irisbites

Not legal advice — attorney review pending

This privacy policy is drafted by Bruce. It has not been reviewed by an attorney. Bruce will publish an attorney-reviewed version before the first paid enterprise install. For EU-resident data subjects with specific GDPR concerns, email privacy@irisbites.com and Bruce will respond directly.

Privacy policy

Last updated:

Short version: we collect almost nothing about visitors. For paying customers we keep only what we need to run your install. We don't sell data, we don't run ad-tracking, we use one privacy-respecting analytics service, and you can ask us to delete everything any time.

1. What we collect

From every visitor (whether or not you sign up)

  • Aggregated page-view analytics via Plausible or Vercel Analytics — both privacy-respecting services that do NOT use tracking cookies, do NOT identify you personally, and do NOT track you across other sites.
  • Server logs (IP address, browser type, request timestamps) — held for up to 30 days for security and debugging, then deleted.
  • Essential cookies only — your dark/light theme preference and (if you logged in) your session. We do not set advertising or third-party tracking cookies.

If you submit a form, book a call, or email us

  • Your email address and whatever else you typed (business name, question, etc.) — stored in our internal CRM (Airtable) so we can reply and follow up.
  • If you book a call: calendar metadata via Google Calendar (your email + the time slot). Call notes if Bruce takes them during the call.
  • If you subscribe to the newsletter: your email goes to Beehiiv, our newsletter platform. Unsubscribe link in every email.

If you become a paying customer

  • Payment information — handled entirely by Stripe; we never see or store your card number. We see only the last 4 digits + cardholder name.
  • Install scope and configuration — what tier you purchased, when, which industry template, what tools we installed. Stored in our project tracker.
  • Call recordings (only if you opt in) — for some installs we record a small number of test calls during the install window to tune Iris. These live in YOUR vendor accounts, not ours; we can review them with your permission for troubleshooting and never copy them to our infrastructure.

2. What we don't collect

  • Names, addresses, phone numbers of visitors who don't contact us
  • Browsing behavior across other websites — we don't have third-party trackers
  • Personalized advertising data — we don't run ads
  • Social-media login data — we don't offer social login
  • Biometric data, voice prints, or face data — we don't collect them
  • Your customers' data (call recordings of YOUR customers, your lead database, etc.) — that lives in YOUR vendor accounts, not ours. See trust page for the full data flow.

3. Where your data lives

We use a small number of carefully picked vendors. Each is contractually a “processor” — they hold data on our behalf and don't use it for their own purposes beyond standard operational logging.

Airtable

Our internal CRM — your form submissions, install records, support tickets.

Beehiiv

Newsletter platform — if you subscribed, your email lives here.

Stripe

Payment processing — they hold your card; we see only last 4 digits + name.

Resend

Transactional email — confirmation emails, receipts, refund notices.

Vercel

Hosting + server logs (30 days).

Plausible / Vercel Analytics

Aggregated page-view metrics. No personal identification.

Google Workspace

Bruce's email and calendar. Where threads with you actually live.

Your install's operational data (call recordings of your customers, lead databases, knowledge base, etc.) lives in YOUR accounts at the install vendors (Synthflow, Twilio, ElevenLabs, your own Google Workspace, etc.). We have access only when you grant it via support ticket.

4. Your rights under GDPR

If you are a resident of the European Economic Area, UK, or Switzerland, you have the following rights regarding personal data we hold about you:

  • Right of access — request a copy of every record we hold on you.
  • Right of rectification — ask us to correct anything inaccurate.
  • Right of erasure (“right to be forgotten”) — ask us to delete every record. We comply within 30 days, faster on most requests.
  • Right of portability — request your data in a machine-readable format (we use JSON or CSV).
  • Right to object — withdraw consent at any time for processing based on consent (e.g. newsletter).
  • Right to lodge a complaint with your local data protection authority if you believe we've mishandled your data.

Lawful basis: for newsletter signups, our basis is your explicit consent. For customer-account data, our basis is contract performance. For analytics and server logs, our basis is legitimate interest in operating and securing the site.

To exercise any GDPR right: email privacy@irisbites.com. We'll confirm receipt within 72 hours.

5. Your rights under CCPA (California)

If you are a California resident, the California Consumer Privacy Act gives you similar rights:

  • Right to know what personal information we collect, use, and share.
  • Right to delete personal information we hold (subject to a few exceptions, like records we need for tax compliance).
  • Right to opt out of the sale or sharing of personal information.
  • Right to non-discrimination for exercising your CCPA rights.

We do not sell or share personal information in the sense the CCPA uses those terms. We don't exchange your data with advertising networks or data brokers. The only third parties who see Iris-Bites-collected data are our own infrastructure providers (listed in section 3), and they process it on our behalf under processor terms.

To exercise a CCPA right: email privacy@irisbites.com. We'll respond within 45 days.

6. Cookies

We use the minimum cookies needed to make the site work. Specifically:

  • Theme preference — remembers if you chose dark or light mode. Stored in localStorage, not a cookie.
  • Session cookie (only if you log in) — lets the site recognize you between pages. Expires when you close the browser.
  • Preview/coming-soon bypass cookie — if you visited the site before launch with a preview link, a 30-day cookie remembers your access.

We do not use: Google Analytics, Facebook Pixel, LinkedIn Insight, TikTok Pixel, Hotjar, Mixpanel, advertising cookies, or any third-party tracker that follows you across sites.

7. Affiliate links and external sites

When you click an affiliate link on this site, the destination vendor may set cookies on their domain — that's how they credit the referral to us. We have no access to those cookies. Each vendor has its own privacy policy that applies once you leave Iris Bites. We disclose every affiliate relationship on the disclosure page.

8. Data deletion

Email privacy@irisbites.com and we will delete every record we hold on you — newsletter subscription, CRM entries, call notes, install configuration — within 7 days for non-customers and within 30 days for active customers (a few records, like tax-relevant transaction data, must be retained per US law; we'll list anything we retained and why).

9. Children

Iris Bites is a service for business owners. We do not knowingly collect data from anyone under 16. If you believe a minor has submitted information through the site, email privacy@irisbites.com and we'll delete it immediately.

10. Changes to this policy

We may update this policy from time to time. Material changes will be announced by email to active customers and posted at the top of this page with a new “Last updated” date.

11. Contact

Privacy questions: privacy@irisbites.com. General inquiries: see the contact page.