Policies & Disclosures
Introduction
Ironclad Resilience (“Ironclad,” “we,” “our,” or “us”) is committed to protecting the privacy and security of the individuals who engage with our websites, publications, research outputs, and related services (collectively, the “Services”). Our audience consists of professionals who make decisions in high-stakes environments; as such, we approach privacy with institutional rigor. This Privacy Policy explains—clearly and comprehensively—how we collect, use, disclose, store, and protect personal information, and it describes the rights and choices available to you under applicable law.
For purposes of this Policy, “personal information” (also called “personal data”) means any information that identifies, relates to, describes, or could reasonably be linked—directly or indirectly—to an identified or identifiable natural person. Personal information may include, for example, a name and business email submitted to receive our Inner Ring briefing, device identifiers used by analytics tools to help us understand site performance, or records indicating interaction with our affiliate links. Aggregated, de-identified, or anonymized information that cannot reasonably be used to identify you is not treated as personal information and may be used by Ironclad for research, analytics, benchmarking, and service improvement without restriction.
Ironclad generally acts as the data controller, meaning we determine the purposes and means of processing personal information in connection with our public websites, newsletters, and reports. In limited engagements governed by separate contracts—such as a bespoke research workspace for a client—we may operate as a data processor on behalf of that client. Where a separate contract applies, its terms will govern to the extent of any conflict with this Policy.
This Privacy Policy is intended to comply with, and be interpreted consistently with, applicable data-protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA) as amended by the CPRA. Where local law affords you stronger protections than those set out here, we will honor the higher standard. Nothing in this Policy is intended to reduce or waive rights you hold under applicable law.
Your use of the Services is also governed by our Terms of Service, which set out contractual conditions (such as acceptable use and intellectual-property provisions), and informed by our Affiliate Disclosure, which explains how certain outbound links may generate compensation at no extra cost to you. We may also publish a Cookie Notice or similar technology disclosures from time to time. These documents should be read together for a full understanding of how we operate. If there is a direct conflict between this Privacy Policy and another Ironclad policy concerning the handling of personal information, this Privacy Policy will control unless a more specific document expressly states otherwise.
Ironclad does not seek to collect “special categories” of personal data (such as health information, precise geolocation, biometric identifiers, or information about racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership). Please do not submit such information to us. If you nonetheless provide special-category data, you do so voluntarily and at your discretion; we will handle it in accordance with this Policy and applicable law, and we may delete it where appropriate to minimize risk.
We may update this Privacy Policy to reflect changes in law, technology, or our operations. When we make material changes, we will revise the “Last Updated” date at the top of this page and, where appropriate, provide additional notice (for example, via an on-site banner or email to subscribers). Changes take effect on the date posted. Your continued use of the Services after an update constitutes acknowledgment of the revised Policy; however, no update will diminish rights you hold under applicable law.
Controller identity and contact. Ironclad Resilience is operated by [Legal Name of Company], with its registered business address at [Registered Address]. You may contact us about any privacy matter at privacy@ironcladresilience.com.
Scope of This Privacy Policy
This Privacy Policy applies to all personal information collected, processed, or otherwise handled by Ironclad Resilience in connection with the operation of our websites, platforms, communications, and services (collectively, the “Services”). It governs the way we handle information when you interact with us in any capacity — as a casual visitor to our website, a subscriber to our intelligence briefings, a reader of our reports, a participant in surveys or outreach campaigns, or a purchaser clicking through to third-party products or services via affiliate links.
Specifically, this Policy covers the following contexts:
- Websites and online properties. Any Ironclad-owned domain, microsite, or digital platform that links to this Privacy Policy.
- Newsletters and research briefings. Our subscription-based communications, currently distributed via third-party platforms such as Beehiiv, which act as service providers on our behalf.
- Analytics and monitoring tools. Our use of technologies such as Google Analytics 4 (GA4), Hotjar, and other digital engagement trackers that provide insights into how our audience interacts with our Services.
- Affiliate relationships. The tracking and reporting of referrals when you click on affiliate links included within our content.
This Policy does not extend to activities conducted on websites or services operated by third parties, even where those websites are accessible through links embedded in our Services. For example, if you click an affiliate link to a recommended vendor or supplier, the collection and use of your personal information on that vendor’s website will be governed by that vendor’s own privacy policies and terms of service. We do not control, and are not responsible for, the privacy practices of third parties, and we encourage you to review their policies carefully before providing any personal information.
This Policy also does not apply to information that has been irreversibly de-identified or aggregated. Where personal information is modified so that it can no longer reasonably be linked to an identified or identifiable individual, it is considered outside the scope of privacy regulation. Ironclad may use such de-identified or aggregated data freely for research, statistical analysis, and operational improvement.
For clarity, this Policy should be read alongside, and in conjunction with, our Terms of Service and Affiliate Disclosure. The Terms of Service set the contractual conditions for your use of our Services, while the Affiliate Disclosure explains how we may earn compensation from certain product or service referrals. In some cases, we may also issue a standalone Cookie Notice or similar technology-specific disclosure. Collectively, these documents form the legal framework that governs both our obligations to you and the responsibilities you assume by using our Services.
