Privacy Policy

Irora Labs (“we,” “us,” or “our”) operates Artysan (the “Platform”), accessible at artisan.iroralabs.com. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our Platform, including our website, application, marketplace, and related services.

Irora Labs is a self-funded, independent company. We do not sell your data to advertisers and never will. Our business model is straightforward: subscription plans and small transaction fees on marketplace and point-of-sale activity.

By using Artysan, you agree to the collection and use of information described in this policy. If you do not agree, please do not use the Platform.

1. Information We Collect

1.1 Information You Provide

• Account information: Name, email address, and password when you create an account.
• Profile information: Business name, craft specialties, profile photo, bio, and social media links.
• Craft data: Recipes, formulas, batch records, inventory items, supplier information, and production notes you enter into the Platform.
• Marketplace content: Shop details, product listings, descriptions, images, and pricing you publish on the Artysan marketplace.
• Payment information: Billing details provided during subscription signup or marketplace transactions. Payment card details are processed directly by Stripe and are never stored on our servers.
• Communications: Messages you send through marketplace messaging, support requests, and feedback you provide.

1.2 Information Collected Automatically

• Usage data: Pages visited, features used, actions taken, timestamps, and session duration.
• Device information: Browser type, operating system, device type, screen resolution, and language preferences.
• Network information: IP address, approximate geographic location (city/region level), and referring URL.
• Performance data: Page load times, error logs, and crash reports to help us improve platform stability.

1.3 Information from Third Parties

If you sign in using a third-party authentication provider (such as Google, Apple, or GitHub through our authentication service), we receive your name, email address, and profile photo from that provider. We do not receive your password.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Platform and its features.
• Process transactions, including subscriptions and marketplace payments.
• Manage your account, authenticate your identity, and enforce security.
• Deliver craft-specific functionality across our 75+ supported craft modules.
• Send transactional emails (order confirmations, password resets, billing receipts).
• Send product updates and feature announcements (you can opt out at any time).
• Detect and prevent fraud, abuse, and unauthorized access.
• Analyze usage patterns in aggregate to improve the user experience.
• Respond to support requests and resolve disputes.
• Comply with legal obligations and enforce our Terms of Service.

3. Third-Party Services

We rely on a small number of trusted third-party services to operate the Platform. Each is bound by its own privacy policy and data processing agreements:

4. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

• Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
• Preference cookies: Remember your settings such as theme preference (dark/light mode), active craft modules, and display preferences.
• Analytics cookies: Help us understand how the Platform is used so we can improve it. These are aggregated and anonymized where possible.

We do not use advertising cookies or tracking pixels. We do not participate in cross-site advertising networks.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

• Service providers: With the third-party services listed in Section 3, solely to operate the Platform.
• Marketplace transactions: When you purchase from or sell to another user, we share necessary order details (shipping address, order contents, contact information) between buyer and seller to fulfill the transaction.
• Public content: Information you choose to make public (marketplace shop, product listings, seller profile) is visible to other users and search engines.
• Organization members: If you belong to an organization or team account, other members of that organization may see shared data such as recipes, batches, and inventory within the organization scope.
• Legal requirements: When required by law, regulation, legal process, or enforceable government request.
• Safety and fraud prevention: To protect the rights, property, or safety of Irora Labs, our users, or the public.
• Business transfer: In connection with a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Platform to you. Specifically:

• Account data: Retained until you delete your account.
• Craft data (recipes, batches, inventory): Retained until you delete the data or your account.
• Transaction records: Retained for 7 years after the transaction date to comply with tax and financial regulations.
• Usage logs: Aggregated and anonymized after 90 days. Raw logs are deleted after 12 months.
• Support communications: Retained for 3 years after resolution for quality and training purposes.

After account deletion, we remove your personal data within 30 days, except where retention is required by law. Anonymized, aggregate data may be retained indefinitely for analytics.

7. Data Security

We implement industry-standard security measures to protect your data:

• All data in transit is encrypted using TLS 1.2 or higher.
• Data at rest is encrypted using AES-256 encryption.
• Database access is controlled through row-level security (RLS) policies, ensuring users can only access their own data.
• Authentication tokens are short-lived and managed by Clerk's security infrastructure.
• Payment processing is handled entirely by Stripe, which is PCI DSS Level 1 certified.
• We conduct regular security reviews and dependency audits.

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

8. Your Rights and Choices

You have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Export: Export your craft data (recipes, batches, inventory, and production records) at any time through the Platform's built-in export tools.
• Correction: Update or correct inaccurate personal information through your account settings or by contacting us.
• Deletion: Request deletion of your account and associated personal data. You can initiate this from your account settings or by emailing us.
• Portability: Receive your data in a structured, machine-readable format.
• Opt out of marketing: Unsubscribe from promotional emails at any time using the link in each email. Transactional emails (receipts, security alerts) are not affected.
• Restrict processing: Request that we limit the processing of your data in certain circumstances.
• Object: Object to the processing of your data for certain purposes, including direct marketing.

To exercise any of these rights, email us at contact@iroralabs.com. We will respond within 30 days.

9. International Data Transfers

Your data may be processed in countries other than your country of residence. Our service providers (Clerk, Stripe, Supabase, Vercel) operate globally. When data is transferred internationally, we ensure appropriate safeguards are in place, including standard contractual clauses and data processing agreements with each provider.

10. Children's Privacy

Artysan is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at contact@iroralabs.com.

11. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• The right to know what personal information we collect, use, and disclose.
• The right to request deletion of your personal information.
• The right to opt out of the sale of your personal information. We do not sell personal information.
• The right to non-discrimination for exercising your privacy rights.

To make a CCPA request, email contact@iroralabs.com with the subject line “CCPA Request.”

12. European Residents (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) provides you with additional rights. Our legal bases for processing are:

• Contract performance: Processing necessary to provide the Platform and fulfill our obligations to you.
• Legitimate interest: Improving the Platform, preventing fraud, and ensuring security.
• Consent: Where we send promotional communications or use non-essential cookies.
• Legal obligation: Retaining transaction records for tax compliance.

You may lodge a complaint with your local data protection authority if you believe we have not adequately addressed your concerns.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice on the Platform at least 14 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Platform after the effective date constitutes your acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy, your personal data, or wish to exercise any of your rights, contact us at: