Privacy Policy
(DPF-Compliant – Non-HR Data)

Last Updated: 03/13/26

Legal Entity:
Ironpaper, Inc. (“Ironpaper,” “we,” “us,” or “our”)
[“None”]

Ironpaper is a United States–based organization.

1. Data Privacy Framework Participation

Ironpaper complies with the EU–U.S. Data Privacy Framework (EU–U.S. DPF), the UK Extension to the EU–U.S. DPF, and the Swiss–U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce, with respect to non-human resources personal data transferred from the European Union, the United Kingdom, and Switzerland to the United States.

Ironpaper has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Ironpaper has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the DPF Principles and/or the Swiss-U.S. DPF Principles (DPF Principles), the Principles shall govern. The core Data Privacy Framework Principles include: Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability.

To learn more about the Data Privacy Framework program, and to view our certification, please visit:
https://www.dataprivacyframework.gov

2. Types of Personal Data Collected

Under the DPF, Ironpaper may collect and process the following categories of personal data:

• Identifiers (name, email address, phone number)
• Business contact information (company name, job title)
• Online identifiers (IP address, browser type, device information)
• Marketing and communications data
• Website usage and analytics data

Ironpaper does not collect sensitive personal data unless voluntarily provided.

3. Purposes of Data Collection and Use

Ironpaper collects and uses personal data for the following purposes:

• Providing and delivering marketing and consulting services
• Responding to inquiries and requests
• Managing client and prospect relationships
• Marketing communications and content delivery
• Website analytics, performance, and security
• Legal and compliance obligations

4. Access Rights

Individuals whose personal data is covered by this Privacy Policy have the right to access, correct, amend, or delete their personal data, subject to applicable law.

Access requests may be submitted by contacting us at:
privacy@ironpaper.com

5. Choice and Opt-Out Rights

Individuals may limit the use or disclosure of their personal data by:

• Opting out of marketing communications using unsubscribe links
• Contacting us directly at privacy@ironpaper.com
• Requesting restrictions on certain data uses or disclosures

Where Ironpaper processes data on behalf of a client, individuals may be directed to the relevant client to exercise their choices.

6. Disclosure of Personal Data / Onward Transfers

Ironpaper may disclose personal data to the following categories of third parties:

• Service providers (e.g., hosting, CRM, analytics, email platforms)
• Professional advisors (legal, accounting)
• Government or regulatory authorities when required by law

All onward transfers are subject to contractual obligations consistent with the DPF Principles. Ironpaper remains liable under the DPF if a third party processes personal data in a manner inconsistent with the Principles, unless Ironpaper proves it is not responsible for the event giving rise to the damage.

7. Law Enforcement and Public Authority Requests

Ironpaper may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

8. Data Retention and Security

Ironpaper retains personal data only for as long as necessary to fulfill the purposes outlined in this policy or as required by law.

We implement reasonable administrative, technical, and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction.

9. Privacy Inquiries and Complaints

Questions or complaints regarding this Privacy Policy or Ironpaper’s data practices should be directed to:

Ironpaper, Inc.
Email: privacy@ironpaper.com
Website: https://www.ironpaper.com

10. Independent Dispute Resolution

In compliance with the Data Privacy Framework, Ironpaper commits to resolve complaints about our collection or use of personal data. European Union, United Kingdom, and Swiss individuals with inquiries or complaints regarding our handling of personal data in reliance on the DPF should first contact us using the contact information above.

Ironpaper has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by us, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.

11. Binding Arbitration

Under certain limited conditions, individuals may invoke binding arbitration as a last resort before the Data Privacy Framework Panel. See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction for more information on this process.

12. Enforcement Authority

Ironpaper is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

13. Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be posted on this page with a revised effective date.