Beamer is a SaaS widget for in-app announcements, changelogs, NPS surveys and feedback. It loads third-party JavaScript and writes a visitor identifier, so it requires prior consent under GDPR and ePrivacy.
Beamer is a SaaS engagement platform founded in 2017 and headquartered in New York City and Madrid. It is embedded into a host app or website through a small JavaScript snippet that adds a notification icon, opens a panel with release notes, product news and changelogs, and can display NPS surveys and feedback prompts. Beamer is used by product, marketing and customer success teams to announce features, collect reactions and segment users by behaviour or attributes, with its infrastructure running on AWS, primarily in US East and optionally in Frankfurt for enterprise customers.
When the widget loads, Beamer sets cookies such as beamer_USER_ID to identify the visitor, beamer_FILTER_BY_URL to scope which posts are shown, beamer_LAST_POST_SHOWN to deduplicate notifications and beamer_FIRST_VISIT to mark the first session. It also reads and writes values to localStorage and sends technical data to its servers, including IP address, user agent, referrer, page URL, post interactions, clicks, reactions and survey answers. When the host app passes a user id or email, Beamer links engagement data to that identified profile.
Beamer processes personal data within the meaning of Art. 4(1) GDPR, because the visitor identifier, IP address and engagement events can be linked to a natural person, especially when the host app passes a known user id. The widget is not strictly necessary to deliver the requested service, so writing identifiers to the device falls under Art. 5(3) of the ePrivacy Directive, which requires prior informed consent. In Germany this is mirrored by section 25 TDDDG, and US visitors gain CCPA rights such as the right to opt out of sale or sharing of personal information.
The lawful basis for loading Beamer is consent under Art. 6(1)(a) GDPR, combined with the ePrivacy consent rule for storing or reading information on a terminal. Beamer scripts must therefore be blocked until the visitor accepts the relevant cookie category, typically Functional or Marketing depending on how segmentation is configured. Consent must be freely given, specific, informed and as easy to withdraw as to give, and the choice must be logged with a timestamp, the consent text version and the policy shown so that compliance can be demonstrated under Art. 7 GDPR.
Because Beamer Inc. is established in the United States and its primary AWS region is US East, using the widget triggers a third-country transfer under Chapter V of the GDPR. Transfers rely on the EU-US Data Privacy Framework where Beamer or its sub-processors are certified, and on Standard Contractual Clauses plus supplementary measures otherwise. Practical compliance steps: sign a DPA with Beamer, list it in your record of processing activities, document the transfer mechanism, gate the snippet behind a consent banner, update your privacy and cookie policies, and consider the EU hosting option for stricter audiences.
Websites using Beamer must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA is generally not required for standard Beamer usage, since it focuses on product announcements and basic engagement metrics rather than large scale profiling or special category data. A documented risk assessment under Art. 35(1) GDPR is still recommended because data is transferred to the US and persistent identifiers are written to visitor devices. A DPIA becomes appropriate when Beamer is combined with detailed user segmentation, CRM enrichment or behavioural scoring across sensitive audiences such as children or patients.
Sample consent text
We use Beamer to show product news, changelogs and feedback surveys inside our app. Beamer sets cookies and a local identifier on your device and transfers data to its servers in the United States. Do you accept the use of Beamer?
Third-party domains contacted
getbeamer.com, app.getbeamer.com, api.getbeamer.com, cdn.getbeamer.com, analytics.getbeamer.com, static.getbeamer.com, beamer-cdn.s3.amazonaws.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| beamer_USER_ID | first_party | 1 year | Stores a unique visitor identifier so Beamer can deduplicate announcements and track engagement events per visitor. |
| beamer_FILTER_BY_URL | first_party | 1 year | Scopes which posts and announcements should be displayed based on the current URL or section of the app. |
| beamer_LAST_POST_SHOWN | first_party | 1 year | Records the id of the last post shown to the visitor to deduplicate notifications and avoid re-showing the same announcement. |
| beamer_FIRST_VISIT | first_party | 1 year | Marks the timestamp of the visitor's first session and is used for first-time user logic and analytics. |
| _beamer_session | first_party | session | Maintains a short-lived session identifier for the current widget interaction and survey state. |
| _beamer_csrf | first_party | session | CSRF token used to protect Beamer API calls made from the widget against cross-site request forgery. |
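The page requires that Beamer stays blocked until the visitor accepts the relevant category. The following added example (not Beamer's or any CMP's own code) audits a page snapshot taken before consent against the cookie names and domains listed above. The function names and the snapshot shape are assumptions, and the sample data is constructed.

```javascript
// Added example: pre-consent audit for the Beamer identifiers listed on this page.
// Cookie names and hostnames come from the lists above; function names are hypothetical.
const BEAMER_COOKIES = new Set([
  "beamer_USER_ID", "beamer_FILTER_BY_URL", "beamer_LAST_POST_SHOWN",
  "beamer_FIRST_VISIT", "_beamer_session", "_beamer_csrf",
]);
// Registrable domain plus the S3 bucket host; subdomains are matched by suffix.
const BEAMER_HOSTS = ["getbeamer.com", "beamer-cdn.s3.amazonaws.com"];

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieHeader) {
  return cookieHeader.split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// True when the URL's host is a listed domain or a subdomain of one.
// Matching on the parsed hostname avoids substring false positives
// such as "getbeamer.com.example.net".
function isBeamerHost(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return false; }
  return BEAMER_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// Return findings for a snapshot; anything found before consent is a violation.
function auditSnapshot({ consentGiven, cookieHeader, requestedUrls }) {
  if (consentGiven) return [];
  const findings = [];
  for (const name of cookieNames(cookieHeader)) {
    if (BEAMER_COOKIES.has(name)) findings.push({ kind: "cookie", value: name });
  }
  for (const url of requestedUrls) {
    if (isBeamerHost(url)) findings.push({ kind: "request", value: url });
  }
  return findings;
}

// Constructed sample: state captured before the consent banner was answered.
const sample = {
  consentGiven: false,
  cookieHeader: "theme=dark; beamer_USER_ID=constructed-123; _beamer_session=abc",
  requestedUrls: [
    "https://app.getbeamer.com/constructed.js",   // constructed path
    "https://getbeamer.com.example.net/x.js",     // look-alike host, must not match
    "https://example.org/app.js",
  ],
};
console.log(auditSnapshot(sample));
```

An empty result before consent means neither the listed cookies nor requests to the listed hosts were observed; the same identifier in localStorage needs a separate check in the browser.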
Beamer sets several first-party cookies on the host domain, including beamer_USER_ID for visitor identification, beamer_FILTER_BY_URL for post scoping, beamer_LAST_POST_SHOWN for deduplication and beamer_FIRST_VISIT for first session detection. It also writes the same identifier to localStorage so it survives cookie clearing.
Yes. Beamer loads non-essential third-party JavaScript and writes persistent identifiers, so prior informed consent is required under Art. 5(3) of the ePrivacy Directive and Art. 6(1)(a) GDPR. The snippet must be blocked by your CMP until the visitor accepts the relevant cookie category.
The legal basis is consent under Art. 6(1)(a) GDPR, combined with the ePrivacy consent rule for storage and access on the terminal device. Legitimate interest (Art. 6(1)(f)) is not appropriate because the widget is not strictly necessary and writes persistent identifiers used for engagement tracking.
Yes. Beamer Inc. is based in New York and its default AWS region is US East. Transfers rely on Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. An EU hosting option (AWS Frankfurt) is available on enterprise plans for customers needing data residency.
A full DPIA is generally not required for standard Beamer usage because it does not involve large scale profiling or special category data. A documented risk assessment under Art. 35(1) is still recommended due to US transfers and persistent identifiers. Run a DPIA if you combine Beamer with detailed segmentation or sensitive audiences.
Block the Beamer script through your CMP, load it only after consent for the relevant category, sign a DPA with Beamer, list it in your record of processing activities, document the SCC or DPF transfer mechanism, mention Beamer and its cookies in your privacy and cookie policies, and consider the EU hosting option for stricter audiences.
Yes. Comparable changelog and announcement tools include AnnounceKit, Headway, Featurebase, Frill, Canny and ProductBoard. Intercom can also deliver in-app messages and product news, with the caveat that it is a broader customer messaging suite and carries its own cookie and consent footprint.
List Beamer as a third-party service used for in-app announcements and feedback, name its cookies (beamer_USER_ID, beamer_FILTER_BY_URL, beamer_LAST_POST_SHOWN, beamer_FIRST_VISIT) with their purpose and duration, disclose the transfer to the US and the legal basis (consent), and link to the Beamer privacy policy.