Where conflicts arise between this Policy and other Ironclad policies, this Privacy Policy shall govern with respect to the collection and processing of personal information, unless another document explicitly states that it takes precedence.
Categories of Information We Collect
Ironclad Resilience collects only the information necessary to operate, secure, and improve the Services and to communicate with our audience in a professional context. The categories below describe the types of personal information we process, together with representative examples and clarifications designed to avoid ambiguity.
Personal Identifiers and Contact Details
When you subscribe to our newsletters, request a download, submit a form, or otherwise engage directly with us, we collect personal identifiers that enable us to recognize and contact you. These may include your name, business or personal email address, telephone number if you provide it, and any mailing address you voluntarily supply for correspondence. We use these identifiers to deliver requested materials, respond to inquiries, and manage subscriber preferences. We do not require you to create a persistent user account to access most Services, but when you do supply contact details, we treat them as personal information and handle them in accordance with this Policy.
Professional and Organizational Context
In many interactions our audience chooses to provide professional context—such as job title, organizational affiliation, industry, or areas of responsibility—so that we can tailor communications appropriately. Where you disclose such information, we will associate it with your contact record to maintain relevance and accuracy in our outreach. If you later advise us that such context has changed or is no longer appropriate to retain, we will update or remove it consistent with Section 12 (Your Rights) and Section 10 (Retention).
Device, Technical, and Network Information
When you visit our websites, certain technical data are collected automatically by your browser and our hosting environment so that pages can be served securely and reliably. This includes your Internet Protocol (IP) address, device and operating-system type, browser type and version, language settings, referrer URLs, timestamps, general error diagnostics, and similar network-level information. We process these data to establish secure connections, prevent abuse, detect anomalies, and understand the performance of the Services across devices and regions. Absent a lawful basis to link these data to identified users (for example, when you also submit a form), we use them in an aggregated or pseudonymized manner.
Usage and Interaction Data
To understand how readers engage with our pages and to improve clarity and navigation, we collect interaction data such as the pages you view, the sequence of navigation, time on page, click paths, scroll depth, outbound link clicks, and similar engagement signals. These data are typically gathered through analytics tools (for example, Google Analytics 4 and Hotjar) and help us prioritize layout, accessibility, and content decisions. We do not use interaction data to make automated decisions that produce legal or similarly significant effects about you.
Approximate Geolocation
We may infer an approximate geographic location from your IP address, usually at the country or region level. This inference allows us to understand audience distribution, apply jurisdictional settings where required by law, and assess the reach and relevance of our materials. We do not seek precise geolocation (such as GPS-level coordinates) and will not collect it without your explicit consent.
Transaction and Affiliate Interaction Data
Our content occasionally contains affiliate links to third-party products or services. When you click such a link, our affiliate partner may record that a referral originated from Ironclad, and, if you later complete a purchase, may report that fact to us for attribution and compliance. The information we receive is limited to referral and conversion metadata (for example, that a given link was clicked and a transaction occurred). We do not collect or store payment card numbers, bank details, or other sensitive financial information; those are processed directly by the third-party vendor under its own policies.
Correspondence, Support, and Survey Responses
If you contact us—via email, our Contact page, or other channels—we process the content of your message along with any identifiers you include so that we can respond and maintain appropriate records. From time to time we may invite readers to complete short surveys to improve the relevance of our work. Where survey responses contain personal information, we handle them in accordance with this Policy and, where feasible, aggregate or de-identify results for analysis.
Preference, Segmentation, and Inference Data
In the course of maintaining a professional relationship, we may derive limited inferences about your interests based on your explicit choices (for example, newsletters you subscribe to) and observable engagement (for example, whether you consistently read long-form analyses versus product briefs). We use these inferences narrowly—to send fewer, more pertinent communications—and not for automated decision-making that produces legal or similarly significant effects. You may opt out of such personalization at any time using the mechanisms described in Section 12.
Publicly Available and Third-Party-Sourced Information
Where lawful and appropriate in a B2B context, we may supplement our records with publicly available professional information (for example, a business email associated with a corporate domain or a publicly listed role on an organization’s website) to confirm that we are addressing communications to the right professional audience. We do not purchase consumer dossiers, and we do not combine public data with sensitive categories to create profiles about individuals.
Special Categories and Sensitive Information
Ironclad does not seek to collect special categories of personal data as defined by applicable law—such as health data, precise geolocation, biometric identifiers, or information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership. We ask that you do not include such information in correspondence or form submissions. If you nonetheless choose to provide it, you do so voluntarily; we will minimize, restrict, or delete such data where appropriate to reduce risk, and we will treat any residual processing in accordance with the strictest applicable legal standard.
Children’s Information
Our Services are designed for a professional audience. We do not knowingly collect personal information from individuals under the age of sixteen. If we become aware that we have inadvertently collected such information, we will delete it promptly and take steps to prevent similar collection going forward.
How We Collect Information
Ironclad Resilience gathers personal information through a combination of direct disclosures, automated technologies, service providers, affiliate partners, and lawful public sources. Each method of collection is designed to be proportionate, transparent, and limited to what is necessary for the purposes described in this Policy.
