Irys Privacy Statement — Last Updated March 1, 2023

We have prepared this Data Privacy Policy for Irys, Inc. To explain how, why, and when we collect personal data in services using the information and location-centric data that we compile about the movement, activities, and places people visit. The following describes our data collection and use practices for the information that we collect and the data we receive from our data partners (such as mobile app publishers and developers) about individuals. This Data Privacy Policy describes our data privacy practices related to personal information that we collect through our Website at https://www.irys.us (the “Website”) and is used to provide information to Website users, Customers (as defined below) and business partners about our services.

Opt-Out and Do Not Sell - California Residents

Irys does engage in the sale of personal data with a variety of partners. You can opt-out of data collection and sharing at any time by emailing us at privacy@irys.us, or by accessing these opt-out mechanisms in our Privacy Policy. You have a right under the CCPA to opt-out of the sale of your information by utilizing Irys  “Opt-out/Do Not Sell” Form.

INFORMATION WE COLLECT AND HOW WE COLLECT IT

We obtain a variety of information (collectively the “Information”) from trusted third-party data providers such as mobile application developers. We collect this Information primarily through Software Development Kits (SDKs) that are embedded with mobile apps or APIs, which are interfaces through which these app developers can provide us with information about their users.

WE COLLECT THE FOLLOWING INFORMATION FROM THESE APPS

  • Mobile ad identifiers, primarily Apple iOS IDFAs or Google Android IDs;

  • The horizontal accuracy of the latitude/longitude coordinates.

  • The precise geographic location of a device at a certain time, usually expressed in latitude/longitude coordinates along with a timestamp;

In addition to the above we may also receive

  • Information about a device such as device type and model and OS type and version;

  • Public facing (external) IP address of device;

  • The direction in which the device is traveling as a degree coordinate and speed of device;

  • Altitude and vertical accuracy;

  • Phone carrier and connection type (e.g., cellular, wifi);

  • Proximity beacon UUID’s or any associated Bluetooth Low Energy(BLE) beacon metadata.

  • Device language;

  • Available or connected WiFi SSID and/or BSSID names;

We also collect certain Information when people visit our website(s), including the website on which this Privacy Policy resides. When you visit our website, we or third party platforms we work with may automatically collect other information from your desktop computer, laptop, mobile phone, tablet, or other consumer electronic device that you use to access the website. This information may include anonymous data, such as a unique browser identifier, device type, operating system, settings and system configurations, IP address, other unique device identifiers, and mobile network information and your activity on our website, as well as data about the webpages you access, traffic to and from websites, the dates and times associated with transactions, and web log data. We refer to this as “Site Data.”

HOW WE USE THE INFORMATION WE COLLECT

  • Inferences from Aggregated Data. We often use the information we collect to make inferences about human location and traffic patterns. We curate these insights into data products. We may append other fields such as venue name, category, dwell timed or ticker symbols to an aggregate group of device IDs to build consumer profiles or to make financial based decisions such as trading on the stock market based off our aggregate panel. IDs."

  • Aggregated Traffic Patterns and Research. We also share the information we receive with other marketing and research companies (including advertising platforms), who use the information to provide similar services. This helps these companies to better predict and draw insights about consumer, market or scientific trends related to human movement patterns. This same information may also be licensed to real estate, city planners or smart city companies and augmented with fields to create more specific segments. For example if an aggregate group of devices drive vs walk to determine whether to put a bus stop in an area or not or to understand the flow of traffic overtime to determine whether to purchase or not purchase a piece of real estate.

The above is not an exhaustive description of all of the ways the information we collect may be used:  we may, for instance, sometimes customize uses of the information we have for certain customers. But the above does describe the types of information that we collect, how we generally collect it, and what our company focuses on.

INFORMATION WE SHARE WITH OTHERS

We share the data and information we compile about someone in an aggregated or anonymized way using advertising IDs or another type of anonymous identifier:

  • to display and optimize advertisements (like improving the relevancy of the advertisements displayed, tailoring them to certain interests, or creating audiences

  • for measurement, statistics, usage reporting, and other data analytics, and

  • for industry analysis, demographic profiling, market research and other such purposes.


