Privacy Policy
Last updated: May 11, 2026
This Privacy Policy describes how Ironact, Inc. ("Prompt Architect", "we", "us", or "our") collects, uses, discloses, and protects personal information when you use the Prompt Architect platform, websites, and related services (the "Services"). It applies globally and includes specific disclosures for residents of the United States (federal, California, and the state patchwork), the United Kingdom, the European Economic Area (EEA), the Republic of Korea, Germany, and France.
1. Controller and Representatives
The data controller is:
Ironact, Inc.
1111B S Governors Ave Ste 51691
Dover, DE 19904
United States
Phone: +1 (415) 851-9366
Email: contact@ironact.net
EU Representative (GDPR Art. 27)
EU Representative — appointment in progress. Ironact is in the process of designating an EU representative under GDPR Art. 27 and will publish the appointee here as soon as the appointment is complete. In the interim, EEA residents who wish to exercise rights under the GDPR (access, rectification, erasure, restriction, portability, objection, withdrawal of consent) or who otherwise need to contact us about personal data may do so at contact@ironact.net. We will respond within the timelines required by GDPR Art. 12 (generally one month, extendable by two further months for complex requests).
UK Representative (UK GDPR Art. 27)
Eui Sung Ko (acting as UK Representative), 267 Hanbury Street, London E1 5JY, United Kingdom. Contact: contact@ironact.net.
Personal Information Protection Officer / CPO (Korea, PIPA § 31)
Eui Sung Ko (고의성), Co-founder and Personal Information Protection Officer (개인정보 보호책임자). Phone: +82 10 8757 2946 · Email: contact@ironact.net (Korean-language support available).
Korean Domestic Agent (PIPA § 39-14)
Not applicable. Ironact does not currently meet either threshold under PIPA Art. 39-14 (prior-year revenue under KRW 1 trillion; fewer than 1 million daily Korean users averaged over three months) and does not have a Korean subsidiary with ≥30% equity. We will designate a domestic agent before crossing either threshold and update this notice accordingly.
Data Protection Officer
We have not formally appointed a Data Protection Officer because the legal thresholds in GDPR Art. 37 are not met by our current processing. The contact point for all data protection matters is contact@ironact.net.
2. Information We Collect
2.1 Information you provide
| Category | Examples |
|---|---|
| Account information | Name, email address, password (hashed), company size, role, language preference |
| Brand and project data | Brand names, website URLs, competitor lists, prompts, content uploaded for analysis |
| Billing information | Billing name, address, VAT/tax ID, last 4 digits of card (full card details are handled by our payment processor) |
| Communications | Messages, support tickets, survey responses |
2.2 Information collected automatically
| Category | Examples |
|---|---|
| Usage data | Pages and features accessed, clicks, session length, error events |
| Device and connection data | IP address, browser type and version, operating system, device type, referring URL |
| Cookies | See the Cookies Policy |
2.3 Information from third-party sources
| Category | Source |
|---|---|
| AI engine query results | ChatGPT, Perplexity, Gemini, Claude, Grok, Microsoft Copilot (we send brand-related queries and receive responses) |
| Public web content | Pages and feeds at URLs you register for monitoring |
| Authentication providers | Google OAuth (if you sign in with Google): name, email, profile picture, Google user ID |
2.4 Sensitive personal information (CCPA / CPRA)
The only categories of "sensitive personal information" under Cal. Civ. Code § 1798.140(ae) that we collect are:
- Account credentials (hashed password) — used only for authentication;
- Precise geolocation — we do not intentionally collect this. IP-based approximate location may be inferred for fraud prevention and analytics, but we do not derive precise geolocation.
We use these only for the purposes of (i) authenticating you, (ii) securing the Services, and (iii) providing the Services you request. None of these uses triggers the "Right to Limit Use of Sensitive Personal Information" under Cal. Civ. Code § 1798.121, so we are not required to display a "Limit Use" link. If our uses change, we will offer the link.
We do not knowingly collect special-category personal data under GDPR Art. 9 (such as data on racial or ethnic origin, political opinions, religious beliefs, health, sex life, or sexual orientation) or sensitive-data categories under PIPA Art. 23. Please do not submit such data through the Services.
Texas notice (Tex. Bus. & Com. Code § 541.105). We do not sell sensitive personal data or biometric personal data within the meaning of the Texas Data Privacy and Security Act.
