Legal

Privacy Policy

Effective date: May 18, 2026  ·  IronWeft (“we,” “our,” “us”)

This Privacy Policy describes how IronWeft collects, uses, and protects information when you use our website at ironweft.io and our Agent IAM API (collectively, the “Service”).

1. Information We Collect

Account information. When you sign up, we collect your name, email address, and company name. We use this to create and manage your tenant account.

API usage data. We log every API call made with your key — including endpoint, timestamp, agent IDs, and authorization decisions. This data forms the hash-chained audit trail that is core to the Service.

Agent data. We store agent registration details (name, sponsor ID, roles, classification) and credential issuance records that you submit through the API.

Communication data. If you contact us via the contact form or email, we store the content of that communication to respond to your inquiry.

Technical data. We collect IP addresses, request headers, and error logs for security, abuse prevention, and debugging purposes.

2. How We Use Your Information

3. Data Retention

Audit log data is retained for the lifetime of your account and for a minimum of 12 months after account closure, to support compliance and regulatory requirements. Account data is deleted within 30 days of account closure upon request. API keys are stored as one-way hashes — we cannot recover the plaintext key.

4. Data Sharing

We do not sell your data. We do not share your data with third parties except:

5. Security

All data is transmitted over TLS. API keys are stored as bcrypt hashes. Audit logs are SHA-256 hash-chained — any tampering is detectable. We apply the principle of least privilege to all internal access.

No security system is impenetrable. If you discover a vulnerability, please disclose it responsibly to forged@ironweft.io.

6. Your Rights

Depending on your location, you may have the right to access, correct, or delete personal data we hold about you. To exercise these rights, contact us at forged@ironweft.io. We will respond within 30 days.

If you are in the European Economic Area, you have rights under GDPR including data portability and the right to lodge a complaint with your local supervisory authority.

7. Cookies

Our website does not use tracking cookies or third-party analytics. We may use a session cookie strictly necessary for authenticated areas of the Service.

8. Children

The Service is not directed to individuals under 16. We do not knowingly collect personal data from children.

9. Changes to This Policy

We may update this policy as the Service evolves. Material changes will be communicated via email to account holders. Continued use of the Service after changes constitutes acceptance of the updated policy.

10. Contact

Questions about this policy: forged@ironweft.io