This Privacy Policy explains how Team Clarity, Inc. DBA Iron Gorilla (“Team Clarity,” “Iron Gorilla,” “we,” “us,” or “our”) collects, uses, discloses, stores, and protects personal information in connection with Iron Gorilla, our websites, applications, hosted services, APIs, dashboards, runtime environments, integrations, support, professional services, and related offerings.

This Privacy Policy should be read together with our Terms of Service, any applicable Order Form, Data Processing Addendum, security addendum, statement of work, or other written agreement between you and Team Clarity.

1. Scope

This Privacy Policy applies to personal information we process when you visit our websites, create an account, use the Services, communicate with us, purchase credits or subscriptions, receive support, participate in sales or marketing activities, or otherwise interact with Team Clarity.

This Privacy Policy also explains how we process personal information contained in Customer Data. “Customer Data” means data, prompts, files, content, configurations, inputs, outputs, logs, credentials, metadata, and other materials submitted to, generated through, processed by, or made available through the Services by or on behalf of a customer.

Where we process Customer Data on behalf of a customer, the customer is generally the controller or business, and Team Clarity acts as a processor or service provider. In that case, we process Customer Data according to the customer’s instructions, our Terms of Service, any applicable DPA, and applicable law. If you are an employee, contractor, user, customer, or other individual whose information is processed by one of our customers through Iron Gorilla, you should direct privacy requests to that customer unless we separately tell you otherwise.

Where we process account, billing, website, security, support, sales, marketing, telemetry, compliance, fraud-prevention, or business operations data for our own purposes, Team Clarity generally acts as the controller or business.

2. Who We Are

The controller for personal information processed under this Privacy Policy is:

Team Clarity, Inc. DBA Iron Gorilla
1111B S Governors Ave #41605
Dover, Delaware 19904
United States
legal@teamclarity.ai

EU/UK Representative (GDPR Article 27 / UK GDPR):

Jacob Hartmann
Team Clarity, Inc. DBA Iron Gorilla
Sos. Morarilor 2 B, Et. 3, Cam. 11
Cod 022452
Bucharest, Romania
legal@teamclarity.ai

3. Personal Information We Collect

We collect personal information from you, your organization, your use of the Services, connected systems, service providers, business partners, and third-party integrations.

Account and identity information may include your name, business email address, username, password or authentication method, organization name, role, title, team, workspace, account settings, permissions, and administrative status.

Contact and communications information may include emails, messages, support tickets, call notes, meeting details, feedback, survey responses, and other communications with us.

Billing and commercial information may include subscription plan, credit purchases, usage records, invoices, billing address, tax information, payment status, payment method metadata, transaction history, and payment processor information. We use Stripe for payment processing and do not intentionally store full payment card numbers ourselves.

Service usage and telemetry may include IP address, device identifiers, browser type, operating system, pages viewed, login activity, session information, API requests, runtime activity, compute usage, token usage, model usage, credit consumption, latency, errors, performance metrics, feature usage, audit events, security events, administrative actions, and related metadata.

Customer Data may include prompts, outputs, files, logs, traces, policy decisions, model calls, tool calls, integration activity, workflow configuration, agent configuration, connected-system data, credentials, API keys, OAuth tokens, metadata, and other data processed through Iron Gorilla. Customers are responsible for the credentials, tokens, and connected-system access they provide, and for the lawful basis for submitting any such information to the Services.

Integration information may include data from third-party systems you connect to the Services, such as account identifiers, permissions, tokens, configuration metadata, files, records, messages, tickets, code repositories, cloud resources, CRM data, productivity data, or other information made available through those integrations.

Website and analytics information may include cookie identifiers, device data, browser data, referral URLs, pages visited, approximate location derived from IP address, and interactions with our websites or emails.

Security and compliance information may include login history, access controls, authentication events, suspected abuse signals, fraud indicators, sanctions-screening information, audit logs, incident data, and information needed to protect the Services or comply with law.

Marketing and sales information may include company name, role, business contact details, product interests, event participation, lead source, marketing preferences, and communications history.

