Privacy Policy
Last updated: June 2026
1. Introduction
Welcome to IQON ("we," "our," or "us"). We are committed to protecting your
privacy and personal information. This Privacy Policy explains how we collect,
use, disclose, and safeguard your information when you use our AI-powered asset
generation platform (the "Service"). By using the Service, you agree to the
collection and use of information in accordance with this policy.
IQON is operated from the Province of Ontario, Canada. Depending on where you
live, you may have additional rights under laws such as Canada's Personal
Information Protection and Electronic Documents Act (PIPEDA), the European Union
and United Kingdom General Data Protection Regulation (GDPR / UK GDPR), and the
California Consumer Privacy Act as amended by the California Privacy Rights Act
(CCPA/CPRA). Region-specific rights are described in Sections 9, 10, and 11.
2. Information We Collect
We collect the following categories of information:
- Account Information: Your email address and authentication credentials
when you create an account, and profile information from third-party sign-in
providers (such as Google) if you choose to use them. - Content You Provide: Website URLs you submit for brand extraction, prompts
and instructions you write, brand guidelines and reference images you upload,
and any other content you provide through the Service. - Generated Content: The AI-generated assets produced through your use of
the Service, along with the prompts and parameters that produced them. - Usage and Analytics Data: How you interact with the Service, including
features used, pages visited, actions taken, preferences set, and aggregated
performance metrics. This is described in detail in Section 6. - Session Replay Data: Privacy-masked recordings of interface interactions
(clicks, navigation, scrolling) used to diagnose bugs and improve usability.
Inputs, prompts, generated images, and sensitive content are masked. See
Section 6. - Payment Information: Subscription and billing details, handled directly by
our payment processor (Stripe). We do not store your full card number or
banking details. - Technical Data: IP address, approximate location derived from IP address,
browser type, device identifiers, and access logs collected automatically when
you use the Service.
3. How We Use Your Information
We use the information we collect for the following purposes, along with the
legal basis where applicable under privacy law:
- Service delivery: Providing, operating, and maintaining the Service
(contractual necessity). - Billing: Processing payments and managing your subscription (contractual
necessity). - Communications: Sending transactional and support messages related to your
account (contractual necessity). - Security and fraud prevention: Detecting, investigating, and preventing
abuse or unauthorized access (legitimate interest). - Service improvement: Analyzing usage patterns, session replays, and
aggregated prompt data to improve the platform, the user experience, and AI
outputs (legitimate interest, or consent where required). - Legal compliance: Meeting our obligations under applicable law, including
tax and financial record-keeping requirements (legal obligation).
We do not sell your personal data. We do not use it to serve you third-party
advertising. We do not use identifiable prompts or generated content to train AI
models without your explicit consent.
4. AI Processing and Third-Party Model Providers
The Service uses third-party AI infrastructure to generate brand assets. You
should be aware that:
- Prompts, brand instructions, and content you submit are transmitted to
Google's Gemini API for processing. Google's data handling practices are
governed by their API terms and privacy policies. - Website URLs you submit are processed by Firecrawl, a third-party web scraping
service, which retrieves and returns the content of those pages on our behalf. - By using these AI-powered features, you consent to your inputs being
transmitted to these providers solely for the purpose of generating your
requested output. - We do not share your account identity with these providers — inputs are
transmitted without personal identifiers where technically feasible.
5. Data Storage, Security, and International Transfers
Your data is stored on servers located in the United States (AWS us-east-2
region), operated by Supabase. We use industry-standard encryption in transit
(TLS) and at rest. Generated assets are stored in secure cloud object storage.
If you are accessing the Service from Canada, the European Union, the United
Kingdom, or another jurisdiction outside the United States, please be aware that
your data will be transferred to and processed in the United States and other
countries where our service providers operate. Where required, such transfers
are made under appropriate safeguards, such as the European Commission's
Standard Contractual Clauses (SCCs) and the UK International Data Transfer
Addendum. By using the Service, you acknowledge and consent to this transfer. We
take reasonable steps to ensure your data receives an adequate level of
protection in accordance with this Privacy Policy.
6. Analytics, Session Replay, and Performance Monitoring
To understand how the Service is used and to improve its reliability and user
experience, we use the following third-party analytics and monitoring tools.
These tools may set cookies or use similar technologies and may process your
data as described below. Where required by law, non-essential analytics and
session replay run only after you provide consent (see Section 7).