WHO WE SHARE YOUR INFORMATION WITH

We may share your personal information with selected third parties including:

·       business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you in order to provide our clients with a product or service;

·       analytics and search engine providers that assist us in the improvement and optimization of the Service.

We may disclose your personal information to third parties:

·       If we enter into negotiations to buy, sell, or merge with any business or assets, or if we enter into bankruptcy, reorganization, or receivership, in which case we may disclose your personal information to the prospective or eventual seller or buyer of such business or assets;

·       If we are under a duty to disclose or share your personal information in order to comply with any legal obligation, or in the event of an emergency, or in order to enforce or apply our Terms of Use and other agreements, or to protect the rights, property, or safety of Irys, our customers, clients or others; and

·       To any other third party not covered in this policy with your prior consent.

HOW DO WE SECURE YOUR INFORMATION

We maintain commercially reasonable physical, electronic, and procedural safeguards to secure your information from loss, misuse and unauthorized access, disclosure, alteration, and destruction. However, we are unable to guarantee that security measures we take will not be penetrated or compromised or that your information will remain secure under all circumstances.

CHILDREN’S INFORMATION

The Website is not intended for children under 13 years of age and Irys does not knowingly collect personal information from children under 13 years of age. If you believe that we might have any Personal Data from a child under 13, please contact us privacy@irys.us   If you are a parent or guardian of a child who is 13-16 years old and using our Services, please send us an email at privacy@irys.us to opt in to the use of your personal information or request deletion of any personal information we may have collected about the child.

DO NOT TRACK

Some web browsers may transmit "do-not-track" signals to the websites with which the user communicates. Because of differences in how web browsers incorporate and activate this feature, it is not always clear whether you intend for these signals to be transmitted, or whether you even are aware of them. Because there currently is no industry standard concerning what, if anything, websites should do when they receive such signals, we currently do not take action in response to these signals.

STORAGE AND TRANSFER OF INFORMATION

We operate the Services in and from a number of different jurisdictions, but the Site is primarily operated from the United States, which is where your information will likely be stored and processed. Your information may be disclosed in response to inquiries or requests from government authorities or to respond to legal process in the countries in which we operate and/or store your information.

DATA RETENTION

We generally retain  mobile advertising IDs on the following schedule:  (a) we render mobile advertising IDs inactive for interest-based advertising purposes within 120 days, (b) we continue to use mobile advertising IDs for analytics purposes and other purposes unrelated to interest-based advertising and reporting for up to 24 months provided that we may retain them if we have a legal or significant operational or legal need to do so, such as for auditing, corporate record-keeping, compliance, record-keeping, accounting or security and bug-prevention purposes.

YOUR RIGHTS

Irys believes in extending privacy rights to everyone regardless of where you live or if your state or country has established privacy laws granting you individual rights over your data. You may exercise the following rights regarding your personal information, subject to our ability to verify your request and certain other limitations:

·       Information about You: You may ask for us to state what categories of personal information about you we have, and the categories of sources from which we collect your personal information;

·       Receive a Copy of Your Data: You may request the categories and specific pieces of information (if any) we have about you, the categories of personal information that we have disclosed about you for a business purpose, and the categories of third parties with which we have shared personal information in the previous 12 months.

·       Delete Your Data: You may request that we delete the personal information we have collected from you.

·       Do-Not-Sell: You may opt out of our sale(s) of your personal information, as “sale” is defined by California law. Please see above for more information.

·       Non-Discrimination: We won’t use our services to discriminate against you for exercising your privacy rights.

All requests will be performed at no cost to you.

How to Exercise Your Rights.

To exercise any of the above rights, please contact us at privacy@irys.us with the following information:

·       Your device identifier (Add instructions on how to get AAID or IDFA)

·       A utility bill or similar documentation showing your address (we use this to confirm your identity by correlating it to our location data)

 

Any information you submit to us to verify your identity will only be used for verification purposes. It may be stored via email but will not be used in our data analytics and other products.

All requests must be verified. Some requests, including receiving a copy of your data or requests made by an agent claiming to be acting on your behalf, are subject to heightened requirements. If we cannot verify your identity based on the information provided, a request for a copy of your data shall be treated as a request for information and if we cannot verify your identity, a request to delete personal information may be treated as a request to opt out of the sale of personal information.