Professional services information may include information you provide during onboarding, implementation, integration, policy design, agent design, advisory work, support, training, or other services.

4. Sensitive and Regulated Data

The Services are not intended for highly regulated or sensitive data unless expressly authorized in a signed Order Form, Data Processing Addendum, Business Associate Agreement, security addendum, or other written agreement with Team Clarity.

You may not submit, process, store, transmit, or expose protected health information, payment card data, cardholder data, CUI, FCI, export-controlled data, classified information, children’s data, biometric data, genetic data, precise geolocation data, or other highly regulated data through the Services unless we have expressly agreed in writing.

We may process certain sensitive personal information where necessary to provide the Services, such as account credentials, API keys, OAuth tokens, security logs, or payment-related metadata. We use this information to provide, secure, authenticate, administer, and protect the Services.

5. How We Use Personal Information

We use personal information to provide, operate, maintain, and improve the Services; create and manage accounts; authenticate users; manage organizations, workspaces, permissions, agents, workflows, integrations, and deployments; process payments, credits, billing, taxes, renewals, usage, and invoices; provide support, onboarding, training, and professional services; route, proxy, monitor, log, and govern model calls and agent activity; operate runtime environments, control-plane services, policy services, DLP services, reporting, logging, and telemetry; detect, prevent, and investigate fraud, abuse, security incidents, unauthorized access, misuse, and violations of our Terms of Service; communicate about the Services, updates, security, support, billing, and administrative matters; send marketing communications where permitted; analyze usage, performance, errors, reliability, and service quality; develop new features and improve the Services; comply with legal, regulatory, tax, accounting, sanctions, export-control, and law-enforcement obligations; enforce our agreements and protect our rights, users, customers, and the public.

We do not share Customer Data with third-party AI model providers for the training or fine-tuning of their foundation models, and we configure our API integrations with such providers to opt out of training where the provider offers that option. We may use aggregated, anonymized, or de-identified usage data, telemetry, performance data, security data, operational data, and statistical information to improve the Services, develop new features, perform analytics, detect abuse or threats, benchmark performance, and operate our business.

6. GDPR Legal Bases

Where the GDPR or similar laws apply, we process personal information using the following legal bases.

We process account, subscription, billing, support, and service information where necessary to perform a contract with you or your organization.

We process tax, accounting, compliance, sanctions, export-control, and legal-request information where necessary to comply with legal obligations.

We process security, fraud-prevention, abuse-prevention, service-improvement, analytics, product-development, business-operations, and certain marketing information based on our legitimate interests, where those interests are not overridden by your rights and freedoms.

We process certain marketing, cookie, analytics, or optional information based on consent where consent is required. Where we rely on consent, you may withdraw consent at any time.

We may process personal information where necessary to protect vital interests, such as in urgent security or safety situations.

When we process Customer Data as a processor, the customer is responsible for establishing the legal basis for processing and for providing any required notices or consents.

7. AI, Model Providers, and Customer-Authorized Processing

Iron Gorilla may route, proxy, inspect, transform, log, or otherwise process prompts, outputs, metadata, model calls, tool calls, and related information involving third-party AI model providers.

You authorize us to transmit Customer Data, prompts, outputs, metadata, and related information to supported model providers as necessary to provide the Services. Current supported model providers include OpenAI API, Anthropic API, and Grok API.

We do not control third-party model providers, their systems, their availability, their pricing, their models, their outputs, or their independent legal obligations. Where required, our customer agreements or DPA will address applicable subprocessors and transfer mechanisms.

8. Cookies, Analytics, and Similar Technologies

We and our service providers may use cookies, pixels, local storage, analytics tools, logs, and similar technologies to operate our websites and Services, remember preferences, authenticate users, secure accounts, understand usage, measure performance, troubleshoot issues, and improve the Services.

We may use Cloudflare for edge hosting and customer support, Sentry for logging and monitoring, Resend for email, Twilio for SMS and phone verification, Stripe for payment processing, Amazon Web Services for application hosting, and Microsoft 365 for business productivity and internal operations.

You can control cookies through your browser settings and, where available, our cookie preference tools. Some cookies are necessary to operate the Services and cannot be disabled through our tools.