3. Purposes and Legal Bases (GDPR / UK GDPR)
For users in the EEA, the UK, and other jurisdictions with similar laws, we process personal data on the following legal bases. The retention column references the per-category retention periods in § 7.
| Purpose | Categories used | Legal basis | Retention reference |
|---|---|---|---|
| Provide and maintain the Services (accounts, dashboards, brand monitoring) | Account, brand data, usage data | Contract (Art. 6(1)(b)) | Until deletion + 90 days (§ 7) |
| Process payments and prevent fraud | Billing, usage data | Contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) — fraud prevention | Tax-law retention (§ 7) |
| Send service-related emails (transactional, security, billing) | Account, communications | Contract (Art. 6(1)(b)) | While account active (§ 7) |
| Marketing emails about new features | Account | Consent (Art. 6(1)(a)) — opt-in; you can unsubscribe at any time. For Germany, double-opt-in per UWG § 7 | Until unsubscribe (§ 7) |
| Improve the Services, debug, and measure usage | Usage, device data | Legitimate interests (Art. 6(1)(f)) — operating and securing the platform | 30–90 days (§ 7) |
| Comply with legal obligations (tax, accounting, lawful requests) | Account, billing | Legal obligation (Art. 6(1)(c)) | As required by law (§ 7) |
| Establish, exercise, or defend legal claims | All as relevant | Legitimate interests (Art. 6(1)(f)) | Statute of limitations |
You can object to processing based on legitimate interests at contact@ironact.net (see § 8).
4. How We Use AI Engines
The core function of the Services is to query third-party AI answer engines with brand-related prompts and analyse the responses. We do not send identifiable personal data of your end users to AI engines. Queries typically contain brand names, product names, and category keywords you have configured.
When you upload your own brand content for the Brand Intelligence Model (BIM), that content may be processed by third-party AI providers (such as OpenAI for embeddings) under their data-processing terms. We use enterprise / API-tier endpoints where available; these providers do not train their models on your content under their standard API terms, but you should review their policies linked in § 5.
5. Sharing and Sub-processors
We do not sell personal data. We share personal data only with:
5.1 Sub-processors that help us deliver the Services
| Sub-processor | Role | Location | Privacy link |
|---|---|---|---|
| Vercel, Inc. | Web/application hosting, edge network | USA (with global edge regions) | https://vercel.com/legal/privacy-policy |
| Railway Corp. | Worker / backend hosting | USA | https://railway.com/legal/privacy |
| Neon, Inc. | Managed PostgreSQL database | USA / EU (region of your project) | https://neon.tech/privacy-policy |
| OpenAI, L.L.C. | LLM inference and embeddings | USA | https://openai.com/policies/privacy-policy |
| Anthropic, PBC | LLM inference (Claude) | USA | https://www.anthropic.com/legal/privacy |
| Google LLC | LLM inference (Gemini), OAuth sign-in | USA / EU | https://policies.google.com/privacy |
| Perplexity AI, Inc. | AI engine queries | USA | https://www.perplexity.ai/hub/legal/privacy-policy |
| xAI Corp. | AI engine queries (Grok) | USA | https://x.ai/legal/privacy-policy |
| Microsoft Corporation | AI engine queries (Copilot) | USA | https://privacy.microsoft.com/privacystatement |
| Stripe, Inc. | Payment processing | USA / EU | https://stripe.com/privacy |
| Axiom Inc. | Application logs and observability | USA / EU | https://axiom.co/privacy |
| Sentry (Functional Software, Inc.) | Error monitoring | USA | https://sentry.io/privacy/ |
| Resend, Inc. | Transactional and marketing email | United States | https://resend.com/legal/privacy-policy |
We do not currently use analytics, advertising, session-replay, CRM, or customer-support tools that process personal data of end users. If we add any, we will update this Policy and the Cookies Policy and, where required, re-prompt consent.
We maintain a current list of sub-processors at /docs/legal/sub-processors. Material changes will be announced in this Policy with at least 30 days' notice.
5.2 Other recipients
- Legal and regulatory authorities, when required by law, court order, or to respond to lawful requests (we resist overbroad requests and notify affected users where lawful).
- Professional advisors (lawyers, auditors, accountants) under confidentiality.
