Skip to content

Privacy Policy

Effective date: July 14, 2026 · Last updated: July 14, 2026

The short version: your recipes, inventory, and craft data are yours. We store them so the app works, and that is it.

No advertising. No tracking cookies. No analytics scripts following you around. No selling or renting your data, ever. You can export everything or delete your account yourself, from Settings, at any time.

Irora Labs (“we,” “us”) operates Artysan (the “Platform”) at artisan.iroralabs.com. We are a small, self-funded, EU-based company. This policy explains, in plain language, what data the Platform handles and the controls you have over it.

Artysan's core is free to use during launch - there are no paid plans. The one place money can move today is shipping: if you buy a shipping label or a label refund is issued, that payment is processed by Stripe (see Section 3). Card details never touch our servers. If paid plans ever arrive, this policy is updated first and you will be notified before anything takes effect.

1. What We Collect

  • Account information: your email address and password (stored only as a secure hash by our authentication provider), or your name, email, and profile photo if you sign in with Google. Plus the display name you choose.
  • Craft data: the recipes, formulas, ingredients, inventory, batches, suppliers, and notes you enter. This is your working data; we process it only to show it back to you and power features you invoke on it.
  • Newsletter email: if you sign up for the monthly price report, your email address - only after you confirm via the double-opt-in link we send.
  • First-party usage events: which features and pages are used, which may be recorded to our own database - never to a third-party analytics service. Used only in aggregate to understand what is working.
  • Server logs: IP address and request metadata, kept short-term for security, rate-limiting, and abuse prevention.

We never store your card details - the only payment flow that exists (shipping labels) is processed entirely by Stripe. We do not buy data about you from anyone, and we do not enrich your profile from outside sources.

2. What We Never Do

  • No selling, renting, or trading your personal data. Not our business model.
  • No advertising networks, ad pixels, or cross-site tracking of any kind.
  • No third-party analytics scripts in your browser.
  • No training AI models on your private craft data.
  • No cookie consent banner - because there is nothing to consent to (see Section 4).

3. Services We Rely On

A small set of infrastructure providers processes data on our behalf, each under a data processing agreement:

Supabase (database, authentication, storage)

Stores your account and craft data in an EU-region PostgreSQL database with row-level security, and manages sign-in sessions. See Supabase's privacy policy.

Netlify (hosting)

Serves the website and app. Processes IP addresses and request metadata to deliver pages and protect against abuse. See Netlify's privacy policy.

Resend (email)

Sends account emails (sign-in links, confirmations) and the newsletter you opted into. Processes your email address and message content. Every newsletter carries an unsubscribe link that works immediately. See Resend's privacy policy.

Stripe (shipping-label payments only)

Processes payment when you buy a shipping label, and issues refunds when a label purchase fails. Stripe receives the payment details you enter; we never see or store your card number. Not used anywhere else - there are no paid plans. See Stripe's privacy policy.

Gelato (print fulfillment)

If you order printed materials through the Platform, Gelato receives the order contents and the shipping address needed to produce and deliver them. See Gelato's privacy policy.

Railway (background jobs)

Runs the worker that maintains our public materials price dataset. It processes market data about craft supplies and stores - not your personal data or your recipes.

Anthropic (optional AI features)

Only when you explicitly use an AI-assisted feature (for example, mapping a spreadsheet during import), the content needed for that request is processed by Anthropic's API. Your data is not used to train their models. If you never use an AI feature, nothing is ever sent. See Anthropic's privacy policy.

Google (only if you choose Google sign-in)

If you sign in with Google, Google shares your name, email, and profile photo with us. We never see your Google password. If you use email sign-in instead, Google is not involved.

4. Cookies and Local Storage

The Platform uses exactly two kinds of browser storage:

  • Sign-in session cookies - set by our authentication system so you stay signed in. Strictly necessary; the app cannot work without them.
  • Device-local preferences - your theme, active craft modules, display settings, and similar choices, kept in your browser's local storage. They never leave your device unless a feature explicitly syncs them to your account.

That is the complete list. No analytics cookies, no advertising cookies, no third-party cookies at all - which is why you will not see a cookie banner here.

5. When Data Is Shared

  • With the processors in Section 3 - solely to run the Platform.
  • Within your organization - if your account belongs to a team organization, members of that organization see its shared data (recipes, batches, inventory). Today organizations are personal (one per account).
  • Legal requirements - if required by law, regulation, or enforceable government request.
  • Safety - to protect the rights, property, or safety of our users, the public, or Irora Labs.
  • Business transfer - if the company is ever acquired or merged, you will be notified before your data becomes subject to a different policy.

If we launch features that share data between users (for example, a marketplace or community benchmarks), those features and this policy will describe exactly what is shared before you can opt in.

6. How Long We Keep Data

  • Account and craft data: until you delete it or delete your account. After account deletion we remove your personal data within 30 days, except where law requires longer.
  • Newsletter: unsubscribing takes effect immediately; your address is not mailed again.
  • Operational telemetry and logs: purged on rolling windows (90 days to 12 months depending on the record); security logs kept only as long as needed.
  • Backups: encrypted database backups roll over on a short retention window; deleted data ages out of backups automatically.

7. Security

  • All traffic is encrypted in transit (TLS 1.2+); data is encrypted at rest (AES-256).
  • Every database table is protected by row-level security policies, so your data is only reachable by your own authenticated session.
  • Sign-in uses short-lived session tokens managed by Supabase Auth.
  • We run dependency audits and structural security checks as part of development.

No system is perfectly secure, and we will not pretend otherwise. If a breach affects your data we will notify you and the relevant authority as GDPR requires.

8. Your Rights and Controls

  • Export: download everything from Settings → Data → Export My Data as machine-readable JSON, any time, no questions asked.
  • Deletion: delete all your data (keeping your login) or your entire account from Settings → Danger Zone. Both are self-service and permanent.
  • Correction: edit your data directly in the app, or ask us for help.
  • Access, restriction, objection, portability: the full set of GDPR rights applies; anything not self-service is one email away.
  • Complaint: you can lodge a complaint with your local data protection authority.

For anything you cannot do in-product, email contact@iroralabs.com. We respond within 30 days.

9. Legal Bases and International Transfers

For users in the EEA, UK, and Switzerland, our legal bases under GDPR are: contract performance (running the Platform for you), legitimate interest (security, abuse prevention, aggregate product improvement), consent (the newsletter, which is double-opt-in and revocable in one click), and legal obligation where records must be kept.

Your account data lives in an EU-region database. Where a processor operates outside the EU, transfers are covered by standard contractual clauses in that processor's data processing agreement.

10. Children's Privacy

Artysan is not intended for anyone under 16, and we do not knowingly collect data from children under 16. If you believe a child has provided us personal information, contact us and we will delete it promptly.

11. California Residents (CCPA)

California residents have the right to know what we collect (Sections 1 and 3), to request deletion (self-service, Section 8), and to opt out of the sale of personal information - trivially satisfied, because we do not sell personal information and never will. We do not discriminate against anyone for exercising privacy rights.

12. Changes to This Policy

If we make material changes we will notify you by email or a prominent in-app notice at least 14 days before they take effect. The date at the top reflects the latest revision.

13. Contact