⚠️
WORKING DRAFT — LEGAL REVIEW NEEDED
This document has not been reviewed by a qualified attorney or Data Protection Officer. Obtain formal legal review before publishing to production. Fields marked [TO BE CONFIRMED] require real values before launch.

Privacy Policy

Last updated: [DATE — to be filled at launch]

1. Who We Are

IRIX ("IRIX," "we," "us," "our") is the data controller for personal data collected through irix.bio. We are based in Bulgaria and process data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Bulgarian data protection law.

Contact for privacy matters: [CONTACT EMAIL — to be added]

2. What Data We Collect

When you join our waitlist or newsletter: Email address.

When you place an order (once our store is live): Name, shipping address, email address, order history, payment confirmation (processed by our payment provider — we do not store full card details).

Automatically, when you visit our site: IP address, browser type and device information, pages visited and time spent (via cookies — see our Cookie Policy).

3. How We Use Your Data

  • Send you the email sequence and updates you signed up for (waitlist, launch announcements, research content)
  • Process and fulfill orders, including shipping and customer service
  • Respond to inquiries you send us
  • Improve our website and understand how visitors use it (via analytics)
  • Comply with legal obligations (e.g. tax and accounting records)

We do not sell your personal data to third parties.

4. Legal Basis for Processing (GDPR Article 6)

Purpose | Legal Basis
Sending waitlist/newsletter emails | Consent (you opted in)
Processing and fulfilling orders | Performance of a contract
Responding to inquiries | Legitimate interest
Analytics/site improvement | Consent (cookie preferences) or legitimate interest
Legal/tax recordkeeping | Legal obligation

5. Third Parties We Share Data With

  • Systeme.io — email list management and automation
  • [Payment processor — to be confirmed, e.g. Stripe] — payment processing once checkout is live
  • [Shipping/fulfillment partner — to be confirmed] — order fulfillment from our EU warehouse
  • [Web hosting/analytics provider — to be confirmed, e.g. Vercel, Google Analytics] — website hosting and traffic analytics

6. International Data Transfers

Our service providers may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses) as required under GDPR.

7. Your Rights Under GDPR

  • Access: request a copy of the personal data we hold about you
  • Rectification: request correction of inaccurate data
  • Erasure: request deletion of your data ("right to be forgotten")
  • Restriction: request that we limit processing of your data
  • Data portability: request your data in a portable format
  • Object: object to processing based on legitimate interest or for direct marketing
  • Withdraw consent: unsubscribe from emails at any time via the link in any email, or by contacting us directly

To exercise any of these rights, contact us at [CONTACT EMAIL — to be added]. We will respond within 30 days as required by GDPR.

You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (КЗЛД) or your local data protection authority.

8. Data Retention

  • Waitlist/newsletter email addresses: until you unsubscribe or request deletion
  • Order data: as required by Bulgarian tax and accounting law (typically up to 10 years for financial records)
  • Inquiry/support communications: up to 2 years from last contact

9. Data Security

We take reasonable technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse. No system is completely secure, and we cannot guarantee absolute security of data transmitted to us.

10. Children's Privacy

Our products and services are not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by an updated "Last updated" date at the top of this page.

12. Contact

Questions about this Privacy Policy or your data: [CONTACT EMAIL — to be added]

See also our Cookie Policy.