U.S.A., EEA, United Kingdom, and Switzerland coverage
Effective Date: July 2026 | Last Updated: October 2025
Contents
- Scope and overview
- Definitions
- Roles and responsibilities (Controller vs Processor)
- Personal data we collect and sources
- Personal data we do not access (customer content clarification)
- How we use personal data
- How we disclose personal data
- Cookies and similar technologies
- International data transfers
- Security
- Retention
- Your rights and choices
- Region-specific notices (U.S. states, EEA/UK, Switzerland)
- How to contact us
- Updates to this notice
Appendix A: Data processing as a service provider/processor for customers
Appendix B: U.S. state privacy addendum (template + state-law landscape)
1. Scope and overview
This Privacy Notice explains how Iru and its affiliates (“Iru,” “we,” “us”) collect, use, disclose, and protect information that identifies or could reasonably be linked to an individual (“Personal Data”) in connection with:
- our websites and online properties (including marketing pages and support portals);
- our business-to-business sales, marketing, and customer relationship activities;
- account administration, billing, training, and support interactions;
- our recruiting and hiring activities; and
- our offices and in-person or virtual events (where applicable).
This Notice also describes our role when we process Personal Data on behalf of customers as a service provider/processor through our products and services (see Appendix A).
The legal entities covered by this Privacy Notice are: Iru, Inc., a Delaware corporation, and its wholly owned subsidiaries: Hyrax AI LLC, Kandji UK Limited, Kandji Pty. Ltd., Kandji Japan KK, Kandji Singapore Pte. Ltd., and Accuhive, LLC. Our principal office is located at 2811 Ponce de Leon, PH1, 13th Floor, Coral Gables, Florida 33134, United States. For a complete list of our affiliates and their contact information, please visit [specific URL] or see Section 14 below.
2. Definitions
Automated Decision-Making Technology (ADMT): Any technology that processes Personal Data and uses computation to replace or substantially replace human decision-making, as defined under applicable law, including CCPA/CPRA regulations and GDPR Article 22.
Controller / Business: The entity that determines the purposes and means of processing Personal Data. Under GDPR and UK GDPR, this is called a "controller"; under the Swiss Federal Act on Data Protection (FADP), a "controller"; and under certain US state privacy laws (e.g., CCPA/CPRA), a "business."
Customer Content: Data, files, or information that a customer (or its users) submits to or makes available through the services.
Personal Data: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This includes "personal data" as defined under GDPR Article 4(1) and UK GDPR Article 4(1), "personal data" under Swiss FADP Article 5(a), and "personal information" as defined under applicable US state privacy laws (including CCPA/CPRA).
Processor / Service Provider: The entity that processes Personal Data on behalf of a controller/business under contractual instructions. Under GDPR and UK GDPR, this is called a "processor"; under the Swiss FADP, a "processor"; and under certain US state privacy laws (e.g., CCPA/CPRA), a "service provider" or "contractor."
Sensitive Personal Data/Information: Categories of Personal Data that are subject to heightened protections under applicable law. This includes "special categories of data" under GDPR Article 9 and UK GDPR Article 9 (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or data concerning sex life or sexual orientation); data requiring specific protections under Swiss FADP Article 5(c); and "sensitive personal information" as defined under CCPA/CPRA Section 1798.140(ae) (such as Social Security numbers, precise geolocation, racial or ethnic origin, biometric information, health information, and neural data).
Services: Iru’s products and services, including any associated applications, agents, dashboards, APIs, support tools, and documentation, as applicable.
3. Roles and responsibilities (Controller vs Processor)
We act as a Controller/Business for Personal Data we process for our own purposes, such as operating our websites, marketing and sales, managing contracts and billing, security of our corporate systems, events, and recruiting.
We act as a Processor/Service Provider when we process Personal Data on behalf of a customer under a contract (e.g., under a data processing addendum) to provide the Services. In those cases, the customer is typically the Controller/Business.
If you are an end user of a customer organization and want to exercise privacy rights regarding Customer Content, please contact your organization directly, as they are the controller/business for that data. We will assist our customers in responding to such requests as required by our contractual obligations and applicable law. If you are unable to contact your organization or have not received a response within a reasonable timeframe, you may contact us at [specific email address and/or postal address] and we will forward your request to the appropriate customer organization and work with them to facilitate a response.
4. Personal data we collect and sources of collection
The categories of Personal Data we collect depend on how you interact with us and the context of our relationship. Below are the categories of Personal Data we collect, organized by the type of individual and interaction:
4.1 Website visitors, prospects and business contacts
- Identifiers and device data: IP address, cookie identifiers, browser type and version, device identifiers (such as advertising IDs where applicable), operating system and version, screen resolution, language preferences, referring URL, and approximate geographic location (country and city level) inferred from IP address.