Direct Disclosures
We collect information that you voluntarily provide in the course of professional interaction. This includes subscribing to our Inner Ring briefing, requesting downloads of reports or analyses, registering for events, completing surveys, or corresponding with us by email or through the Contact page. In each case, you are the source of the personal information, and we use it only in line with the purposes outlined in this Policy.
Automated Collection via Our Websites
When you visit our websites, certain information is collected automatically through server logs and browser interactions. This includes IP addresses, device identifiers, browser type and version, referrer URLs, error diagnostics, and similar technical data. We also deploy cookies and analytics tools such as Google Analytics 4 and Hotjar to understand navigation paths, time on page, scroll depth, and other interaction metrics. Non-essential cookies are placed only with your consent, and you can adjust your preferences through your browser or our cookie banner.
Service Providers Acting on Our Behalf
We use carefully selected service providers to operate essential functions of our Services. For example, Beehiiv manages our newsletter distribution and subscriber records, while hosting providers deliver website content securely. These service providers process information strictly under our instructions and subject to contractual obligations that limit their use of data to the provision of their services.
Affiliate Partners and Tracking Mechanisms
When you click on an affiliate link within our content, the affiliate partner may assign a unique tracking identifier to attribute the referral. If a transaction is completed, the partner may report metadata back to us confirming the referral and conversion. We do not collect or store payment card numbers, bank account details, or other sensitive financial information; such information is processed exclusively by the vendor under its own policies. Our role is limited to receiving referral data sufficient for compliance and program evaluation.
Publicly Available Professional Sources
In limited circumstances, particularly for B2B outreach, we may consult publicly available professional directories or corporate websites to confirm subscriber eligibility or ensure our communications reach the appropriate professional audience. We do not acquire consumer marketing profiles, and we do not combine public data with sensitive categories of personal information.
Combined and Derived Data
Where lawful, we may combine information from different sources to create a more accurate record. For example, we may link a newsletter subscription (direct disclosure) with website engagement data (automated collection) to understand readership behavior. We may also derive limited inferences—such as interest in a specific risk domain based on articles read—to tailor communications. These inferences are narrow in scope and are not used for automated decision-making that produces legal or similarly significant effects.
Purposes of Processing
Ironclad Resilience processes personal information for specific, explicit, and legitimate purposes. We do not process data in ways that are incompatible with these purposes, and we do not sell personal information. Below we explain, in detail, why we process information, and how each purpose aligns with the lawful bases described in Section
Provision of Services and Subscriber Management
Our first and most important purpose is to deliver the Services you have requested. When you subscribe to our Inner Ring briefing, download a research report, or request other resources, we process your personal identifiers so that we can fulfill your request, confirm your subscription status, and respect your opt-in or opt-out preferences. Without processing these details, we could not provide the Services.
Communication and Relationship Management
We process information you provide when contacting us — such as names, email addresses, and message content — to respond to inquiries, resolve issues, and maintain professional correspondence. We may retain such communications for a limited period to demonstrate compliance, improve service quality, and establish a record of our interactions.
Continuous Improvement and User Experience
We process interaction data, such as navigation paths and content engagement, to understand how our Services are used. This allows us to refine layout, ensure accessibility, and prioritize resources most relevant to our professional audience. Where feasible, we use aggregated or de-identified data; where identifiers are processed, we minimize and secure them.
Security, Fraud Prevention, and Abuse Control
Technical and network data — including IP addresses, connection diagnostics, and server logs — are processed to maintain the confidentiality, integrity, and availability of the Services. This includes detecting abnormal behavior, investigating potential misuse, blocking malicious traffic, and complying with cybersecurity obligations. Processing for these purposes is essential to safeguard both our systems and our readership.
Analytics, Research, and Reporting
We process data to generate performance metrics about the reach and impact of our work. Analytics tools such as Google Analytics 4 and Hotjar enable us to assess engagement with cornerstone content, evaluate site usability, and make informed editorial decisions. These analyses are typically conducted on aggregated or pseudonymized data, reducing the risk of identification.
Affiliate Attribution and Disclosure Compliance
We process referral and transaction metadata associated with affiliate links to attribute commissions and ensure transparency under our Affiliate Disclosure. This processing is limited to basic referral and outcome information; we do not process payment card data or sensitive financial information.
Personalization of Content and Communications
Where lawful, we may tailor content or outreach based on your explicit subscription choices or observable engagement. For example, subscribers who frequently read financial risk content may receive more relevant resources on that theme. Personalization is optional, limited in scope, and can be declined at any time. We do not conduct automated decision-making that produces legal or similarly significant effects.
Compliance with Legal and Regulatory Obligations
Finally, we process information when necessary to meet obligations under law, regulation, or judicial order. This includes maintaining accounting records, honoring rights requests under GDPR and CCPA/CPRA, and ensuring adherence to advertising and consumer-protection rules. In some cases, processing is required to establish, exercise, or defend legal claims.
Legal Bases for Processing
Under data protection laws such as the EU General Data Protection Regulation (GDPR), the UK GDPR, and comparable regimes, every instance of personal data processing must rest on a lawful basis. Similarly, under the California Consumer Privacy Act (CCPA/CPRA), businesses must disclose the categories of information processed and the business purposes for which they are used. This section explains the legal foundations on which Ironclad Resilience relies.