We do not currently respond to all browser “Do Not Track” signals because there is no consistent industry standard. Where required by applicable law, we will honor legally recognized opt-out preference signals, such as Global Privacy Control, for applicable sale, sharing, or targeted-advertising opt-outs.

9. How We Disclose Personal Information

We may disclose personal information to service providers, subprocessors, contractors, vendors, and infrastructure providers who help us provide, secure, support, monitor, analyze, bill, and improve the Services.

These providers may include:

Stripe for payment processing, billing, invoices, subscriptions, and payment-related fraud prevention.

Cloudflare for edge hosting and customer support.

Resend for email delivery.

Amazon Web Services for application hosting.

Microsoft 365 for business productivity and internal operations.

Sentry for logging and monitoring.

Twilio for SMS and phone verification.

OpenAI API for LLM processing.

Anthropic API for LLM processing.

Grok API for LLM processing.

We may also disclose personal information to customer administrators and organization owners; connected systems and integrations authorized by you or your organization; professional advisors such as lawyers, accountants, auditors, insurers, and investors; law enforcement, regulators, courts, governmental authorities, and other parties where required or permitted by law; parties involved in a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction; and other parties with your consent or at your direction.

We may disclose aggregated, anonymized, or de-identified information that does not reasonably identify you.

10. Third-Party Integrations

If you connect third-party systems to Iron Gorilla, we may access, receive, transmit, store, modify, delete, or otherwise process information from those systems as configured by you, your users, your administrators, your agents, your credentials, your policies, or your workflows.

Your use of third-party integrations may also be subject to the privacy policies and terms of those third parties. We are not responsible for the privacy practices of third-party services that you choose to connect to the Services.

11. International Data Transfers

We operate globally and may process personal information in the United States, the European Union, and other jurisdictions where we, our customers, our service providers, our subprocessors, or model providers operate.

If we transfer personal information from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with data-transfer restrictions, we use appropriate safeguards where required. These may include adequacy decisions, the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum (UK IDTA) for transfers from the United Kingdom, supplementary technical and organizational safeguards, contractual commitments, and, where Team Clarity is certified, the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks.

12. Retention

We retain personal information for as long as reasonably necessary to provide the Services, maintain accounts, support customers, comply with law, resolve disputes, enforce agreements, prevent fraud or abuse, maintain security, process billing and taxes, preserve auditability, and operate our business.

Customer Data retention may depend on the applicable plan, Order Form, configuration, retention settings, technical availability, legal obligations, and backup or security requirements. Upon termination, access to Customer Data may be disabled, but Customer Data may remain in backups, logs, archives, legal holds, billing records, security records, and other retention systems until applicable retention periods expire.

Billing and transaction records are generally retained for at least seven (7) years to satisfy tax, accounting, audit, and statute-of-limitations requirements. Account records (including identity, contact, and authentication information) are generally retained for the life of the account plus three (3) years. Security logs, audit logs, and abuse-prevention records are generally retained for up to two (2) years after the relevant event, except where a longer period is required to investigate incidents, comply with law, or enforce our rights. Marketing records are retained until you opt out, after which we retain only suppression-list information needed to honor your opt-out. Customer Data retention follows the applicable Order Form, plan, or DPA; in the absence of a specified period, Customer Data is generally deleted within ninety (90) days after termination, subject to backups and legal holds.

Security logs, abuse-prevention records, audit records, and operational telemetry may be retained after account closure where necessary to protect the Services, investigate incidents, prevent fraud, comply with law, or enforce our rights.

Marketing records are retained until you opt out or until we no longer need them, except that we may retain suppression-list information to honor opt-out requests.

When we no longer need personal information, we will delete, anonymize, de-identify, or retain it only as permitted or required by law.

13. Security

We use commercially reasonable technical and organizational measures designed to protect personal information, including measures for access control, authentication, encryption, monitoring, logging, security review, incident response, and infrastructure protection.

