Iqidis Privacy & Data Policy
Last Updated: December 15, 2025
Owner: Legal & Security, Iqidis, Inc.
Contact: security@iqidis.ai
1. Introduction
Iqidis, Inc. (“Iqidis,” “we,” “us,” or “our”) is committed to protecting your privacy and safeguarding your information. This Privacy & Data Policy explains how we collect, use, disclose, secure, and retain information when you use our Irys legal AI services, including our website currently available at https://iqidis.ai (and any successor domains, including https://irys.ai), and any related applications or services (collectively, the “Services”). “Irys” is a product name and brand of Iqidis, Inc., and not a separate legal entity.
By accessing or using the Services, you agree to the practices described here. If you do not agree, please discontinue use of the Services. This Policy complements and should be read together with our Terms of Service, Acceptable Use Policy, and Service Providers & Subprocessors Policy.
1.1 Scope and Audience
This Policy applies to (i) enterprise customers and their authorized users, (ii) visitors to our website and marketing properties, and (iii) prospective customers who engage with us through demos, events, or forms.
1.2 Roles & Ownership (Controller/Processor)
- Enterprise / Organization Use. Where the Customer is an organization or enterprise, the Organization (as Customer) is the data controller/owner of Customer Content and Customer Data processed through the Services. Authorized Users act on behalf of the Organization, and Iqidis acts solely as the Organization’s data processor or service provider on the Organization’s documented instructions. We are not a custodian or data owner of your Customer Content. Ownership of your Customer Content and Output remains with you, as further described in the Terms of Service.
- Website & Marketing. For website/marketing interactions (e.g., newsletter sign‑ups), Iqidis acts as data controller of that contact/admin data as described in this Policy.
1.3 Definitions
- “Authorized User” means an individual human user who has been invited to, accepted access to, or otherwise uses the Services under an Organization Account.
- “Customer Content” means files, documents, text, prompts, and other content you or your users provide to the Services for processing, including resulting Output.
- “Customer Data” means personal and account information needed to administer your use of the Services (e.g., user identity, billing, settings).
- “Organization” means a Customer account established by or on behalf of an entity under which multiple Authorized Users may access the Services.
- “Telemetry” means limited behavioral/interaction metadata (e.g., UI clicks, navigation flows, request timing, status/error codes, coarse device/browser metadata) used to ensure reliability, security, and abuse detection. Telemetry does not include prompts, model outputs, or uploaded documents/files.
2. Information We Collect
2.1 Information You Provide
- Account & Profile: Name, email, firm/organization, role, and authentication data.
- Payment/Billing: Processed by trusted payment providers (we do not store full payment card details).
- Customer Content: Documents and other materials you upload or input to use the Services. Customer Content may be created by individual Authorized Users but is processed and stored within the Organization’s tenant context when used under an Organization Account.
- Support/Feedback: Content of support tickets, feature requests, or product feedback.
2.2 Information Collected Automatically
- Telemetry (content‑free): We collect minimal operational telemetry that excludes Customer Content and excludes uploaded user content. Telemetry is limited to behavioral/interaction metadata (e.g., UI events/clicks, navigation flows, request timing, status/error codes, coarse device/browser metadata) to improve reliability, security, and detect abuse. Telemetry does not include prompts, model outputs, or uploaded documents/files.
- Device/Log Data: IP address, device and browser type, operating system, general geo (city/country), and timestamps to secure and operate the Services.
2.3 Information from Third Parties
We may receive limited information from (i) security/fraud prevention partners, (ii) marketing/event platforms, and (iii) analytics vendors, consistent with this Policy.
2.4 Publicly Available Information
We may use public legal sources (e.g., court rulings, filings) to develop and improve our platform, in compliance with applicable law, without processing data restricted by confidentiality or contract.
3. How We Use Information
- Service Delivery & Improvement: To provide, maintain, secure, and enhance the Services (including availability, performance, and feature improvements). For Organization Accounts, such processing is performed at the direction of the Organization and for the benefit of its Authorized Users.