Consent
In some circumstances, we rely on your explicit consent to process your personal information. Examples include:
- Subscribing to our Inner Ring newsletter or other communications where you actively opt in.
- Accepting non-essential cookies or analytics scripts (e.g., Hotjar session recordings) through our cookie banner.
- Participating in voluntary surveys where you choose to provide responses.
Where consent is the lawful basis, you may withdraw it at any time using the mechanisms described in Section 12. Withdrawal will not affect the lawfulness of processing carried out before consent was withdrawn.
Contractual Necessity
Certain processing is necessary to perform a contract to which you are a party or to take steps at your request prior to entering into a contract. For example:
- Delivering subscription services, reports, or downloads that you have requested.
- Managing your subscription preferences and ensuring you receive the correct communications.
Without this processing, we could not provide the Services you have requested.
Legitimate Interests
We also process personal information where it is necessary for our legitimate interests, provided that those interests are not overridden by your fundamental rights and freedoms. Examples include:
- Understanding how readers use our Services in order to improve usability and relevance.
- Maintaining appropriate business records and ensuring the efficiency of our operations.
- Preventing fraud, misuse, or security threats.
- Personalizing outreach narrowly, so that subscribers receive more relevant communications.
We apply a balancing test to confirm that these interests are proportionate and that your rights are not infringed. You have the right to object to processing based on legitimate interests, as described in Section 12.
Legal Obligations
In some cases, we process personal information because it is necessary to comply with a legal obligation. Examples include:
- Responding to lawful requests from regulatory authorities or law enforcement.
- Maintaining accounting and tax records.
- Honoring statutory rights under GDPR, UK GDPR, or CCPA/CPRA.
Failure to process information for these purposes could place Ironclad in breach of applicable law.
Vital Interests and Public Tasks (Limited Circumstances)
Although not typical in our operations, we may process personal information where necessary to protect someone’s vital interests (e.g., preventing harm) or where required to perform a task in the public interest or pursuant to official authority. These bases are rarely invoked but are included here for completeness in case such situations arise.
Cookies and Tracking Technologies
Ironclad Resilience uses cookies and related technologies to operate, secure, and optimize our Services. This section explains what these technologies are, how we use them, and the choices available to you.
What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They enable websites to recognize your device, remember preferences, and analyze browsing activity. Cookies may be:
- Session cookies: erased when you close your browser.
- Persistent cookies: remain stored until expiration or manual deletion.
We also use related technologies — such as pixel tags, local storage objects, and JavaScript libraries — which function similarly. For simplicity, we refer to all of these as “cookies.”
Categories of Cookies We Use
- Strictly Necessary Cookies
These are essential for basic functionality, such as secure log-in, content delivery, and fraud prevention. They do not require consent.
- Performance and Analytics Cookies
These help us understand how visitors interact with our websites, such as which pages are viewed and how long visitors stay. We use Google Analytics 4 and Hotjar to generate anonymized or pseudonymized reports. Consent is required before these are set.
- Functional Cookies
These remember your preferences (e.g., language settings, display options) to improve your user experience.
- Affiliate Tracking Cookies
When you click affiliate links, a partner may set cookies to attribute referrals and commissions. These cookies contain limited identifiers and do not collect payment card or sensitive financial data.
- Advertising/Targeting Cookies
We do not currently deploy advertising or behavioral targeting cookies. If this changes, we will update this Policy and seek your consent before use.
Third-Party Cookies
Some cookies are placed by third parties providing services on our behalf (e.g., Beehiiv for newsletter delivery, affiliate networks for tracking). These parties may act either as processors (under contract with Ironclad) or, in some cases, as independent controllers with their own obligations. Their privacy notices govern any independent use of data.
Legal Bases for Cookie Use
- Strictly necessary cookies: processed under our legitimate interest in operating secure, functional Services.
- Analytics, functional, and affiliate cookies: processed only with your explicit consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Your Choices and Controls
You have several options for controlling cookies:
- Consent Banner: On your first visit, you can accept or reject non-essential cookies. Your preferences are stored but can be revisited.
- Browser Settings: Most browsers allow you to block or delete cookies. See your browser’s “Privacy” or “Preferences” section for instructions.
- Opt-Out Tools:
  - Google: Google Analytics Opt-out Browser Add-on
  - Hotjar: Do Not Track opt-out
- Do Not Track Signals (DNT): Our Services do not currently respond to DNT signals. You may instead rely on the tools above.
Updates to Cookie Practices
Because technologies evolve, the cookies and tools we use may change. We will update this Policy and, where legally required, re-request consent when introducing new non-essential cookies.
Disclosure of Information to Third Parties
Ironclad Resilience treats personal information as confidential. We do not sell personal information, and we do not “share” personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We disclose personal information only where necessary, proportionate, and consistent with the purposes and legal bases described in this Policy, subject to appropriate contractual and technical safeguards.
