Privacy Policy
Effective as of January 26, 2026
This Privacy Policy describes how IRIS AI TECHNOLOGIES, INC. ("HeyIris," "we," "us," or "our") collects, uses, and shares personal information through our website, software, and related services (collectively, the "Services"). HeyIris is an AI-powered solution that helps businesses manage security documentation and compliance.
Important Information About Our Services
Business Use Only: Our Services are designed exclusively for businesses and are not intended for personal or household use. We treat all personal information as relating to individuals in their professional capacity as business representatives.
Two Types of Data We Handle: This Privacy Policy covers two distinct types of data:
- Website and Account Data: Information about visitors to our website and individuals who create accounts or interact with HeyIris directly (covered throughout this Privacy Policy)
- Customer Data: Information our business customers upload to or create within the HeyIris platform when using our Services to respond to RFPs, security questionnaires, and similar documents (see Section 12 below for specific details)
Customer Responsibility: Our business customers have their own privacy policies governing how they handle their employees' and end users' personal information. HeyIris processes Customer Data as a service provider on behalf of our customers according to our service agreements. For questions about how a specific customer handles personal information in Customer Data, please contact that customer directly or review their privacy statement.
Children's Privacy: Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected information from a child under 18 without proper parental consent, we will promptly delete it.
1. Personal Information We Collect
Information You Provide Directly
When you use our Services or contact us, you may provide:
- Contact Information: Name, business email address, phone number, company name, and job title
- Account Information: Username, password, and account preferences
- Communication Content: Messages, questions, feedback, and support requests you send us
- Payment Information: Billing details, bank account information, or payment card data (processed by third-party payment processors)
- Marketing Preferences: Your communication preferences and engagement with our marketing materials
- User Content: Prompts, documents, images, conversation text, and other materials you upload or create through the Services, along with associated metadata (such as timestamps, file properties, and edit history)
Important: Do not include sensitive personal information in prompts or uploaded content, including Social Security numbers, medical information, financial account numbers, or government identification numbers.
Information From Other Sources
We may receive information about you from:
- Public Sources: Government databases, social media platforms, and publicly available information
- Business Partners: Marketing partners, event co-sponsors, and referral sources
- Data Providers: Business contact databases and information services
- Third-Party Login Services: When you connect your account through services like Google, we receive information based on your account settings (username, profile picture, email address). Our use of data from Google APIs complies with the Google API Services User Data Policy, including Limited Use requirements. We do not sell Google account information.
- Your Employer: Information your organization provides when setting up enterprise accounts
- Service Providers: Companies that help us operate our business
Information Collected Automatically
When you use our Services, we and our service providers automatically collect:
- Device Information: Operating system, browser type, device model, IP address, unique device identifiers, language settings, and approximate location (city/state level)
- Usage Information: Pages viewed, features used, time spent on pages, navigation paths, access times, and interaction patterns
- Communication Tracking: Information about your engagement with our emails and messages
Cookies and Similar Technologies
We use cookies and similar technologies to operate and improve our Services:
- Cookies: Small text files stored on your device that help us recognize your browser, remember preferences, and understand how you use our Services
- Local Storage: Browser technologies such as HTML5 local storage that keep data on your device to enable certain features
- Web Beacons: Tiny graphics (also called pixel tags) that help us track whether content was viewed or emails were opened
You can control cookies through your browser settings. Note that blocking cookies may limit some Service functionality.
2. How We Use Your Personal Information
To Provide and Improve Our Services
- Operate, maintain, and deliver our Services
- Create and manage your account
- Process transactions and send related information
- Provide customer support and respond to your inquiries
- Communicate important updates, security alerts, and administrative messages
- Personalize your experience and understand your preferences
For Research and Development
- Analyze usage patterns to improve our Services
- Develop new features and products
- Conduct product research and testing
- Create aggregated, de-identified, or anonymous data for analysis (we remove information that identifies you personally before using data this way)
- Improve our AI system using aggregated or anonymized data. We do not train AI models on your personal information or on Customer Data (see Section 12 for the Customer Data opt-in).