- AI Processing & Orchestration: To run our in‑house Knowledge Graph (KG), Retrieval‑Augmented Generation (RAG), and orchestration services and, where necessary, to perform scoped inference using third‑party models as described in Section 4.
- Support & Communications: To provide customer support, notifications, updates, and product information.
- Payments & Transactions: To process billing, subscriptions, and account matters.
- Security & Compliance: To prevent fraud, abuse, and misuse; to comply with laws and enforce our terms.
- Analytics (content‑free): To understand general usage patterns without analyzing Customer Content.
4. How Our AI Processes Your Data (Hybrid Architecture)
4.1 Local‑First, In‑House Processing
By default, requests are handled in‑house by Iqidis within Iqidis‑controlled infrastructure using our KG/RAG and orchestration layers. Customer Content is stored and processed within your organization’s dedicated Iqidis tenant and per‑user profile containers, and is not pooled or commingled with other customers or matters. We do not use Customer Content to train models.
4.2 Selective, Discrete Subprocessor Inference (If Needed)
For certain discrete aspects of a query (e.g., language polish, format transformation, translation, or general‑knowledge reasoning), our orchestrator may invoke a subprocessor (e.g., OpenAI, Anthropic, Google) for inference only. We disable vendor caching/retention, apply data minimization (often redaction/abstraction and least‑necessary context), and contractually require no training on Customer Content. Many requests are satisfied entirely in‑house without any external call.
4.3 Ephemeral Model Calls; No Training on Your Data
Third‑party model calls are stateless and ephemeral: prompts/outputs are not retained by vendors, and Customer Content is never used to train Iqidis or third‑party models. Internally, any temporary access for support/troubleshooting is purpose‑limited and deleted or anonymized consistent with Section 6 (Retention).
4.4 Why This Differs From “ChatGPT” or Default Cloud LLMs (and Many Legal Providers)
- Default LLM usage often sends entire prompts to a third party and may use default vendor caching/retention.
- Iqidis handles most logic in‑house, segments data per tenant/profile, and uses third‑party models only for narrow, bounded tasks with no training and no retention, reducing exposure and preserving confidentiality.
- Unlike some legal tools that aggregate client data to “improve the model,” Iqidis does not pool or train on your Customer Content. You retain ownership of your data and Output; Iqidis acts solely as your processor/service provider.
5. Legal Bases for Processing (GDPR/UK GDPR)
We process personal data under one or more of the following bases: contract performance, legitimate interests (e.g., service security and improvement), consent (where required), and legal obligations.
6. Data Processing, Storage & Retention
6.1 AI Processing (No Training / No Vendor Retention)
- No training on Customer Content by Iqidis or third‑party models.
- Vendor caching/retention disabled for third‑party inference.
- We do not enable optional vendor features that would store prompts/outputs. (If a customer explicitly requests such a feature for a use case, it will require a separate, written agreement and configuration.)
6.2 In‑House vs. Third‑Party Processing
- In‑House (Default): KG/RAG and orchestration run inside Iqidis‑controlled infrastructure.
- Third‑Party (Selective): If beneficial for a discrete inference step, we send minimal data to the selected model vendor under no‑retention/no‑training controls.
6.3 Limited Access by Authorized Personnel
Authorized personnel may access Customer Content only to resolve technical issues, provide support, ensure operation, or enforce terms, consistent with strict access control and audit logging. Access is purpose‑limited and time‑bound.
Organization administrators and owners do not have automatic access to the contents of another Authorized User’s personal workspace unless such content has been explicitly shared by that user or access is required for support, security, or legal compliance.
6.4 Retention
- Customer Content (Support Cases): Deleted or anonymized within 30 days after issue resolution, unless a longer period is required by law or expressly requested by you for ongoing support.
- Backups: Maintained securely and isolated until deletable.
- Telemetry/Logs: Behavioral/interaction metadata retained for reliability/security; telemetry does not contain prompts, model outputs, or uploaded files.
