PRIVACY POLICY
Last updated: March 29, 2025
Introduction
This privacy policy ("Privacy Policy") applies to all visitors and users of the Iwyvern platform and website (collectively, "Iwyvern," "Platform," or "Services") at iwyvern.com, offered by Iwyvern ("we," "us," or "our"). It describes how we collect, use, disclose, and otherwise process your personal data in connection with our Services, including through the use of cookies and related technologies. It also informs you about your data protection rights under applicable law, including the General Data Protection Regulation (GDPR).
By accessing or using any part of the Services, you acknowledge you have read and understood this Privacy Policy.
Data Controller
Iwyvern
Contact Email: support@iwyvern.com
Iwyvern is the data controller responsible for the processing of your personal data collected through the Services.
Applicability of this Privacy Policy
This Privacy Policy applies to personal data we collect from you as a customer or visitor when using our Services.
If you are using the Services as an employee, contractor, or other representative of one of our customers, that customer is typically the data controller for much of your data, and we act as a data processor on their behalf. Please direct privacy inquiries or rights requests to the corresponding customer in such cases.
Personal Data We Collect
We collect personal data that you provide directly to us and data collected automatically through your use of the Services.
Data You Provide:
- Account Information: When you sign up for an account, we collect information such as your username and email address. We process this based on the performance of our contract with you.
- Profile Information: Any additional information you choose to provide in your user profile. Processing is based on performance of contract or your consent.
- Payment Information: When you make a purchase or subscribe to a paid service, we collect billing details such as name, billing address, and payment method. Full payment information (like credit card numbers) is processed directly by our payment processor, Stripe, and is not stored on our servers. We process this data based on the performance of our contract with you.
- Communications: Information you provide when you contact us (e.g., support requests, feedback). We process this based on our legitimate interest in responding to you and improving our Services, or to fulfill a contractual request.
Data Collected Automatically:
Like most online services, we automatically collect certain information when you visit or interact with our Services:
- Technical & Device Information: Your device's internet protocol (IP) address, device type, operating system, browser type, unique device identifiers, language settings, and general location information (e.g., city, country inferred from IP address).
- Usage Data: Information about your interaction with our Services, such as pages visited, features used, content viewed, time spent, referral URL, clicks, and other activity data.
- Security Data: To protect our services, we use tools like Google reCAPTCHA, which collects hardware and software information, such as device and application data and the results of integrity checks (e.g., your interaction with the reCAPTCHA prompt), as well as unique identifiers. This data is sent to Google to help distinguish humans from bots.
We process automatically collected data based on our legitimate interests in understanding how our Services are used, improving user experience, ensuring the functionality and security of our Services, and preventing fraud and abuse. For data collected via non-essential cookies or similar technologies, we rely on your consent, typically obtained via a cookie banner.
Some of this information is collected using cookies, web beacons, and related technologies. Please see the "Cookies and Analytics" entry under "Your Choices" below for more details.
Information We Do Not Intentionally Collect
We do not intentionally collect sensitive or special category personal data (as defined under GDPR), such as genetic data, biometric data for unique identification, health information, or religious beliefs.
Our Services are not directed to children. We do not knowingly collect personal data from individuals under the age of 16 (or a lower age if permitted by the user's EU Member State law, but not below 13). If we learn we have collected personal data from a child under the applicable age without verification of parental consent, we will take steps to delete that information promptly. If you believe we might have any information from or about a child under the applicable age, please contact us.
How We Use Your Personal Data and Lawful Bases
We use your personal data for the following purposes, relying on the specified lawful bases under GDPR:
- Provide, Maintain, and Improve Services: To operate the Platform and deliver the services you request. (Lawful Basis: Performance of Contract; Legitimate Interests in maintaining and improving services).
- Process Transactions: To complete transactions you initiate, including processing payments via our payment processor, Stripe. (Lawful Basis: Performance of Contract).
- Account Management & Administration: To manage your account and send administrative information (e.g., security alerts, updates, support messages). (Lawful Basis: Performance of Contract; Legitimate Interests in managing the service).
- Respond to Inquiries: To respond to your comments, questions, and requests for support. (Lawful Basis: Legitimate Interests in user support; Performance of Contract if related to service delivery).
- Facilitate User Communication: If applicable, to enable communication features between users. (Lawful Basis: Performance of Contract).
- Analyze Usage: To monitor and analyze trends, usage, and activities to understand how users interact with our Services and improve them. (Lawful Basis: Legitimate Interests in service improvement; Consent for analytics relying on non-essential cookies).
- Security and Fraud Prevention: To detect, prevent, and address technical issues, fraud, spam, abuse, and security incidents (e.g., through Google reCAPTCHA). (Lawful Basis: Legitimate Interests in protecting our Services, users, and business; potentially Legal Obligation).
- Personalization: To personalize your experience (e.g., remembering settings). (Lawful Basis: Legitimate Interests in enhancing user experience; Consent for certain personalization cookies).
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests. (Lawful Basis: Legal Obligation).
- Enforce Terms & Protect Rights: To enforce our terms of service and protect our rights, privacy, safety, or property, and/or those of you or others. (Lawful Basis: Legitimate Interests).
Specific Technologies and Services We Use
- Amazon Web Services (AWS): For hosting our Platform and storing data.
- Google Analytics: For website analytics (subject to your consent where required).
- Google AI (Gemini): For providing specific AI-powered features within the Services.
- Google reCAPTCHA: To protect our Services from spam and abuse. Your use of reCAPTCHA is subject to the Google Privacy Policy and Terms of Use.
- Stripe: For payment processing. When you make a payment, your payment card data is collected and processed directly by our payment processor Stripe. We do not store your full credit card information on our servers. Stripe may use your data as required for processing payments, fraud prevention, and compliance with their legal obligations. For more information, please refer to Stripe's Privacy Policy.
