Legal

Privacy Policy

This policy explains controller-side processing, processor-side handling, legal bases, data sharing, retention, and rights management.

Effective date: 2026-02-15

This Privacy Policy explains how Iridae ApS ("we", "us") processes personal data in connection with the Intelligence Platform (the "Service"). This policy is written for business customers.

Who we are

Controller (for most business/contact/admin data): Iridae ApS, Maglebjergvej 6, 2800 Kongens Lyngby, Denmark Email: privacy@iridae.com

Two different roles depending on the data

When you upload content or provide links that contain personal data, you typically do so on behalf of your organization. In that case:

  • You are the Controller
  • We are the Processor

The processing is governed by our DPA: https://iridae.com/legal/dpa

B) When we are a Controller (our own business operations)

We are the Controller for personal data we process to run our business, such as:

  • account and admin information
  • billing and payment data
  • support communications
  • security, logs, and anti-abuse data
  • website and marketing data

This Privacy Policy mainly describes this Controller-side processing, and it also summarizes Processor-side handling at a high level.

Personal data we collect (Controller-side)

We may collect:

  • Account and contact data
    • name, work email, company name, role/title (if provided)
    • login credentials and account identifiers
  • Billing data
    • invoice details, billing contact info, VAT details
    • payment status and transaction references (payment card data is usually handled by the payment provider, not stored by us)
  • Support and communications
    • messages you send us, attachments you include, and metadata needed to respond
  • Usage, security, and logs
    • device and browser info, IP address, timestamps
    • activity logs (for example, login events and feature usage)
    • error logs and security/audit logs
  • Website analytics
    • pages viewed, referrers, approximate location, cookies/identifiers (see Cookies section)

Important: You control what you submit into the Service. We strongly discourage submitting unnecessary personal data in uploads/links.

How we use personal data (Controller-side)

We use personal data to:

  • provide and operate the Service (accounts, access, customer administration)
  • billing, taxes, and accounting
  • customer support
  • security, abuse prevention, and debugging
  • service improvement (for example, performance and reliability improvements)
  • legal compliance and enforcement of agreements
  • marketing

We rely on:

  • contract (to provide the Service, support, billing)
  • legal obligation (tax/accounting, compliance requests)
  • legitimate interests (security, fraud prevention, service reliability, basic B2B marketing, and improving the Service)

Where consent is required (typically cookies/analytics in the EU), we will request it.

Your content, AI, and model improvement (Processor-side summary)

When you use the Service, your organization may submit documents, game materials, and links that could include personal data. In most cases we process this as a Processor under the DPA.

AI and subprocessors. We may use our own models and third-party AI providers/subprocessors to generate Outputs as described in our AI Policy: https://iridae.com/legal/ai and in our Subprocessor list: https://iridae.com/legal/subprocessors.

Training and improvement. Unless you have a written no-training agreement with us, we may use Customer Content to improve the Service, including training our systems, as described in the AI Policy and DPA. We aim to do this in privacy-preserving ways (for example, learning model updates/weights rather than reusing raw content across accounts), but residual risk cannot be eliminated entirely.

Sharing and disclosures

We share personal data with:

  • Subprocessors/service providers (hosting, AI, monitoring, support tooling, payments) to run the Service
  • professional advisors (legal/accounting) as needed
  • authorities where required by law
  • a buyer/successor in a merger, acquisition, or asset sale (with appropriate protections)

We do not sell personal data.

International transfers

If personal data is processed outside the EU/EEA, we use appropriate safeguards (for example, adequacy decisions or Standard Contractual Clauses), as described in the DPA.

Retention

  • Controller-side data: We keep personal data as long as needed for the purposes above, including legal/accounting requirements and security needs.
  • Processor-side (Customer Content): Deletion/return is handled under the DPA. As a default, we delete or return Customer Personal Data within 60 days after termination/expiry, subject to lawful retention (for example, security logs, backups, dispute resolution) as described in the DPA.

Security

We use appropriate technical and organizational measures to protect personal data (access controls, encryption in transit, and other safeguards described at a high level in the DPA).

No system is perfectly secure. You are responsible for configuring access to any third-party links you provide.

Your rights (and how to exercise them)

If we are the Controller of your personal data, you may have rights to access, rectify, delete, restrict, object, and data portability, and to lodge a complaint with a supervisory authority.

To exercise rights, contact: privacy@iridae.com.

If the personal data is in Customer Content that we process as a Processor, we will generally refer you to the Customer (the Controller) or assist the Customer under the DPA.

Cookies and analytics

We use analytics/cookies and describe them at https://iridae.com/legal/cookies and (where required) obtain consent via a cookie banner and preference controls.

Children

The Service is for business use and not directed to children. We do not knowingly collect children's personal data.

Changes

We may update this policy from time to time. We will post the updated version with a new effective date.