Privacy Policy

Last updated: April 7, 2026

This Privacy Policy explains what personal data we collect and how we handle it. It is a starting point appropriate for a soft launch. Before you accept EU, UK, or California customers at scale, have your counsel review this document against GDPR, UK GDPR, CCPA/CPRA, and any industry-specific regulations that apply to your business.

1. Who we are

IR-OS ("we," "us," "our") operates the IR-OS Incident Command Platform accessible at ir-os.com and app.ir-os.com. For questions about this Privacy Policy or your personal data, contact us at [email protected].

2. What we collect

2.1 Account and profile data

When you sign up for IR-OS, we collect:

Your name and work email address
Your organization name, industry, and size
Your role within your organization (e.g., CISO, IR Lead)
A hashed version of your password (we never store plaintext passwords)

2.2 Usage data

When you use the Service, we log:

IP address, user agent, and approximate geolocation derived from the IP
Timestamps for sign-ins, sign-outs, and key actions (incident declarations, task updates, AAR generation)
Incident metadata you enter, team roster, IR plan content, exercise findings, and assessment data (collectively "Customer Data")
Error and performance telemetry

2.3 AI interaction data

When you use AI-assisted features, the relevant context (incident title, type, recent events, IR plan sections, regulatory context) is sent to OpenRouter, which routes to the underlying model provider (currently Anthropic or similar). We do not send personal identifiers like email addresses into these prompts unless they are part of your incident content.

2.4 Cookies

We use strictly necessary cookies to keep you signed in (Supabase Auth session cookies) and to detect the country/region for performance routing (Cloudflare). We do not use advertising or cross-site tracking cookies.

3. How we use your data

Provide the Service: authenticate you, store and display your incident records, deliver notifications.
Operate and improve: debug errors, measure performance, fix security issues.
Communicate: send transactional emails (alerts, AARs, password resets) and occasional product updates to the account owner.
Comply with law: respond to lawful requests from authorities, enforce our Terms, protect our rights.

We do not sell your personal data. We do not rent your email address to third parties.

4. Subprocessors

IR-OS relies on the following subprocessors to operate the Service. Each processes personal data only as necessary to perform its function and is bound by its own data protection terms.

Subprocessor	Purpose	Location
Cloudflare, Inc.	DNS, CDN, WAF, Workers (app hosting), Pages (landing), Email Routing	Global edge network
Supabase, Inc.	Postgres database, authentication, row-level security	United States
OpenRouter.ai	Gateway to large language model providers for AI-assisted features	United States
Resend, Inc.	Transactional email delivery (alerts, AARs)	United States

5. Retention

We keep Customer Data for as long as your account is active, plus a reasonable window afterward for backups and legal retention. When you delete your account, we delete or anonymize your personal data within 90 days, except for data we are required to retain for legal, accounting, or security reasons.

Incident records are stored in an append-only, hash-chained ledger. Individual events cannot be edited or deleted after creation; an incident can only be deleted as a whole by deleting the account or the org.

6. Security

We implement reasonable administrative, technical, and physical safeguards to protect your data, including:

Encryption in transit (TLS 1.2+) and at rest (AES-256 via Supabase)
Row-level security enforced at the database layer (tenant isolation)
SHA-256 hash-chained event ledger for tamper evidence
Secrets managed via Cloudflare Workers secrets and environment variables, not committed to source control
Principle of least privilege for internal access

See our Security page for more detail.

No system is perfectly secure. In the event of a security incident affecting your personal data, we will notify you and any applicable authorities as required by law.

7. Your rights

Depending on your location, you may have some or all of the following rights regarding your personal data:

Access: request a copy of the data we hold about you
Correction: ask us to correct inaccurate data
Deletion: ask us to delete your data
Portability: request your data in a machine-readable format
Objection: object to certain processing activities
Complaint: lodge a complaint with your local data protection authority

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. International transfers

IR-OS is operated primarily in the United States. If you are located outside the United States, your data will be transferred to and processed in the US. We rely on appropriate safeguards for these transfers, including the EU Standard Contractual Clauses where applicable.

9. Children

IR-OS is not intended for anyone under 18. We do not knowingly collect personal data from children.

10. Changes

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes, we will give reasonable notice via email or an in-product banner.

11. Contact

Questions or concerns? Email [email protected].