Sharing Your Personal Data
We do not sell your personal data. We may share your personal data with the following categories of recipients under specific circumstances and based on lawful grounds:
- Service Providers: Third-party vendors, consultants, and other service providers who perform services on our behalf (e.g., hosting with AWS, analytics with Google, AI features with Google, security with Google reCAPTCHA, payment processing with Stripe). These providers only have access to personal data needed to perform their functions and are contractually obligated to protect it. (Basis: Performance of Contract; Legitimate Interests).
- Affiliated Organizations, Employees, Contractors: Our personnel and affiliated entities (if any) who need the information to process it on our behalf or provide Services, bound by confidentiality obligations. (Basis: Legitimate Interests in efficient operation).
- Professional Advisors: Lawyers, bankers, auditors, and insurers providing consultancy, banking, legal, insurance, and accounting services, where necessary. (Basis: Legitimate Interests in managing our business; Legal Obligation).
- Legal Requirements & Law Enforcement: Government authorities, courts, or other third parties if we believe disclosure is required by law, regulation, legal process, or governmental request; to protect our rights, property, or safety, or that of our users or the public; or to detect, prevent, or otherwise address fraud, security, or technical issues. (Basis: Legal Obligation; Legitimate Interests).
- Business Transfers: In connection with, or during negotiations of, any merger, sale of assets related to the Iwyvern service, financing, or acquisition of all or a portion of the service operations by another entity. We will notify you as required by law. (Basis: Legitimate Interests in business continuity).
- With Your Consent: We may share your information with other third parties when we have your explicit consent to do so.
Data Storage and International Transfers
Your personal data is primarily stored and processed within the European Economic Area (EEA), specifically on servers located in Ireland (using AWS).
However, certain processing activities may involve transferring your data outside the EEA. This occurs when we use service providers located outside the EEA, such as Google (for Analytics, AI, reCAPTCHA) and potentially components of AWS infrastructure operating globally.
When we transfer your personal data outside the EEA to countries not deemed adequate by the European Commission, we ensure appropriate safeguards are in place to protect your data, primarily by relying on the Standard Contractual Clauses (SCCs) approved by the European Commission, along with supplementary measures as necessary.
Iwyvern Communications With You
If you are a registered user, we may send you emails related to your account, security, system updates, or necessary service information (Basis: Performance of Contract; Legitimate Interests). We may also occasionally send emails about new features, solicit feedback, or provide updates about Iwyvern (Basis: Legitimate Interests, or Consent for purely marketing emails). You can opt out of non-essential (marketing) emails by clicking the "unsubscribe" link in the email or by contacting us at support@iwyvern.com.
If you send us a request (e.g., via support email), we reserve the right to publish the nature of the request (without your personal data) to help clarify issues or support other users.
Your Choices
- Marketing Communications: You can opt out of marketing emails as described above.
- Cookies and Analytics: We use cookies for essential purposes and analytics. For analytics cookies (such as Google Analytics), we obtain your explicit consent through our cookie consent banner. You can change your cookie preferences at any time by clearing your browser cookies and revisiting our site, which will prompt the consent banner to appear again. Most browsers also allow you to control cookies through settings. You can typically delete existing cookies and configure your browser to reject new ones.
- Analytics: You can opt out of Google Analytics tracking via our cookie consent banner. Additionally, you can use browser add-ons like the Google Analytics Opt-out Browser Add-on (https://tools.google.com/dlpage/gaoptout).
Your Data Protection Rights under GDPR
If you are located in the EEA or UK, you have the following data protection rights:
- Right of Access: You can request copies of your personal data.
- Right to Rectification: You can ask us to correct inaccurate personal data or complete incomplete data.
- Right to Erasure ('Right to be Forgotten'): You can ask us to delete your personal data under certain conditions (e.g., it's no longer necessary, you withdraw consent, you object and there are no overriding legitimate grounds).
- Right to Restriction of Processing: You can ask us to restrict the processing of your personal data under certain conditions (e.g., while accuracy is contested, processing is unlawful but you oppose erasure).
- Right to Object: You have the right to object to processing based on our legitimate interests. We must stop processing unless we can demonstrate compelling legitimate grounds which override your interests, rights, and freedoms, or for legal claims. You also have an absolute right to object to processing for direct marketing purposes.
- Right to Data Portability: You can request to receive the personal data you provided to us in a structured, commonly used, machine-readable format, and have the right to transmit that data to another controller, where processing is based on consent or contract and carried out by automated means.
- Right to Withdraw Consent: If we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority (data protection authority) in your EU Member State of residence, place of work, or place of the alleged infringement if you believe our processing violates GDPR.
To exercise any of these rights, please contact us at support@iwyvern.com with the subject line "Privacy Rights Request". We may need to verify your identity before processing your request.
Data Retention and Deletion
We retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. This includes retaining data for as long as your account is active, to perform our contractual obligations, provide services, comply with legal obligations (e.g., tax, accounting), resolve disputes, enforce our agreements, and protect our legitimate interests.
When data is no longer needed, we will securely delete or anonymize it. For example, account information may be retained while your account is active and for a reasonable period afterward for administrative or legal purposes. Usage logs might be anonymized or deleted after a shorter period (e.g., 12 months, unless needed longer for security investigations).
Contacting Iwyvern About Your Privacy
If you have questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact us:
Email: support@iwyvern.com (Please use subject line "Privacy Concern" or "Privacy Rights Request" as appropriate)
Privacy Policy Changes
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the "Last updated" date at the top of this policy and may provide additional notice, such as through email or a prominent notice on our Services, prior to the change becoming effective. We encourage you to review this Privacy Policy periodically. Your continued use of our Services after any changes constitutes your acceptance of the revised policy.