No method of transmission, storage, or processing is completely secure. You are responsible for configuring and using the Services securely, protecting credentials, assigning appropriate permissions, managing connected systems, and promptly notifying us of suspected unauthorized access, compromised credentials, unintended agent activity, misconfigured workflows, or security incidents.

Where required by applicable law or contract, we will provide notices of security incidents or data breaches. For Customer Data, the customer may be responsible for notifying affected individuals, regulators, or other parties, and we will assist as required by our applicable agreement.

14. Your Privacy Rights

Depending on where you live and how we process your personal information, you may have rights to access your personal information, obtain a copy of your personal information, correct inaccurate personal information, delete personal information, restrict or object to processing, withdraw consent, request portability, opt out of certain marketing, targeted advertising, sale, or sharing, limit certain uses of sensitive personal information, appeal a privacy-rights decision where applicable, and complain to a data protection authority or regulator.

To exercise privacy rights, contact us at legal@teamclarity.ai or use any privacy request form we make available.

We will respond to verifiable privacy requests without undue delay and in any event within the time periods required by applicable law (generally within one (1) month under the GDPR, with a possible extension of up to two (2) additional months for complex requests, and within forty-five (45) days under California law, with a possible extension of an additional forty-five (45) days where reasonably necessary). We may need to verify your identity before responding. If you submit a request on behalf of someone else, we may require proof of authorization.

If your request concerns Customer Data processed by one of our customers, we may refer your request to that customer or require you to contact that customer directly.

We will not discriminate against you for exercising privacy rights.

15. GDPR and European Privacy Rights

If you are in the European Economic Area, United Kingdom, or Switzerland, you may have the right to request access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and human review of certain automated decisions where applicable.

You may also have the right to lodge a complaint with your local data protection authority. We encourage you to contact us first so we can try to resolve your concern.

For GDPR-related requests, contact:

legal@teamclarity.ai

EU/UK Representative (GDPR Article 27 / UK GDPR):

Team Clarity / Iron Gorilla
Sos. Morarilor 2 B, Et. 3, Cam. 11
Cod 022452
Bucharest, Romania

16. California and Other U.S. State Privacy Rights

This section applies to residents of California and, where applicable, residents of other U.S. states with similar privacy laws.

In the past 12 months, we may have collected the following categories of personal information: identifiers; commercial information; internet or electronic network activity; professional or employment-related information; approximate geolocation derived from IP address; audio, electronic, or similar communications information if you communicate with us; inferences related to product usage, preferences, or account activity; sensitive personal information such as account login credentials, API keys, OAuth tokens, security information, and payment-related information; and Customer Data or other content you submit to the Services.

We collect these categories from you, your organization, your devices, your use of the Services, connected systems, third-party integrations, service providers, payment processors, security providers, analytics providers, business partners, and publicly available sources.

We use these categories for the purposes described in this Privacy Policy, including providing the Services, account management, billing, security, fraud prevention, analytics, support, product improvement, compliance, and business operations.

We may disclose these categories of personal information to the following categories of recipients for the business purposes described above: identifiers, internet/electronic network activity, and approximate geolocation to infrastructure providers (Amazon Web Services, Cloudflare), security and monitoring providers (Cloudflare, Sentry), communications providers (Resend, Twilio), and business productivity providers (Microsoft 365); commercial information and payment-related sensitive information to payment processors (Stripe); Customer Data, prompts, outputs, and related sensitive information (e.g., API keys, OAuth tokens) to LLM API providers (OpenAI API, Anthropic API, Grok API), infrastructure providers (Amazon Web Services), and customer administrators or connected systems authorized by you or your organization; professional/employment information and inferences to customer administrators, professional advisors (lawyers, accountants, auditors, insurers), and parties involved in corporate transactions; and all categories to law enforcement, regulators, or other parties where required or permitted by law.

We do not sell personal information. We may use analytics tools, cookies, and similar technologies. To the extent that applicable law treats certain analytics, advertising, or cookie disclosures as a “sale,” “sharing,” or targeted advertising, you may opt out through our cookie preference tool, any “Do Not Sell or Share My Personal Information” link we provide, or legally recognized opt-out preference signals such as Global Privacy Control.

We do not knowingly sell or share personal information of individuals under 18.

