Privacy Policy

1. Information We Collect

1.1 Personal Identifiers

Depending on your role and account type, we may collect:

• Full legal name, date of birth, and mailing address
• Email address and phone number
• Social Security Number (SSN) or Taxpayer Identification Number (TIN) -- collected from investors for tax reporting (IRS Forms K-1) and from workers for payroll and employment tax purposes
• Government-issued photo identification (driver's license, passport) for identity verification
• Emergency contact information for workers

1.2 Financial Information

• Investment amounts, capital contribution history, and distribution records
• Bank account and routing numbers for ACH distributions and direct deposit payroll
• Accredited investor documentation (financial statements, tax returns, or third-party verification letters)
• Payroll information, including hourly rates, salary, deductions, and tax withholdings

1.3 Employment Information

• Work history, prior employer references, and professional qualifications
• Industry certifications (welding, OSHA 10/30, forklift operation, hazmat, etc.)
• Drug screening and pre-employment physical results (pass/fail status only -- we do not retain detailed medical reports)
• Background check results
• Workers' compensation claim history

1.4 Device and Technical Data

• IP address, browser type and version, operating system
• Device identifiers and screen resolution
• Referring URLs and pages visited within the Services
• Date, time, and duration of access sessions

1.5 NFC Proximity Data

• Check-in and check-out timestamps recorded by NFC keychain lanyard scans
• Location of the NFC reader within the facility at the time of each scan (e.g., main gate, foundry floor, break room)
• Duration calculations derived from scan pairs (shift length, break duration)

1.6 Production Data

• Items produced per shift attributed to work crews
• Quality control metrics and defect rates
• Equipment operation logs tied to operator IDs

1.7 Dashboard Usage Data

• Login timestamps and session duration
• Pages and features accessed within the portal
• Reports downloaded or generated
• Notification preferences and interaction history

2. How We Collect Information

2.1 Directly From You

We collect information you provide when you:

• Register for an account on any Ironborne portal
• Complete investor onboarding forms, subscription agreements, or accreditation questionnaires
• Submit employment applications, tax forms (W-4, W-9, I-9), or safety acknowledgments
• Communicate with us via email, phone, or through in-app messaging
• Submit support requests or feedback

2.2 Automatically

We collect certain information automatically when you use our Services or are present at our facilities:

• Cookies and Analytics: We use cookies, web beacons, and similar tracking technologies to collect usage data, maintain session state, and improve the Services. You can manage cookie preferences through your browser settings.
• NFC Readers: Installed at facility entry points, work zones, and common areas. NFC readers record timestamps when your assigned NFC keychain lanyard is brought within read range (typically 1-4 centimeters).
• Security Cameras: Closed-circuit video surveillance operates at facility entrances, production areas, loading docks, and parking areas for safety and security purposes.
• Server Logs: Our servers automatically record information about your interaction with the Services, including IP address, request timestamps, and response codes.

2.3 From Third Parties

We may receive information about you from:

• Background Check Providers: Criminal history, employment verification, and reference checks conducted through authorized screening services.
• Credit Reporting Agencies: Credit reports for investor accreditation verification, obtained only with your written consent.
• Identity Verification Services: Confirmation of identity documents submitted during onboarding.
• Government Agencies: Work authorization verification through E-Verify or equivalent systems.

3. How We Use Information

We use the information we collect for the following purposes:

3.1 Account Management and Authentication

To create, maintain, and secure your user account, verify your identity, and manage access permissions appropriate to your role.

3.2 Payroll Processing and Timekeeping

To calculate hours worked from NFC scan data, process payroll, withhold and remit applicable taxes, and maintain employment records as required by law.

3.3 Investment Management and Distribution Calculations

To track capital contributions, calculate investment returns, process distributions, generate tax documents (K-1s), and provide investors with accurate portfolio information.

3.4 Production Tracking and Quality Control

To monitor production output, measure efficiency, maintain quality standards, and generate operational reports for management and investor review.

3.5 Safety Compliance and Emergency Roll Call

To maintain awareness of which workers are present on-site at any given time using NFC data, enabling rapid headcounts during emergencies, evacuations, or safety drills. To track safety training completion and certification currency.

3.6 Legal Compliance and Regulatory Reporting

To comply with applicable federal, state, and local laws and regulations, including SEC reporting obligations, IRS tax filings, OSHA recordkeeping, Texas Workforce Commission requirements, and responses to lawful requests from government authorities.

3.7 Communication

To send operational updates, shift notifications, distribution announcements, safety alerts, regulatory notices, and other communications related to your relationship with Ironborne.

3.8 Service Improvement

To analyze usage patterns, identify technical issues, and improve the functionality, reliability, and security of our Services.

4. How We Share Information

4.1 Service Providers

We share information with third-party service providers who perform services on our behalf, including:

• Payroll processors and benefits administrators
• Banking and financial institutions (for distributions and direct deposit)
• Cloud hosting and data storage providers
• Marketplace platforms used for product sales
• Accounting and tax preparation firms
• Background check and identity verification services

These providers are contractually obligated to use your information only for the purposes of providing their services to us and to maintain appropriate security measures.

4.2 Legal and Regulatory Authorities

We may disclose information to government authorities when required or permitted by law, including:

• SEC filings and securities regulatory inquiries
• OSHA inspections and occupational safety reports
• IRS and state tax authority filings
• Court orders, subpoenas, or other lawful legal process
• Law enforcement requests in connection with investigations

4.3 Co-Investors

Investors may have access to aggregated production data, revenue figures, and operational metrics through the Investor Portal. We do not share any investor's personal information (name, contact details, investment amounts, or financial data) with other investors. All co-investor-visible data is presented in aggregate form only.

