Legal
Data & Compliance
Last updated: draft, not yet published
Draft, pending legal review
This is a working draft prepared for review by a qualified lawyer before publication. Text shown like [THIS] is a placeholder that must be completed, and [Review: like this] flags a point to confirm. Nothing here is binding until reviewed and published.
GDPR roles
For the workspace content you create and sync, you are the data controller and [PUBLISHER] acts as a data processor that hosts your (end-to-end encrypted) content on your behalf. For account and telemetry data, [PUBLISHER] is the data controller.
Where your data lives
All servers are located in the European Union. We do not transfer personal data outside the EU. [Review: name the hosting region/country, e.g. OVHcloud, France.]
Sub-processors
We use the following sub-processors to operate the service:
- [HOSTING PROVIDER]: server hosting (EU)
- [PAYMENT PROCESSOR]: Pro subscription billing
- [EMAIL PROVIDER]: transactional email (password resets, invitations)
Security
Synced workspace content is end-to-end encrypted; our servers store only ciphertext. All traffic is encrypted in transit (TLS). [Review: state encryption-at-rest posture for server databases and local secrets.]
Retention and deletion
Telemetry and bug-report data are retained for [RETENTION PERIOD]. When you delete your account, your cloud data is deleted from our servers [after a 30-day grace period]; your local SQLite database is unaffected and remains on your machine.
Your rights and breach notification
You may exercise your GDPR rights (access, rectification, erasure, portability, objection) by contacting contact@ironcall.dev. In the event of a personal-data breach, we will notify the competent supervisory authority and affected users as required by the GDPR.
Data Processing Agreement
Organizations that need a Data Processing Agreement (DPA) can request one at contact@ironcall.dev. [ATTACH DPA TEMPLATE].