- Successor entities in a merger, acquisition, financing, or sale of assets, in which case we will notify affected users.
5.3 CCPA / state-law treatment
We do not "sell" personal information for monetary or other valuable consideration, and we do not "share" personal information for cross-context behavioural advertising, within the meaning of the CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA, or any other US state privacy law. We have not sold or shared in the preceding 12 months and do not plan to.
6. International Data Transfers
Personal data is processed primarily in the United States and, depending on your project region, in EU regions (Neon).
EEA / UK / Swiss transfers. Where we transfer personal data from the EEA, the UK, or Switzerland to the US or another non-adequate country, we rely on the following mechanisms, in this order of preference:
- EU-US Data Privacy Framework (DPF) — for sub-processors that self-certify under the DPF (Commission Implementing Decision (EU) 2023/1795). Sub-processors with confirmed self-certification under the EU-US Data Privacy Framework (verified at https://www.dataprivacyframework.gov/list) are Google LLC, OpenAI, L.L.C., Anthropic, PBC, Microsoft Corporation, Stripe, Inc., and Vercel, Inc. The remaining US sub-processors rely on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) together with supplementary technical and organisational measures. We re-audit DPF participation annually.
- Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914;
- UK International Data Transfer Addendum (IDTA) or the UK Addendum to the EU SCCs;
- Swiss SCCs for Swiss transfers.
Where SCCs are relied on, we conduct a Transfer Impact Assessment (TIA) and apply supplementary technical and organisational measures (encryption in transit, encryption at rest, key management, access controls). A copy of the relevant safeguards is available on request at contact@ironact.net.
Korean users (PIPA Art. 28-8). Personal data of Korean users may be transferred to the United States and to sub-processors listed in § 5. We rely on PIPA Art. 28-8(1)(iii) — the disclosure mechanism in the privacy policy — for transfers necessary to perform the contract for the Services. The required disclosures are:
- Recipients: as listed in § 5.1.
- Country of transfer: primarily the United States; the EU where you select an EU project region.
- Means and time of transfer: encrypted transmission over the internet (TLS 1.2+) and API calls, at the time you use the Services.
- Items transferred: account information, brand data, usage data, billing information, prompt-run content as described in § 2.
- Purpose: providing the Services as described in § 3.
- Retention: as described in § 7.
- Recipient's contact for objections: contact@ironact.net.
If you object to overseas transfer, we may not be able to provide the Services. To object, contact contact@ironact.net.
7. Retention
We retain personal data only as long as needed for the purposes for which it was collected, including to comply with legal obligations.
7.1 By data category (CCPA / CPRA / state laws)
| CCPA category | Examples in our system | Retention period |
|---|---|---|
| Identifiers (name, email, account ID) | Account information | Until account deletion + 90 days backup; billing identifiers up to 10 years (tax law) |
| Customer records (Cal. Civ. Code § 1798.80(e)) | Name, email, payment instrument | Same as above |
| Commercial information | Subscription history, transactions | 10 years (tax/accounting laws) |
| Internet / network activity | Pages visited, error logs, IP address | 30–90 days for logs; 12 months for security events |
| Geolocation (approximate, IP-derived) | Inferred from IP | Same as Internet / network activity |
| Professional / employment | Role, company size | Until account deletion + 90 days |
| Inferences (drawn from above) | Visibility analytics | While project active + 24 months |
| Sensitive PI (credentials) | Hashed password | Until account deletion |
7.2 By data type (operational reference)
| Data | Retention period |
|---|---|
| Account information | Until you delete your account, then up to 90 days for backups and dispute resolution |
| Brand and project data | Until you delete it or close your account, then up to 90 days |
| Prompt runs and analytics outputs | While the project is active, then up to 24 months for trend analysis (you may request earlier deletion) |
| Billing records and invoices | Up to 10 years where required by tax law (e.g., Germany — § 147 AO; France — Art. L102-B LPF; Korea — VAT Act; US — IRC) |
| Server and application logs | 30–90 days |
| Security event logs | Up to 12 months |
| Marketing email subscriber data | Until you unsubscribe |
| Backups | Up to 30 days, then automatically purged |
After the retention period we delete or irreversibly anonymise the data.