If you have any other request you wish to submit to us, you may submit a general information request here.

Authorized Agent. You may designate an authorized agent to make a request on your behalf. An Authorized Agent must have written documentation of their authority to act on your behalf, such as a Power of Attorney.

YOUR EU AND OTHER PRIVACY RIGHTS. If you are a resident of the EEA you may request a copy of your personal information and confirmation that we are processing personal information about you. You may also be entitled to ask us for other information such as purposes of processing, categories of personal data and recipients of the information. You may be entitled to request correction of any personal information about you which is incomplete or inaccurate, deletion or erasure of it, suspension of processing of it or making it available for transfer to third parties. These rights apply under and subject to applicable law. If you want to exercise any of these or other rights under applicable law, please contact us at privacy@irys.us. We may require you to prove your identity with approved identification.

You may also have the right, in certain circumstances, to object to our processing your personal information. However, we may be entitled to continue processing it in line with applicable law. You can exercise this right at any time by contacting us at privacy@irys.us. You may also have the right, where provided under applicable law, to ask us to stop processing your personal information for direct marketing purposes. You can exercise this right by checking certain boxes on the forms we use to collect your information or by clicking "unsubscribe" on the emails you receive. You can also exercise this right at any time by contacting us at privacy@irys.us.

We will retain your personal information for as long as needed to provide you with services you have requested. We will retain and use your personal information as necessary to comply with our legal obligations, resolve disputes and enforce our agreements.

 

STATEMENT REGARDING GDPR

The GDPR requires Irys and those using our services to provide users with certain information about the processing of their “Personal Data”. “Personal Data” is a term used in Europe that means, generally, data that identifies or can identify a particular unique user or device – for instance, names, addresses, cookie identifiers, mobile device identifiers, precise location data, and biometric data.

If you have any questions about Irys’s data practices in the context of the GDPR, you may contact our Data Protection Officer a Privacy@irys.us .

To comply with the GDPR, we provide the below representations and information, which are specific to persons located in EEA countries or Switzerland (so please don’t rely on the below, if you’re not):

a.             Legal grounds for processing your Personal Data: The GDPR requires us to tell you about the legal basis we’re relying on to process any Personal Data about you. The legal basis for us processing your Personal Data for the purposes set out in the above sections  will typically be because:

·     You provided your consent. In order to provide our services that involve use of precise location information related to other Personal Data, (and to store and gain access to information stored on your device such as Advertising IDs), we rely on your consent. To obtain this consent, we rely on our own compliance steps and our web and mobile partners’ compliance steps, designed to ensure that consent is collected and passed on to partners, and to ensure that we only facilitate the collection of legally obtained data. We may choose to obtain consent in other cases as well, in which case we will adhere to applicable laws relating to such consent and its withdrawal. We also seek to obtain consent for certain partners with whom we work, who are often independent data controllers.

·     The processing is in our legitimate interest. In some cases, we use legitimate interest as a legal basis for processing Personal Data. We rely on legitimate interest when we use Personal Data to maintain the security of our services, such as to detect fraud or to ensure that bugs are detected and fixed. We also rely on legitimate interest when we use our own Trusted Partners’ data (or Visitors’ data) to communicate with them about our Services or analyze our own Site activity.

·     Contractual Relationships: Sometimes, we process certain data as necessary under a contractual relationship we have (such as our Trusted Partner records and contact information).

·     Legal Obligations: Finally, some processing of data may be necessary for us to comply with our legal or regulatory obligations.

b.             Transfers of Personal Data: When we transfer Personal Data outside of the EEA or Switzerland, we take steps to make sure that appropriate safeguards are in place to protect your Personal Data. In general, our data transfers of our Personal Data are safeguarded by European Standard Contractual Clauses and Data Processing Agreements where this is required by European Data Protection Law. Feel free to contact us at the contact information below for more information about the safeguards we have put in place to protect your Personal Data and privacy rights in these circumstances.