For Analytics
We analyze how users interact with our Services using tools like Google Analytics. This helps us understand which features are most valuable and how to improve user experience. Learn more about Google Analytics and opt-out options at: https://tools.google.com/dlpage/gaoptout
For Marketing
- Send promotional communications about our products and services
- Personalize marketing messages based on your interests and needs
- Measure the effectiveness of our marketing campaigns
- Invite you to events, webinars, or demos
You can opt out of marketing emails at any time (see Section 6).
For Advertising
We work with advertising partners to show you relevant ads on our Services and other platforms. These partners may use cookies and similar technologies to collect information about your online activity and serve interest-based advertising. See Section 6 for opt-out options.
For Legal and Safety Purposes
- Comply with applicable laws, regulations, and legal requests
- Respond to subpoenas, court orders, and government inquiries
- Protect our rights, property, and safety, and that of our users and the public
- Prevent, detect, and investigate fraud, security incidents, and illegal activity
- Enforce our Terms of Service and other agreements
- Defend against legal claims
3. How We Share Your Personal Information
We share personal information in the following circumstances:
Service Providers
We engage third-party companies to perform functions on our behalf, including:
- Cloud hosting and infrastructure (Amazon Web Services, Databricks)
- Payment processing
- Email delivery and communication services
- Customer support tools
- Analytics and data analysis
- IT services and security
These providers access personal information only as needed to perform their functions and are contractually obligated to protect your information.
AI and Technology Providers
Our Services integrate with generative AI providers (such as Databricks and Amazon Web Services) to deliver core functionality. Data shared with these providers is governed by our agreements with them and their respective privacy policies.
Connected Third-Party Services
If you connect your HeyIris account with third-party services (like Google), we may share information with those services according to your authorization settings. Those services' privacy policies govern their use of shared information.
Business Partners
We may share information with partners for joint marketing activities, events, or co-sponsored content, in accordance with applicable law.
Professional Advisors
We may share information with lawyers, accountants, auditors, and other professional advisors who assist us in operating our business.
Legal and Safety Disclosures
We may disclose information when we believe in good faith that disclosure is necessary to:
- Comply with legal obligations
- Respond to valid legal processes
- Protect rights, property, and safety
- Prevent fraud or security threats
- Enforce our policies
Business Transactions
If HeyIris is involved in a merger, acquisition, sale of assets, bankruptcy, or similar transaction, personal information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
Other Users
Certain information may be visible to other users of the Services:
- Your profile information (name, photo, job title)
- Content you choose to share or make public
- Comments and contributions in shared workspaces
Private messages remain private unless you choose to share them.
4. Data Retention
We retain personal information for as long as necessary to:
- Provide our Services and maintain your account
- Comply with legal, tax, and accounting obligations
- Resolve disputes and enforce our agreements
- Prevent fraud and maintain security
Retention periods vary based on:
- The type of information
- The purpose for which we collected it
- Legal requirements
- Whether you've requested deletion
When information is no longer needed, we securely delete or anonymize it.
5. International Data Transfers
HeyIris is based in the United States. If you access our Services from outside the U.S., your information will be transferred to, stored, and processed in the United States and potentially other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction. By using our Services, you consent to the transfer of your information to the United States and other countries. We implement appropriate safeguards to protect your information in accordance with this Privacy Policy.
6. Your Privacy Rights and Choices
Marketing Communications
Opt Out: You can unsubscribe from promotional emails by clicking the "unsubscribe" link in any marketing email or by contacting us at privacy@heyiris.ai. Note that you'll still receive transactional and account-related messages.
Cookie Controls
Browser Settings: Most browsers allow you to block or delete cookies. Visit your browser's help section for instructions. Note that disabling cookies may affect Service functionality.
Mobile Advertising: You can limit ad tracking in your mobile device settings (iOS: Settings > Privacy > Advertising; Android: Settings > Google > Ads).
