IronVest’s Privacy Policy

Update:  2023-11-20

INTRODUCTION

This Privacy Policy describes how we process your personal information when you visit IronVest.com, use the browser or extensions available when using Chrome, Firefox, Edge, or Opera, when you use the IronVest Mobile App, when you use the InboxGuard email add-on (collectively the Sites) and when you use Masked Card, Masked Email, Masked Account or the Biometric features of IronVest (collectively the “Products and Services”).  IronVest’s goal is to help you regain control of your personal information online. 

We never sell or share your data with anyone or any company without your express consent. Period. By using our Services or our products and services, you consent to us to share your data but only with companies we've hired to do work for us and only to carry out the services you want. They'll never own it or be able to share it with anyone else. Your data is yours. 

Philosophy. We're dedicated to consumer privacy rights and support privacy policies that are understandable. We're committed to responsibly handling any information we collect.

Data use. Many companies profit off their users by selling their information, but we'll never do that. We only use the data we collect about the way people use our products and our website to build better products. We'll never share any personal data about your online activity or use it to target you individually.

Data sharing. A few things that you do may require us to share data. For instance, when you buy one of our products with your credit card, we have to share that info to process the payment. We try to do things ourselves but sometimes need to rely on external companies. We make hard decisions about when to do so, always balancing the privacy risks against the benefits.

Law enforcement.We won't provide your information unless we're compelled by law through a valid court order, which is a much higher standard than the usual "permitted by law" standard. Companies don't have to tell you when someone requests your data, but we will try and inform you if we are legally allowed to do so, so you can be aware and take legal action if you choose.

As of today, IronVest has not received a national security order and we have not been required by a FISA court to keep any secrets.

Except as required by law, IronVest will not share your data with third parties.

WHAT INFORMATION DO WE COLLECT?

Your privacy is our business, so we spend a lot of time making sure that we collect the minimum information necessary to operate and responsibly handle all information we store. We think it’s important to be transparent with what, where, how, and why we need this data to operate  IronVest and how we store it.

The type of information

If you're using this feature of IronVest

Some of your personal identifying information, like your email address (optional), name, address, phone number, and credit card number for both application functionality (auto-fill and charges)

IronVest has it because you have an account with us, and it lets us forward your Masked Emails.

If we process a payment for you, our payments processor will have your email address, but they are contractually bound to only use it for that purpose.

Biometric data - for authentication and data protection

The end user’s biometrics are used to verify their identity and, by that, protect the end user from fraud and cyber crimes by bad actors. Biometric authentication is both stronger and provides better experiences than other means of authentication usually provided online. Please refer to IronVest’s more specific Biometric Data Privacy Policy for details regarding the processing of your biometric identifiers.

The fact that you're visiting and using the IronVest website

Each day IronVest checks in with our servers to let them know it's still active, as well as pick up any new form mappings or tracker signatures. We do not store your IP address when this check-in happens. Some of the IronVest’s websites use Matomo to understand what parts of the website are important to our users, what features are most frequently read up on, where users get lost in the documentation, etc. This data allows us to better understand how users use the system, the website, and the docs and where to focus improvements next. IronVest regards this analysis as an integral part of its online service.

Data about forms you encounter

In order to improve our ability to detect forms we collect some data about the fields and forms you interact with while using IronVest. Additionally, we record the last login (domain and time) for each autofill account. We do not store your IP address or associate this data with your account (if you have one with us.)

When checkout forms are used

We collect data, such as frequency and size, about purchases made (or not completed) online. We do not store your IP address or associate this data with your account (if you have one with us.)

Senders of messages to your Masked Emails

We know this information to let you reply without giving your real email address.

Content of messages sent to your Masked Emails

Your messages are forwarded to your real inbox. They are temporarily cached in your Masked Inbox for less than 24 hours (by default), then permanently deleted from our servers.

Your IronVest password (optional)

Only you know it. IronVest never knows your Master Password and even when we synchronize your data across "the cloud" it's all encrypted in a way we can't decrypt.

Your logins and account information (including passwords and where you have online accounts)

This is encrypted locally on your device.

If you enable Backup & Sync, we will store your encrypted data. Don't worry, IronVest can *not* read your encrypted data.

Your personal phone number (optional)

Let us forward calls and texts to your Masked Phone Number. Our friends at Twilio or Bandwidth have this number only to forward you calls & texts, but they don't know your name or other personal information. If you live in certain countries in the EU, we're required to verify your Masked Phone number using a mailing address.