- Contact and professional data you submit: first and last name, business email address, business telephone number, employer name, job title, business address, and any additional information you choose to provide (such as in free-text form fields or communications with us).
- Marketing interaction data: pages viewed, content downloaded (such as whitepapers, case studies, or product documentation), webinar registration and attendance, email opens and clicks (where you have consented or where permitted by applicable law), responses to surveys or promotional campaigns, and information about your interests and preferences that we infer from your interactions with our marketing content.
4.2 Customers, administrators and support users
- Account and administrator data: username, role and permissions within the Services, hashed and salted login credentials, authentication events and logs (including successful and failed login attempts), IP addresses and timestamps used for login sessions, multi-factor authentication settings and device registrations, session tokens, and configuration choices and preferences you set within your account.
- Billing and transactional data: billing contact name and address, invoicing email address, tax identification numbers (where required), purchase order numbers, transaction history, and payment tokens or references (note: payment card details are processed directly by our payment processors and are not stored by Iru).
- Support and communications: support ticket content, file attachments you provide, chat transcripts, email correspondence, and call recordings (where you have been notified and, where required by law, have provided consent).
- Training and community data: course enrollment and completion records, certification credentials, community forum usernames, profile information you provide, and posts or contributions to community forums.
4.3 End users and devices (service telemetry, logs, and device inventory)
The following categories of Personal Data may be collected through the Services, depending on customer configuration and the features enabled:
- Device identifiers: device name, manufacturer and model, operating system and version, serial number, hardware identifiers (such as MAC address), asset tags assigned by the customer, and enrollment dates.
- User/device association data: username, email address, or directory service identifier (such as Active Directory or Azure AD identifiers) linked to a device, and the association history.
- Device posture, inventory, and management actions: list of installed applications and versions, security settings and compliance status, disk encryption status, firewall configuration, command execution logs showing administrative actions taken on devices, and policy enforcement records.
- Audit logs and security events: administrative actions and changes, policy creation and modification logs, user authentication events, access control changes, login attempts (successful and failed), session information, and console access logs.
- Diagnostic data needed to provide support: support bundles generated by the customer and voluntarily shared with Iru, which may include system logs, configuration files, error reports, and performance metrics. Customers control what data is included in support bundles.
4.4 Recruiting and hiring
- Applicant contact details, CV/resume, work and education history, interview notes, references.
- Background checks are conducted only where permitted by applicable law and with appropriate notice and consent. In the United States, background checks comply with the Fair Credit Reporting Act (FCRA) and applicable state laws. In the EEA, UK, and Switzerland, background checks are conducted only where legally permitted under employment law and data protection regulations, with explicit consent where required, and are limited to verification of information provided by the candidate and checks necessary for the specific role.
4.5 Offices and events
- Visitor logs and access records (where applicable).
- Audio/visual recordings (e.g., webinars; event photos) where permitted and with notice.
- CCTV and physical security monitoring: Where Iru operates physical offices or facilities, we may use CCTV cameras and access control systems to protect the security of our premises, employees, and visitors. CCTV is deployed only in common areas and building perimeters, not in private spaces such as restrooms. Signage is posted at monitored locations. Recordings are retained for 60 days unless required for security incident investigation or legal compliance. In the EEA, UK, and Switzerland, CCTV processing relies on our legitimate interest in security, balanced against privacy rights, and complies with applicable CCTV codes of practice.
4.6 Sources
We collect Personal Data from:
- you (directly);
- your organization (e.g., when it creates or administers accounts for the Services);
- your device and browser (automatically); and
- third parties (e.g., resellers, event sponsors, service providers, and public/professional sources), where permitted by law.
4.7 Sensitive data
Iru processes the following categories of data that may be considered sensitive under applicable privacy laws:
Precise geolocation data: When customers enable location-based device management features, the Services may collect precise device location coordinates. This processing is performed only when the customer enables this feature and configures location tracking policies. In the EEA, UK, and Switzerland, this relies on the customer's legitimate interest in device security and recovery. In California and other applicable US states, you may limit the use of precise geolocation data through your device settings or by contacting us.
Government identifiers: For employment verification and background checks (where legally required or permitted), we may collect government-issued identification numbers such as Social Security Numbers (US only), National Insurance Numbers (UK), or similar identifiers. This processing is strictly limited to legal compliance and employment purposes, with appropriate security controls including encryption and access restrictions. In the EU, UK, and Switzerland, processing of national identification numbers requires explicit legal authorization or consent under GDPR Article 9 and equivalent provisions.