7. Sharing & Disclosure
We do not sell personal data. We may share data with:
- Service Providers & Subprocessors as necessary to deliver features (see our Service Providers & Subprocessors Policy for current list and commitments, including change‑notice/objection rights).
- Regulators, Legal Authorities, and Advisors as necessary to comply with law, enforce rights, or protect safety.
- Business Transfers (e.g., M&A) subject to this Policy’s protections.
- With Your Consent or at your direction.
- Intra-Organization Sharing. Customer Content may be shared among Authorized Users within an Organization at the direction of those users through the Services’ sharing features. Such sharing is controlled by user-configured permissions and does not grant Organization administrators default access to unshared personal workspace content.
7.1 Data Retention upon User Departure from an Organization
Content created by an Authorized User within an Organization’s account is considered part of that Organization’s data instance on the Services. Consequently, when an Authorized User is removed from or otherwise leaves an Organization:
- All Content Remains with the Organization: All Customer Content created by that user within the context of that Organization remains under the control of and accessible to the Organization. This includes both Personal Content (e.g., unshared drafts and documents within the user’s personal workspace) and Shared Content.
- User Access is Revoked: When an Authorized User is removed from an Organization Account by an administrator, that user’s access to that specific Organization’s account, including all of its Customer Content, is immediately and irrevocably terminated.
However, this revocation is strictly limited to the specific Organization from which the user was removed. The underlying User Account associated with the user’s login credentials (e.g., their personal email address) remains active and unaffected.
This ensures that a user who is a member of multiple Organizations (for example, a contract attorney using a single Irys account for several different clients) or who also maintains a separate personal subscription does not lose access to their entire account or to the content within other Organizations. The user can continue to log in with their existing credentials to access any other Organizations they are a member of or to manage their individual account.
7.2 Intra-Organization Sharing
Customer Content may be shared among Authorized Users within an Organization at the direction of those users through the Services’ sharing features. Such sharing is controlled by user-configured permissions and does not grant Organization administrators default access to unshared personal workspace content of an active user.
8. Security
8.1 Technical & Organizational Measures.
We maintain controls aligned with SOC 2 and ISO 27001 frameworks, including encryption in transit and at rest; least‑privilege access and SSO/IdP; network segmentation and WAF; vulnerability scanning and independent penetration testing; centralized logging and anomaly detection; and secure SDLC practices.
8.2 Data Security Incidents.
If Iqidis becomes aware of a confirmed unauthorized access to or disclosure of Customer Content processed by the Services (a “Data Security Incident”) that is caused by Iqidis’s breach of this Policy or our Security Measures, Iqidis will:
- Notify the Customer without undue delay and no later than 72 hours after becoming aware, unless prohibited by law;
- Provide information reasonably available at the time of notice, including: the nature of the incident, affected data categories, approximate number of data subjects/records affected (if known), likely consequences, and measures taken or proposed to address the incident;
- Investigate, mitigate, and remediate the incident and take reasonable steps to prevent recurrence; and
- Cooperate with Customer’s reasonable requests for additional information needed to meet legal or regulatory obligations (including drafts of regulator/individual notices if required).
8.3 Exclusions.
“Data Security Incident” does not include: (i) unsuccessful or attempted attacks (e.g., pings, scans, DDoS); (ii) events impacting only anonymized/aggregated data or telemetry; (iii) incidents caused by Customer’s configurations, credentials, devices, or third‑party systems not controlled by Iqidis; or (iv) Customer’s breach of the Agreement or AUP.
8.4 Customer Responsibilities (Shared Responsibility).
Customer is responsible for (i) configuring security features (e.g., SSO, MFA, role‑based access), (ii) managing user access/permissions and credential hygiene, (iii) classifying and minimizing sensitive data uploaded to the Services, and (iv) promptly notifying Iqidis of suspected compromise of Customer accounts or credentials.