- PostHog (product analytics and session replay): Collects product usage
events (such as pages viewed, features used, and conversion steps), an
anonymous device/session identifier, approximate location, and privacy-masked
session replays. Replays mask all text inputs, prompts, uploaded and generated
images, signed URLs, scraped website content, brand kits, project and brand
names, and account identity. We use this to measure product performance,
diagnose issues, and improve the user experience. - Microsoft Clarity (heatmaps and session replay): Collects privacy-masked
replays, heatmaps, scroll depth, and click behavior to help us understand
usability. Microsoft may use this data in accordance with its own privacy
statement. The same masking rules described above apply. - Vercel Analytics (performance): Collects aggregated, anonymized page
performance and Web Vitals metrics. It is not used for advertising and does
not build user profiles. - Sentry (error monitoring): Collects technical error and diagnostic data
(such as stack traces, browser type, and safe identifiers) to detect and fix
bugs. We configure Sentry to exclude prompts, image content, and other
sensitive data.
What we collect through these tools: product usage events, approximate
location, device and browser information, an anonymous analytics identifier, and
privacy-masked interaction recordings. Why we collect it: to operate, secure,
debug, and improve the Service and its user experience, and to understand which
features are valuable. How to opt out or delete it: you can decline
non-essential cookies through our cookie banner, adjust your browser settings, or
contact us at support@tryiqon.ai to request deletion (see Sections 7, 9, 10,
and 11).
7. Cookies and Similar Technologies
We use cookies and similar technologies (such as local storage and pixels) for
the following purposes:
- Strictly necessary: Required to operate the Service, including maintaining
your session, authentication state, and security. These cannot be disabled. - Analytics and performance: Used by the tools described in Section 6 to
understand usage and improve the Service. - Session replay: Used to record privacy-masked interface interactions for
debugging and usability research.
Consent. When you first visit the Service, we present a cookie banner that
lets you accept or decline non-essential (analytics and session replay) cookies.
In the European Union, the United Kingdom, and the EEA, non-essential cookies and
trackers are not loaded until you give consent (opt-in). In other regions,
analytics may run by default and you may decline at any time (opt-out). Your
choice is stored on your device and can be changed at any time by clearing your
browser storage or contacting us. Strictly necessary cookies are always active
because the Service cannot function without them.
We do not use tracking cookies to serve third-party advertising, and we do not
sell cookie data.
8. Data Retention
We retain different categories of data for different periods based on operational
need and legal requirements:
- Account and profile data: Retained for the life of your account. Deleted
within 90 days of account closure, except where retention is required by law. - Generated assets: Retained for the life of your account. Deleted within 90
days of account closure. - Prompts and generation history: Retained for up to 2 years from the date
of creation for fraud prevention, abuse review, and dispute resolution
purposes. After account closure, identifiable prompt data is deleted within 90
days. - Analytics and session replay data: Retained according to our analytics
providers' default retention windows (generally up to 12 months for replays
and longer for aggregated event data), after which it is deleted or anonymized. - Billing and financial records: Retained for 7 years as required by
Canadian tax law (Canada Revenue Agency). - Security and access logs: Retained for up to 1 year for security
monitoring and fraud investigation. - Anonymized and aggregated data: Data that has been stripped of personal
identifiers may be retained indefinitely for analytics and product improvement.
9. Your Rights and How to Exercise Them
Depending on your jurisdiction, you may have the following rights regarding your
personal data:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we correct inaccurate or incomplete information.
- Deletion: Request deletion of your account and associated personal data,
subject to our retention obligations. - Portability: Request your data in a structured, machine-readable format.
- Objection and restriction: Object to or restrict processing based on
legitimate interests. - Withdrawal of consent: Where processing is based on consent, withdraw it at
any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at support@tryiqon.ai with the
subject line "Privacy Request." We will respond within the timeframe required by
applicable law (generally 30 to 45 days). We may need to verify your identity
before processing your request. You may use an authorized agent to submit a
request on your behalf where the law permits.
10. European Union and United Kingdom Rights (GDPR)
If you are located in the European Union, the United Kingdom, or the EEA, IQON
acts as the "data controller" for your personal data. In addition to the rights
listed in Section 9, you have the right to:
- Be informed about how your data is processed (this policy).
- Lodge a complaint with your local supervisory authority (for example, your
national Data Protection Authority, or the UK Information Commissioner's
Office) if you believe your rights have been violated.