Biometric data: Iru does not collect biometric identifiers or biometric information.
Neural data: Iru does not collect neural data (information generated by measuring the activity of a consumer's central or peripheral nervous system), which is classified as sensitive personal information under the California Consumer Privacy Act effective January 1, 2025.
Health information: We do not intentionally collect health information. If you voluntarily provide health-related information (for example, in a support request or accommodation request), we process it only for the stated purpose and protect it as sensitive data under applicable law.
For all sensitive data categories, we implement enhanced security measures, limit access to authorized personnel only, and provide specific notice and obtain consent where required by applicable law.
5. Personal data we do not access (customer content clarification)
Iru does not access or read the content of customer files stored on managed devices (such as documents, emails, photos, or other file contents). Iru’s Services are designed exclusively to manage device configurations, security settings, and compliance posture. Customers retain full control over what data is collected through the Services. Customer file content is not accessed by Iru except in the following limited circumstances:
- The customer explicitly enables a specific Service feature that requires content collection (such as data loss prevention or content filtering features), in which case the customer configures the scope and rules for such collection; or
- The customer voluntarily provides content to Iru for technical support purposes (such as log file attachments, screenshots, or diagnostic support bundles that the customer chooses to generate and share).
This separation is fundamental to Iru's role as a processor of customer data. Customers act as controllers of end-user data collected through the Services and are responsible for providing appropriate notice to their end users about data collection practices they configure.
Customer administrators within your organization may have visibility into device and account data that the customer configures within the Services.
6. How we use personal data
We use Personal Data for the following purposes, subject to applicable law:
- Provide, operate, maintain, and secure the Services and our websites.
- Create and manage accounts; authenticate users; administer subscriptions; process transactions.
- Provide customer support, troubleshoot, and respond to inquiries.
- Monitor, prevent, and investigate fraud, abuse, security incidents, and policy violations.
- Develop and improve products, features, and user experience; perform analytics and reporting.
- Conduct sales, marketing, and promotional communications (subject to your choices).
- Run events and manage office security and visitor access (where applicable).
- Recruit and evaluate candidates; conduct background checks where permitted.
- Comply with legal obligations and enforce our rights; manage disputes and litigation.
Automated decision-making and AI
We use automated systems and artificial intelligence in the following ways:
* Product improvement and analytics: We may use machine learning algorithms to analyze aggregated, de-identified usage patterns to improve Service performance and develop new features. This does not involve individual automated decision-making.
* Customer support: We may use AI-assisted tools to help categorize and route support requests and suggest potential solutions. Final support decisions involve human review.
* Recruiting: We may use automated systems to screen applications against job requirements. However, no hiring decision is made solely through automated means. All candidates who meet basic qualifications are reviewed by human recruiters, and you have the right to request human review of any automated screening decision.
For any processing that constitutes solely automated decision-making with legal or similarly significant effects (within the meaning of GDPR Article 22, sections 50A-50D of the UK Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), or Swiss FADP Article 21), we will: (i) obtain your explicit consent where required; (ii) provide information about the logic involved; (iii) explain the significance and consequences; and (iv) offer the right to human intervention, the ability to express your point of view, and the right to contest the decision.
EU AI Act (Regulation (EU) 2024/1689, transparency obligations applicable from 2 August 2026):
Where our Services incorporate AI systems that interact directly with individuals, we will inform those individuals that they are interacting with an AI system, unless this is obvious from the circumstances. Where we deploy AI systems that generate or manipulate synthetic content, such content will be labeled as artificially generated or manipulated in accordance with Article 50 of the EU AI Act. Where a decision is made on the basis of output from a high-risk AI system listed in Annex III of the EU AI Act that produces legal effects or similarly significantly affects you, you have the right to obtain a clear and meaningful explanation of the role of the AI system in the decision-making process, as provided under Article 86 of the EU AI Act.
California Automated Decision-Making Technology (ADMT):
Where Iru uses automated decision-making technology as defined under the California Consumer Privacy Act to make significant decisions concerning California residents, Iru will provide a pre-use notice and the right to opt out of such processing. You may also request access to information about our use of ADMT, including the logic of the technology and the outcome of the decision as it pertains to you. To exercise these rights, please contact us using the methods described in Section 14.
7. How we disclose personal data
We may disclose Personal Data to:
- Service providers and vendors that support our business (e.g., hosting, customer support, CRM, analytics, payment processing) under appropriate contractual safeguards.
- Affiliates for internal business purposes consistent with this Notice.
- Partners and resellers where needed to support your purchase or where you request integrations.
