Privacy Policy
Effective date:
Last updated:
Iris (“Iris,” “we,” “our,” or “us”) respects your privacy. This Privacy Policy explains what personal data we collect when you join the Iris waitlist, how we use it, with whom we share it, and the rights you have under the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and other applicable data-protection laws.
By submitting your information through the form on https://iriss.space, you confirm that you have read and understood this Policy.
1. Data Controller
The data controller responsible for the processing of your personal data is:
Iris
Email: iris.app000@gmail.com
You may contact the controller at any time to exercise the rights described in Section 9 below.
2. Categories of Personal Data We Collect
When you join the Iris waitlist, we collect the following categories of personal data.
2.1 Information you provide
- Your full name;
- Your email address;
- Your explicit consent to receive transactional and informational emails from Iris.
2.2 Information collected automatically
- A salted HMAC-SHA-256 hash of your IP address, truncated to 24 hexadecimal characters. The original IP address is never stored.
- Your user-agent string (truncated to 256 characters), used to detect coordinated automated abuse.
- The HTTP Referer header (truncated to 512 characters), if any, identifying the page that linked you to our signup form.
2.3 Information we derive
- Your position on the waitlist;
- A unique referral code we generate for you;
- The referral code, if any, that brought you to the waitlist;
- The number of confirmed referrals attributed to you;
- Timestamps for signup, email confirmation, reminder dispatch, and welcome-email dispatch.
We do not collect: passwords, payment-card or financial information, government identifiers, biometric data, or any special-category data within the meaning of Article 9 GDPR (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health, or sexual orientation).
3. Purposes and Legal Bases
We process your personal data only for the purposes set out below, each grounded in one of the legal bases listed in Article 6(1) GDPR.
| Purpose | Data used | Legal basis (Art. 6(1) GDPR) |
|---|---|---|
| Send the email confirmation link to validate your address | Name, email | (b) pre-contractual measures at your request |
| Send a welcome email and confirm your queue position | Name, email, position | (b) pre-contractual measures |
| Send one automated reminder if you have not confirmed within 24 hours | Name, email, signup timestamp | (f) legitimate interest in completing your signup |
| Send rare product announcements (e.g. product launch) | Name, email | (a) explicit consent, withdrawable at any time |
| Detect and mitigate signup abuse, multi-account creation, and bot rings | Hashed IP, user agent, referrer | (f) legitimate interest in service integrity |
| Track and credit referrals when invited users confirm their spot | Referral code, hashed IP | (b) pre-contractual measures |
4. Subprocessors
We rely on the following service providers (“sub-processors”) to process your personal data on our behalf. Each is contractually bound by data-protection commitments equivalent to those required by Article 28 GDPR.
| Sub-processor | Service | Hosting region | Privacy notice |
|---|---|---|---|
| Supabase Inc. (United States) | Database and storage | European Union (AWS, Frankfurt) | supabase.com/privacy |
| Vercel Inc. (United States) | Hosting, edge functions, web analytics, bot detection | Multi-region; functions execute in the closest available region | vercel.com/legal/privacy-policy |
| Resend (United States) | Transactional email delivery | European Union (AWS Ireland, eu-west-1) | resend.com/legal/privacy-policy |
| Cloudflare Inc. (United States) | Turnstile bot challenge (deployed only if explicitly enabled) | Global edge network | cloudflare.com/privacypolicy |
5. International Data Transfers
Some of our sub-processors are headquartered in the United States. When personal data is transferred outside the European Economic Area (“EEA”), the transfer is safeguarded by the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914) and, where applicable, by adherence to the EU-US Data Privacy Framework. We further apply technical safeguards (TLS 1.3 in transit, AES-256 at rest at our sub-processors) to reduce risk in accordance with the European Data Protection Board’s recommendations following the Schrems II ruling.
6. Data Retention
- Name, email, consent, derived data: retained until you unsubscribe.
- Hashed IP, user agent, referrer: retained until you unsubscribe.
- Email-provider logs (Resend): retained by Resend for 30 days, then automatically deleted.
- Aggregated web-analytics events (Vercel): retained for up to 12 months without personal identifiers.
You can erase all personal data we hold about you, instantly and permanently, by clicking the unsubscribe link in any email we send you. There is no soft-delete and no recovery period.
7. Cookies and Similar Technologies
The Iris website does not set any first-party tracking cookies. Vercel Web Analytics is privacy-friendly and cookieless: it aggregates anonymised performance metrics without persisting identifiers in your browser. If Cloudflare Turnstile is enabled, it may set a single cookie scoped to challenges.cloudflare.com exclusively to prevent automated abuse; that cookie is not accessible to Iris and is not used for analytics, profiling, or advertising.
8. Security
We implement technical and organisational measures appropriate to the risk, including:
- encryption in transit (TLS 1.3) and at rest (AES-256);
- HMAC-SHA-256 signatures on confirmation and unsubscribe links, verified with timing-safe comparison;
- row-level security on the Postgres database, with strict separation between read-only anonymous keys and the privileged service-role key;
- edge-level bot detection (Vercel BotID), origin allowlisting, content-security-policy headers, and rate-limiting on every sensitive endpoint;
- a salted IP hash used solely for anti-abuse purposes; the original IP address is never written to disk.
No system can be made entirely secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and inform you without undue delay, in accordance with Articles 33 and 34 GDPR.
9. Your Rights Under the GDPR
Subject to applicable conditions, you have the following rights:
- Right of access (Art. 15) — to obtain a copy of the personal data we hold about you;
- Right to rectification (Art. 16) — to correct inaccurate or incomplete data;
- Right to erasure (Art. 17) — the unsubscribe link in any of our emails performs this immediately; you may also request erasure by email;
- Right to restriction of processing (Art. 18);
- Right to data portability (Art. 20) — to receive your personal data in a structured, commonly used and machine-readable format;
- Right to object (Art. 21) to processing based on legitimate interest;
- Right to withdraw consent (Art. 7(3)) at any time, without affecting the lawfulness of processing performed before withdrawal;
- Right to lodge a complaint (Art. 77) with a supervisory authority — in France, the Commission Nationale de l’Informatique et des Libertés (CNIL); in other Member States, the corresponding national authority.
To exercise any of these rights, send an email to iris.app000@gmail.com. We respond within thirty (30) calendar days, as required by Article 12(3) GDPR. We may ask for additional information to verify your identity before acting on your request.
10. Children’s Privacy
Iris is not directed to individuals under sixteen (16) years of age. We do not knowingly collect personal data from children. If you believe a child has submitted personal data to us, please contact us and we will erase the data without undue delay.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the latest version. Where the changes are material, we will notify confirmed waitlist members by email and obtain renewed consent where required by law. Continued use of the service after the effective date of an update constitutes your acceptance of the revised Policy for processing not based on consent.
12. Contact
For any privacy-related question, request, or complaint, please contact:
Iris
Email: iris.app000@gmail.com