Who has your Masked Phone number

IronVest has it so we can forward calls and texts to you, along with anyone you choose to give it to. Our friends at Twilio or Bandwidth have this number only to forward you calls & texts, but they don't know your name or other personal information. If you live in certain countries in the EU, we're required to verify your Masked Phone number using a mailing address.

Who has contacted your Masked Phone number

We store it on our servers so we can forward you Masked Phone communications and keep track of callers you've blocked. Our friends at Twilio or Bandwidth can see who called your Masked Phone, but what they have is anonymous (in no way tied to you directly) other than the number they have to forward calls and messages. If you live in certain countries in the EU, we're required to verify your Masked Phone number using a mailing address.

Content of text messages sent to you via masked phone number

We store the messages for less than 24 hours on our servers then delete them. We store them for the service of security features such as passcode protection. Our friends at Twilio or Bandwidth have access to your messages as well.

Your billing information (personal credit card number, name, and address) (optional)

We know your name and billing address (but not your credit card number). Our payments processor stores your encrypted card number compliant with PCI DSS standards.

If you have subscribed to any of our tiers with Biometric functionality, we collect your biometric data.

Your biometric identifier is collected and stored, in decentralized digital bits, by our vendor Anonybit.com.

Your Masked Card numbers

Our bank partner stores them. We do not, but we can access them through their interface.

Who has charged your Masked Cards (merchants)

We can see the merchant that charged your Masked Card (which doesn't always indicate the actual website). Your credit/debit card bill will show charges from  “IRONVEST” and not the actual merchant. Our bank partner can see who charged your Masked Card, but it is anonymous (in no way tied to you directly). We have no choice but to keep certain pieces of data (for legal purposes), but we ensure that merchants do not have your credit card information.

Where you spend your Masked Cards (domains)

The domain itself has it. Our bank partner has it, but it's not tied to you directly.

If you are using our InboxGuard email client add-on, we collect encrypted metadata from received emails

For users of the InboxGuard email client add-on, we collect, use, and store only the data necessary to provide and improve the core features of the application, such as detecting phishing attempts and securing email content. Specifically: - We do not use Google user data for advertising, profiling, or for training, or developing AI/ML models unrelated to the security features of Inboxguard. - We do not share Google user data with third parties except where necessary to improve the functionality of Inboxguard, and only under strict privacy safeguards. - Google user data is retained only as long as needed to provide the security features of the Inboxguard add-on and is securely deleted when no longer necessary for these purposes. - Inboxguard integrates with Gmail and other email services to enhance user security, ensuring all data usage aligns strictly with the functionalities required for the service.

COOKIES AND SIMILAR TECHNOLOGIES

We log aggregate information about our site visitors, but it does not contain your name, Email, or other personally identifiable information. These logs are automatically generated for all websites and are not powered by online trackers.

We may use session cookies from time to time. Session cookies expire when you close your browser. You can set your browser to refuse cookies by following the instructions provided by your web browser.

We won't share your data unless you are using specific services through us that require it or if we are ever compelled by legal orders, in which cases, we will share the minimum data required.

Even so, IronVest.com is not directed at individuals under 13 years of age in compliance with the Children's Online Privacy Protection Act (COPPA).

If you choose to sign up for our newsletters or to receive emailed updates of our privacy blog, we'll occasionally send you emails with coupons, announcements, and IronVest news.

We will sometimes link to other websites. You should consult the respective privacy policies of these third-party sites before using them. Our privacy policy does not apply to these other websites, and we cannot control their activities.

Processing activities specific to IronVest’s Web Applications, Mobile Application, Browser Extensions

IronVest, IronVest Mobile Application and InboxGuard Email Add-On (“the Sites”) are founded upon universal values and around the principle of giving users control over their personal data, so neither IronVest nor IronVest Mobile tracks your personal data. The Sites have the limited ability to collect data about what Sites you visit and web behavior such as what forms you interact with (or we autofill), but we only use this anonymized data to improve our form detection and filling capabilities.

The Sites use algorithms to assist End Users with auto-filling data into forms that allow for use of the products or services (including but not limited to Masked Card, Masked Email, and Masked Phone numbers) but otherwise, neither IronVest nor IronVest Mobile sends any personal data or account information to our servers.  IronVest and IronVest Mobile only send the following information to our servers 1) when getting software versions, 2) obtaining updates to our form detection, 3) sending back form telemetry, such as form metadata, auto-filled metrics, and any user-created crowdsourced form mappings. The information sent to our servers is explicitly not tied to your account or other personal information. You can also opt-out of this kind of data collection in the application's settings if you prefer.