- Professional advisors (e.g., auditors, insurers, legal counsel) where necessary.
- Authorities or other third parties when required by law or to protect rights, safety, and security.
- In connection with corporate transactions (e.g., merger, acquisition, financing, or sale of assets).
Notwithstanding the foregoing, no mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All other categories of disclosures described in this Section 7 exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
For processing under customer contracts, our current sub-processor list is available at https://www.iru.com/legal/service-providers. We will provide advance notice of any changes to our sub-processor list in accordance with the notice process described in your customer agreement or data processing addendum, typically by email or through our customer portal, allowing you the opportunity to object to such changes as permitted by applicable law and contract.
8. Cookies and similar technologies
We and our service providers may use cookies, pixels, SDKs, and similar technologies on our websites to operate the site, understand usage, and (where permitted) personalize marketing.
8.1 Types of cookies
- Essential: required for website functionality and security.
- Functional: remember preferences and improve performance.
- Analytics: measure and improve site performance (e.g., aggregated usage statistics).
- Advertising/Targeting: deliver and measure advertising; build audiences (where you have consented or where permitted).
8.2 Your cookie choices
Depending on your location, we may display a cookie consent pop-up when you first visit our website. For visitors from the EEA, UK, Switzerland, and California, we obtain opt-in consent before setting any non-essential cookies, in compliance with applicable requirements, including the ePrivacy Directive and UK PECR. For visitors from other U.S. states with applicable privacy laws, we honor opt-out preferences, including the Global Privacy Control (GPC) signal, and provide a “Your Privacy Choices” button. You can change your cookie preferences at any time by visiting our cookie settings page at [insert URL]. Your updated preferences will take effect immediately, and any previously loaded non-essential scripts will be deactivated.
Some browsers support Global Privacy Control (GPC). We recognize and honor GPC signals as a valid opt-out of the sale or sharing of Personal Data in all jurisdictions where required by applicable law, including California, Colorado, Connecticut, and other states that mandate GPC recognition. When we detect a GPC signal, we apply the opt-out preference before any non-essential tracking technologies are activated for that session. You do not need to take any additional action beyond enabling GPC in your browser.
9. International data transfers
Iru is headquartered in the United States and may process Personal Data in the United States, the United Kingdom, Australia, Japan, Singapore, and other jurisdictions where we or our service providers operate. For a current list of sub-processor locations, please visit https://www.iru.com/legal/service-providers. When transferring Personal Data internationally, we use appropriate safeguards as required by law.
For transfers from the EEA, United Kingdom, and Switzerland to countries that do not provide an adequate level of protection, we rely on approved transfer mechanisms such as Standard Contractual Clauses (and the UK Addendum/IDTA, as applicable), Swiss-approved contractual clauses, and supplementary measures as required by law.
10. Security
We maintain administrative, technical, and physical safeguards designed to protect Personal Data against accidental, unlawful, or unauthorized destruction, loss, alteration, access, or disclosure. No method of transmission or storage is completely secure.
Key security controls include access controls, encryption in transit and at rest, regular security assessments, logging and monitoring, and a documented incident response plan.
11. Retention
We retain Personal Data for as long as necessary to fulfill the purposes described in this Notice, including to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods are governed by Iru's internal Retention Policy, which is reviewed and updated periodically to reflect changes in applicable law and business requirements.
Retention periods for personal data are determined based on the type of data and the purpose for which it is processed, in accordance with Iru's Retention Policy. Account and profile information is retained for the duration of the customer relationship plus 3 years. Service usage data is retained for up to 2 years after account closure. Marketing data is retained until consent is withdrawn or after 2 years of inactivity. Legal and compliance records are retained as required by applicable law (typically 6 years). Customer Content is retained for the duration specified in the customer agreement and is subject to customer-controlled deletion and retention settings.
12. Your rights and choices
12.1 Marketing communications
You can opt out of marketing emails by using the unsubscribe mechanism in our messages. You may still receive non-promotional, transactional communications.
12.2 Rights requests
Depending on your location and our relationship to you (Controller vs Processor), you may have rights to request access, correction, deletion, and portability; to object to or restrict certain processing; and (where applicable) to obtain an explanation of the role of any AI system in decisions that significantly affect you. If you reside in a state that provides the right to obtain a list of specific third parties to which your personal data has been disclosed (such as Oregon, Delaware, Minnesota, or Maryland), you may exercise that right by contacting us as described below. We may need to verify your identity before responding.
