Loading...
Version 2.0 — Effective date: April 5, 2026
This Privacy Policy describes how IronOS ("IronOS," "we," "us," or "our") collects, uses, stores, and shares personal information when you use our platform at ironos.dev.
IronOS is an AI-powered growth platform for powerlifting and strength sport coaches. It is operated by:
By creating an account or using IronOS, you agree to the collection and use of information in accordance with this policy. If you do not agree, do not use IronOS.
When coaches use IronOS to collect lead data through capture pages, IronOS acts as a data processor. The coach is the data controller for their leads.
IronOS (ironos.dev) is a coaching software platform operated by Mustafa Hadi. It is not affiliated with, endorsed by, or related to the IronOS open source firmware project (github.com/Ralim/IronOS), which is a separate product for soldering equipment.
We collect three categories of personal data:
| Data | Purpose | Stored By |
|---|---|---|
| Name, email address | Account creation and login | Clerk |
| Password | Authentication (hashed) | Clerk |
| Instagram handle, TikTok handle | Voice profile generation and content analysis | Supabase |
| Niche selection | Customizing AI content for your sport | Supabase |
| Voice samples (Instagram captions) | Generating your AI voice profile | Supabase |
| Competitor handles | Competitive analysis (Pro tier only) | Supabase |
| Payment information | Processing payments and subscriptions | Stripe |
| Data | Purpose | Stored By |
|---|---|---|
| Lead data (names, emails, lift stats, goals) | CRM and email sequences on your behalf | Supabase |
| AI-generated content (captions, ideas) | Content calendar and publishing | Supabase |
| Outreach data (DM scripts, prospect profiles) | Outreach queue management | Supabase |
| Email engagement (opens, clicks) | Lead scoring and sequence optimization | Supabase |
| A/B test results | Optimizing capture page conversion rates | Supabase |
| Plugin data (repurposed content, proposals, research) | Premium plugin features | Supabase |
| Data | Purpose | Stored By |
|---|---|---|
| IP address | Rate limiting and security (via Cloudflare headers) | Upstash |
| Browser type and version | Error tracking and compatibility | Sentry |
| Device information | Responsive design optimization | PostHog |
| Page views and feature usage events | Platform analytics and improvement | PostHog |
| Error and crash reports | Bug detection and resolution | Sentry |
| Cookies | Authentication and analytics (see Cookie Policy) | Clerk, PostHog |
Under GDPR and similar data protection laws, we must have a legal basis for processing your personal data. Here is how each basis applies:
| Legal Basis | What It Covers |
|---|---|
| Contract | Account creation, payment processing, providing the IronOS platform features you subscribed to (content generation, lead pipeline, outreach, plugins) |
| Legitimate Interest | Platform analytics (PostHog), error tracking (Sentry), security measures (rate limiting, bot protection), product improvement, and preventing fraud |
| Legal Obligation | Tax record retention, responding to lawful government requests, data breach notification obligations |
| Consent | Optional analytics tracking (PostHog) — you can opt out at any time in Dashboard > Settings > Privacy |
We retain data only as long as necessary for the purposes described. After your account is cancelled:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | 90 days after cancellation | Data export window |
| Lead data | 90 days after cancellation | Data export window |
| AI-generated content | 90 days after cancellation | Data export window |
| Voice profiles | Deleted at cancellation | No longer needed |
| Payment records | 7 years | Tax and legal compliance |
| Audit logs | 1 year | Security and incident investigation |
| Anonymized analytics | Indefinite | Product improvement (no personal data) |
You may export your data at any time from Dashboard > Settings before or after cancellation during the 90-day retention window.
We share data with the following service providers (sub-processors). Each has been selected for their security practices and compliance posture. We do not sell your data to any of them.
| Provider | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Clerk | Authentication | US | clerk.com/legal/privacy |
| Supabase | Database and storage | US | supabase.com/privacy |
| Stripe | Payments | US | stripe.com/privacy |
| Resend | Transactional email | US | resend.com/legal/privacy-policy |
| OpenAI | AI content generation | US | openai.com/policies/privacy-policy |
| Apify | Public data scraping | EU (Czech Republic) | apify.com/privacy-policy |
| Vercel | Hosting and deployment | US (global edge) | vercel.com/legal/privacy-policy |
| Cloudflare | CDN, security, bot protection | US (global edge) | cloudflare.com/privacypolicy |
| PostHog | Product analytics | US | posthog.com/privacy |
| Sentry | Error tracking | US | sentry.io/privacy |
| Upstash | Rate limiting (Redis) | US | upstash.com/trust/privacy |
| Trigger.dev | Background job processing | US | trigger.dev/legal/privacy |
We will notify you at least 14 days before adding a new sub-processor that handles personal data.
If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation:
To exercise any GDPR right, email legal@ironos.dev with the subject line "GDPR Request." We will respond within 30 days.
If you are a California resident, the California Consumer Privacy Act (as amended by CPRA) gives you additional rights:
We do not sell personal information. We have never sold personal information and have no plans to do so.
To exercise any CCPA right, email legal@ironos.dev with the subject line "CCPA Request." We will respond within 45 days.
If you are located in the United Kingdom, you have equivalent rights under the UK General Data Protection Regulation (UK GDPR) as listed in section 7.1 above. Your supervisory authority is the Information Commissioner's Office (ICO) at ico.org.uk.
We use a minimal set of cookies: essential (Clerk authentication), analytics (PostHog, opt-out available), and security (Cloudflare Turnstile on public forms). We do not use advertising cookies.
For full details, see our Cookie Policy.
IronOS is a business platform for coaching professionals. It is not directed at individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we discover that a child under 16 has provided personal data, we will delete it within 72 hours. If you believe a child has submitted data to IronOS, please contact us immediately at legal@ironos.dev.
IronOS is operated from the United States. If you are accessing IronOS from outside the US, your data will be transferred to and processed in the United States.
For transfers from the EU/EEA and UK, we rely on:
If you require a signed Data Processing Agreement for your use of IronOS, contact legal@ironos.dev.
In the event of a personal data breach that poses a risk to your rights and freedoms:
We may update this Privacy Policy from time to time. When we make material changes:
Your continued use of IronOS after the effective date constitutes acceptance of the updated policy. If you disagree with any changes, you may cancel your account before the new effective date.
If you have questions about this Privacy Policy, want to exercise your data rights, or need to report a privacy concern, contact us at:
Mustafa Hadi d/b/a IronOS
Data Protection Contact
Email: legal@ironos.dev
General support: support@ironos.dev
We aim to respond to all privacy inquiries within 30 days.