ContractBeam

Last updated: May 31, 2026

Privacy Policy

This Privacy Policy explains what information ContractBeam collects, why we collect it, and the choices you have. We've tried to write it in plain language so you don't need a lawyer to understand it.

Who we are

ContractBeam is a service operated by NexarionFlux AI LLC ("we," "us"). It helps you discover U.S. federal contracting and grant opportunities. You can reach us at any time at frank.yang@nexarionflux.ai.

ContractBeam works without an account. You don't sign up, you don't give us your name, and you don't give us a password. Because of that, almost everything below is tied to an anonymous visitor identifier stored in a cookie rather than to a real-world identity.

What personal data we collect and why

Here is the complete list of what we collect, why we collect it, and the GDPR legal basis for each item. We don't collect anything beyond this.

Anonymous visitor ID

We generate a random identifier (a UUID) and store it in a cookie named tv. The same value is used as the visitor_id key on the events, saves, and profile records described below.

  • Why: It acts as a pseudonymous ID so we can personalize what you see and run analytics, all without making you log in.
  • Legal basis: Because this cookie is used for personalization and analytics (and is not strictly necessary to deliver the page you requested), where consent is legally required we rely on your consent (Art. 6(1)(a)) to store and read it; we also rely on our legitimate interests (Art. 6(1)(f)) in operating and improving ContractBeam for the related processing.
  • Retention: Held indefinitely; the cookie itself lasts 2 years.

Behavior events

We record events that describe how you use the site: searches, impressions (an opportunity being shown to you), views, saves, unsaves, dismissals, bid clicks, filter changes, and profile actions. Each event may include a truncated copy of your search query and related metadata, along with denormalized facets such as NAICS code, agency, set-aside, state, source, and opportunity type.

  • Why: To learn from usage so we can improve ranking, generate recommendations, and understand how people move through the site (funnel analytics).
  • Legal basis: Legitimate interests (Art. 6(1)(f)), and, where required for the non-essential cookie that underpins this tracking, your consent (Art. 6(1)(a)).
  • Retention: Held indefinitely.

Saved opportunities

When you bookmark an opportunity, we store the opportunity IDs you saved, keyed to your visitor ID.

  • Why: To keep your bookmarks available and to help shape what we rank for you.
  • Legal basis: Legitimate interests (Art. 6(1)(f)).
  • Retention: Held indefinitely until you unsave the opportunity.

Self-declared business profile

If you choose to fill out the optional profile form, we store the NAICS codes, set-asides, states, and keywords you tell us about your business.

  • Why: This is our strongest signal for personalizing the opportunities we surface for you.
  • Legal basis: Consent (Art. 6(1)(a)) — the form is entirely voluntary.
  • Retention: Held indefinitely, and overwritten whenever you update it.

Client IP address

When you send events or saves, we read your IP address from the request (the x-forwarded-for header, falling back to x-real-ip).

  • Why: We use it only as a key for rate-limiting, which protects the service from abuse.
  • Legal basis: Legitimate interests (Art. 6(1)(f)) — security.
  • Retention: Used in memory at the moment of the request and never stored.

What we do NOT collect

To be clear about the boundaries, we do not collect any of the following:

  • No account or login credentials.
  • No passwords.
  • No visitor name or email address — there is no signup and no contact form that captures these.
  • No payment or financial data.
  • No precise geolocation.
  • No device fingerprinting, and no third-party advertising, ad networks, or cross-site tracking.

Aggregate, cookieless analytics

We use Vercel Web Analytics and Vercel Speed Insights (provided by our hosting provider, Vercel) to understand overall traffic and page performance. These are cookieless, set nothing on your device, and collect only aggregate data (such as page views, referrers, approximate region, and device type) — they do not identify you. We also keep an anonymous search log of search terms and their result counts, with no visitor ID, no IP address, and no other identifier attached, so we can see what people look for and what's missing. Because neither identifies you, they are not gated on cookie consent; our basis is legitimate interests (Art. 6(1)(f)).

Note: some opportunities listed on ContractBeam include a contact_name or contact_email. Those are public government points of contact published with the opportunity. They are not your data as a visitor.

Cookies

ContractBeam uses a single first-party cookie, tv, to hold your anonymous visitor ID for personalization and analytics. It is set as httpOnly, SameSite=Lax, and Secure in production, and it lasts 2 years.

This cookie is not strictly necessary to display the site — it powers personalization and analytics. In jurisdictions where the law requires consent for non-essential cookies (for example the EU/UK under the ePrivacy rules and GDPR), we ask for your consent before setting it, and you can decline or later withdraw consent by clearing the cookie (see below). We use no other cookies and no third-party or advertising cookies — our analytics (Vercel Web Analytics and Speed Insights) are cookieless.