You may submit a rights request via our webform at [insert URL], by email to privacy@iru.com, or by mail to the address in Section 14. We will verify your identity by matching information you provide with our records and may request additional information if necessary. We will respond to your request within one month (EU/UK/Swiss) or 45 days (US states), with the possibility of extension where permitted by law. If you use an authorized agent, we may require proof of authorization and direct verification. Where required by law, you may appeal a denied request by contacting us at privacy@iru.com with "Privacy Rights Appeal" in the subject line. We will respond to appeals within the timelines required by applicable law.
12.3 Opt-out of targeted advertising and certain disclosures
Where applicable, you may have the right to opt out of targeted advertising, the sale or sharing of Personal Data, and certain profiling. You can exercise these rights by using our cookie preference center, clicking the “Your Privacy Choices” button, or contacting us at privacy@iru.com.
13. Region-specific notices
13.1 European Economic Area (EEA) and United Kingdom
If you are located in the EEA or UK and we process your Personal Data as a Controller, we rely on the following legal bases: performance of a contract (to provide our Services, manage your account, and process transactions); compliance with legal obligations (to meet regulatory, tax, and reporting requirements); legitimate interests (including operating and improving our Services, marketing our products to business contacts, ensuring network and information security, and preventing fraud), where those interests are not overridden by your data protection rights; and, where required, your consent.
Your rights may include access, rectification, erasure, restriction, portability, objection, the right not to be subject to certain automated decision-making, and (where applicable under the EU AI Act) the right to obtain a meaningful explanation of the role of any high-risk AI system in decisions that produce legal effects or similarly significantly affect you.
You have the right to lodge a complaint with a supervisory authority. For a list of EU supervisory authorities, visit https://edpb.europa.eu/about-edpb/board/members_en. For the UK, contact the Information Commissioner’s Office (ICO) at https://ico.org.uk/. In accordance with Section 103 of the UK Data (Use and Access) Act 2025, UK individuals have the right to submit data protection complaints directly to Iru before escalating to the ICO. You may submit a complaint by email to privacy@iru.com, by mail to the address in Section 14, or through our online complaint form at [insert URL]. We will acknowledge your complaint within 30 days of receipt and will take appropriate steps to respond without undue delay, including informing you of the outcome. If you are not satisfied with our response, you may escalate your complaint to the ICO.
13.2 Switzerland
If you are located in Switzerland and we process your Personal Data as a Controller, the Swiss Federal Act on Data Protection (FADP) provides rights including access, data portability, and the ability to request correction or deletion in certain circumstances. Under Article 21 of the FADP, if we make a decision based exclusively on automated processing that has a legal consequence for or a considerable adverse effect on you, we will inform you of the decision and, on request, you may express your point of view and request that the decision be reviewed by a natural person.
You have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/edoeb/en/home.html. For international transfers from Switzerland to the United States and other countries without an adequate level of protection, we rely on Swiss-approved standard contractual clauses (with the necessary Swiss-specific amendments), the Swiss-U.S. Data Privacy Framework (where applicable), and supplementary measures as required by Swiss law.
13.3 United States (state privacy laws)
Certain U.S. state privacy laws grant residents rights to access, delete, correct, obtain a copy of data, and opt out of targeted advertising, sales/sharing, and certain profiling (and to appeal certain decisions). Requirements and applicability thresholds vary by state.
Iru is subject to the California Consumer Privacy Act (CCPA/CPRA) and other applicable U.S. state comprehensive privacy laws, including those enacted in Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Delaware, Montana, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island, among other states, in each case to the extent applicable based on statutory thresholds. We publish required disclosures in this notice and update them as new laws become effective.
Large language model training disclosure: Effective July 1, 2026, under the Connecticut Data Privacy Act, controllers are required to disclose whether they collect, use, or sell personal data for the purpose of training large language models. Iru does not use personal data collected through the Services or our websites to train large language models or generative AI systems.
13.4 California (CCPA/CPRA)
If you are a California resident, you may have rights to know, delete, correct, and opt out of certain disclosures, to limit the use of sensitive personal information (where applicable), and, where we use automated decision-making technology for significant decisions concerning you, to opt out of and request access to such processing. We do not discriminate against you for exercising your rights.
13.4.1 Notice at Collection
(a) Notice at Collection: What categories of Personal Information do we collect?
Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer. In California and certain other countries and US states, it does not include deidentified or aggregate information, or information that is publicly available, such as in governmental records, or that a consumer has made available to the general public.
It is routine for us to collect, process, and store Personal Information about you over the course of your interactions with us.
We collect the following categories of Personal Information:
Personal identifiers: name, business postal address, email address, phone numbers, IP address, online identifiers, cookie identifiers, device identifiers, advertising IDs, account name, username, and hashed login credentials.