Browser Privacy Tools: Consider privacy-focused browsers (like Brave) or browser extensions (such as Privacy Badger, DuckDuckGo, Ghostery, or uBlock Origin).
Interest-Based Advertising Opt-Outs
- Digital Advertising Alliance: http://optout.aboutads.info
- Network Advertising Initiative: http://optout.networkadvertising.org
Note: Opt-outs are device and browser-specific, so you'll need to opt out on each device and browser you use.
Third-Party Platform Connections
If you've connected HeyIris to third-party services (like Google), you can manage or revoke those connections through your account settings or the third-party service's settings.
Account Deletion
To request account closure, contact us at privacy@heyiris.ai. Note that deletion requests may take time to process, and some information may be retained as required by law or for legitimate business purposes.
Do Not Track
Some browsers offer "Do Not Track" signals. We currently do not respond to Do Not Track signals. Learn more at http://www.allaboutdnt.com.
7. State-Specific Privacy Rights (United States)
Residents of certain U.S. states have additional privacy rights under state law:
California Residents (CCPA/CPRA)
California residents have the right to:
- Know: Request information about the personal information we collect, use, disclose, and sell
- Access: Obtain a copy of your personal information
- Delete: Request deletion of your personal information
- Correct: Request correction of inaccurate personal information
- Opt Out: Opt out of the sale or sharing of personal information for targeted advertising
- Limit Use: Limit use of sensitive personal information
- Non-Discrimination: Not receive discriminatory treatment for exercising these rights
Categories of Personal Information: We collect the categories described in Section 1. We do not "sell" personal information as defined by California law, but we may share information for targeted advertising purposes, which you can opt out of using the controls in Section 6.
Sensitive Personal Information: We do not collect or use sensitive personal information except as necessary to provide our Services.
Retention: See Section 4 for retention information.
Authorized Agent: You may designate an authorized agent to submit requests on your behalf. We may require proof of authorization.
Virginia, Colorado, Connecticut, Utah, and Other State Residents
If you reside in Virginia, Colorado, Connecticut, Utah, or other states with comprehensive privacy laws, you may have rights similar to those described above, including:
- Right to confirm whether we process your personal information
- Right to access your personal information
- Right to correct inaccuracies
- Right to delete personal information
- Right to obtain a copy of your personal information
- Right to opt out of targeted advertising and certain data sales
How to Exercise Your Rights
To exercise your rights, contact us at:
- Email: privacy@heyiris.ai
- Subject Line: "Privacy Rights Request"
Include your name, email address, state of residence, and specific request. We'll respond within the timeframe required by applicable law (typically 45 days, with possible extension).
Verification: To protect your privacy, we'll verify your identity before processing requests. We may ask for additional information to confirm you are the person about whom we collected information.
Appeals: If we deny your request, you may appeal by contacting us at privacy@heyiris.ai with "Privacy Rights Appeal" in the subject line.
8. European Economic Area (EEA), UK, and Swiss Residents (GDPR)
If you're located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and similar laws:
Legal Basis for Processing
We process personal information based on:
- Contract Performance: To provide Services you've requested
- Legitimate Interests: To improve our Services, prevent fraud, and ensure security (where not overridden by your rights)
- Consent: Where you've provided specific consent (which you can withdraw at any time)
- Legal Obligations: To comply with applicable laws
Your GDPR Rights
- Access: Obtain confirmation of processing and a copy of your personal information
- Rectification: Correct inaccurate or incomplete information
- Erasure: Request deletion in certain circumstances
- Restriction: Restrict processing in certain situations
- Data Portability: Receive your information in a structured, commonly used format
- Object: Object to processing based on legitimate interests or for direct marketing
- Withdraw Consent: Withdraw consent at any time (without affecting prior processing)
- Lodge Complaints: File complaints with your data protection authority
Data Transfers
When we transfer personal information outside the EEA, UK, or Switzerland, we use appropriate safeguards such as:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions
- Other legally approved mechanisms
EU Representative
For GDPR inquiries, contact us at privacy@heyiris.ai with "GDPR Inquiry" in the subject line.
