Privacy Policy
Last updated: June 9, 2026
1. Introduction
Welcome to Iris ("we", "our", or "us"). We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This Privacy Policy explains how we collect, use, process, and safeguard your information when you use our AI agent platform and custom chat widgets.
2. Data Controller
The data controller responsible for your personal data is the owner of the Iris Agent platform. If you have any questions about this Privacy Policy or our privacy practices, please contact us at privacy@iris-agent.com.
3. Data We Collect
We collect and process the following categories of personal data:
- Account Data: Name, email address, password, and registration metadata.
- Workspace Data: Workspace names, configurations, custom instructions, and integration settings (such as Slack access tokens).
- Knowledge Base Assets: Text files, PDFs, and crawled URLs that you upload to train your custom AI agents.
- Chat Logs: Conversations generated through your active AI widget interfaces and telemetry metadata.
- Billing Data: Payment card details, subscription tiers, and transaction history (processed securely by our payment gateway).
4. Legal Basis & Purposes of Processing
We process your personal data based on the following legal grounds under the GDPR:
- Contractual Necessity (Article 6(1)(b)): To set up your account, provision your workspaces, run your AI agents, and manage billing.
- Consent (Article 6(1)(a)): Where you actively agree to receive updates, newsletters, or marketing correspondence.
- Legal Compliance (Article 6(1)(c)): To prevent fraud, ensure platform security, and maintain tax records.
5. Subprocessors & Third-Party Sharing
To deliver our services, we share your data with trusted subprocessors. We maintain Data Processing Agreements (DPAs) with these providers to ensure your data is secure:
| Subprocessor | Purpose | Data Residency & Transfer |
|---|---|---|
| Supabase | Database, auth, and hosting provider | Hosted in EU Central (Frankfurt, Germany) |
| Google Gemini API | LLM inference processing | Processed via Google Vertex APIs (EU/US locations) |
| Stripe | Payment processing and billing lifecycle | Global network with standard EU data protection mechanisms |
| Resend | Transactional and notification emails | Processed via secure US/EU email servers |
6. Cookies
We use only strictly necessary functional cookies (such as Supabase authentication session cookies and functional sidebar state cookies) to verify your identity and support basic features. We do not use third-party tracking or advertising cookies.
7. Your Data Protection Rights (GDPR)
Under the GDPR, you possess the following rights regarding your personal data:
- Right of Access: You can request details of the personal data we hold about you.
- Right to Rectification: You can update your display name or account metadata directly from the Account Settings panel.
- Right to Erasure (Right to be Forgotten): You can permanently delete your user account and all owned workspaces through our platform Settings. This cascades to wipe all databases and vector indices.
- Right to Data Portability: You can download your profile, workspaces, agents, and conversation history in structured JSON format via the "Export My Data" action.
8. Data Security
We implement industry-standard organizational and technical measures to secure your data, including Row Level Security (RLS) across all database tables, HTTPS transport encryption, and secure encryption for storage tokens.