Last updated · 12 May 2026
Effective · 12 May 2026
Version 2.1
1. Who we are
IronCastle is operated by Permus Information Technology LLC ("Permus", "we", "us"), a company registered in Dubai, United Arab Emirates. Our registered address is provided on the Contact page. Permus is the data controller for all data described in this policy.
You can reach our data protection contact at [email protected].
2. What we collect
Information you give us
- Account data: name, work email, company name, role, phone number (optional).
- Billing data: billing contact, address, VAT number, payment method tokens (we do not store card numbers — Stripe does).
- Support communications: emails, chat transcripts, voice calls (recorded with notice).
Information we collect automatically
- Telemetry from your environments: security events from agents you deploy, audit logs from cloud/SaaS integrations you authorise, network metadata from probes you install. This is the data we exist to monitor.
- Portal usage: log-in events, IP address, browser fingerprint, session duration — strictly for security and abuse prevention.
What we do not collect
- File contents, document bodies, or message bodies — unless explicitly required by an incident and authorised by you in writing.
- Personal data of your end customers — IronCastle is for protecting your business; we never touch your customers' identities unless they're already in your security logs.
- Browsing history, keystrokes, or screen content from the endpoint agent. The agent inspects processes and files; it does not record what you read or type.
3. Why we collect it
- To deliver the IronCastle service — detect threats, investigate incidents, send you reports.
- To bill you accurately and meet our tax obligations.
- To prevent abuse and protect the service (rate limits, fraud checks, lawful-access requests).
- To improve detections — aggregated, anonymised pattern data feeds back into rule development. Customer-attributable data is never used for this without explicit consent.
4. Legal basis (GDPR / UK GDPR)
- Performance of contract — your subscription with us, for the service itself and billing.
- Legitimate interest — security monitoring, abuse prevention, internal analytics on anonymised data.
- Consent — marketing emails (always opt-in), non-essential cookies, and any optional processing.
- Legal obligation — tax, accounting, and lawful-access requests from competent authorities.
5. Who we share with
We share data only with subprocessors that are necessary to deliver the service. The full list is published at subprocessors.html and includes infrastructure, payment, email, and analytics providers. Each is contractually bound by data processing terms equivalent to ours.
We do not sell personal data. Ever. We do not share data with advertisers or data brokers.
We will disclose data to law enforcement only on receipt of a binding legal request and after verifying its validity. We publish a transparency report annually.
6. How long we keep it
- Security events: 90 days hot retention by default. Extended retention (12 / 24 / 36 months) is available on the Keep and Citadel plans.
- Account data: for the life of your account, plus 90 days for offboarding.
- Billing records: 7 years (UAE tax law requires this).
- Support communications: 3 years.
- Marketing data: until you unsubscribe, then deleted within 30 days.
7. Where your data lives
You choose your data residency at sign-up: UAE, Australia, or EU. Data does not leave the region you choose. Regional data planes are operated on infrastructure listed in subprocessors.html.
The only exception is aggregated, anonymised threat-intelligence data, which may be processed cross-region to improve detection. Customer-attributable data is never moved without your explicit instruction.
8. Your rights
Under GDPR / UK GDPR / UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete data we no longer need (subject to legal retention obligations)
- Receive a copy in a portable format
- Restrict or object to processing
- Withdraw consent at any time
- Lodge a complaint with your data protection authority
Request any of the above by emailing [email protected]. We respond within 30 days.
9. How we protect your data
We hold ISO 27001 and ISO 42001 certification. Operational details are on the Trust page. Headline controls:
- All data encrypted in transit (TLS 1.3) and at rest (AES-256).
- Least-privilege access. Two-person rule for production database changes.
- Quarterly penetration testing by independent third parties.
- Row-level isolation enforced at the database level — cross-tenant reads are physically impossible.
- Annual SOC 2 Type II attestation (in progress for 2026).
10. Cookies and tracking
We use a small set of strictly-necessary cookies (session, CSRF, language preference) and optional analytics cookies (Plausible — privacy-respecting, no cross-site tracking). Full details at cookies.html.
We do not use third-party advertising cookies. We do not implement Google Analytics, Meta Pixel, or similar tracking.
11. Children
IronCastle is a B2B product. It is not directed at children under 16. We do not knowingly collect data about children. If you believe we have, contact us and we will delete it.
12. Changes to this policy
We will notify customers in writing of any material change at least 30 days before it takes effect. Minor edits (typos, link fixes) are logged at the top of this page with a new version number and date.
Data Protection Lead — [email protected]
Security disclosures — [email protected]
General — [email protected]
Postal address — Permus Information Technology LLC, Dubai Internet City, Dubai, United Arab Emirates.