·     Personal Data Retention: As a general matter, we retain your Personal Data for as long as necessary to provide our Services, or for other important purposes such as complying with legal obligations, resolving disputes, and enforcing our agreements. We generally retain Advertising IDs on the following schedule: we render Advertising IDs inactive for purposes of providing our services within 13 months from receipt of consent (or from any “refreshed” consent permitting us to continue to retain information), provided that we may retain data for longer periods, as needed, where we have fully de-identified such data in a manner so that it cannot be linked to Personal Data, Please note that we may retain this (and other) Information whenever and so long as we have a significant legal or operational need to do so, such as for auditing, corporate record-keeping, compliance accounting or security and bug-prevention purposes.

c.             Your Rights as a Data Subject: The GDPR provides you with certain rights in respect of Personal Data that data controllers hold about you, including certain rights to access Personal Data, to request correction of the Personal Data, to request to restrict or delete Personal Data, and to object to our processing of your Personal Data (including profiling for online ad targeting). More specifically,

·     Right to Access: If you wish to exercise your right to access Personal Data we process as a data controller, you may do so by requesting access through the e-mail address privacy@irys.us . When we receive your request, we will provide you with current, step-by-step instructions to follow in order to obtain access. As we are required to verify a requestor’s identity prior to providing Personal Data, we will assess requests to exercise certain data access rights on a case-by-case basis: in doing so, we consider (a) the difficulty of verifying whether data that we hold and data we have linked to it truly and solely belongs to the data subject making the request, along with (b) the potential adverse effects on disclosure of personal data to the wrong individual. Because such improper disclosure would likely adversely affect the privacy rights and freedoms of the data subject, we may limit the Personal Data we make available. Please note that we will only grant requests for access for Personal Data for which we are a data controller, as explained further in sub-section (e) below. Where we act as a processor for one of our Trusted Partners, we will refer your request to that Trusted Partner. Please identify the Trusted Partner your request refers to (if possible), to simplify this process.

·     Right to Correct: If you wish to exercise your right to correct Personal Data, you may do so by contacting us at the contact information below.

·     Right to Object to Processing or to Withdraw Consent: By using the device-based “opt-out” signals you may withdraw consent for processing on which we rely on consent. If you do so, we will cease processing your Personal Data for purposes of our services within 30 days or less. We either collect these opt-out signals ourselves or receive them from the mobile apps we work with.

·     Right to Erasure: You also have the right to obtain the erasure of Personal Data concerning you that we hold as a controller. The above opt-out process satisfies this right. When a user opts-out through our partners (or through mobile device settings), and we receive this signal, we no longer use Personal Data to provide our advertising services. We will also manually delete your Personal Data if prefer that we do so; please contact us and email your device to privacy@irys.us for further instructions if you wish to exercise this right manually. Please note, however, that we may retain copies of certain Personal Data on inactive or back-up files, for our certain important internal and purposes, such as auditing, accounting and billing, legal or bug-detection, for as long as is necessary to fulfill those purposes.

·     Right to Lodge Complaints: You have the right to lodge a complaint with a supervisory authority. However, we hope that you will first consult with us, so that we may work with you to resolve any complaint or concern you might have.

d.             Irys sometimes is a data controller and sometimes is a data processor. EU data protection law makes a distinction between organizations that process Personal Data for their own purposes (known as “data controllers”) and organizations that process Personal Data on behalf of other organizations (known as “data processors”). As noted above, we are not always a data controller of the data in our possession but are sometimes a data processor for other companies such as our Trusted Partners (for instance, when we receive or process personal data on behalf of our Trusted Partners). In such cases, we may direct your inquiry to the relevant data controller, since data controllers are the ones with primary responsibility for your Personal Data.

Privacy@Irys.us.

CHANGES TO PRIVACY POLICY

If we make material changes to this Privacy Policy that may impact you, we will prominently post notice of the change on our website for a period of at least 30 days prior to the change becoming effective. We recommend that you check the Privacy Policy frequently so that you are informed of any changes.

CONTACT IRYS

If you have any questions regarding our Privacy Policy or our privacy practices, or about Irys generally, you can contact us by email at privacy@Irys.us or via regular mail at the following address:

Irys, Inc.,
Attn: Privacy
244 5th Ave, Suite 238
New York, NY 10001