Privacy Policy
Last updated: March 27, 2026
1. Introduction
Welcome to IAM Studio ("we", "us", "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform through the web application, native iOS/iPadOS application, or any other authorized client (collectively, the "Service"). We respect your privacy and are committed to protecting it through our compliance with this policy.
By accessing or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
2. Information We Collect
We collect several types of information from and about users of our Service:
2.1 Personal Data
Personally identifiable information that you voluntarily provide when registering or using the Service:
- Full name and display name
- Email address
- Profile picture (via OAuth or manual upload)
- Organization name and role
- Authentication credentials (managed securely via Supabase Auth)
2.2 Usage Data
Information automatically collected when you use the Service:
- IP address, browser type, and operating system
- Device type, screen resolution, and timezone
- Pages visited, features used, and access times
- Referring URL and navigation patterns
2.3 Mobile & Native App Data (iOS/iPadOS)
When using our native iOS or iPadOS application, we may additionally collect:
- Device identifiers: Device model, OS version, and app version for compatibility and crash reporting.
- Push notification tokens: Used exclusively to deliver notifications you have opted into. You may disable push notifications at any time via your device settings.
- Camera and file access: Only when you explicitly choose to upload an attachment or take a photo within the app. We do not access your camera or files in the background.
3. How We Use Your Information
We use the information collected to:
- Create and manage your account and organization.
- Authenticate your identity, including via Google and Microsoft OAuth integrations.
- Provide, operate, and maintain the Service.
- Send important notifications related to your account, projects, and Service updates.
- Process transactions and manage subscriptions via our payment processor.
- Monitor and analyze usage trends to improve the Service.
- Detect, prevent, and address technical issues and security threats.
- Comply with legal obligations and enforce our terms.
4. Third-Party Integrations and OAuth
If you choose to authenticate using third-party services like Google or Microsoft, we collect only the information necessary to provide our Service, such as your name, email address, and profile picture.
Google API Services Limited Use Disclosure: IAM Studio's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we:
- Only use Google user data to provide and improve the app's user-facing features.
- Do not use Google user data for advertising, including retargeting or personalized ads.
- Do not sell Google user data.
- Do not use Google user data for any purpose unrelated to the app's core functionality.
Similarly, our use of information received from Microsoft services adheres to the Microsoft APIs Terms of Use.
5. Payment Processing
Subscription payments are processed by Paddle.com Market Limited ("Paddle"), which acts as our Merchant of Record. Paddle handles all payment data, including credit card numbers and billing addresses. IAM Studio does not store or have access to your full payment card details.
Paddle processes your data in accordance with their own Privacy Policy. Paddle acts as a sub-processor of personal data for the purpose of fulfilling transactions and managing subscriptions.
Note: All payment and subscription management is handled exclusively through the web platform. The native iOS/iPadOS application does not process payments.
6. Disclosure of Your Information
We may share information in the following situations:
- By Law or to Protect Rights: If we believe disclosure is necessary to respond to legal process, investigate or remedy potential violations, or protect the rights, property, and safety of others.
- Service Providers: We share data with third-party providers who perform services on our behalf, including hosting (Supabase / AWS), payment processing (Paddle), email delivery, and analytics.
- Within Your Organization: Information you create or upload within the Service is accessible to members of your organization according to the roles and permissions configured by your organization's administrator.
We do not sell your personal data to third parties.
7. Data Security (SOC 2 Compliance)
We use administrative, technical, and physical security measures to help protect your personal information. Our infrastructure and processes are designed in alignment with the SOC 2 (Type II) Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy.
Security measures include encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, and regular security audits. While we take reasonable steps to protect your data, no method of electronic storage or transmission is 100% secure.
8. Data Retention
- Active accounts: Data is retained for the duration of your account's existence.
- Deleted accounts: Personal data is deleted or anonymized within 30 days of account deletion, except where retention is required by law.
- Backups: Encrypted backups may retain data for up to 90 days before automatic purge.
- Audit logs: Access and security logs are retained for up to 12 months for compliance and security purposes.
9. Your Rights (GDPR & Data Privacy)
In compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws, you have specific rights regarding your personal data:
- Right of Access & Portability: Request access to and obtain a copy of your personal data in a structured, commonly used format.
- Right to Rectification: Request correction of your personal data if it is inaccurate or incomplete.
- Right to Erasure (Right to be Forgotten): Request the deletion of your personal data, subject to legal retention requirements.
- Right to Object & Restrict: Object to or request the restriction of processing your personal data for certain purposes.
- Right to Withdraw Consent: Withdraw your consent at any time where we rely on consent to process your personal information.
To exercise any of these rights, contact us at info@iam-suite.com. We will respond to all legitimate requests within 30 days.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal data we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.
11. Children's Privacy
IAM Studio is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected information from a child under 16, we will take steps to delete such information promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance through the Service or by email. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated Privacy Policy.
13. Contact Us
If you have questions or comments about this Privacy Policy, please contact us at:
IAM Studio
Email: info@iam-suite.com