Not legal advice — attorney review pending
This privacy policy is drafted by Bruce. It has not been reviewed by an attorney. Bruce will publish an attorney-reviewed version before the first paid enterprise install. For EU-resident data subjects with specific GDPR concerns, email privacy@irisbites.com and Bruce will respond directly.
Privacy policy
Last updated:
Short version: we collect almost nothing about visitors. For paying customers we keep only what we need to run your install. We don't sell data, we don't run ad-tracking, we use one privacy-respecting analytics service, and you can ask us to delete everything any time.
1. What we collect
From every visitor (whether or not you sign up)
- Aggregated page-view analytics via Plausible or Vercel Analytics — both privacy-respecting services that do NOT use tracking cookies, do NOT identify you personally, and do NOT track you across other sites.
- Server logs (IP address, browser type, request timestamps) — held for up to 30 days for security and debugging, then deleted.
- Essential cookies only — your dark/light theme preference and (if you logged in) your session. We do not set advertising or third-party tracking cookies.
If you submit a form, book a call, or email us
- Your email address and whatever else you typed (business name, question, etc.) — stored in our internal CRM (Airtable) so we can reply and follow up.
- If you book a call: calendar metadata via Google Calendar (your email + the time slot). Call notes if Bruce takes them during the call.
- If you subscribe to the newsletter: your email goes to Beehiiv, our newsletter platform. Unsubscribe link in every email.
If you become a paying customer
- Payment information — handled entirely by Stripe; we never see or store your card number. We see only the last 4 digits + cardholder name.
- Install scope and configuration — what tier you purchased, when, which industry template, what tools we installed. Stored in our project tracker.
- Call recordings (only if you opt in) — for some installs we record a small number of test calls during the install window to tune Iris. These live in YOUR vendor accounts, not ours; we can review them with your permission for troubleshooting and never copy them to our infrastructure.
2. What we don't collect
- Names, addresses, phone numbers of visitors who don't contact us
- Browsing behavior across other websites — we don't have third-party trackers
- Personalized advertising data — we don't run ads
- Social-media login data — we don't offer social login
- Biometric data, voice prints, or face data — we don't collect them
- Your customers' data (call recordings of YOUR customers, your lead database, etc.) — that lives in YOUR vendor accounts, not ours. See trust page for the full data flow.
3. Where your data lives
We use a small number of carefully picked vendors. Each is contractually a “processor” — they hold data on our behalf and don't use it for their own purposes beyond standard operational logging.
Airtable
Our internal CRM — your form submissions, install records, support tickets.
Beehiiv
Newsletter platform — if you subscribed, your email lives here.
Stripe
Payment processing — they hold your card; we see only last 4 digits + name.
Resend
Transactional email — confirmation emails, receipts, refund notices.
Vercel
Hosting + server logs (30 days).
Plausible / Vercel Analytics
Aggregated page-view metrics. No personal identification.
Google Workspace
Bruce's email and calendar. Where threads with you actually live.
Your install's operational data (call recordings of your customers, lead databases, knowledge base, etc.) lives in YOUR accounts at the install vendors (Synthflow, Twilio, ElevenLabs, your own Google Workspace, etc.). We have access only when you grant it via support ticket.
4. Your rights under GDPR
If you are a resident of the European Economic Area, UK, or Switzerland, you have the following rights regarding personal data we hold about you:
- Right of access — request a copy of every record we hold on you.
- Right of rectification — ask us to correct anything inaccurate.
- Right of erasure (“right to be forgotten”) — ask us to delete every record. We comply within 30 days, faster on most requests.
- Right of portability — request your data in a machine-readable format (we use JSON or CSV).
- Right to object — withdraw consent at any time for processing based on consent (e.g. newsletter).
- Right to lodge a complaint with your local data protection authority if you believe we've mishandled your data.
Lawful basis: for newsletter signups, our basis is your explicit consent. For customer-account data, our basis is contract performance. For analytics and server logs, our basis is legitimate interest in operating and securing the site.
To exercise any GDPR right: email privacy@irisbites.com. We'll confirm receipt within 72 hours.
5. Your rights under CCPA (California)
If you are a California resident, the California Consumer Privacy Act gives you similar rights:
- Right to know what personal information we collect, use, and share.
- Right to delete personal information we hold (subject to a few exceptions, like records we need for tax compliance).
- Right to opt out of the sale or sharing of personal information.
- Right to non-discrimination for exercising your CCPA rights.
We do not sell or share personal information in the sense the CCPA uses those terms. We don't exchange your data with advertising networks or data brokers. The only third parties who see Iris-Bites-collected data are our own infrastructure providers (listed in section 3), and they process it on our behalf under processor terms.
To exercise a CCPA right: email privacy@irisbites.com. We'll respond within 45 days.
6. Cookies
We use the minimum cookies needed to make the site work. Specifically:
- Theme preference — remembers if you chose dark or light mode. Stored in localStorage, not a cookie.
- Session cookie (only if you log in) — lets the site recognize you between pages. Expires when you close the browser.
- Preview/coming-soon bypass cookie — if you visited the site before launch with a preview link, a 30-day cookie remembers your access.
We do not use: Google Analytics, Facebook Pixel, LinkedIn Insight, TikTok Pixel, Hotjar, Mixpanel, advertising cookies, or any third-party tracker that follows you across sites.
7. Affiliate links and external sites
When you click an affiliate link on this site, the destination vendor may set cookies on their domain — that's how they credit the referral to us. We have no access to those cookies. Each vendor has its own privacy policy that applies once you leave Iris Bites. We disclose every affiliate relationship on the disclosure page.
8. Data deletion
Email privacy@irisbites.com and we will delete every record we hold on you — newsletter subscription, CRM entries, call notes, install configuration — within 7 days for non-customers and within 30 days for active customers (a few records, like tax-relevant transaction data, must be retained per US law; we'll list anything we retained and why).
9. Children
Iris Bites is a service for business owners. We do not knowingly collect data from anyone under 16. If you believe a minor has submitted information through the site, email privacy@irisbites.com and we'll delete it immediately.
10. Changes to this policy
We may update this policy from time to time. Material changes will be announced by email to active customers and posted at the top of this page with a new “Last updated” date.
11. Contact
Privacy questions: privacy@irisbites.com. General inquiries: see the contact page.
Related: Terms of Service · Refund policy · Trust & security · Affiliate disclosure