8.5 Subprocessor Incidents.
Iqidis requires subprocessors to provide equivalent incident notice and cooperation. Iqidis will coordinate the response and relay material updates to Customer where the subprocessor’s processing relates to the Services used by Customer.
8.6 No Public Statements.
Iqidis will not name or make public statements about Customer in connection with a Data Security Incident without Customer’s prior approval, unless required by law or regulator. This does not limit Iqidis’s obligation to provide timely notices to regulators/individuals where legally required.
8.7 Security Contacts.
Security questions and incident reports may be submitted to: security@iqidis.ai (or through Customer’s support channel). For sensitive disclosures, encryption instructions are available on request.
Note on costs/remedies. Iqidis will bear its own reasonable, documented costs to investigate and remediate a Data Security Incident caused by Iqidis. Any indemnification or broader cost allocation (e.g., data‑subject/regulator claims, credit monitoring) is governed by a separate DPA or enterprise agreement, as referenced in Section 9.
9. Data Processing Addendum (DPA) & International Transfers
9.1 DPA (Controller-Processor Terms; Indemnity & Costs).
For controller-processor obligations under GDPR/UK GDPR/CCPA (including Standard Contractual Clauses/UK addendum for international transfers), privacy/security indemnification, and cost allocation relating to Data Security Incidents, see the Iqidis Data Processing Addendum (DPA) available upon request. If there is a conflict between this Policy and the DPA, the DPA controls for the subject matter of that conflict. Where the Customer is an Organization, the DPA applies between Iqidis and the Organization as controller, and Authorized Users act on behalf of such Organization.
9.2 Subprocessors and Change Notice.
Current subprocessors and our 30‑day change‑notice/objection process are described in the Service Providers & Subprocessors Policy.
10. Your Rights
Depending on your jurisdiction, you may have rights regarding your personal data. We are committed to upholding these rights. To exercise any of the rights described below, please submit a verifiable request to info@iqidis.ai.
Your rights may include:
- Access: The right to know what personal data we have collected about you and to request a copy.
- Correction (Rectification): The right to request the correction of inaccurate personal data.
- Deletion (Erasure): The right to request the deletion of your personal data, subject to certain exceptions.
- Restriction of Processing: The right to request that we limit the processing of your personal data in certain circumstances.
- Objection to Processing: The right to object to our processing of your personal data based on legitimate interests.
- Data Portability: The right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format. As our platform does not yet have an automated, self-service export tool for all data types, we will fulfill portability requests through a manual process. Upon receiving a verifiable request, we will compile and export your data and provide it to you securely within the timeframe required by applicable law (e.g., 30-45 days, depending on the jurisdiction).
- Withdrawal of Consent: The right to withdraw your consent at any time where we rely on consent to process your data, without affecting the lawfulness of processing based on consent before its withdrawal.
- Lodge a Complaint: The right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable law.
11. Automated Decision‑Making
We do not use personal data to make decisions that have legal or similarly significant effects solely through automated processing.
12. International Transfers & Regionalization
Data may be processed in the U.S. and E.U. We use appropriate safeguards (e.g., Standard Contractual Clauses and UK addenda) for cross‑border transfers. Regional routing can be configured on request for applicable features, subject to technical feasibility.
13. Children’s Privacy
We do not knowingly collect data from individuals under 18. If such data is identified, it will be promptly deleted.
14. “Do Not Track”
Our Services do not currently respond to browser “Do Not Track” signals. Please use the controls available in our Cookie Policy to manage non‑essential cookies.
15. Changes to This Policy
We may update this Policy to reflect legal, technical, or business developments. Material changes will be posted with a new effective date, and we will provide reasonable advance notice where appropriate. Updates may include changes related to collaboration features, organization accounts, or product branding, provided that such updates do not materially reduce the protections afforded to Customer Content without notice.
16. Contact Us
Iqidis, Inc.
3 Columbus Circle, Floor 15
New York, NY 10019
Email: security@iqidis.ai