Service Providers (Processors) Acting on Our Behalf
We engage carefully vetted service providers to perform functions that enable the Services, including website hosting, newsletter delivery, analytics, security, and infrastructure. These entities act as data processors under our instructions and do not acquire independent rights to use your personal information.
- Contractual safeguards. Each provider is bound by a written data-processing agreement (DPA) that, among other things, limits processing to documented instructions, imposes confidentiality obligations, mandates appropriate technical and organizational security measures, and restricts onward transfers.
- Access minimization. Providers receive only the minimum personal information necessary to perform their function (for example, our newsletter platform receives subscriber email addresses and preference metadata).
- Oversight. We conduct due diligence before onboarding a provider and review material changes over time. Where appropriate, we assess external attestations (e.g., SOC 2/ISO 27001) and incident-response posture.
Illustrative providers include: website hosting and CDN vendors; email/newsletter platform providers (e.g., Beehiiv) for subscription management and delivery; analytics vendors (e.g., GA4, Hotjar) for aggregated engagement insights; and security/monitoring services.
International element. Some providers may process data outside your home jurisdiction. When they do, transfers occur under the safeguards described in Section 9 (International Data Transfers).
Sub-processors of Our Providers
Certain primary providers may engage their own sub-processors for specialized infrastructure (for example, cloud compute, DDoS protection, or email relay services). Our DPAs require primary providers to (i) maintain an up-to-date list of sub-processors, (ii) flow down equivalent data-protection obligations, and (iii) remain fully responsible for their sub-processors’ compliance.
Affiliate and Commercial Partners (Attribution Only)
Where our content includes affiliate links, the applicable affiliate network or merchant may set a limited-purpose identifier to attribute referrals. If a purchase occurs, the partner may report conversion metadata to us (e.g., that a referral resulted in a transaction). We do not receive or store payment card numbers or sensitive financial information; those are processed directly by the merchant under its policies. We use referral metadata solely for (i) attribution and program accounting, (ii) transparency and compliance with our Affiliate Disclosure, and (iii) performance reporting.
CPRA note. Affiliate attribution for commission accounting, as implemented by Ironclad, is not used for cross-context behavioral advertising; therefore we do not “share” personal information for that purpose.
Analytics and Measurement Partners
We use analytics providers to generate aggregated or pseudonymized metrics about how the Services are used (for example, page performance, navigation paths, scroll depth). Where identifiers are processed, we configure tools to minimize data collection consistent with our purposes, and—where required by law—deploy such tools only with your consent (see Section 7). Analytics partners act under contract and are prohibited from using data provided by Ironclad for their own unrelated purposes.
Legal, Regulatory, and Safety Disclosures
We may disclose personal information where we, in good faith, believe such disclosure is necessary to:
- Comply with a lawful request or legal obligation (e.g., subpoena, court order, or regulatory inquiry);
- Establish, exercise, or defend legal claims;
- Investigate, prevent, or respond to suspected fraud, security incidents, or abuse of the Services; or
- Protect the rights, property, or safety of Ironclad, our audience, or the public.
Where legally permissible and practical, we evaluate the scope and validity of each request, seek to limit disclosure to what is strictly required, and, when appropriate, notify affected individuals before producing data.
Business Transactions (Mergers, Acquisitions, Reorganizations)
If Ironclad Resilience is involved in a corporate transaction such as a merger, acquisition, financing, or sale of assets, personal information may be transferred to the relevant counterparty and its advisors for the limited purpose of evaluating and consummating the transaction. Any recipient will be required to honor protections materially consistent with this Policy, and—in the event of a completed transfer—will be bound to use the information only as a successor to Ironclad’s rights and obligations. If a use materially differs from this Policy, we will provide notice and, where required, obtain consent.
Information You Choose to Make Public
If you choose to publish information in a public context (for example, by posting comments on a public platform or participating in public-facing surveys), that information may be viewed, collected, and used by others outside our control. We encourage you to exercise caution when deciding what to disclose in public channels. Where we publish survey results, we typically aggregate or de-identify data to reduce re-identification risk.
Disclosures With Your Explicit Consent
Beyond the scenarios described above, we may disclose personal information to third parties when you expressly authorize us to do so. Consent is granular and may be withdrawn at any time; withdrawal will not affect the lawfulness of disclosures made prior to the withdrawal.
No Sale or “Sharing” for Cross-Context Behavioral Advertising
Ironclad does not sell personal information and does not “share” personal information for cross-context behavioral advertising (as those terms are defined by the CCPA/CPRA). If our practices change in the future, we will update this Policy, provide required opt-out mechanisms, and—where applicable—seek prior consent.
International Data Transfers
Ironclad Resilience is headquartered in the United States. Accordingly, personal information collected through our Services may be transferred to, stored in, or otherwise processed in jurisdictions outside of your own, including the United States. These jurisdictions may have privacy and data-protection laws that differ from those in your country and, in some cases, may not be recognized as providing an equivalent level of protection.
We recognize these differences and implement safeguards designed to ensure that transfers of personal information comply with applicable law and that your rights continue to be protected.
Transfers Within Ironclad Resilience
At present, Ironclad Resilience operates as a single U.S.-based entity. If we expand into additional jurisdictions, personal information may be transferred between group entities. In such cases, transfers will occur under intra-group transfer agreements incorporating contractual protections equivalent to those described in Section 9.3 below.
