Privacy Policy

Effective 3 May 2026. This policy explains how Cyrus Labs Ltd (“IRIS”, “we”) handles personal data when you visit irislabs.co.uk or use the IRIS service.

1. Who we are

IRIS is a product of Cyrus Labs Ltd, a company registered in England & Wales (company number 17153679), with registered office at Charlbert Court, Charlbert Street, London NW8 7DB. We are the data controller for personal data we collect about you when you use our website or service.

2. What data we collect

Account data

  • Name and email address provided when you sign up.
  • Authentication identifiers issued by Amazon Cognito (our auth provider).
  • Organisation membership and role information you create within IRIS.

Connection data

  • AWS account IDs and the IAM role ARN you authorise IRIS to assume. We do not receive AWS access keys.
  • OpenAI and Anthropic admin API keys, only if you choose to connect those providers. These are encrypted and described in our Security page.

Usage and cost data

  • Cost and resource metadata read from your AWS account (e.g. spend per service, instance types, region, tags).
  • Usage and cost data read from your AI providers (e.g. spend per model, token counts, request counts).
  • We do not read prompts, completions, customer payloads, database rows, or object contents.

Technical data

  • Standard server logs (IP address, browser, request paths, timestamps) used to operate and secure the service.
  • A session cookie named iris_session used to keep you logged in.

Analytics

  • We use Google Analytics 4 on irislabs.co.uk to understand which pages help visitors and which don't (page views, traffic sources, country-level location, device type, time on page). This data is aggregated and anonymised; no personal information is stored against your identity.
  • Google Analytics is only loaded after you accept the cookie banner shown on your first visit. If you decline, no analytics cookies are set and no data is sent.
  • We do not use advertising or marketing trackers (no remarketing pixels, no Facebook Pixel, no LinkedIn Insight Tag, etc.).

3. Why we use your data and our lawful basis

We process personal data on the following lawful bases under UK GDPR:

  • Performance of a contract — to provide the IRIS service to you (account creation, authentication, scanning your authorised AWS and AI accounts, generating reports and alerts).
  • Legitimate interest — to operate, secure, and improve the service (server logs, abuse prevention, debugging) and to send service-related communications such as budget breach alerts.
  • Legal obligation — to comply with applicable laws (e.g. responding to lawful requests, maintaining tax and accounting records).
  • Consent — for any optional communications you opt into. You can withdraw consent at any time.

4. Who we share data with

IRIS is operated by a small team and we share personal data only with the subprocessors needed to run the service. The full list and their roles are on our Security page. In summary:

  • Amazon Web Services (eu-west-1, Ireland) — hosting, database, object storage, authentication (Cognito), email (SES).
  • Vercel — frontend hosting and CDN.
  • OpenAI and Anthropic — only if you connect those providers, and only via your own admin key.
  • Stripe — subscription billing once launched.
  • GitHub — source code hosting and CI/CD.

We do not sell, rent, or trade personal data. We do not share it with advertisers.

5. International transfers

Customer data processed by IRIS itself is stored in the EU (AWS eu-west-1, Ireland). Some subprocessors are based in the United States — specifically OpenAI, Anthropic, Stripe, GitHub, and Vercel's edge network. International transfers to those providers are governed by Standard Contractual Clauses and each provider's data processing terms.

6. How long we keep data

  • Account data: for as long as you maintain an account with IRIS, plus up to 90 days after deletion to allow recovery.
  • Cost and usage data: for as long as your account is active. On deletion, snapshots are removed within 90 days.
  • Server logs: typically 30 days, longer where required to investigate security incidents.
  • Billing records: retained for 7 years to comply with UK accounting law.

7. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased (subject to legal retention obligations such as billing records).
  • Restrict or object to processing in certain circumstances.
  • Receive your data in a portable format.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email hello@irislabs.co.uk. We will respond within one calendar month.

8. Cookies

IRIS uses one essential cookie, iris_session, to keep you signed in. If you accept the analytics consent banner on first visit, Google Analytics also sets _ga and _ga_* cookies to count returning visitors anonymously. We do not use advertising or marketing cookies.

9. Security

Our technical and organisational measures are described on the Security page. To report a vulnerability or security concern, email security@irislabs.co.uk.

10. Changes to this policy

We may update this policy as the product evolves. Material changes will be communicated by email to account owners and the “Effective” date at the top of this page will be updated.

11. Contact

Questions about this policy or your data: hello@irislabs.co.uk.

Cyrus Labs Ltd · Charlbert Court, Charlbert Street, London NW8 7DB · Company No. 17153679