Legal
Privacy & Data Policy
Irys legal AI services, a product of Iqidis, Inc.
Iqidis, Inc. · 3 Columbus Circle, Floor 15, New York, NY 10019
Last Updated: May 9, 2026
Owner: Legal & Security, Iqidis, Inc. · Contact: legal@iqidis.ai & info@iqidis.ai
1. Introduction
Iqidis, Inc. is committed to protecting your privacy and safeguarding your information. This Privacy & Data Policy explains how we collect, use, disclose, secure, and retain information when you use our Irys legal AI services at iqidis.ai (and successor domains including irys.ai) and any related applications or services (collectively, the “Services”).
Roles & Ownership.Where the Customer is an organization or enterprise, the Organization is the data controller/owner of Customer Content and Customer Data. Authorized Users act on behalf of the Organization, and Iqidis acts solely as the Organization's data processor or service provider. We are not a custodian or data owner of your Customer Content. For website/marketing interactions, Iqidis acts as data controller of that contact/admin data.
2. Information We Collect
Information You Provide
- Account & Profile: Name, email, firm/organization, role, and authentication data.
- Payment/Billing: Processed by trusted payment providers (we do not store full payment card details).
- Customer Content: Documents and other materials you upload or input to use the Services.
- Support/Feedback: Content of support tickets, feature requests, or product feedback.
Information Collected Automatically
- Telemetry (content-free): Minimal operational telemetry excluding Customer Content. Limited to behavioral/interaction metadata (e.g., UI events/clicks, navigation flows, request timing, status/error codes, coarse device/browser metadata). Telemetry does not include prompts, model outputs, or uploaded documents/files.
- Device/Log Data: IP address, device and browser type, operating system, general geo (city/country), and timestamps.
3. How Our AI Processes Your Data (Hybrid Architecture)
Local-First, In-House Processing
By default, requests are handled in-house by Iqidis within Iqidis-controlled infrastructure using our KG/RAG and orchestration layers. Customer Content is stored and processed within your organization's dedicated Iqidis tenant and per-user profile containers. not pooled or commingled with other customers. We do not use Customer Content to train models.
Selective, Discrete Subprocessor Inference (If Needed)
For certain discrete aspects of a query (e.g., language polish, format transformation, translation, or general-knowledge reasoning), our orchestrator may invoke a subprocessor (e.g., OpenAI, Anthropic, Google) for inference only. We disable vendor caching/retention, apply data minimization, and contractually require no training on Customer Content. Many requests are satisfied entirely in-house without any external call.
No Training on Your Data
Third-party model calls are stateless and ephemeral: prompts/outputs are not retained by vendors, and Customer Content is never used to train Iqidis or third-party models. Unlike some legal tools that aggregate client data to “improve the model,” Iqidis does not pool or train on your Customer Content.
4. Legal Bases for Processing (GDPR/UK GDPR)
We process personal data under one or more of the following bases: contract performance, legitimate interests (e.g., service security and improvement), consent (where required), and legal obligations.
5. Data Processing, Storage & Retention
- No training on Customer Content by Iqidis or third-party models.
- Vendor caching/retention disabled for third-party inference.
- Authorized personnel may access Customer Content only to resolve technical issues, provide support, or enforce terms. Access is purpose-limited and time-bound, with strict access control and audit logging.
- Customer Content (Support Cases): Deleted or anonymized within 30 days after issue resolution, unless a longer period is required by law or expressly requested for ongoing support.
- Telemetry/Logs: Behavioral/interaction metadata retained for reliability/security; telemetry does not contain prompts, model outputs, or uploaded files.
6. Sharing & Disclosure
We do not sell personal data. We may share data with Service Providers & Subprocessors as necessary to deliver features; Regulators, Legal Authorities, and Advisors as necessary to comply with law or enforce rights; in connection with Business Transfers (e.g., M&A) subject to this Policy's protections; with your consent or at your direction; and intra-Organization among Authorized Users as controlled by user-configured permissions.
When an Authorized User is removed from an Organization Account, that user's access is immediately and irrevocably terminated. All Customer Content created by that user within the Organization remains under the control of and accessible to the Organization.
7. Security
We maintain controls aligned with SOC 2 and ISO 27001 frameworks, including encryption in transit and at rest; least-privilege access and SSO/IdP; network segmentation and WAF; vulnerability scanning and independent penetration testing; centralized logging and anomaly detection; and secure SDLC practices.
Data Security Incidents.If Iqidis becomes aware of a confirmed unauthorized access to or disclosure of Customer Content caused by Iqidis's breach of this Policy, Iqidis will notify the Customer without undue delay and no later than 72 hours after becoming aware; provide information about the nature of the incident, affected data categories, likely consequences, and measures taken; investigate, mitigate, and remediate the incident; and cooperate with Customer's reasonable requests for additional information.
Customer Responsibilities (Shared Responsibility). Customer is responsible for configuring security features (e.g., SSO, MFA, role-based access), managing user access and credential hygiene, classifying and minimizing sensitive data uploaded to the Services, and promptly notifying Iqidis of suspected compromise of Customer accounts or credentials.
Security questions and incident reports may be submitted to: security@iqidis.ai.
8. Data Processing Addendum (DPA) & International Transfers
For controller-processor obligations under GDPR/UK GDPR/CPRA (including Standard Contractual Clauses/UK addendum for international transfers), privacy/security indemnification, and cost allocation relating to Data Security Incidents, see the Iqidis Data Processing Addendum (DPA) available upon request. If there is a conflict between this Policy and the DPA, the DPA controls for the subject matter of that conflict.
9. Your Rights
Depending on your jurisdiction, you may have rights to: access your personal data; correct inaccurate personal data; request deletion of your personal data; restrict processing; object to processing; receive your data in a portable format; withdraw consent at any time; and lodge a complaint with a supervisory authority. To exercise any rights, submit a verifiable request to info@iqidis.ai.
10. Additional Provisions
Automated Decision-Making: We do not use personal data to make decisions that have legal or similarly significant effects solely through automated processing.
International Transfers & Regionalization: Data may be processed in the U.S. and E.U. We use appropriate safeguards (e.g., Standard Contractual Clauses and UK addenda) for cross-border transfers. Regional routing can be configured on request.
Children's Privacy: We do not knowingly collect data from individuals under 18. If such data is identified, it will be promptly deleted.
“Do Not Track”: Our Services do not currently respond to browser DNT signals. Please use the controls in our Cookie Policy to manage non-essential cookies.