Transfers to Service Providers and Partners
We engage service providers and technology partners (for example, Beehiiv for newsletters, hosting/CDN providers, analytics platforms such as Google Analytics 4 and Hotjar) that may process data in the United States or across global infrastructure. When personal information is transferred internationally in connection with these services, we require contractual commitments that:
- Processing is limited to our documented instructions;
- Providers must implement appropriate technical and organizational security measures;
- Data may not be transferred onward without equivalent safeguards.
Safeguards for EU/UK/Swiss Personal Data
For individuals located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, international transfers are safeguarded through one or more of the following:
- Adequacy Decisions: Where personal data is transferred to a country recognized by the European Commission, UK Government, or Swiss Federal Council as providing adequate protection.
- Standard Contractual Clauses (SCCs): We incorporate SCCs approved by the European Commission (and, where relevant, the UK International Data Transfer Addendum or UK International Data Transfer Agreement) into our contracts with processors.
- Data Privacy Framework (DPF): Where applicable, transfers to U.S.-based providers participating in the EU–U.S. DPF, UK Extension, or Swiss–U.S. DPF.
- Supplementary Measures: We apply additional technical safeguards (such as encryption in transit and at rest, pseudonymization, and access controls) to mitigate risks identified in transfer impact assessments.
Safeguards for Other Jurisdictions
Where other jurisdictions (e.g., Brazil’s LGPD, Singapore’s PDPA, Canada’s PIPEDA) impose restrictions on cross-border data transfers, we adopt contractual and technical measures consistent with those frameworks before transferring data internationally.
Transparency and Your Rights
- Copies of Safeguards: Where required by law, you may request a copy of the safeguards governing transfers of your personal data (e.g., SCCs) by contacting us via Section 15 (Contact Us).
- Right to Object: In some jurisdictions, you have the right to object to transfers where you believe protections are insufficient. We will assess such objections in light of applicable law and our operational obligations.
Data Retention
Ironclad Resilience retains personal information only for as long as necessary to fulfill the purposes described in this Policy, or as required to comply with applicable laws and regulations. We apply structured retention schedules designed to ensure compliance with the principle of storage limitation (Article 5(1)(e) GDPR) and equivalent obligations under other data-protection frameworks.
Guiding Principles
- Purpose-driven retention: We keep personal information only as long as it serves the specific, legitimate purpose for which it was collected.
- Minimization: Where full retention is not necessary, we either anonymize the data or restrict access until deletion.
- Legal obligations: We retain some categories of information longer when required by law (e.g., tax, accounting, anti-fraud, or compliance recordkeeping).
- Defensibility: Data may be preserved where reasonably necessary to establish, exercise, or defend legal claims, investigations, or regulatory inquiries.
Typical Retention Periods by Category
- Subscriber Data (email addresses, preferences, subscription metadata):
Retained for the active subscription period plus 24 months after opt-out, to ensure suppression lists are honored and avoid re-contacting individuals who have unsubscribed.
- Communications & Correspondence (emails, inquiries, customer support):
Retained for up to 36 months, unless a longer retention is necessary for dispute resolution, compliance, or regulatory recordkeeping.
- Analytics & Technical Logs (GA4, Hotjar, server logs):
- Raw Google Analytics data: typically retained no longer than 26 months.
- Hotjar session data: retained for 12 months unless earlier deletion is requested.
- Server access/security logs: generally retained for up to 12 months.
Aggregated or anonymized data may be kept indefinitely, as it no longer identifies individuals.
- Affiliate Attribution & Financial Records:
Affiliate referral metadata and related accounting records are retained for as long as necessary to complete payment cycles and comply with statutory accounting/tax laws (commonly 7 years under U.S. law).
- Legal/Regulatory Records:
Certain documents, such as consent records, contracts, or dispute-related materials, may be retained for statutory periods mandated by law (commonly between 6–10 years, depending on jurisdiction).
Secure Disposal & Anonymization
When data reaches the end of its retention period:
- Deletion: We securely erase data using cryptographic deletion or secure overwriting methods.
- Anonymization: Where appropriate, personal data is irreversibly anonymized and may be retained indefinitely for business intelligence, research, or reporting purposes.
Exceptions to Standard Retention
We may retain data longer than standard schedules if:
- Required by a legal obligation (e.g., regulatory request, tax audit).
- Necessary to resolve a dispute, enforce agreements, or protect rights.
- Needed to demonstrate compliance with requests to exercise data-subject rights (e.g., erasure, objection).
Transparency
Where required by law (e.g., GDPR Article 13/14, CPRA 1798.100), we disclose retention periods or the criteria used to determine them at the point of collection. Individuals may also request further details regarding applicable retention periods by contacting us as outlined in Section 15 (Contact Us).
Security of Information
Ironclad Resilience applies layered technical, organizational, and administrative measures to safeguard personal information against loss, misuse, unauthorized access, disclosure, alteration, or destruction. While no system can guarantee absolute security, we implement controls designed to reduce risk to a level appropriate to the sensitivity of the information we process.