The legal bases on which we rely are described in Section 3. Where we rely on
consent — for example, for non-essential analytics and session replay cookies —
you may withdraw that consent at any time through the cookie banner or by
contacting us. International transfers of your data are described in Section 5.
To exercise your rights or contact our privacy team, email support@tryiqon.ai.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California
Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know: Request disclosure of the categories and specific pieces of
personal information we have collected about you, the sources, the business
purposes for collection, and the categories of third parties with whom we
share it. - Right to delete: Request deletion of personal information we have collected
from you, subject to legal exceptions. - Right to correct: Request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell your personal
information, and we do not share it for cross-context behavioral
advertising, as those terms are defined under the CCPA/CPRA. - Right to limit use of sensitive personal information: We do not use or
disclose sensitive personal information for purposes beyond those permitted
under the CCPA/CPRA. - Right to non-discrimination: We will not discriminate against you for
exercising any of your privacy rights.
The categories of personal information we collect are listed in Section 2. We
collect this information for the business purposes described in Section 3 and
share it only with the service providers listed in Section 12, who are
contractually limited to processing it on our behalf. To exercise your
California rights, contact us at support@tryiqon.ai with the subject line
"California Privacy Request." You may also designate an authorized agent to make
a request on your behalf.
12. Third-Party Services
We use the following third-party services, each of which may process your data as
described:
- Supabase: Database, authentication, and file storage (US).
- Vercel: Application hosting, edge network, and performance analytics;
processes all incoming requests (US). - Google Gemini API: AI image and text generation; receives prompts and
brand content you submit. - Google OAuth: Optional sign-in via your Google account.
- Firecrawl: Web scraping service; processes URLs you submit to extract brand
information. - Stripe: Payment processing; handles all billing and subscription data.
- PostHog: Product analytics and session replay.
- Microsoft Clarity: Heatmaps and session replay.
- Sentry: Error and performance monitoring.
Each provider operates under its own terms of service and privacy policy. We
encourage you to review their policies if you have questions about how they
handle your data.
13. User-Generated Content, Copyright, and Takedowns
You are responsible for the content you create, upload, submit, or generate using
the Service, including any prompts, reference images, brand materials, website
URLs you submit for scraping, and AI-generated assets (collectively,
"User Content"). You represent and warrant that you have all necessary rights to
your User Content and that it does not infringe the intellectual property,
privacy, publicity, or other rights of any third party.
Scraped content. When you submit a website URL for brand extraction, you
represent that you are authorized to access and use the content of that site and
that doing so does not violate the target site's terms or any applicable law. We
process URLs you provide solely to deliver the feature you requested and are not
responsible for content you direct us to retrieve.
No monitoring obligation; right to remove. We do not pre-screen User Content,
but we may remove or disable access to any content that we believe, in our sole
discretion, infringes a third party's rights, violates our Terms of Service, or
is otherwise unlawful.
Designated copyright agent and takedown requests. If you believe content made
available through the Service infringes your copyright or other intellectual
property rights, please send a written notice to our designated agent with: (a)
your contact information; (b) identification of the work claimed to be infringed;
(c) identification and location of the allegedly infringing material; (d) a
statement that you have a good-faith belief the use is not authorized; and (e) a
statement, under penalty of perjury, that the information is accurate and you are
authorized to act on the rights holder's behalf.
Designated Copyright / Content Removal Agent
IQON — Attn: Copyright Agent
Email: legal@tryiqon.ai (subject line: "Copyright / Content Removal")
We will review valid notices, remove or disable infringing material where
appropriate, and may notify the user who submitted it. We reserve the right to
terminate, in appropriate circumstances, the accounts of users who are repeat
infringers.
14. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not
knowingly collect personal information from minors. If you believe we have
inadvertently collected information from a minor, please contact us immediately
at support@tryiqon.ai and we will take prompt steps to delete it.
15. Marketing Communications
We will only send you marketing or promotional communications if you have
provided express consent, in accordance with Canada's Anti-Spam Legislation
(CASL). You may withdraw consent and unsubscribe at any time by clicking the
unsubscribe link in any marketing email or by contacting us at
support@tryiqon.ai. Withdrawing consent does not affect the delivery of
transactional messages related to your account or subscription.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of
material changes by posting the updated policy on this page and updating the
"Last updated" date. For significant changes, we will provide additional notice
via email.
17. Contact Us
If you have any questions about this Privacy Policy or our data practices, please
contact us at support@tryiqon.ai. For copyright or content removal requests, use
legal@tryiqon.ai as described in Section 13.