4.4 Corporate Transactions

In the event of a merger, acquisition, reorganization, asset sale, or similar corporate transaction, your information may be transferred as part of the transaction. We will notify affected users before their information becomes subject to a different privacy policy.

4.5 No Sale of Personal Information

5. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:

Data Category	Retention Period	Basis
Investor records (personal, financial, tax documents)	7 years after final distribution	IRS recordkeeping, SEC compliance, statute of limitations
Employee records (personnel files, tax forms, certifications)	5 years after termination of employment	EEOC, DOL, OSHA, and state recordkeeping requirements
NFC timekeeping data (check-in/out, location within facility)	3 years	FLSA wage and hour recordkeeping, Texas Payday Law
Security camera footage	90 days (rolling overwrite)	Security and incident investigation purposes
Production data (output, quality metrics, equipment logs)	Indefinite	Business records, operational analysis, investor reporting
Dashboard usage logs (login, pages viewed)	2 years	Security monitoring, service improvement
Cookie and analytics data	13 months	Service improvement, industry standard

When retention periods expire, we securely delete or anonymize the data so that it can no longer be associated with you. Where anonymization is used instead of deletion, the resulting data set cannot be re-identified.

6. Your Rights

Depending on where you reside, you may have specific rights regarding your personal information under applicable privacy laws. Ironborne is committed to honoring these rights regardless of whether we are technically subject to every listed law, to the extent commercially reasonable.

6.1 Texas Data Privacy and Security Act (TDPSA)

If you are a Texas resident, you have the right to:

• Access: Confirm whether we are processing your personal data and access that data.
• Correction: Correct inaccuracies in your personal data.
• Deletion: Request deletion of personal data you have provided or that we have obtained about you.
• Data Portability: Obtain a copy of your personal data in a portable, readily usable format.
• Opt-Out: Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

6.2 California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)

If you are a California resident, you have the right to:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out: Opt out of the sale or sharing of your personal information. As stated above, we do not sell personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Limit Use of Sensitive Personal Information: You may limit our use of sensitive personal information (SSN, financial account numbers) to purposes necessary for providing the Services.

6.3 Illinois Biometric Information Privacy Act (BIPA)

If you are an Illinois resident, or if Illinois law otherwise applies, please see our separate Biometric Information Privacy Policy for detailed information about our collection, use, and storage of biometric information and your rights under BIPA.

6.4 Colorado, Connecticut, Virginia, Utah, Oregon, and Montana Privacy Laws

Residents of these states have rights similar to those described in Sections 6.1 and 6.2, including the right to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising, sale of data, and certain profiling activities. If you reside in one of these states and wish to exercise your rights, please contact us using the information in Section 11.

6.5 European Union and United Kingdom (GDPR/UK GDPR)

If you are located in the EU or UK, you may have the following rights under the General Data Protection Regulation:

• Access: Obtain confirmation of whether we process your personal data, along with a copy of that data.
• Rectification: Request correction of inaccurate or incomplete personal data.
• Erasure: Request deletion of your personal data where there is no legitimate reason for us to continue processing it.
• Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
• Restriction of Processing: Request restriction of processing under certain circumstances.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

Our lawful bases for processing include: performance of a contract (providing Services), compliance with legal obligations, legitimate interests (security, fraud prevention, operational improvement), and consent (where applicable).

6.6 Exercising Your Rights

To exercise any of the rights described above, submit a request to legal@ironborne.us with the subject line "Privacy Rights Request." Please include your full name, the email address associated with your account, your state or country of residence, and a description of the rights you wish to exercise.

We will verify your identity before processing any request. For security purposes, we may ask you to provide additional information to confirm your identity. We will respond to verified requests within the timeframe required by applicable law (typically 45 days for CCPA/CPRA and TDPSA, 30 days for GDPR).

You may designate an authorized agent to make a request on your behalf. Authorized agents must provide proof of written authorization and identity verification.

7. Security Measures

We implement technical, administrative, and physical safeguards to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

7.1 Technical Safeguards

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Multi-factor authentication for all admin and investor accounts
• Role-based access controls limiting data access to authorized personnel
• Automated intrusion detection and monitoring systems
• Regular vulnerability scanning and penetration testing

7.2 Administrative Safeguards

• Employee training on data handling and privacy obligations
• Confidentiality agreements with all employees and contractors
• Documented data breach response procedures
• Regular security policy reviews and updates

7.3 Physical Safeguards

• Restricted physical access to server rooms and data storage areas
• Secure disposal of physical records containing personal information
• Surveillance of facility access points

While we take reasonable measures to protect your information, no method of electronic storage or transmission over the internet is completely secure. We cannot guarantee absolute security of your data.

8. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. All investor account holders must be at least 18 years of age. All worker account holders must be at least 18 years of age, consistent with Texas labor laws governing hazardous occupations.

If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a minor, please contact us at legal@ironborne.us.

9. International Data Transfers

Ironborne Industries is based in the United States. If you access our Services from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we will transfer your personal data only where appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or your explicit consent. By using our Services from outside the United States, you consent to the transfer of your information to the United States as described in this policy.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this page.

For material changes that affect your rights or how we handle your personal information, we will provide prominent notice through the Services and send an email notification to registered users at least thirty (30) days before the changes take effect.

Your continued use of the Services after the effective date of a revised policy constitutes your acceptance of the changes. If you disagree with the updated policy, you should stop using the Services and contact us to request deletion of your account and personal information.

11. Contact and Data Protection Inquiries

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Ironborne Industries LLC
Attn: Data Protection
Hudspeth County, Texas
Email: legal@ironborne.us
Website: ironborne.us

For matters relating to the Wyoming holding entity:

Ironborne Holdings LLC
Email: legal@ironborne.us

If you are not satisfied with our response to a privacy concern, you may have the right to file a complaint with your local data protection authority or the Texas Attorney General's office.