There are a few limited pieces of information we need to know to make sound decisions about the services we provide from IronVest and IronVest Mobile:

  • Information about your installation of IronVest Mobile, such as where you downloaded it, the original version you installed, the current version you have, and the month of your original install.

  • Because there is a different version of IronVest for each browser (Chrome, Firefox, Edge), we know how many installs there have been for each browser.

  • On a daily basis, we know how many users we have of IronVest Mobile and whether those users are based in or outside the U.S.

  • In order to improve our form detection capabilities, when you interact with forms we capture pieces of form meta-data and metrics such as if what we auto-filled into a form was then corrected by you. This data collection is anonymized and explicitly not tied to your account information, and not received in real-time, only once a day.

  • Lastly, we know how many visits to IronVest.com come from the IronVest tool, but we do not know if any given add-on user clicked anything or other personal details.

  • If you choose to interact with IronVest Mobile to send us feedback, we may receive the following additional information that doesn't identify you: The description of the problem that you submit to us and the website URL and any trackers found on it.

All of your personal Masked Email, Masked Phone, and Masked Card data is encrypted using industry-standard 256-bit AES encryption. The information is accessed by the particular IronVest product in real-time when the information is needed. All of your accounts, passwords, and other browsing activity are stored locally in an encrypted database that we do not have the ability to decrypt. It's encrypted using industry-standard 256-bit AES encryption. If you choose to use the Sync feature to access your IronVest data from any device, that means we're storing that data in an encrypted form on our servers - we can't read your passwords or see your accounts.

If you're using IronVest Premium, we use specialty companies to process payments and phone calls, and texts. These service providers will have access to some of your data only to process it, but they'll never own or share it with anyone else.

If you have any questions about this policy, please contact us at support@ironvest.com.

Third-Party Data Sharing

If you've subscribed to an IronVest tier that includes secure payment features, we use specialty companies to process payments and phone calls and texts. These service providers will have access to some of your data only to process it, but they'll never own it or share it with anyone else.

For your convenience, the following chart describes each IronVest partner as well as how and why your information may be shared with third parties in order to operate IronVest. We share this data because we need to in order to operate our services.

The Type of Information if You’re Using this Feature of IronVest

Company

Purpose

Data Disclosed

Matomo Tag Manager: 

We are constantly trying to improve the user experience on our website by providing clearer paths for signing up for IronVest and providing visitors with more personalized and relevant campaigns. To accomplish this we use Matomo and Matomo tag manager.

We consider Matomo to be a third-party data processor and therefore, Matomo’s Privacy Policy regulates how your data is processed, and not IronVest’s Privacy Policy.

You can access the Matomo privacy policy here: 

https://matomo.org/privacy-policy/

UserGuiding

We want our customers to get the full value of IronVest, quickly and effectively. For that end, we are employing an optional tool that provide a step-by-step user guides in the Web Dashboard.

You can disable this feature anytime in the Settings.

To learn more, check out the “End User Data” section in the UserGuiding privacy policy: https://userguiding.com/privacy-policy/.

Randomly assigned user ID, statistics about guides interaction.

You Use Our Commercial Websites

Facebook Pixel

We use advertising cookies or pixels, such as Facebook Pixel to deliver tailored advertising on our Sites. 

You can learn more about how to control advertising cookies by visiting the Network Advertising Initiative’s Consumer Opt-Out link, the DAA’s Consumer Opt-Out link for browsers, or the DAA’s opt-out link formobile devices. Please note that electing to opt-out will not stop advertising from appearing in your browse or applications and may make the ads you see less relevant to your interests.

Facebook Pixel connects data from the Facebook advertising network with actions performed on IronVest’s websites. The Facebook pixel tracks conversions that can be attributed to ads on Facebook, Instagram and Audience Network.

You can access the privacy policy for Facebook here: Privacy Policy.

Pay for Premium or use Masked Cards

Stripe

Connexpay

To allow payment processing settlement services, and fraud checking when using credit or debit cards.

Name, address, email address, details of user funding instruments, and details of payment transactions.