Device and hardware information: device name, manufacturer and model, operating system and version, serial number, MAC address, asset tags, enrollment dates, and hardware identifiers.
Financial and transactional information: billing contact name and address, invoicing email address, tax identification numbers (where required), purchase order numbers, transaction history, and payment tokens or references. Payment card details are processed directly by our payment processors and are not stored by Iru.
Internet or other electronic activity information: browsing history on our services, pages viewed, links clicked, content downloaded, search queries within our platform, features accessed, session duration, referral sources, email opens and clicks (where consented or permitted by law), webinar registration and attendance, and interaction patterns with our services.
Commercial information: records of products or services purchased, subscription details, renewal history, and service usage patterns.
Professional information: job title, employer name, department, business contact details, professional credentials, and business communications.
Geolocation data: approximate geographic location (country and city level) inferred from IP address. Precise device location coordinates are collected only when a customer enables location-based device management features within the Services.
Audio and visual information: recordings of calls to our customer support numbers (where notice and, where required, consent has been provided), webinar recordings, event photographs, and CCTV footage if you visit one of our premises.
User and device association data: username, email address, or directory service identifier linked to a managed device, and association history.
Audit and security event data: administrative actions and changes, policy creation and modification logs, user authentication events, access control changes, login attempts, session information, and console access logs.
Inferences: information about your interests and preferences that we infer from your interactions with our marketing content and Services.
Sensitive Personal Information: government-issued identification numbers such as Social Security Numbers (for employment verification and background checks, where legally required); precise geolocation data (where the customer enables location tracking); and login credentials with passwords. Iru does not collect biometric identifiers, biometric information, or neural data.
We collected the same categories of Personal Information in the 12 months prior to the date of this Notice and, where retained, going back to January 1, 2022.
(b) Notice at Collection: What are the purposes for our collection of Personal Information?
We collect Personal Information for our business purposes and to comply with applicable laws, in particular:
- to provide, operate, maintain, and secure the Services and our websites;
- to create and manage accounts, authenticate users, administer subscriptions, and process transactions;
- to provide customer support, troubleshoot issues, and respond to inquiries;
- to monitor, prevent, and investigate fraud, abuse, security incidents, and policy violations;
- to develop and improve products, features, and user experience, and to perform analytics and reporting;
- to conduct sales, marketing, and promotional communications (subject to your choices);
- to run events and manage office security and visitor access;
- to recruit and evaluate candidates and conduct background checks where permitted by law;
- to comply with legal obligations and enforce our rights, manage disputes, and support litigation;
- to facilitate the diligence, negotiation, and completion phases of corporate transactions contemplated by Iru or its subsidiaries; and
- to provide device management, security, and compliance services to our customers as a processor or service provider under their instructions.
(c) Notice at Collection: What criteria do we use to determine how long we retain Personal Information?
We retain Personal Information in accordance with Iru's Retention Policy and as described in Section 11 of this Notice. Retention periods are determined based on: (1) the length of time needed to fulfill the purposes described in this Notice; (2) legal, regulatory, tax, or accounting requirements; (3) our legitimate business interests; and (4) the exercise or defense of legal claims. For category-specific retention periods, see Section 11.
(d) Notice at Collection: Do we sell Personal Information or share Personal Information for purposes of cross-context behavioral advertising?
We do not sell personal information as defined under the California Consumer Privacy Act. We do not share personal information for cross-context behavioral advertising purposes as defined under the CCPA. We do not knowingly sell or share the personal information of consumers under 16 years of age. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes.
California-Specific Disclosures (CCPA/CPRA)
Categories of Personal Information Collected: We collect the following categories of personal information as defined under California Civil Code Section 1798.140: (A) Identifiers; (B) Personal information categories listed in Cal. Civ. Code § 1798.80(e); (D) Commercial information; (F) Internet or other electronic network activity information; (G) Geolocation data; (H) Sensory data; (I) Professional or employment-related information; (K) Inferences drawn from other personal information.
Sensitive Personal Information: We collect the following categories of sensitive personal information: government-issued identification numbers (Social Security Numbers, for employment verification where legally required); account log-in credentials with passwords; and precise geolocation data (where the customer enables location tracking within the Services). Iru does not collect biometric identifiers, biometric information, or neural data.
Business/Commercial Purposes: We use personal information for the following business purposes as defined in Cal. Civ. Code § 1798.140(e): (1) Auditing related to counting ad impressions and verifying quality and positioning of ad displays; (2) Detecting security incidents and protecting against malicious, deceptive, fraudulent, or illegal activity; (3) Debugging to identify and repair errors that impair existing intended functionality; (4) Short-term, transient use, including non-personalized advertising shown as part of a consumer's current interaction, provided the personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction; (5) Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing analytics services, providing storage, or providing similar services on behalf of the business; (6) Providing advertising and marketing services, except for cross-context behavioral advertising; (7) Undertaking internal research for technological development and demonstration; and (8) Undertaking activities to verify or maintain the quality or safety of a service or device.
