Privacy policy

PRIVACY POLICY

Last Updated: 03.06.26

IRIS (“we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you:

  • Visit irisnyc.store
  • Purchase an IRIS artwork
  • Activate an IRIS artwork via NFC
  • Create or use an IRIS Portal account
  • Interact with our services

If you do not agree with this Policy, please do not use our services.

1. Structure of the IRIS System

IRIS operates through two separate systems:

  1. Shopify Store — handles payments and shipping
  2. IRIS Portal — handles ownership, activation, and artwork passports

Shopify does not determine ownership.
Ownership is recorded only after NFC activation in the IRIS Portal.

2. Information We Collect

2.1 Information You Provide

When purchasing or activating an IRIS artwork, we may collect:

  • Email address
  • Name (if provided)
  • Shipping address (via Shopify)
  • Activation confirmation
  • IRIS artwork ID
  • Portal login credentials

2.2 Information Collected During Activation

When you scan the NFC chip and activate your artwork, we collect:

  • Artwork ID
  • Activation timestamp
  • Ownership confirmation
  • IP address (for security and anti-abuse)
  • Device/browser metadata

This data is used solely to validate and record ownership events.

2.3 Automatically Collected Data

When visiting our website, we may collect:

  • IP address
  • Browser type
  • Device type
  • Pages visited
  • Referring URLs

We may use cookies for:

  • Site functionality
  • Analytics
  • Security

3. How We Use Your Information

We use collected data to:

  • Process orders (via Shopify)
  • Validate NFC activation
  • Record ownership events
  • Maintain Artwork Passports
  • Provide access to your Portal account
  • Prevent fraud and abuse
  • Improve system performance
  • Comply with legal obligations

We do not sell personal data.

We do not use your data for investment profiling or valuation purposes.

4. Ownership Records

When you activate an IRIS artwork:

  • Your email becomes associated with that artwork’s digital passport
  • Activation is recorded as a permanent event
  • Ownership history may remain permanently attached to the artwork record

Ownership records are factual event logs, not public identity disclosures unless you choose to share them.

5. Data Storage

IRIS stores data using:

  • Secure hosting environments
  • Encrypted connections (HTTPS)
  • Role-based access control
  • Auditable event logs

Ownership and activation records are stored in a relational database (Postgres) and are protected by backend validation.

We take reasonable measures to protect data but cannot guarantee absolute security.

6. Shopify Data

Payments and shipping information are processed by Shopify.

IRIS does not store:

  • Full credit card numbers
  • Payment authentication data

Shopify’s privacy practices are governed by Shopify’s Privacy Policy.

7. Data Retention

We retain data:

  • As long as ownership records exist
  • As necessary for legal compliance
  • For fraud prevention
  • For system integrity

Ownership history may be retained permanently to preserve provenance integrity.

8. Marketplace (Future Phase)

If a peer-to-peer marketplace is introduced:

  • Ownership transfer records will be logged
  • Transaction metadata may be recorded
  • Additional privacy disclosures will be provided

IRIS will not act as a market maker.

9. Your Rights (U.S. + General)

Depending on your jurisdiction, you may have rights to:

  • Access your data
  • Request correction
  • Request deletion (subject to ownership record integrity)
  • Opt out of marketing communications

Note: Ownership history tied to an artwork may not be erasable if required for provenance integrity.


10. Children’s Privacy

IRIS is not directed to individuals under 18.

We do not knowingly collect data from minors.

11. Cookies & Analytics

We may use:

  • Functional cookies
  • Security cookies
  • Analytics tools

You may disable cookies in your browser, though some features may not function properly.

12. Security Measures

We implement:

  • HTTPS encryption
  • Secure backend validation
  • Role-based admin access
  • Activation rate limiting
  • Audit logs

We are not responsible for:

  • Loss of email access
  • Compromised user credentials
  • Third-party infrastructure failures

13. International Users

If you access IRIS from outside the United States, your information may be transferred to and stored in the U.S.

14. Changes to This Policy

We may update this Privacy Policy periodically.

Continued use of IRIS constitutes acceptance of the updated Policy.

15. Contact

For privacy and support-related inquiries: info@irisnyc.store