HubSpot Tracking Code: 

Our Site also uses HubSpot, which uses cookies to help us analyze how Business visitors use the Site. HubSpot’s products help us to identify Business visitors, analyze email campaigns, and track website contact forms so we can tailor business marketing communications to those users. Anonymous visitor tracking information may be shared with other HubSpot customers. For more information about HubSpot cookies, please visit: https://knowledge.hubspot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser

If you use biometric protection for enhanced privacy and security

Anonybit

Anonybit collects and processes your  biometric data. Data is processed, in order to authenticate your identity and for your convenience prior to your conducting any sensitive online transactions via our Website, our Mobile Application, and browser extensions.

Your biometric data identifier, e.g., facial geometry

Certain premium users who enrolled to use all of IronVest’s products before 2022

Recurly

To allow payment processing settlement services, and fraud checking when using credit or debit cards.

Name, address, email address, details of user funding instruments, and details of payment transactions.

If you are a new ACH user of Masked Cards

Plaid

To verify banking details

Temporary access to Online banking ID and password

If you create Masked Cards

Stripe

Connexpay

To allow for the completion of online transactions using Masked Cards.

Transactions completed on Masked Cards

Certain premium users who enrolled to use all of IronVest’s products before 2022 (making Masked Cards via ACH)

CheckCommerce

To allow payment processing settlement services, and fraud checking when using a bank account.

Name, details of user funding instruments, and details of payment transactions.

If you are using the Finance App

Manteca

We partnered with Manteca to enable connection to your financial assets as well as to provide the intelligent financial advisor feature. Check out Manteca’s Privacy Policy and Terms of Service.

Details about financial accounts you choose to connect

If you are using the InboxGuard Add-on

Google

IronVest does not share any data collected from Google services with third parties, except where absolutely necessary for the functioning and improvement of the email security service. Any such data sharing is conducted under strict contractual agreements to ensure the security and confidentiality of the data.”

Masked Phone Number Providers

If you are an international user of Masked Phones (and certain older Masked Phone users)

Twilio

To provide IronVest users with a Masked Phone number and, on IronVest’s behalf, to facilitate secure transactions by texting hidden codes in international transactions between End Users and the End Users’ business partners.

Phone number and address if located in certain countries in the EU.

If you use Masked Phones

Bandwidth

To provide IronVest users with a Masked Phone number and, on IronVest’s behalf, to facilitate secure transactions by texting hidden codes between the End User’s and the End User’s business partners.

Phone number

Telesign

We send Telesign the user’s phone number and the Masked (virtual) phone number assigned to the user by IronVest, to get reputation score, allow/flag/block recommendation and reason codes with Intelligence (Score) platform.

User’s phone number, and the Masked (virtual) phone number assigned to the user

3rd Party Customer Support Tools

If you email our support team

Groove

To speak with customers and potential customers via email, mostly for customer support

Email address, name if provided

If you chat with our support team

Olark

To speak with customers and potential customers using real-time live chat, mostly for customer support

Email address if provided, name if provided

If you call us on the phone

Mighty Call

To speak with customers and potential customers over the phone, mostly for customer support

Phone number

Fraud Prevention

If you make Masked Cards

MaxMind

To determine location data about a provided IP address

IP address, billing address

General Data Protection Regulation ("GDPR")

IronVest has a range of privacy and security controls across its organizations to ensure compliance with the General Data Protection Regulation (GDPR), including, but not limited to:

  • GDPR-compliant data protection agreements with all customers for whom IronVest Processes Personal Data;

  • A PIA driven process to ensure that all products and services are built with Privacy By Design;

  • An extensive, on-going training program for its employees, with data privacy and protection education upon hiring and then again at least on an annual basis;

  • State-of-the-art technical and security measures, including data encryption at rest and in transit;

  • Records of processing which include mapped storage and transfer of Personal Data throughout IronVest’s product-lines;

  • Appropriate access right limitations;

  • Company-wide systems for protecting Data Subject rights, ensuring that individual access/portability/right-to-be-forgotten rights are respected; and

  • Appointment of a Data Protection Officer.

Lawful bases for processing personal information (applies only in the European Economic Area):

We process personal information where one or more of the following conditions that are set out in the GDPR apply:

  • Where it is necessary in order for us to conduct our business and pursue our, or our affiliates' legitimate interests for internal administrative purposes. In particular, we collect, use and store your personal information: (i) to communicate and manage our relationship with our customers; (ii) to allow our customers to use our Products; (iii) to develop new Products and to improve performance of our Products and software; (iv) to maintain contact data about you or a third party (such as, your employer); (v) to inform you of Products, marketing plan and other business related items which may be of interest to you; (vi) to ensure the security and proper performance of our systems and our operations, (vii) for accounting, billing and audit purposes and (viii) where appropriate, to establish, exercise or defend legal claims.