Category-to-Purpose Mapping and Sale/Sharing Disclosure: The following table identifies the business purposes for which each category of personal information is collected and whether it is sold or shared, as required by CPPA regulations § 7012(e)(1)-(3).
| Category of Personal Information | Business Purposes | Sold | Shared |
|---|---|---|---|
| (A) Identifiers | (1), (2), (3), (5), (7), (8) | No | No |
| (B) Personal information per Cal. Civ. Code § 1798.80(e) | (2), (5), (8) | No | No |
| (D) Commercial information | (1), (5), (7), (8) | No | No |
| (F) Internet or other electronic network activity information | (1), (2), (3), (4), (5), (7), (8) | No | No |
| (G) Geolocation data | (2), (5), (8) | No | No |
| (H) Sensory data | (5), (8) | No | No |
| (I) Professional or employment-related information | (5), (6), (8) | No | No |
| (K) Inferences | (5), (6), (7), (8) | No | No |
| Sensitive Personal Information: Government-issued ID numbers | (2), (5) | No | No |
| Sensitive Personal Information: Account log-in credentials | (2), (3), (5) | No | No |
| Sensitive Personal Information: Precise geolocation data | (2), (5), (8) | No | No |
Categories of Recipients: We disclose personal information to the following categories of third parties: service providers (cloud hosting, payment processing, customer support, analytics, email delivery, and marketing platforms), business partners (integration partners, resellers), affiliates and subsidiaries, legal and regulatory authorities (law enforcement, courts, regulatory agencies), and professional advisors (attorneys, accountants, auditors, insurers).
Retention Criteria: We retain Personal Information in accordance with Iru’s Retention Policy and as described in Section 11 of this Notice. Our retention is based on: (1) the length of time needed to fulfill the purposes described in this notice; (2) legal, regulatory, tax, or accounting requirements; (3) our legitimate business interests; and (4) the exercise or defense of legal claims.
Sale or Sharing: We do not sell or share personal information as those terms are defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). We do not disclose personal information to third parties for monetary or other valuable consideration, and we do not share personal information for cross-context behavioral advertising purposes. California residents have the right to opt out of the sale or sharing of their personal information. To exercise this right, please click the "Do Not Sell or Share My Personal Information" link available at [insert URL], visit our privacy preference center at [insert URL], or email us at privacy@iru.com with "California Opt-Out Request" in the subject line. We will process your opt-out request within 15 business days and will not discriminate against you for exercising this right. We honor opt-out preference signals such as the Global Privacy Control (GPC) as required by California law.
If we collect sensitive personal information, California residents have the right to limit our use and disclosure of such information to uses necessary to perform the services or provide the goods reasonably expected by an average consumer, certain enumerated business purposes, and uses to verify or maintain the quality or safety of our services. To exercise this right, please use our privacy preference center or email privacy@iru.com. We will use all reasonable endeavors to respond within 15 business days.
Additional California Rights: California residents may also exercise the following rights by contacting us using the methods described in Section 14: Right to Know, Right to Delete, Right to Correct, and Right to Non-Discrimination.
Authorized Agents: You may designate an authorized agent to make requests on your behalf. We will require proof of authorization and may require you to verify your identity directly with us.
Response Timing: We will respond to verifiable consumer requests within 45 days. If we require more time (up to 90 days total), we will inform you of the reason and extension period.
Verification Process: To protect your privacy, we will verify your identity before processing requests by matching information provided with our records or requiring account login.
Extended Right to Know: Under the CCPA as amended and CPPA regulations effective January 1, 2026, California residents may request access to personal information collected beyond the preceding 12-month period, going back to January 1, 2022, where Iru retains such data. To submit an extended access request, please use the contact methods described in Section 14. The categories of personal information collected since January 1, 2022 are consistent with those described in Section 4 and the California-Specific Disclosures above. We will respond to verified requests within 45 days (extendable by an additional 45 days where reasonably necessary).