Technical Safeguards
- Encryption: Data is encrypted in transit using TLS 1.2+ and, where feasible, at rest using AES-256 or equivalent standards.
- Access Management: Role-based access control (RBAC), strong authentication, and periodic access reviews limit data access to authorized personnel only.
- Segmentation: Sensitive data is logically separated from other environments to reduce attack surface.
- Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS), and endpoint monitoring are deployed.
- Logging & Monitoring: Security logs are maintained and monitored for anomalous or unauthorized activities.
- Vulnerability Management: Regular patching, penetration tests, and vulnerability scans are performed.
Organizational Safeguards
- Policies: Documented information-security and acceptable-use policies govern handling of personal data.
- Training: Personnel receive onboarding and ongoing training on data protection, phishing awareness, and secure practices.
- Vendor Risk Management: Service providers undergo due diligence, are bound by contractual security obligations (see Section 8), and are periodically reassessed.
- Confidentiality Commitments: Employees, contractors, and vendors sign confidentiality or NDA agreements.
- Segregation of Duties: Key functions (e.g., system administration, security monitoring, data handling) are separated to mitigate insider risks.
Incident Detection & Response
- Monitoring: We actively monitor infrastructure and applications for indicators of compromise.
- Response Plans: Documented incident-response procedures guide triage, escalation, forensic investigation, and remediation.
- Containment & Recovery: Security events are contained quickly, root causes analyzed, and corrective actions implemented.
- Breach Notification: If a breach of personal information occurs, we notify affected individuals and regulators without undue delay, and within timeframes required by law (e.g., 72 hours under GDPR).
Shared Responsibility with Users
Certain safeguards depend on user action. We encourage subscribers and readers to:
- Use strong, unique passwords and maintain confidentiality.
- Keep systems and browsers updated.
- Avoid transmitting sensitive personal or financial information through unencrypted channels (e.g., plain-text email).
- Notify us promptly of any suspected compromise related to our Services.
Continuous Improvement
Security practices are reviewed and updated regularly in light of evolving threats, regulatory requirements, and technological developments. Where appropriate, we conduct audits, penetration tests, and security assessments against recognized standards (such as NIST CSF and ISO/IEC 27001).
Your Privacy Rights
Ironclad Resilience respects your privacy rights and provides clear mechanisms to exercise them. The exact rights available to you depend on your jurisdiction, but we will honor all legally enforceable requests in accordance with applicable law.
GDPR, UK GDPR, and Similar Frameworks
If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with similar privacy frameworks, you have:
- Right of Access: Obtain confirmation whether we process your data and receive a copy.
- Right to Rectification: Correct inaccurate or incomplete information.
- Right to Erasure (“Right to Be Forgotten”): Request deletion of your personal data, subject to lawful bases for retention.
- Right to Restrict Processing: Temporarily suspend processing (e.g., during a dispute about accuracy).
- Right to Data Portability: Receive your data in a structured, machine-readable format and transfer it to another controller.
- Right to Object: Object at any time to processing for direct marketing or processing based on legitimate interests.
- Rights Against Automated Decisions/Profiling: To not be subject to decisions based solely on automated processing that significantly affect you, unless specific safeguards apply.
CCPA/CPRA (California Residents)
If you are a California resident, your rights under the California Consumer Privacy Act (as amended by the CPRA) include:
- Right to Know: Access categories and specific pieces of personal information collected, used, or disclosed.
- Right to Delete: Request deletion, subject to exceptions (e.g., compliance obligations).
- Right to Correct: Correct inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: Direct us not to sell or share your data for cross-context behavioral advertising. Ironclad does not sell/share personal information in this way but honors opt-out requests.
- Right to Limit Sensitive Information Use: Restrict how sensitive information is processed, if applicable.
- Right to Non-Discrimination: We will not deny services, charge higher prices, or reduce quality if you exercise your rights.
Other Jurisdictions
- Brazil (LGPD): Rights to confirm processing, access, correct, delete, and revoke consent.
- Canada (PIPEDA): Rights to access and correct personal information, with transparency on use/disclosure.
- Australia (Privacy Act): Rights to access, correct, and complain about handling of personal information.
We will comply with local law where it grants additional or different rights.
Exercising Rights
- Requests can be made via the channels listed in Section 15 (Contact Us).
- Where law permits, you may appoint an authorized agent (e.g., under CCPA) if they provide proof of authority.
- We will verify identity before fulfilling requests using reasonable methods proportionate to the sensitivity of the data.
- Response timelines:
- GDPR/UK GDPR: Typically within 1 month, extendable by 2 months for complex cases.
- CCPA/CPRA: Within 45 days, extendable by 45 days when reasonably necessary.
Limits and Exceptions
We may deny or limit a request if:
- The information must be retained to comply with legal or contractual obligations.
- Disclosure would infringe the rights/freedoms of others.
- The request is manifestly unfounded, repetitive, or excessive (in which case a reasonable fee may be charged).
Children’s Privacy
Ironclad Resilience is intended for a professional audience. We do not knowingly collect, use, or disclose personal information from children.
Age Thresholds and Applicability
- United States (COPPA): We do not knowingly collect personal information from children under 13 years of age.