For the full details on cookies, see our Cookie Policy.

Processors and where your data is stored

We rely on two service providers (sub-processors) to run ContractBeam. Both store and process data in the United States.

  • Vercel — hosting, edge proxy, and serverless functions (handles incoming requests, including your IP address), plus cookieless Vercel Web Analytics and Speed Insights.
  • Neon — serverless PostgreSQL database that stores opportunities, events, saves, and profiles.

Where our opportunity data comes from

For transparency, the opportunity listings on ContractBeam are drawn from:

  • SAM.gov — federal contract solicitations
  • Grants.gov — federal grants
  • USASpending.gov — awarded contracts
  • A sample seed dataset
  • Your own self-reported behavior and profile

We do not sell or share your data for advertising

ContractBeam does not sell your personal data, and does not share it with anyone for advertising or cross-context behavioral advertising. We use no third-party advertising or cross-site tracking; our only analytics are Vercel's privacy-friendly, cookieless Web Analytics and Speed Insights. The data we collect is used to run and improve ContractBeam itself.

How long we keep data, and how to clear it

We'll be honest with you: today, the data we collect (your visitor ID, events, saves, and profile) is retained indefinitely. We don't yet have an automatic deletion schedule.

The most direct control you have is the cookie. If you delete the tv cookie in your browser, the link between you and your stored data is severed — new activity will be tied to a fresh, unrelated visitor ID, and we'll have no practical way to connect your old records back to you.

If you'd like us to manually delete or retrieve your data, email frank.yang@nexarionflux.ai. Keep in mind that to act on a specific request we generally need the visitor ID associated with your data, since that's the only identifier we hold.

Your rights

If you're in the EU/UK (GDPR)

You have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Erasure of your data (Art. 17). We don't offer self-service deletion yet, so this is handled manually on request.
  • Portability — receive your data in a portable form (Art. 20).
  • Object to processing based on legitimate interests (Art. 21).
  • Rectification — correct inaccurate data (Art. 16). Your business profile is editable directly in the app.
  • Withdraw consent at any time, where we rely on consent (such as for the non-essential tv cookie or your optional business profile). Withdrawing consent doesn't affect processing already carried out. The simplest way to withdraw consent for the cookie is to clear it in your browser.
  • Restrict processing in certain circumstances (Art. 18).
  • Lodge a complaint with your local data protection supervisory authority (Art. 77) if you believe we've mishandled your data.

If you're in California (CCPA/CPRA)

You have the right to:

  • Know / Access what personal information we've collected about you, the sources, and the purposes for which we use it.
  • Delete your personal information.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of your personal information. As noted above, we don't sell or share your data, so there's nothing to opt out of.
  • Non-discrimination — we will not deny you service, charge you a different price, or provide a different level of service for exercising any of these rights.

For reference, the only categories of personal information we collect are an online identifier (the anonymous visitor ID), internet/electronic activity (your behavior events, saves, and optional business profile), and an IP address used transiently for rate-limiting. We collect these from you and your use of the site, and use them solely to operate, personalize, and improve ContractBeam. We do not collect sensitive personal information, and we do not use or disclose personal information for purposes beyond those described here.

How to exercise these rights

Because your identity on ContractBeam is just an anonymous cookie, there are two practical paths:

  1. Clear the tv cookie in your browser. This immediately cuts the connection between you and your stored data, and is the fastest way to "reset" your relationship with us.
  2. Email us at frank.yang@nexarionflux.ai. We'll do our best to help, but note that without the visitor ID tied to your records we may not be able to locate or verify which data is yours. You may use an authorized agent to submit a request on your behalf where the law allows.

International users and data transfers

ContractBeam is hosted and stores data in the United States (via Vercel and Neon). If you access ContractBeam from outside the U.S., including the EU/UK, your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your country. Where required for transfers of EU/UK personal data, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses with our sub-processors.

Children

ContractBeam is not directed to anyone under the age of 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact frank.yang@nexarionflux.ai and we'll address it.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we'll revise the "Last updated" date at the top. If we make a significant change, we'll try to make it more noticeable. Your continued use of ContractBeam after an update means you accept the revised policy.

Governing law

This Privacy Policy is governed by the laws of the State of Michigan, without regard to its conflict-of-law rules.

Contact

Questions, requests, or concerns about your privacy? Email us at frank.yang@nexarionflux.ai.

Note: This document is a plain-language template provided for convenience, not legal advice — have a qualified attorney review it before you rely on it.