14. How to contact us
You may contact us regarding privacy matters through the following channels:
Email: privacy@iru.com
Mail: Attn: Legal Department, Iru, Inc., 2811 Ponce de Leon, PH1, Coral Gables, FL 33134, USA
Data Protection Officer (EU/UK/Switzerland): For individuals in the European Economic Area, United Kingdom, and Switzerland, our Data Protection Officer can be reached at:
Email: privacy@iru.com
Mail: Attn: Data Protection Officer, Iru, Inc., 2811 Ponce de Leon, PH1, Coral Gables, FL 33134, USA
EU Representative (Article 27 GDPR): Iru is currently evaluating whether appointment of an EU Representative in the European Union is required pursuant to Article 27 GDPR. This section will be updated if and when our assessment reveals the necessity to appoint an EU Representative. In the interim, EU data subjects may contact our Data Protection Officer using the details above.
UK Representative (Article 27 UK GDPR): Iru is not required to appoint a UK representative under Article 27 UK GDPR because Iru has an establishment in the United Kingdom through Kandji UK Limited.
Swiss Representative: Iru is currently evaluating whether appointment of a representative in Switzerland is required under the Swiss Federal Act on Data Protection (FADP) Article 14. In the interim, Swiss data subjects may contact our Data Protection Officer using the details above.
Note: If you are located in the EU, UK, or Switzerland and wish to exercise your data protection rights or raise concerns about our data processing practices, you may contact our Data Protection Officer (listed above). You also have the right to lodge a complaint with your local supervisory authority.
15. Updates to this notice
We may update this Privacy Notice from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes that affect your rights or how we process your personal data, we will provide notice as required by applicable law, which may include:
- Posting a prominent notice on our website or within our Services
- Sending you an email notification to the address associated with your account
- For EU/UK/Swiss users: providing advance notice of material changes as required under GDPR, UK GDPR, and Swiss FADP
- For California residents: updating this notice at least 30 days before the effective date of material changes to rights under CCPA/CPRA
We will update the "Last Updated" or "Effective Date" at the top of this notice. We encourage you to review this Privacy Notice periodically. Your continued use of our Services after changes become effective constitutes acceptance of the revised Privacy Notice, except where additional consent is required by law.
Appendix A: Data processing as a service provider/processor for customers
When Iru provides the Services to a customer, Iru acts as a processor (under GDPR/UK GDPR/Swiss FADP), service provider (under CCPA/CPRA), or similar role under other applicable privacy laws, processing certain Personal Data on the customer’s behalf pursuant to the customer agreement and data processing addendum (DPA). In that context:
- The Customer is responsible for determining what data is collected, used, and made available through the Services.
- Iru processes Customer Content only under documented instructions and as permitted by contract and applicable law.
- Iru implements security measures and supports audits, incident notifications, and data subject requests as described in customer agreements.
- Iru discloses Customer Content to sub-processors only under contract and maintains an up-to-date sub-processor list.
Data Processing Obligations
Sub-Processors: Iru engages sub-processors only under written contract with equivalent data protection obligations. Iru maintains a current list of sub-processors at https://www.iru.com/legal/service-providers and provides advance notice (minimum 30 days for EU/UK/Swiss customers, or as specified in the DPA) before engaging new sub-processors, allowing customers to object on reasonable grounds.
Government Access Requests: Iru will notify customers of government or law enforcement requests for Customer Content unless legally prohibited. Iru will challenge overly broad or unlawful requests where appropriate and will redirect requestors to the customer where possible.
Audit Rights: Customers may audit Iru's compliance with data protection obligations through: (i) review of SOC 2 Type II reports or equivalent third-party certifications provided annually, (ii) completion of reasonable written questionnaires (maximum twice annually), and (iii) on-site audits upon reasonable advance notice (minimum 30 days) and subject to confidentiality obligations, with costs borne by the customer unless the audit reveals material non-compliance.
Security Incident Notification: Iru will notify customers of any personal data breach affecting Customer Content without undue delay and in any event within 72 hours of becoming aware of the breach, providing information required under GDPR Article 33, UK GDPR Article 33, and Swiss FADP Article 24, including nature of breach, categories and approximate numbers of affected data subjects, likely consequences, and mitigation measures.
Data Return and Deletion: Upon termination or expiration of services, Iru will, at the customer's election: (i) return all Customer Content in a commonly used format within 30 days, or (ii) securely delete all Customer Content within 90 days, except where retention is required by applicable law. Iru will provide written certification of deletion upon request.
Cross-Border Transfers: For transfers of personal data from the EU/EEA, UK, or Switzerland to the United States or other third countries, Iru relies on: (i) Standard Contractual Clauses approved by the European Commission (Module 2: Controller-to-Processor and Module 3: Processor-to-Processor), (ii) UK International Data Transfer Agreement/Addendum, (iii) Swiss Federal Data Protection and Information Commissioner approved clauses, and (iv) supplementary measures as required by law.