Privacy Policy
Effective date: May 18, 2026 · IronWeft (“we,” “our,” “us”)
This Privacy Policy describes how IronWeft collects, uses, and protects information when you use our website at ironweft.io and our Agent IAM API (collectively, the “Service”).
1. Information We Collect
Account information. When you sign up, we collect your name, email address, and company name. We use this to create and manage your tenant account.
API usage data. We log every API call made with your key — including endpoint, timestamp, agent IDs, and authorization decisions. This data forms the hash-chained audit trail that is core to the Service.
Agent data. We store agent registration details (name, sponsor ID, roles, classification) and credential issuance records that you submit through the API.
Communication data. If you contact us via the contact form or email, we store the content of that communication to respond to your inquiry.
Technical data. We collect IP addresses, request headers, and error logs for security, abuse prevention, and debugging purposes.
2. How We Use Your Information
- To provide, operate, and improve the Service
- To generate and maintain your tamper-evident audit trail
- To enforce tenant isolation and access control
- To detect and prevent abuse, fraud, and unauthorized access
- To communicate with you about your account, updates, and support requests
- To comply with legal obligations
3. Data Retention
Audit log data is retained for the lifetime of your account and for a minimum of 12 months after account closure, to support compliance and regulatory requirements. Account data is deleted within 30 days of account closure upon request. API keys are stored as one-way hashes — we cannot recover the plaintext key.
4. Data Sharing
We do not sell your data. We do not share your data with third parties except:
- Infrastructure providers: We use Supabase (database), Render (hosting), and Stripe (billing). Each is bound by their own privacy and data processing terms.
- Legal requirements: We may disclose data if required by law, court order, or to protect the rights, property, or safety of IronWeft or others.
5. Security
All data is transmitted over TLS. API keys are stored as bcrypt hashes. Audit logs are SHA-256 hash-chained — any tampering is detectable. We apply the principle of least privilege to all internal access.
No security system is impenetrable. If you discover a vulnerability, please disclose it responsibly to forged@ironweft.io.
6. Your Rights
Depending on your location, you may have the right to access, correct, or delete personal data we hold about you. To exercise these rights, contact us at forged@ironweft.io. We will respond within 30 days.
If you are in the European Economic Area, you have rights under GDPR including data portability and the right to lodge a complaint with your local supervisory authority.
7. Cookies
Our website does not use tracking cookies or third-party analytics. We may use a session cookie strictly necessary for authenticated areas of the Service.
8. Children
The Service is not directed to individuals under 16. We do not knowingly collect personal data from children.
9. Changes to This Policy
We may update this policy as the Service evolves. Material changes will be communicated via email to account holders. Continued use of the Service after changes constitutes acceptance of the updated policy.
10. Contact
Questions about this policy: forged@ironweft.io