9. Security
We implement reasonable technical, administrative, and physical safeguards designed to protect personal information, including:
- Encryption of data in transit and at rest
- Access controls and authentication requirements
- Regular security assessments and monitoring
- Employee training on data protection
- Vendor security reviews
However, no security measures are perfect. While we strive to protect your information, we cannot guarantee absolute security. Please use strong passwords and protect your account credentials.
10. Third-Party Links and Services
Our Services may contain links to third-party websites, applications, and services not operated by HeyIris. We're not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with personal information.
Our content may also appear on third-party platforms. This Privacy Policy applies only to information collected through our Services.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- We'll update the effective date at the top of this Privacy Policy
- For material changes, we'll provide additional notice (such as email notification or prominent website notice)
- Continued use of our Services after changes take effect constitutes acceptance of the updated policy
We encourage you to review this Privacy Policy regularly to stay informed about our privacy practices.
12. Customer Data Processing
This section explains how HeyIris handles data that our business customers ("Customers") upload to or generate within our platform when using our Services.
Understanding the Relationship
When you use HeyIris to respond to RFPs, security questionnaires, or similar documents, you transfer your business information, documentation, and other data to our platform. In this relationship:
- You (the Customer) are the "data controller" who determines what data is processed and why
- HeyIris is the "data processor" or "service provider" who processes data on your behalf according to your instructions and our agreement
- Your end users and employees are the data subjects whose information may be included in Customer Data
What is Customer Data?
"Customer Data" means any data, content, or information that you upload to, input into, or generate through the HeyIris platform, including:
- RFP Responses: Content, documents, and information created when responding to requests for proposals
- Security Questionnaire Responses: Answers, documentation, and supporting materials for security assessments
- Company Documentation: Policies, procedures, certifications, compliance records, and other business documents
- User Information: Information about your employees or team members who use the platform
- Metadata: Information about how and when data was uploaded, modified, or accessed
- AI-Generated Content: Responses, summaries, and other content generated by our AI using your input
How We Process Customer Data
We process Customer Data solely to:
- Provide the Services you've requested (responding to RFPs, security questionnaires, etc.)
- Generate AI-powered responses based on your documentation and input
- Store and manage your documents and responses
- Enable collaboration among your authorized users
- Maintain, support, and improve the functionality of our Services
- Ensure security and prevent misuse
- Comply with legal obligations
We do not:
- Use Customer Data to market to anyone other than you
- Share Customer Data with third parties except as described below or in our service agreement
- Sell Customer Data
- Use Customer Data to train our general AI models (unless you specifically opt in to such use)
Where Customer Data Goes
We may share or transfer Customer Data to:
- AI and Cloud Service Providers: Our platform relies on third-party AI and infrastructure providers (including Databricks and Amazon Web Services) to process Customer Data and deliver core functionality. These providers:
- Act as sub-processors under our agreements
- Are contractually required to maintain appropriate security and confidentiality
- Process data only as necessary to provide services to HeyIris
- May not use Customer Data for their own purposes
- Authorized Service Providers: Third-party vendors who help us operate the platform (hosting, security monitoring, backup services), bound by confidentiality obligations
- Your Authorized Users: Team members and other individuals you've authorized to access Customer Data through the platform
- As Required by Law: When necessary to comply with legal obligations, court orders, or valid legal process
- With Your Consent: When you specifically authorize us to share Customer Data
Data Security for Customer Data
We implement enterprise-grade security measures to protect Customer Data, including:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
- Access Controls: Role-based access, multi-factor authentication, and principle of least privilege
- Network Security: Firewalls, intrusion detection, and network monitoring
- Security Audits: Regular security assessments, penetration testing, and vulnerability scanning
- Vendor Security: Due diligence and security requirements for all sub-processors
- Incident Response: Defined procedures for detecting, responding to, and notifying you of security incidents
- Data Isolation: Logical separation of Customer Data between different customers
Data Location and Transfers
Customer Data is primarily stored and processed in the United States. We may transfer Customer Data to other countries where our service providers operate. When we transfer data internationally:
- We implement appropriate safeguards (Standard Contractual Clauses, adequacy decisions, etc.)
