Privacy Policy

This Policy applies to iframe.ai, iforels.com, cloud.iframe.ai, investors.iframe.ai, docs.iframe.ai, status.iframe.ai, and any other properties operated by IFORELS Inc. (collectively, the “Sites”).

For information you give us directly (e.g. account, billing, support, marketing), we are the controller. For Customer Data you upload to or generate on the platform, we are a processor acting on your documented instructions; the controller is you. The DPA governs that relationship.

We collect the categories below, and only as needed for the purposes in §3.

• Account information. Name, work email, organization, role, billing address, tax identifiers, payment method tokens (we do not store full card numbers), API keys you create.
• Usage and platform metadata. Reservations, Instance identifiers, region, GPU type, GPU-hours consumed, console actions, audit logs, security events.
• Technical data. IP address, user-agent, device and browser identifiers, request timestamps, referrer, language preference.
• Communications. Email, sales, and support correspondence; chat transcripts; meeting notes if you book one.
• Cookies and similar. See §6. We use first-party analytics and a small number of privacy-preserving third-party cookies; we do not use cross-site advertising trackers.
• Customer Data. Workload inputs, outputs, models, datasets, and logs you upload to or generate on the platform. We do not access this data except as necessary to operate the Services or as required by law (see DPA §3).

• Provide the Services. Operate the platform, run your Reservations, bill you, and respond to support requests.
• Secure the Services. Detect and prevent abuse, fraud, AUP violations, sanctions risk, and security incidents.
• Improve the Services. Aggregate, anonymized usage analytics. We do not use Customer Data to train, fine-tune, or improve our models.
• Communicate. Service notices, security advisories, and (with consent or legitimate interest where lawful) product updates and educational content.
• Comply with law. KYC / CIP, AML, OFAC sanctions screening, export controls (EAR), tax reporting, and lawful requests.

• Contract. Processing necessary to provide the Services to you (Account, billing, support).
• Legitimate interests. Securing the platform, preventing abuse, basic analytics, and business communication with existing customers.
• Consent. Marketing emails to prospects and non-essential cookies, where required. You can withdraw consent at any time without affecting prior processing.
• Legal obligation. KYC, AML, sanctions, tax, and lawful-order compliance.

We share your information only as described below.

• Sub-processors. Vetted vendors that help us run the Services (cloud infrastructure partners, payments, email delivery, support tooling). The list is published in the DPA; each is bound by GDPR Article 28-equivalent terms.
• Affiliates. IFORELS Inc. affiliates that help operate the business, under the same protections.
• Professional advisors. Auditors, lawyers, and accountants under confidentiality obligations.
• Authorities. Where compelled by valid legal process. We push back on overbroad requests and notify customers where lawful and not enjoined.
• Business transactions. In connection with a merger, acquisition, or asset sale. The acquirer is bound by this Policy.

We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under CPRA.

We use a small set of cookies, in three buckets:

• Strictly necessary. Authentication, CSRF protection, load balancing. Cannot be disabled without breaking the site.
• Functional. Region selection, theme, language preference. Off by default in jurisdictions that require opt-in.
• Analytics. Aggregated, IP-truncated analytics to understand site performance. No cross-site advertising trackers.

You can manage non-essential cookies via the cookie banner or your browser settings. Do Not Track and Global Privacy Control signals are honored where required.

• Account & billing records. Kept for the life of the account plus seven (7) years for tax and audit purposes.
• Audit and security logs. Twelve (12) months by default; longer where required by law or for ongoing investigations.
• Customer Data on the platform. Available for retrieval for seven (7) days after Reservation expiry; deleted thereafter using commercially reasonable methods (extended retrieval and NIST SP 800-88 certified deletion are available on Enterprise Agreements).
• Marketing data. Until you opt out or after twenty-four (24) months of inactivity, whichever is sooner.

We maintain administrative, technical, and physical safeguards including AES-256 encryption at rest, TLS 1.2+ in transit, MFA for administrative access, network segmentation, IDS/IPS, and monthly vulnerability scanning. We notify affected customers within seventy-two (72) hours of confirming a security incident impacting personal data. See the security overview.

Where we transfer personal data outside the EEA / UK / Switzerland, we rely on the European Commission's Standard Contractual Clauses (modules 2 and 3, as applicable), the UK International Data Transfer Agreement, and adequacy decisions where they exist. Sub-processor locations are listed in the DPA.

Depending on your jurisdiction, you may have rights to access, correct, delete, port, restrict, or object to processing of your personal information, and to withdraw consent. California residents have additional rights under CPRA, including the right to know, delete, correct, and limit use of sensitive personal information (we do not knowingly process sensitive personal information for profiling purposes).

To exercise a right, email privacy@iframe.ai. We respond within thirty (30) days (forty-five (45) for complex CPRA requests). You may also lodge a complaint with your local data protection authority.

The Services are not directed to anyone under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact privacy@iframe.ai.

We update this Policy periodically. Material changes are announced on the Platform at least thirty (30) days before they take effect (sooner where required by law). The current version, with last update date, is always the version published on this page.

IFORELS Inc. · 101 Jefferson Drive, Menlo Park, CA 94025 · cloud.iframe.ai · privacy@iframe.ai. EEA / UK Data Protection Officer: dpo@iframe.ai.