8. Your Rights
8.1 EEA / UK (GDPR / UK GDPR)
- Access — request a copy of your personal data;
- Rectification — correct inaccurate or incomplete data;
- Erasure — ask us to delete your data ("right to be forgotten");
- Restriction — limit processing in certain cases;
- Portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller;
- Object — to processing based on legitimate interests or for direct marketing (we will stop unless we have compelling legitimate grounds that override your rights);
- Withdraw consent — at any time, without affecting the lawfulness of prior processing;
- Not be subject to automated decisions — see § 11;
- Lodge a complaint — with your local supervisory authority (see § 13).
We will respond within one month (extendable by two further months for complex requests). The first request is free; we may charge a reasonable fee for manifestly unfounded or repetitive requests.
8.2 California (CCPA / CPRA)
California residents have the right to:
- Know what categories and specific pieces of personal information we collect, use, disclose, and (if applicable) sell or share;
- Delete personal information, subject to exceptions;
- Correct inaccurate personal information;
- Opt out of "selling" or "sharing" personal information — we do not sell or share personal information for cross-context behavioural advertising;
- Limit the use of sensitive personal information — see § 2.4 explaining why no link is required;
- Non-discrimination for exercising your rights;
- Designate an authorised agent to act on your behalf.
Automated Decision-Making Technology ("ADMT", effective 1 January 2026). Under the California Privacy Protection Agency's 2025 ADMT regulations (Cal. Code Regs. Tit. 11), where a business uses ADMT for a "significant decision" concerning a consumer, the consumer has the right to pre-use notice, to opt out, and to access information about the ADMT. As stated in § 11, the Services do not make significant decisions about consumers using ADMT today. If we begin to do so, we will provide the required notices, opt-out, and access channels at that time.
To exercise these rights, email contact@ironact.net or write to the address above. We will verify your identity before responding.
8.3 Other US states
You may have rights under your state's privacy law:
| State | Statute | Rights | Appeal |
|---|---|---|---|
| Virginia | VCDPA (§ 59.1-575 et seq.) | Access, correct, delete, portability, opt-out of sale/targeted advertising/profiling; sensitive-data opt-in | Yes — 60 days |
| Colorado | CPA (§ 6-1-1301 et seq.) | Same; universal opt-out (OOPS) honoured | Yes — 45 days |
| Connecticut | CTDPA | Same; OOPS honoured | Yes |
| Utah | UCPA | Access, delete, portability, opt-out | No appeal mechanism |
| Texas | TDPSA | Same as VCDPA | Yes |
| Oregon | OCPA | Same; broader sensitive-data treatment | Yes |
| Montana | MCDPA | Same as VCDPA | Yes |
| Iowa, Tennessee, New Jersey, Delaware, Indiana, Kentucky, New Hampshire, Maryland, Minnesota, Rhode Island | Various | Generally similar; consult your state's AG site | Most provide an appeal |
Appeal procedure. If we deny your rights request, you may appeal by emailing contact@ironact.net with the subject "Appeal" within 60 days. We will respond to the appeal within the deadline required by your state law (typically 45–60 days). If the appeal is denied, you may contact your state Attorney General.
To exercise rights or appeal, contact contact@ironact.net. We will verify your identity, including via your authorised agent where applicable.
8.4 Korea (PIPA)
Korean users have the right to (i) be notified of and consent to the processing of personal data; (ii) access, correct, delete, and suspend processing of their personal data; (iii) under PIPA Art. 37-2 (effective 15 March 2024), refuse, request an explanation of, or request human review of decisions made by fully automated systems that significantly affect their rights or obligations (see § 11); (iv) lodge a complaint with the Personal Information Dispute Mediation Committee (개인정보 분쟁조정위원회, https://www.kopico.go.kr) or the Personal Information Protection Commission (PIPC, https://www.pipc.go.kr); and (v) seek compensation through the courts.
You can exercise these rights through your account settings or by contacting the CPO listed in § 1.