- We ensure sub-processors provide equivalent data protection
- For EU/UK data, we comply with GDPR requirements for international transfers
Data Retention and Deletion
- Active Accounts: We retain Customer Data for as long as your account is active and as needed to provide Services
- After Termination: Following account termination, we retain Customer Data for a limited period (typically 30-90 days) to allow for account recovery or as specified in our agreement
- Backup Systems: Deleted data may persist in backup systems for up to 90 days before permanent deletion
- Legal Requirements: We may retain certain data longer if required by law, to resolve disputes, or enforce agreements
- Your Rights: You may request deletion of Customer Data at any time (see "Your Rights as a Customer" below)
Your Rights and Responsibilities Regarding Customer Data
Your Responsibilities as a Customer:
- Ensure you have the right to upload and share Customer Data with HeyIris
- Comply with applicable privacy laws regarding your end users' data
- Maintain the security of your account credentials
- Not upload sensitive personal information unless necessary and properly protected
- Provide required notices to your end users about data processing
- Respond to data subject requests from your end users (we'll assist as described below)
Your Rights as a Customer:
- Access and export your Customer Data at any time through the platform
- Correct or update Customer Data through the platform
- Delete Customer Data from the platform
- Receive assistance responding to data subject requests from your end users
- Receive information about our data security practices
- Be notified of data breaches affecting Customer Data
Assisting with End User Rights Requests
If your end users (employees, contractors, etc.) submit privacy rights requests related to their information in Customer Data:
- Direct Requests to Customer: End users should submit requests to you (the Customer) as the data controller
- HeyIris Assistance: We'll provide reasonable assistance to help you respond to requests, including:
- Providing access to relevant data in the platform
- Helping with data export or deletion
- Providing information about our processing activities
- Direct Requests to HeyIris: If an end user contacts us directly, we'll redirect them to you unless legally required to respond directly
Data Processing Agreement (DPA)
Our processing of Customer Data is governed by our Data Processing Agreement (DPA), which:
- Defines our obligations as a data processor
- Includes Standard Contractual Clauses for international transfers (where applicable)
- Specifies security requirements and breach notification procedures
- Addresses sub-processor management
- Provides for audits and inspections
If you need a copy of our DPA or have questions about data processing, contact us at privacy@heyiris.ai.
Sub-Processors
We maintain a list of sub-processors who may access or process Customer Data. Current sub-processors include:
- Amazon Web Services (AWS): Cloud infrastructure and storage
- Databricks: AI and data processing platform
- [Other sub-processors as applicable]
We'll notify you of any changes to our sub-processors in accordance with our service agreement, typically providing 30 days' notice before adding new sub-processors.
Data Breach Notification
In the event of a security incident affecting Customer Data:
- We'll notify you without undue delay (and no later than 72 hours after becoming aware)
- Notification will include available information about the nature of the breach, affected data, and mitigation steps
- We'll cooperate with your investigation and regulatory notification obligations
- We'll take prompt action to remediate the incident and prevent recurrence
Questions About Customer Data?
For questions about how HeyIris processes Customer Data:
- Email: privacy@heyiris.ai or dpo@heyiris.ai
- Subject: "Customer Data Processing Inquiry"
- Include: Your company name and account information
For end users seeking information about their data in Customer Data, please contact the HeyIris customer (your employer or the organization) who controls that data.
13. Contact Us
For General Privacy Questions:
Email: privacy@heyiris.ai
For Privacy Rights Requests:
Email: privacy@heyiris.ai
Subject: "Privacy Rights Request"
Mailing Address:
IRIS AI TECHNOLOGIES, INC.
500 7th Ave
Floor 8
New York, NY
Data Protection Officer (if applicable):
Ben Hills, Chief Executive Officer, ben@heyiris.ai
We'll respond to your inquiry within a reasonable timeframe as required by applicable law.
Thank you for trusting HeyIris with your information.