  • Where it is required by applicable privacy laws, we will obtain your consent to: (i)send you direct marketing in relation to relevant Products that we provide; (ii)place cookies and use similar technologies in accordance with the ‘Cookies´section of this Statement and the information provided to you when those technologies are used;

  • Where it is necessary in order for us to comply with our legal obligations, such as requirements to process requests by government or law enforcement authorities.

Transfers to third countries

Whenever IronVest transfers personal information beyond the country of origin, we will do so in accordance with applicable laws. In the context of its European operations, IronVest may transfer Personal Data abroad to other countries in the European Economic Area or to third countries. In reaction to the decision by the Court of Justice of the European Union issued on July 16th 2020, in its Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (called “Schrems II case”) and in furtherance to the Recommendations 01/2020 issued by the European Data Protection Board on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, IronVest has evaluated the data transfers necessary for its multinational operations. IronVest will ensure that importers of any Personal Data offer an adequate level of protection, whether through an adequacy decision or appropriate safeguards under Article 46 of the GDPR.

To the extent Personal Data processed by IronVest would be transferred to a country, territory or sector outside the EEA that is not recognized by the European Commission as providing an ‘essentially equivalent´ level of protection to that which exists within the EU, IronVest will rely on EU Standard Contractual Clauses for transfers: (i) between IronVest affiliates, and (ii) to third parties. The EU Standard Contractual Clauses can be viewed on the European Commission’s website here. https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

(Open a new window)

As per the guidance of the European Data Protection Board, IronVest has implemented programs to review such data transfers and to employ additional safeguards when appropriate for the data processing required by law and our customer contracts.

With respect to personal data received or transferred, IronVest and its U.S. Subsidiaries are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Security and Retention

We follow generally accepted standards to protect the personal data submitted to us, both during transmission and once it is received. Information you provide to us is stored on our secure servers. Any payment transactions will be encrypted using current PCI-DSS standards. If IronVest has issued you a password, you are responsible for keeping the password confidential. If you have any questions about the security of your personal data, you can contact us at support@ironvest.com.

We retain personal data to the extent necessary to provide Products to our customers, employees, and prospective employees. Generally, we retain personal data for as long as you remain an active customer or user of our Sites and Services and for 3 years afterwards, or otherwise as required for our business operations or by applicable laws. We will permanently destroy biometric data when the initial purpose for collecting or obtaining such data has been satisfied, or within 3 years of your last interaction with us, whichever occurs first. Different retention of personal data may be necessary under contractual terms with the data controller for whom we provide services, for fraud prevention, to identify technical problems, or to resolve legal proceedings. Images added to PowerShare are automatically deleted after 45 days.

We may retain non-personally identifiable aggregate information beyond this time for research purposes and to help us improve and further develop our Products. You cannot be identified from aggregate information retained or used for these purposes. Where we process personal information for marketing or business analytic purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in the future.

Data collected through the InboxGuard add-on from Google accounts is retained only for the period necessary to provide the email security services. We regularly review our retention practices to ensure compliance with privacy policies and securely delete any data no longer required for providing the service.

Your California Privacy Rights

California has passed a law called the California Consumer Privacy Act (CCPA). If the CCPA is applicable to you, you have the right to:

  1. know the categories of personal information collected about you in the prior 12 months and its sources and business purpose;

  2. know whether your personal information is sold or disclosed, and to whom, in the prior 12 months;

  3. if your personal information is sold, to opt out of the sale of your personal information;

  4. access and then delete your personal information (subject to exceptions); and

  5. equal service and price if you exercise your privacy rights.

“Personal Information” is defined to include information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household. This includes (among other types of personal information) IP addresses, geolocation data, biometric information, and “unique identifiers” such as device and cookie IDs, internet activity information like browsing history, commercial information such as products or services purchased or consuming histories or tendencies, and characteristics concerning an individual’s race, color, sex (including pregnancy, childbirth, and related medical conditions), age (40 or older), religion, genetic information, sexual orientation, political affiliation, national origin, disability or citizenship status. Inferences are drawn from personal information “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” are also considered “personal information.”

Contact us at support@ironvest.com.

Note: If you have made financial transactions with us, we are required to retain some data to comply with Payment Card Industry Data Security Standards (PCI) and other financial reporting requirements.

Your Nevada Rights

You may review and request changes to your information or opt-out of the sale of your personal information at support@ironvest.com.