Legal Protocol

The Iron Vault Protocol

Most apps treat your data as their product. We treat it as your property. This policy outlines how our dual-tier architecture and telemetry systems guarantee your privacy by design.

Last Protocol Update: February 27, 2026

Local First

By default, your tasks live in your device's internal storage. No servers involved.

Hybrid Security

Choose between standard cloud sync (convenient recovery) or the Iron Vault (absolute Zero-Knowledge encryption).

Transparent Telemetry

We use analytics to improve the system, but we respect your 'Do Not Track' signals and offer full opt-out.

1. The Controller

IronTasks is operated from West Europe. We adhere strictly to the General Data Protection Regulation (GDPR), ensuring the highest standard of privacy protection for all users, regardless of your global location.

Our business model relies on premium subscriptions and cosmetic upgrades, not surveillance capitalism. We define "Personal Data" strictly and minimize its collection at every architectural level.

2. Data Collection

Task Data (The "Iron")

This includes task titles, descriptions, habits, and attachments.

Guest Mode: Stored locally (IndexedDB). Never leaves your device.
Iron Cloud: Stored on our servers. Access levels depend entirely on your chosen encryption tier (see "The Vault" below).

Identity & Accounts

Accounts: We store your email, display name, and an authentication ID to facilitate login.
Waitlist: When you sign up for the waitlist, we store your email and a cryptographic hash of your IP address to prevent spam.

Usage Data & Analytics

We use Google Analytics 4 to understand how users interact with our website (e.g., pages visited, time spent).

If Consent Denied: We receive only cookieless, anonymous pings that cannot be linked to you.
If Consent Granted: We collect standard usage data including IP address (anonymized), browser type, and device information.

3. Legal Basis for Processing

Under GDPR Article 6, we process your data based on the following grounds:

  • Contract: When you create an account, we process necessary data (Auth ID, Cloud Blobs) to fulfill our service agreement and sync your devices.
  • Consent: We use cookies for analytics ONLY if you explicitly click "Authorize" on our Telemetry Banner. You may withdraw this consent at any time.
  • Legitimate Interest: We process anonymous telemetry (cookieless pings) and IP hashes to secure the application, debug crashes, and prevent abuse.

4. The Vault: Storage & Encryption

We offer three distinct modes of operation. Your privacy level and our ability to assist with data recovery depend entirely on your choice.

Tier 1: Local (Guest) & BYOS

Data resides 100% on your device. We have zero access. You may optionally use your personal Google Drive ("Bring Your Own Storage") to sync. We act only as an API pass-through and do not store this data on our servers.

Tier 2: Standard Iron Cloud

Your data is stored on our secure infrastructure (EU-hosted). Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Important: In this mode, we manage the encryption keys. This allows you to use the "Forgot Password" feature to recover your account and data, but it means we possess the technical capability to decrypt your data.

Tier 3: The Iron Vault (Zero-Knowledge)

5. Third-Party Sub-processors

Provider | Purpose | Location
Cloudflare | Hosting, Database (D1), Object Storage (R2), Security | Europe (GDPR Compliant)
Supabase | Authentication infrastructure | Germany (AWS Frankfurt)
Stripe / Lemonsqueezy | Payment processing | US / Global
Google (Alphabet Inc.) | Analytics (GA4) - Only if consented | Ireland / US
Google (Optional) | Drive Sync (User-initiated only) | User's Region

6. Data Retention Policy

We adhere to data minimization principles. We do not keep data longer than necessary to provide the service.

Active Accounts

As long as your account is active, your data is retained to allow seamless syncing across your devices.

Account Deletion

If you execute a 'Delete Account' command within the app, your account metadata and all associated cloud files are immediately and permanently deleted from our servers.

Analytics Data

Google Analytics data associated with cookies, user identifiers, or advertising identifiers is automatically retained for 14 months before being permanently deleted.

7. Law Enforcement & Data Access

IronTasks acts as a secure conduit for user data. We require a valid, legally binding request (such as a warrant or court order from an authorized EU jurisdiction) before disclosing any user information. Our ability to comply depends on your security settings:

8. Cookies & Local Storage

We use Local Storage, IndexedDB, and Cookies to provide functionality and analyze usage. You have full control over non-essential cookies.

Essential (Strictly Necessary)

irontasks-data-storage (IndexedDB): The core database containing your task list.
securityStore (IndexedDB): Stores your encryption keys locally.
sb-auth-token: Stores your secure session token.
theme: Stores your Light/Dark preference.

Analytics (Optional)

_ga, _gid: Used by Google Analytics to distinguish users and measure session duration. These cookies are only set if you click 'Authorize' on our Telemetry Banner. If you decline, no analytics cookies are set.

9. Your GDPR Rights

  • Right to Erasure (Right to be Forgotten): You can permanently delete your account and all associated cloud data instantly via the App Settings. No emails to support required.
  • Right to Portability: Your data belongs to you. You can export it at any time via Settings > Data Management in formats including .iron, CSV, HTML, and iCal.
  • Right to Withdraw Consent: You can clear your browser cookies at any time to revoke analytics consent.

10. Technical Appendix

// SECURITY SPECIFICATIONS

ENCRYPTION_ALGORITHM = "AES-GCM"

KEY_LENGTH = 256_bits

KEY_DERIVATION = "PBKDF2 (100,000 iterations)"

TRANSPORT_SECURITY = "TLS 1.3"

DATABASE_STORAGE = "Cloudflare D1 (EU Region)"

BLOB_STORAGE = "Cloudflare R2 (Encrypted at rest)"

Privacy Inquiries:
IronTasks
privacy@irontasks.io