obligations

GuidingLight™ uses AI and automated processing in the following ways:

• Directory assistant: An AI chat assistant helps you navigate provider search. Your messages to the assistant are sent to a third-party large language model (LLM) provider for processing. Do not share personally identifying information or PHI with the AI assistant.
• Content moderation: Outbound messages are screened by an automated system using keyword matching and LLM-based classification to detect crisis language, prohibited content, and potential PHI. Flagged messages are blocked before delivery.
• Care planning: Care plan note generation features send relevant care context to a third-party LLM for processing. No raw user data is used to train third-party models under our agreements.

We use Vercel AI Gateway to route AI requests. Model providers may include Anthropic and OpenAI. We do not permit these providers to use your data to train their models.

We do not sell your personal information.

We may share your information in the following limited circumstances:

• With providers you contact: When you message or express interest in a provider, that provider can see your first name, general location, and service needs as configured in your profile
• With other users via public directory: Provider profiles — including name, credentials, services, and photo — are publicly visible to all Platform users and visitors
• Service providers: We use Supabase (database and authentication), Stripe (payments), Twilio (SMS), Vercel (hosting and AI gateway), and Google AdSense (advertising). These providers access only the data necessary for their services and are contractually bound to protect it
• Legal requirements: We may disclose information when required by law, court order, or to protect the rights, property, or safety of users or the public — including potential disclosure to emergency services when we detect imminent risk of harm
• Business transfers: In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of that transaction

We retain your data for the following periods:

• Active accounts: Retained for as long as your account remains active
• Deleted accounts: Account data is deleted within 30 days of account deletion. Anonymized aggregate usage data may be retained indefinitely
• Messages: Retained for 2 years from the date sent, then automatically deleted
• Care plan notes: Retained for 3 years or until account deletion, whichever comes first
• Provider credentials: Retained for the duration of the provider account plus 1 year after closure, for compliance purposes
• Payment records: Retained for 7 years per standard accounting and tax requirements

The Beacon is not a HIPAA-covered entity and does not act as a business associate under HIPAA. The Platform is a technology service that facilitates connections and is not a healthcare provider, health plan, or healthcare clearinghouse.

While we implement strong security practices, the Platform is not a HIPAA-compliant environment. Do not use Platform features — including messaging, profile fields, or care plan notes — to transmit or store Protected Health Information (PHI).

Under Nevada SB 220 and other applicable Nevada privacy laws, Nevada residents have the following rights:

• Right to know: You may request a copy of the personal information we have collected about you
• Right to correct: You may request correction of inaccurate personal information
• Right to delete: You may request deletion of your personal information, subject to legal retention requirements
• Right to opt out of sale: We do not sell personal information. If this changes, we will provide an opt-out mechanism
• Right to data portability: You may export your profile data from your account settings
• Non-discrimination: We will not discriminate against you for exercising any of these rights

To exercise any of these rights, email privacy@thebeacon.help. We will respond within 45 days as required by Nevada law.

We implement the following security measures to protect your information:

• All data is encrypted in transit via TLS 1.2 or higher
• Data at rest is encrypted by our database provider (Supabase / PostgreSQL)
• Row-level security (RLS) policies restrict database access so users can only access their own data
• Authentication is managed by Supabase Auth with industry-standard session handling
• Admin access is role-restricted and logged
• API endpoints are authenticated and rate-limited

Despite these measures, no internet transmission or storage method is 100% secure. In the event of a data breach that affects your rights or freedoms, we will notify affected users as required by applicable law.

We use session cookies required for authentication and platform functionality. We also use Google AdSense, which may set advertising cookies. You can control cookie settings through your browser settings. Disabling cookies may affect Platform functionality.

GuidingLight™ is not directed to individuals under 18. We do not knowingly collect personal information from minors. If you believe we have collected information from a minor, please contact us at privacy@thebeacon.help and we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice on the Platform at least 14 days before the change takes effect. Continued use after that date constitutes acceptance.

For privacy-related questions, requests, or to report a concern, contact our Privacy team at: privacy@thebeacon.help

The Beacon — Fernley, Nevada, USA