- EEA/UK (GDPR/UK GDPR, Art. 8): We do not knowingly collect personal data from children under 16, unless a lower local age of digital consent (no lower than 13) applies; in such cases, parental/guardian authorization is required.
- Other Jurisdictions: Where local law sets a higher threshold or specific requirements, we comply with that standard.
No Targeting, Profiling, or Child-Directed Features
Our Services, communications, and analytics are designed for adults. We do not design features for minors, run child-directed marketing, or knowingly engage in profiling of children. We also do not knowingly place non-essential cookies for behavioral analysis on users we know to be under the applicable age of consent.
Parental/Guardian Rights and Our Response Process
If you believe a child has provided personal information to Ironclad without appropriate consent:
- Contact us immediately (see Section 15, Contact).
- We will verify the requestor’s identity and relationship to the child (and, where required, request reasonable documentation).
- Upon verification, we will locate and securely delete the child’s personal information from active systems, unsubscribe any email addresses, and disable access related to that submission, except where limited retention is legally required (e.g., to document the request itself).
- Where feasible, we will confirm deletion to the verified parent/guardian.
Age-Gating and Consent Mechanisms
Where required by law or context (e.g., gated resources), we may implement age-gating or require parental/guardian authorization before processing a minor’s data. If such authorization cannot be verified, the transaction will not proceed and any data captured in the attempt will be deleted.
Education-Focused or Exceptional Circumstances
We do not offer child-directed services. If, in an exceptional engagement (e.g., a third-party program) children’s data could be implicated, processing would occur only under a separate contract and lawful basis, with appropriate consents and safeguards clearly documented in advance.
Changes to This Policy
Ironclad Resilience may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal obligations, or business operations. We are committed to transparency in communicating these updates.
Types of Changes
- Material Changes: If we make significant changes—such as expanding categories of data collected, introducing new purposes, or modifying how we share data—we will provide clear and prominent notice before the change takes effect. Where required by law, we will also obtain renewed consent.
- Non-Material Changes: Updates that clarify text, reorganize content, or provide additional details without reducing your rights will be published without advance notice.
How We Provide Notice
Depending on the nature of the change and legal requirements, we may notify you through:
- A banner or notice on our homepage or relevant Service.
- An email or direct communication, if we have your contact information.
- Other equivalent channels, if more appropriate.
Effective Date
Each version of this Privacy Policy will display an Effective Date at the top. The most recent version governs our practices.
Your Continuing Use
By continuing to use our Services after updates become effective, you acknowledge the revised Policy. Where legally required (e.g., GDPR, CPRA), we will seek renewed consent if changes alter the legal basis of processing.
Contact Us
If you have questions about this Privacy Policy, our data practices, or if you wish to exercise your rights, please contact us using one of the methods below. We will acknowledge receipt and respond within the timeframes required by applicable law.
Primary Privacy Contact
Ironclad Resilience
Attn: Privacy Officer
Address: [Insert Registered Business Address]
Email: privacy@ironcladresilience.com
Security issues: security@ironcladresilience.com (for reporting suspected vulnerabilities or incidents)
For sensitive matters, you may request our PGP public key to encrypt your email.
Data Protection Officer (DPO)
If and when a DPO is formally appointed under GDPR/UK GDPR, we will publish the officer’s name and contact details here. Until then, please write to privacy@ironcladresilience.com and address your message “For the attention of the Privacy Officer.”
EU/UK Representative (if required)
If Ironclad becomes subject to Article 27 GDPR/UK GDPR representative obligations, we will designate an EU/UK representative and update their contact information here. Rights requests sent to the representative will be promptly relayed to Ironclad for action.
Submitting a Rights Request
- How to submit: Email privacy@ironcladresilience.com with the subject line “Privacy Rights Request,” stating the right you wish to exercise (access, deletion, correction, objection, portability, etc.).
- Identity verification: To protect your data, we may request reasonable information to verify your identity (e.g., confirmation via the subscribed email account or limited additional details).
- Authorized agents (CCPA/CPRA): If you appoint an agent, we require proof of authorization (e.g., a signed permission or power of attorney). We may also ask you to verify your identity directly with us.
- Response times: We aim to respond within 1 month (GDPR/UK GDPR) or 45 days (CCPA/CPRA). Extensions permitted by law may apply for complex requests; if so, we will inform you.
Do Not Sell or Share (CPRA)
Ironclad does not sell personal information and does not share it for cross-context behavioral advertising. If these practices change, we will provide an opt-out mechanism and update this Policy. For CPRA-related inquiries, contact privacy@ironcladresilience.com or use our future “Do Not Sell or Share My Personal Information” link once available.
Accessibility & Language Support
We are committed to accessible communications. If you need this Policy or a rights-request process in an alternative format or language, contact privacy@ironcladresilience.com and specify your requirements. We will make reasonable accommodations consistent with applicable law.
Complaints to Supervisory Authorities
If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your data protection authority. You may also raise concerns with us first—we will do our best to resolve them quickly.
- EEA DPAs: see the European Data Protection Board’s directory
- UK: Information Commissioner’s Office (ICO)
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
