Privacy Policy

Isorun BV ("Isorun", "we", "us", "our") is a company registered in the Netherlands. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our website (isorun.ai), dashboard (app.isorun.ai), and API services (api.isorun.ai) (collectively, the "Services").

We process personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Dutch data protection law.

1. Data Controller

Isorun BV is the data controller for personal data processed through the Services. Contact us at privacy@isorun.ai.

2. Data We Collect

Account Data

• Email address and name (via Auth0 authentication)
• OAuth provider identifiers (e.g., GitHub, Google)
• Team and project identifiers

Billing Data

• Payment information processed by Stripe (we do not store card numbers)
• Billing address
• Invoice history

Usage Data

• API call metadata (timestamps, sandbox IDs, durations)
• Resource consumption (CPU time, memory allocation)
• Error logs for debugging (no customer code or data)

Website Analytics

• Page views and referrer information via Plausible Analytics (cookie-free, GDPR-compliant)
• No personal identifiers are collected for analytics

3. How We Use Your Data

• Service delivery: To create and manage your account, provision sandboxes, and process billing.
• Infrastructure operation: To maintain, secure, and improve the Services.
• Communication: To send transactional emails (billing receipts, security alerts). We do not send marketing emails without explicit consent.
• Legal compliance: To comply with legal obligations, including tax and financial regulations.

4. Legal Basis for Processing (GDPR Art. 6)

• Contract performance: Processing necessary to provide the Services you requested.
• Legitimate interest: Security monitoring, fraud prevention, and service improvement.
• Legal obligation: Tax records, invoicing, and regulatory compliance.
• Consent: Marketing communications (if opted in).

5. Data Sharing

We share data only with the following categories of processors:

• Auth0 (Okta): Authentication and identity management. auth0.com/privacy
• Stripe: Payment processing. stripe.com/privacy
• Cloudflare: Edge computing, CDN, and DNS. cloudflare.com/privacypolicy
• Plausible Analytics: Cookie-free website analytics. plausible.io/privacy

We do not sell personal data. We do not share data with advertisers.

6. Customer Code and Data

Code and data you execute within sandboxes is ephemeral by default. Sandbox filesystems are destroyed when the sandbox is terminated. We do not inspect, log, or retain the contents of your sandboxes. Audit trail logs (if enabled) contain only metadata (command names, exit codes, timestamps), not your code or data.

7. Data Retention

• Account data: Retained while your account is active. Deleted within 30 days of account closure.
• Billing records: Retained for 7 years as required by Dutch tax law.
• Usage logs: Retained for 90 days, then aggregated and anonymized.
• Sandbox data: Deleted immediately upon sandbox destruction.

8. Your Rights (GDPR)

You have the right to:

• Access your personal data
• Rectify inaccurate data
• Erase your data ("right to be forgotten")
• Restrict processing
• Data portability
• Object to processing based on legitimate interest
• Withdraw consent at any time

To exercise any of these rights, email privacy@isorun.ai. We will respond within 30 days.

9. International Transfers

Your data may be processed in the European Union and the United States. For transfers outside the EU, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and we verify that our processors provide adequate data protection.

10. Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption in transit (TLS 1.3) and at rest
• Hardware-level sandbox isolation (each sandbox runs in its own virtual machine)
• Access controls and audit logging
• Regular security reviews

11. Cookies

We use only essential cookies required for authentication (Auth0 session). We do not use tracking cookies or third-party advertising cookies. Our analytics (Plausible) are entirely cookie-free.

12. Children

The Services are not intended for children under 16. We do not knowingly collect data from children.

13. Changes

We may update this Privacy Policy from time to time. Material changes will be communicated via email or dashboard notification. The "last updated" date at the top of this page indicates the most recent revision.

14. Contact

For privacy inquiries or to exercise your GDPR rights:

Isorun BV
Email: privacy@isorun.ai
Netherlands

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.