8.5 California Disclosures (CCPA-specific appendix)
For each CCPA-defined category of personal information, the following table sets out the categories of sources from which we collect, the business or commercial purposes for collecting, and the categories of third parties to whom we disclose (Cal. Code Regs. Tit. 11 § 7011(e)):
| CCPA category | Sources | Purposes | Recipients | Sold / shared? |
|---|---|---|---|---|
| Identifiers | You; Google OAuth | Provide Services, fraud prevention, transactional emails | Hosting / database sub-processors (§ 5.1) | No |
| Customer records | You; Stripe | Billing, tax compliance | Stripe, accounting providers | No |
| Commercial information | You | Provide subscriptions, analytics | Hosting / database sub-processors | No |
| Internet / network activity | You / your browser | Operate platform, security | Hosting, logging, error-monitoring (§ 5.1) | No |
| Geolocation (approximate) | IP address | Fraud prevention, security | Hosting, logging | No |
| Professional / employment | You | Personalise experience | Hosting / database sub-processors | No |
| Inferences | Derived | Analytics, recommendations | Internal only | No |
| Sensitive PI (credentials) | You | Authentication | Hosting / database sub-processors | No |
We have not sold or shared personal information in the preceding 12 months.
9. Cookies and Similar Technologies
We use a small number of essential cookies (session, locale) and may use first-party analytics cookies. We do not use third-party advertising cookies. Full details, including the cookie table and how to manage your preferences, are in the Cookies Policy.
For users in the EEA, the UK, France, and Germany, where consent is required for non-essential cookies (ePrivacy Directive, TDDDG § 25 in Germany, French Loi Informatique et Libertés Art. 82), we obtain consent through the cookie banner before setting non-essential cookies. The "Accept all" and "Refuse all" buttons are equally prominent and equally easy to use on the first layer of the banner, per CNIL Délibération 2020-091 and ICO guidance.
10. Children
The Services are not directed to children under the age limits described in § 1 of the Terms of Service. We do not knowingly collect personal information from children.
United States (COPPA). The Services are not directed to children under 13. We do not knowingly collect personal information from a child under 13. If we learn we have collected such information, we will delete it. Parents/guardians may contact contact@ironact.net to request review or deletion. We will comply with the FTC's 2025 amendments to the COPPA Rule by their effective date.
If you believe a child has provided us personal information, contact contact@ironact.net and we will delete it.
11. Automated Decision-Making
We do not make decisions based solely on automated processing — including profiling — that produce legal or similarly significant effects concerning you within the meaning of GDPR Art. 22 / UK GDPR Art. 22 / PIPA Art. 37-2 / CCPA ADMT rules. The AI-generated analytics produced by the Services are decision-support outputs reviewed by your team, not decisions about you.
If our processing changes such that ADMT or Art. 22-style decisions become relevant, we will provide the required notices, opt-out, and human-review channels, and update this Policy.
12. Security
We use industry-standard technical and organizational measures to protect personal data, including:
- TLS 1.2+ encryption in transit and AES-256 encryption at rest for databases and backups;
- Role-based access control and least-privilege principles;
- Logging and monitoring of administrative access;
- Regular dependency and infrastructure security updates;
- Annual security reviews; SOC 2 Type II controls for Enterprise plans (in progress / available on request).
No system is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (and, where applicable, affected users) within the deadlines required by GDPR Art. 33–34, PIPA Art. 34 (without delay), and applicable US state breach-notification laws.
13. Supervisory Authorities
You can lodge a complaint with the supervisory authority in your country, including:
| Jurisdiction | Authority | Website |
|---|---|---|
| EU (one-stop shop) | Your local DPA — list at https://edpb.europa.eu/about-edpb/about-edpb/members_en | edpb.europa.eu |
| France | Commission Nationale de l'Informatique et des Libertés (CNIL) | cnil.fr |
| Germany | Federal Commissioner for Data Protection (BfDI) and the relevant state DPA | bfdi.bund.de |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk |
| Korea | Personal Information Protection Commission (PIPC) | pipc.go.kr |
| California | Attorney General / California Privacy Protection Agency (CPPA) | oag.ca.gov · cppa.ca.gov |
| Texas | Office of the Attorney General | texasattorneygeneral.gov |
| Virginia, Colorado, Connecticut, and other states | State Attorney General | (see your state's AG website) |
We encourage you to contact us first so we can address your concern directly.
14. Changes to this Policy
We may update this Policy from time to time. Material changes will be announced by email or in-product notice at least 30 days before they take effect (or any longer period required by local law). The "Last updated" date on this page always reflects the current version. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
15. Contact
Email (privacy and general enquiries): contact@ironact.net
Ironact, Inc.
1111B S Governors Ave Ste 51691
Dover, DE 19904
United States
Phone: +1 (415) 851-9366