Privacy Policy
Last updated: April 2026
Who we are
IRIS PARIS is a simplified joint-stock company (SAS) registered in France and is the data controller for the personal data processed through the IRIS mobile application and this website.
SIREN: 101 388 551
Address: 10 Rue de la Paix, 75002 Paris, France
Contact: contact@iris.paris
Who can use IRIS
IRIS is intended for users aged 18 and over. You are asked to confirm your date of birth during onboarding. We do not knowingly process personal data of minors.
What data we process
Depending on how you use IRIS, we may process:
- Account data: your name, email address or phone number, date of birth, sign-in identifier (Apple, Google or phone), and the preferences you set in the app.
- Content you create: photos of the card spreads you capture, the text of the readings generated for you, and any journal entries you save.
- Technical data: device type, operating system, app version, language, crash reports and performance diagnostics.
- Usage data: events describing how you interact with the app (screens viewed, actions taken) used to measure product performance.
- Purchase data: when subscriptions become available, transaction identifiers and receipts provided by Apple. IRIS never receives your payment card details.
Why we process it and on what legal basis
- Providing the service (account creation, generating and saving readings, journal, authentication): performance of our contract with you — Art. 6(1)(b) GDPR.
- Security, fraud prevention, error monitoring: our legitimate interest in keeping the service reliable and safe — Art. 6(1)(f) GDPR.
- Product analytics: our legitimate interest in understanding usage. Analytics are measured with IP truncation and no advertising identifiers.
- Payment processing and tax records: performance of contract and compliance with legal obligations (French tax law) — Art. 6(1)(b)(c) GDPR.
Who we share data with
We do not sell your personal data. We share data only with service providers acting on our behalf under a data processing agreement, and only to operate IRIS:
- Apple and Google — authentication (Sign in with Apple, Google Sign-In).
- Apple — subscription billing and App Store notifications, when subscriptions are offered.
- Cloud hosting and storage providers — running the IRIS application servers and storing your reading photos and user content in encrypted storage, primarily in the European Union.
- Database providers — the managed PostgreSQL database that holds your account, readings and journal entries, hosted in the European Union.
- Content delivery and edge networks — serving our website and API traffic efficiently and securely.
- Crash and error monitoring providers — diagnosing bugs and crashes, with personal data scrubbing enabled.
- Product analytics providers — understanding how the app is used, with IP truncation and no advertising identifiers.
Any international transfers outside the EEA rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses adopted by the European Commission. We will share the identity of a specific processor on request.
How long we keep it
- Account, readings and journal entries: for the life of your account.
- If you delete your account, we hard-delete your data within 30 days of the request, except records we are legally required to keep (e.g. billing records retained for up to 10 years under French law).
- Crash and analytics data: retained for up to 13 months, then deleted or anonymized.
Your rights
Under the GDPR you can, at any time:
- Access the data we hold about you and obtain a copy.
- Rectify inaccurate data.
- Delete your account and associated data from within the app.
- Restrict or object to certain processing.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with the French data protection authority (CNIL).
To exercise these rights, email contact@iris.paris. We respond within one month.
Security
Data in transit is encrypted with TLS. Reading photos and user content are stored encrypted at rest. Access to production systems is restricted to a small number of authorized IRIS team members.
Changes to this policy
We update this policy as the product evolves. The "last updated" date at the top of the page reflects the most recent change.