Last updated: May 14, 2026
Privacy Policy
This policy explains what information Iris Labs, Inc. (“Iris”) collects, how we use it, and your rights regarding your data.
1. Information We Collect
Account Information
When you register, we collect your name, email address, and password (stored as a salted hash). If you pay for the Service, we collect billing information processed by our payment provider (Stripe) — we do not store full card numbers on our servers.
Usage Data
We automatically collect data about how you use the Service, including API request logs, compute usage metrics, IP addresses, browser type, and timestamps. This data helps us operate, debug, and improve the platform.
Customer Content
Sandbox images, snapshots, and any data you store or process within your sandboxes are considered Customer Content. We access this only as needed to provide the Service (e.g., checkpoint/restore operations) or as required by law.
Communications
If you contact us via email or support channels, we retain those communications to help resolve your inquiry and improve our services.
2. How We Use Your Information
We use the information we collect to:
- Provision, operate, and maintain the Service;
- Process payments and send invoices;
- Send transactional emails (account verification, password reset, billing receipts);
- Send product updates and announcements — you may opt out at any time;
- Detect, investigate, and prevent abuse, fraud, and security incidents;
- Comply with legal obligations;
- Analyze aggregate, anonymized usage patterns to improve the Service.
We do not sell your personal data to third parties.
3. Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area or the United Kingdom, we process your personal data under the following legal bases:
- Contract performance — processing necessary to provide the Service you signed up for;
- Legitimate interests — security monitoring, fraud prevention, and service improvement;
- Legal obligation — compliance with applicable law;
- Consent — for optional marketing communications.
4. Data Sharing and Disclosure
We share your information only in the following circumstances:
- Service providers: We use trusted vendors (Stripe for payments, AWS/Hetzner for infrastructure, Resend for email) who are contractually bound to protect your data and process it only as directed by us.
- Legal requirements: We may disclose data if required by law, subpoena, or court order. Where legally permitted, we will notify you before disclosing.
- Business transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred. We will provide notice prior to any such transfer.
- With your consent: For any other purpose with your explicit consent.
5. Data Retention
We retain account and usage data for as long as your account is active. After account deletion, we purge personal data within 90 days, except where we are required by law to retain it longer (e.g., billing records for tax purposes, typically 7 years).
Sandbox snapshots are deleted immediately upon your explicit deletion request or within 30 days of account termination.
6. Cookies and Tracking
We use strictly necessary cookies to manage authentication sessions. We do not use third-party advertising cookies or tracking pixels. We may use privacy-respecting analytics (e.g., Plausible) that do not require consent under GDPR.
7. Security
We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest for snapshots, regular security audits, and role-based access controls. However, no system is perfectly secure. Please report suspected vulnerabilities to security@iris.dev.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you;
- Request correction of inaccurate data;
- Request deletion of your data (“right to be forgotten”);
- Object to or restrict processing of your data;
- Request a machine-readable export of your data (data portability);
- Withdraw consent for optional processing at any time.
To exercise these rights, email us at privacy@iris.dev. We will respond within 30 days (or as required by applicable law). You also have the right to lodge a complaint with your local data protection authority.
9. International Transfers
We are based in the United States. If you access the Service from outside the US, your data may be transferred to and processed in the US. For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) to provide adequate protection for such transfers.
10. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately at privacy@iris.dev.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notice at least 14 days before the changes take effect. Your continued use of the Service after that date constitutes acceptance of the updated policy.
12. Contact
Data controller: Iris Labs, Inc.
2261 Market Street, Suite 5694
San Francisco, CA 94114, United States
Privacy inquiries: privacy@iris.dev