We do not use or disclose sensitive personal information for purposes that would require a right to limit under California law, except where permitted by law, such as to provide the Services, secure accounts, prevent fraud, process payments, or comply with law.

California and other eligible U.S. residents may request to know/access personal information, request deletion, request correction, opt out of sale or sharing where applicable, limit certain sensitive-information uses where applicable, and exercise non-discrimination rights.

Requests may be submitted to legal@teamclarity.ai or through any privacy request form we make available.

17. New York Privacy and Security

For New York residents, we maintain reasonable administrative, technical, and physical safeguards designed to protect private information, consistent with applicable law. Where required, we will provide notices of breaches involving covered private information to affected individuals and relevant authorities.

Customers are responsible for ensuring they do not submit children’s or minors’ data through the Services unless expressly authorized in writing and legally compliant.

18. Children and Minors

The Services are intended for users who are at least 18 years old. We do not knowingly collect personal information from children or minors as direct users of the Services.

If you believe a minor has provided personal information to us directly, contact us at legal@teamclarity.ai. If the information was submitted by or through one of our customers, contact that customer directly.

19. Marketing Communications

We may send marketing communications to business contacts where permitted by law. You can opt out of marketing emails by using the unsubscribe link in the email or by contacting us.

Even if you opt out of marketing, we may still send transactional, security, billing, support, legal, and service-related communications.

20. Automated Decision-Making

We may use automated systems to detect fraud, abuse, security risks, policy violations, billing risk, performance issues, and service misuse.

We do not use our own account or website data to make decisions that produce legal or similarly significant effects about individuals without appropriate human involvement where required by law.

Customers may configure agents, workflows, models, tools, integrations, or automated actions through the Services. In those cases, the customer is responsible for determining whether its use involves automated decision-making, profiling, or regulated decisions, and for providing required notices, legal bases, human review, and safeguards.

21. Data Processing Addendum

Where your use of the Services involves our processing of personal data on your behalf, our Data Processing Addendum (DPA) forms part of the agreement governing your use of the Services. The current DPA is available on request by contacting legal@teamclarity.ai.

Where a DPA applies, it will govern our processing of Customer Data as a processor or service provider. If there is a conflict between this Privacy Policy and a signed DPA regarding Customer Data, the DPA controls for that processing.

22. Subprocessors and Service Providers

We use third-party service providers and subprocessors to provide the Services. Our current subprocessors are Cloudflare for edge hosting and customer support; Resend for email delivery; Amazon Web Services for application hosting; Microsoft 365 for business productivity and internal operations; Sentry for logging and monitoring; Twilio for SMS and phone verification; Stripe for payment processing; OpenAI API for LLM processing; Anthropic API for LLM processing; and Grok API for LLM processing.

We may update our providers from time to time. Customers may request our current subprocessor list by contacting legal@teamclarity.ai, and enterprise customers may receive additional subprocessor commitments, including notice or objection rights, through a DPA, Order Form, or security addendum.

23. Business Transfers

We may disclose or transfer personal information in connection with a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, corporate transaction, or due diligence related to such transactions.

24. Legal Requests and Compliance

We may disclose personal information if required by law, subpoena, court order, regulator, law enforcement request, legal process, national security request, or where we believe disclosure is necessary to protect our rights, safety, security, users, customers, the public, or the Services.

Where legally permitted and practical, we may notify affected customers of legal requests for Customer Data, but we do not guarantee notice.

25. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be effective when posted or otherwise made available, unless a later effective date is stated.

If we make material changes, we will use commercially reasonable efforts to provide additional notice, such as by email to account holders, an in-product notification, or a notice on our website, before the changes take effect.

26. Contact Us

For privacy questions or requests, contact:

Team Clarity, Inc. DBA Iron Gorilla
1111B S Governors Ave #41605
Dover, Delaware 19904
United States
legal@teamclarity.ai

EU/UK Representative (GDPR Article 27 / UK GDPR):

Team Clarity / Iron Gorilla
Sos. Morarilor 2 B, Et. 3, Cam. 11
Cod 022452
Bucharest, Romania