This is a plain-language summary, not the binding legal text. The full Privacy Notice is available on request.
Privacy summary
How IRIS, operated by MeshWorks Wireless Oy (Finland), handles personal data — in plain language.
Last updated: 7 June 2026
What data we process
- Account data — the email, name, and workspace details of the people who administer an IRIS workspace.
- Alert metadata — the content, severity, routing, and acknowledgement history of alerts you send, used to drive escalation and to produce the audit trail.
- Recipient phone numbers — the contact details of the people you alert. For this data we act as a processor on behalf of you, the tenant; you remain the controller.
Controller, processor & legal bases
For the recipient phone numbers and alert content you push into the platform, you are the controller and MeshWorks Wireless Oy is your processor under a Data Processing Addendum — we process that data only on your documented instructions. Establishing the lawful basis is yours as controller; controllers typically rely on Art. 6(1)(b) (performance of a contract) or Art. 6(1)(f) (legitimate interest in operating safety-critical alerting). See the DPA summary.
For your own operator-account data, the controller is MeshWorks Wireless Oy (Finnish business ID 2119271-8), Hatanpään valtatie 48, 33900 Tampere, Finland. When you sign in to the IRIS dashboard we process your email, a hashed password, and login timestamps to authenticate you, secure the service, and administer billing. Our lawful bases are Art. 6(1)(b) (performance of the Service Agreement), Art. 6(1)(c) (the six-year retention obligation under the Finnish Accounting Act 1336/1997), and Art. 6(1)(f) (detecting login abuse). Recipients of this data are Cloudflare (hosting) and, when paid billing is enabled, Stripe (payment processing, acting as our processor).
When you contact us or start a trial
If you submit the contact form or start a free trial, MeshWorks Wireless Oy is the controller of the details you provide (name, work email, company, phone, and any message), together with technical data your browser sends — your IP address, user-agent, and referring page — which we keep to detect and prevent spam and abuse. Our lawful bases are Art. 6(1)(b) (taking steps at your request before entering a contract — setting up your trial) and Art. 6(1)(f) (our legitimate interest in responding to business enquiries); the box you tick simply confirms you have read this notice. These details are stored within Cloudflare (our processor) and are not shared with any third-party CRM — core records sit in Cloudflare’s EU region, while some globally-distributed edge components hold the minimum needed, covered by our DPA and the EU–US Data Privacy Framework / SCCs. We retain them for up to two years, then delete them; you can ask us to erase them sooner at the privacy address below.
EU data residency
IRIS runs on Cloudflare’s EU infrastructure. Our core database and alerting state — Cloudflare D1 and Durable Objects — are pinned to the EU region. Some edge components (KV and Queues) are distributed across Cloudflare’s global network; the data they hold is minimised and protected under our DPA and the EU–US Data Privacy Framework / Standard Contractual Clauses. Our current subprocessors are listed on the subprocessors page.
International transfers
Where a subprocessor processes personal data outside the European Economic Area, the transfer is protected by an adequacy decision (e.g. the EU–US Data Privacy Framework, where the recipient is certified), the European Commission’s Standard Contractual Clauses (Decision 2021/914), or another lawful mechanism under Chapter V GDPR. The applicable safeguard for each provider is noted on the subprocessors page.
Your GDPR rights
Subject to the conditions in the GDPR, individuals can exercise rights including:
- Access (Art. 15): a copy of the personal data we hold.
- Erasure (Art. 17): deletion of personal data, where applicable.
- Rectification: correction of inaccurate data.
- Opt-out: STOP/START keyword handling on SMS, in 6 languages.
Where IRIS acts as a processor, requests from individuals are routed to you (the controller); we assist as required under the DPA.
Beyond those shown above, you also have the rights to restriction of processing, data portability, and to object to processing carried out on legitimate-interest grounds. You have the right to lodge a complaint with a supervisory authority — in Finland, the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), or the authority in your own country.
IRIS does not carry out automated decision-making or profiling that produces legal or similarly significant effects (GDPR Art. 22).
Retention
We keep personal data only as long as needed to deliver the service and meet legal obligations:
- Recipient numbers & group memberships — for the life of your Service Agreement, then deleted within 30 days of termination unless you instruct otherwise.
- Alert & reply records — 12 months by default; you can configure a shorter window.
- Billing / usage records — six years (Finnish Accounting Act); phone identifiers kept beyond an erasure request are pseudonymised within 30 days.
- Operator-account data — account lifetime plus 12 months.
- Opt-out (STOP) state — kept indefinitely so we can keep honouring your opt-out, until you send START.
Analytics & cookies
This website uses privacy-friendly, cookieless analytics (Cloudflare Web Analytics) and only essential cookies. See the cookie policy.
Making a privacy request
Email [email protected] with your request. The full, binding Privacy Notice is available on request.
MeshWorks Wireless Oy has not designated a Data Protection Officer: our processing does not meet the Article 37(1) GDPR thresholds, and data-protection enquiries are handled at the address above. We will give Customers at least 30 days’ notice of any material change to this notice; the “Last updated” date always reflects the current version.