Privacy Policy

Ironwire Systems LLC · iron.sh

Effective Date: March 18, 2026

1. Introduction

Ironwire Systems LLC (“Ironwire,” “we,” “us,” or “our”) operates the iron.sh developer infrastructure platform available at https://iron.sh (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our Service.

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please discontinue use of the Service.

2. Who We Are

Ironwire Systems LLC is a limited liability company registered in the United States. We provide hardened virtual machine environments, egress control, secrets proxying, snapshot/restore capabilities, and audit logging for AI coding agents and developer workflows.

For privacy inquiries, contact us at: [email protected]

3. Information We Collect

3.1 Account and Registration Information

When you sign up for the Service, we collect:

  • Name and email address
  • Company name and role (optional)
  • Billing information (processed by our payment processor; we do not store raw card numbers)
  • Authentication credentials (stored in hashed form)

3.2 Usage and Telemetry Data

As you use the Service, we automatically collect:

  • VM session metadata (start/end times, duration, resource consumption)
  • SSH connection events and routing logs
  • Egress audit logs (destination hosts, bytes transferred, timestamps) — this is a core product feature
  • API request logs (endpoints called, response codes, latency)
  • Error and crash reports
  • Feature usage analytics (collected via PostHog)

3.3 Technical Information

We collect standard technical data including:

  • IP address and approximate geolocation
  • Browser or CLI client version and operating system
  • Device identifiers

3.4 Communications

If you contact us via email or other channels, we retain those communications to respond to you and improve the Service.

3.5 Information You Configure

The Service allows you to configure secrets, environment variables, egress allowlists, and audit policies within your sandboxed VM environments. We treat this configuration data as confidential and process it only to operate the Service on your behalf.

4. How We Use Your Information

We use the information we collect to:

  • Provision, operate, and maintain your VM environments and associated infrastructure
  • Authenticate users and enforce access controls
  • Generate and surface audit logs and egress reports as part of the Service
  • Process billing and prevent fraudulent transactions
  • Send transactional communications (account confirmations, security alerts, billing receipts)
  • Send product updates and service announcements (you may opt out of marketing communications)
  • Monitor service health, diagnose issues, and improve reliability
  • Conduct security monitoring, intrusion detection, and vulnerability analysis
  • Comply with legal obligations and enforce our terms
  • Conduct aggregate, anonymized analytics to improve the product

5. Legal Bases for Processing (EEA / UK Users)

If you are located in the European Economic Area or United Kingdom, we process your personal data under the following legal bases:

  • Performance of a contract: to provide the Service you have signed up for
  • Legitimate interests: security monitoring, fraud prevention, product improvement, and direct marketing to existing customers
  • Legal obligation: compliance with applicable laws and regulations
  • Consent: where we have obtained your explicit consent (e.g., optional analytics participation)

6. How We Share Your Information

We do not sell your personal data. We may share information with:

6.1 Service Providers

We engage trusted third-party vendors who process data on our behalf, including:

  • Cloud infrastructure providers (e.g., Latitude for bare metal hosting)
  • Object storage providers (e.g., Cloudflare R2 for VM snapshots)
  • Analytics providers (e.g., PostHog for product analytics)
  • Observability tools (e.g., Grafana/Prometheus for metrics)
  • Payment processors for billing
  • Compliance and audit tooling (e.g., Vanta for SOC 2)

All service providers are contractually obligated to handle your data securely and only for the purposes we specify.

6.2 Legal Requirements

We may disclose information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6.3 Business Transfers

If Ironwire Systems LLC undergoes a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will notify you before your data becomes subject to a materially different privacy policy.

6.4 With Your Consent

We may share your information for other purposes with your explicit consent.

7. Data Retention

We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this policy, subject to the following:

  • Account data: retained for the duration of your account, plus 90 days after account closure
  • Egress audit logs: retained for 12 months by default; configurable at the workspace level
  • VM snapshots: retained per your configuration; deleted upon your request or account termination
  • Billing records: retained for 7 years as required by applicable law
  • Security logs: retained for up to 24 months for incident investigation purposes

You may request deletion of your data at any time (subject to legal retention requirements) by contacting us at [email protected].

8. Security

Security is core to our product and our operations. We implement technical and organizational measures including:

  • Encryption in transit (TLS 1.2+) and at rest for stored data
  • VM-level network isolation and nftables-based egress enforcement
  • SSH routing via authenticated proxies
  • Continuous vulnerability scanning and patch management
  • Access controls and audit logging for internal systems
  • SOC 2 Type I certification in progress via Vanta

No security measure is perfect. In the event of a data breach that affects your personal data, we will notify you as required by applicable law.

9. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you
  • Correction: request correction of inaccurate or incomplete data
  • Deletion: request deletion of your personal data, subject to legal retention requirements
  • Portability: receive your data in a structured, machine-readable format
  • Restriction: request that we restrict processing of your data in certain circumstances
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We do not charge a fee for reasonable requests.

California residents: Under the CCPA/CPRA, you have the right to know, delete, and opt out of sale of personal information. We do not sell personal information.

10. Cookies and Tracking Technologies

We use cookies and similar technologies on the iron.sh web interface to:

  • Maintain your authenticated session
  • Remember your preferences
  • Collect aggregate analytics on feature usage (PostHog)

You can control cookies via your browser settings. Disabling cookies may affect Service functionality. We do not use third-party advertising cookies.

11. International Data Transfers

We are based in the United States. If you access the Service from outside the U.S., your information may be transferred to and processed in the U.S. and other countries where our service providers operate.

For transfers from the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) where required.

12. Children’s Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or via a prominent notice on the Service, and update the Effective Date above.

Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Ironwire Systems LLC
Email: [email protected]
Website: https://iron.sh

We aim to respond to all privacy inquiries within 30 days.

© 2026 Ironwire Systems LLC. All rights reserved.