What we collect, and what we can't

1. Who we are

IronSeal is operated by ConnectDevs(“we”, “us”, “our”). We are the data controller for personal information processed through this service. For privacy questions or to exercise your rights described below, contact us at privacy@ironseal.app.

2. Data we collect

Every field below is necessary for IronSeal to function. We don't collect anything “just in case”.

3. What we don't collect

• ✕Message content. Encrypted in your browser before transmission; the server only ever holds ciphertext.
• ✕Your private keys. Generated and stored locally on your device (in IndexedDB).
• ✕Your passphrase. Used locally to derive an encryption key — never transmitted.
• ✕Your contacts list from your phone or email. We never read your address book.
• ✕Location data. No GPS, no IP-based location tracking.
• ✕Behavioural analytics. No Google Analytics, no Meta Pixel, no Hotjar, no session-replay.
• ✕Advertising IDs. We don't advertise; we have no use for them.

4. How we use the data

We process the data above only to:

• →Authenticate you and keep your session secure
• →Relay encrypted messages between participants
• →Show contact requests, presence (online/offline), and read receipts
• →Detect and rate-limit abuse (brute-force logins, message spam)
• →Send transactional email — password resets, contact-request notifications
• →Comply with legal obligations (court orders, tax law)

We do not use your data to train AI models, build advertising profiles, or sell to data brokers.

5. Legal bases for processing

For users in the UK, EEA, or other GDPR-equivalent jurisdictions, our legal bases are:

• CONTRACTOperating your account, relaying messages, and providing the service you signed up for.
• LEGITIMATESecurity logging, rate-limiting, abuse prevention, and minimal product analytics.
• CONSENTOptional features such as encrypted private-key backup, biometric registration, and TOTP setup.
• LEGALCompliance with applicable laws — court orders, tax records, anti-fraud rules.

6. Sub-processors we use

We rely on the following third-party services. None of them ever receive plaintext messages.

All sub-processors are bound by data processing agreements. We'll update this list 30 days before adding any new sub-processor that handles personal data.

7. How long we keep things

8. Your rights

Depending on where you live, you have the right to:

• →Access — request a copy of the personal data we hold about you
• →Rectify — correct any inaccurate information
• →Delete — close your account and have your data purged. You can do this yourself in Settings → Account → Delete account
• →Export — download your account data as an AES-256 password-protected archive. You can do this yourself in Settings → Account → Export your data; the unlock password is emailed to you
• →Object — to processing based on legitimate interests
• →Withdraw consent — for any feature that requires it (biometrics, key backup, TOTP)
• →Lodge a complaint — with your local data protection authority

Email privacy@ironseal.appto exercise these rights. We'll respond within 30 days.

9. California residents (CCPA/CPRA)

If you live in California, you have additional rights under the CCPA/CPRA:

• →The right to know what personal information we collect (covered in §2 above)
• →The right to delete it (covered in §8 above)
• →The right to correct inaccurate information
• →The right to opt out of “sale” or “sharing” of personal information — we do neither, so this is not applicable, but the right exists
• →The right to non-discrimination for exercising any of the above

10. Children

IronSeal is not directed at children under 13 (or 16 in the EEA / UK). We do not knowingly collect personal data from children. If you believe a child has created an account, contact us at privacy@ironseal.app and we will delete the account promptly.

11. International data transfers

Our servers are hosted in the United States. If you are accessing IronSeal from outside the U.S., your data will be transferred to and processed in the U.S. Where required, we rely on Standard Contractual Clauses or equivalent safeguards. Because message content is end-to-end encrypted, transferring ciphertext across borders carries no additional disclosure risk — the U.S. server sees the same encrypted bytes as everyone else.

12. Security

Beyond the end-to-end encryption that's the entire point of IronSeal, we apply standard industry safeguards on the server side:

• →HTTPS / TLS 1.3 for all transport
• →HSTS, CSP, and modern security headers
• →Database encryption at rest
• →Short-lived JWT access tokens (30 minutes) with rotation + blacklisting
• →Rate limiting (20 req/min anonymous, 120 req/min authenticated)
• →3-strike lockout on biometric / PIN failures
• →Optional TOTP two-factor authentication

See our Security Whitepaper for the full cryptographic specification.

13. Breach notification

If we ever suffer a data breach affecting your personal data, we will notify affected users and the relevant data-protection authority within 72 hours of discovery, where feasible. The notification will describe what happened, what data was affected, and the steps we're taking. Because messages are end-to-end encrypted, a server-side breach would expose ciphertext only — not message content.

14. Changes to this policy

If we make material changes, we'll email you (and post a banner in-app) at least 14 days before they take effect. The “Effective” date at the top of this page always reflects the most recent version. Past versions are kept on request — email privacy@ironseal.app.

15. Governing law & contact

This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to conflict-of-law principles.

Privacy questions, data-subject requests, or anything else: privacy@ironseal.app