Privacy Policy

This Privacy Policy describes how Iron Rod AI ("we", "us", or "our") collects, uses, and shares your personal information when you use our website at theironrod.ai and ironrodai.com ("Site") and services ("Services"). This Privacy Policy is incorporated into and forms part of our Terms of Service.

Information We Collect

Information You Provide

We collect information that you provide directly to us when you:

• Create an account
• Subscribe to our services
• Contact our support team
• Use our chat and conversation features

This information may include:

• Name
• Email address
• Date of birth (for age verification and COPPA compliance)
• User credentials (password is stored in hashed form with salt only)
• Profile photo (if you upload one)
• Conversation data (questions, AI responses, and conversation history)
• Bookmarks, notes, and tags you create
• File attachments you upload (e.g., images for AI context)

Information Collected Automatically

When you use our Services, we may automatically collect certain information, including:

• IP address
• Browser type and version
• Device information
• Pages visited and features used
• Date and time of access

This information is used solely for security monitoring, technical troubleshooting, and service operation. We do not use this information for tracking, profiling, or targeted advertising.

How We Use Your Information

We use the information we collect for the following purposes:

• Provide, maintain, and operate our Services
• Process transactions and manage your account
• Send you technical notices, updates, and support messages
• Respond to your comments and questions
• Store conversation history solely to allow you to access and restore your previous conversations
• Automated service operations, such as session recovery and error resolution
• Security monitoring and fraud prevention

Legal Basis for Processing (for EEA Users)

If you are located in the European Economic Area (EEA), we process your personal information based on:

• Contract: Processing your information is necessary to provide our Services to you
• Legitimate Interests: We process information for:
  • Security monitoring and fraud prevention
  • Technical troubleshooting and bug fixes
  • Service performance optimization
  • Aggregate, de-identified analytics for service improvement
  • Feature usage analysis for service improvement and development (anonymized)
• Consent: Where required by law, we will obtain your consent before processing

Data Storage and Security

We take data security seriously and implement appropriate measures to protect your personal information:

• Passwords are never stored in plain text, only in hashed form with salt
• We do not store credit card information; payment processing is handled securely by Stripe
• We maintain reasonable security measures to protect against unauthorized access or disclosure
• Authentication tokens are used to maintain your login state and protect your account. We retain them only as needed for security and service operation
• All connections to our Services are routed through Cloudflare's secure network infrastructure
• We employ Cloudflare's bot protection and security measures to prevent automated attacks
• Our application infrastructure is hosted on enterprise-grade cloud platforms in the United States that maintain industry-standard certifications and implement comprehensive security practices including encryption-at-rest, disk encryption, firewalls, traffic filtering, regular backups, and continuous security monitoring

Cookies and Similar Technologies

Our site uses minimal cookies necessary for functionality:

• Session Cookie: Used to maintain your login state while you use our Services. Depending on your settings, it may persist for a limited period.
• CSRF Protection Token: Used to prevent cross-site request forgery attacks. This is a security cookie.
• Cloudflare Cookies: Used by our security provider for bot protection and to distinguish between legitimate users and automated traffic.

We do not use tracking, advertising, or analytics cookies. We do not respond to Do Not Track signals because we do not track users across third-party websites. You can disable cookies in your browser settings, but this may limit your ability to use certain features of our site.

Third-Party Services

We use third-party services to operate and deliver our Services. We carefully vet all providers to ensure their data practices are compatible with our commitments to you. Third-party providers that process user content (such as AI and search providers) are prohibited by contract or policy from using API data to train their models and are required to limit retention to what is necessary to process the request. Other providers (such as CDNs and font services) serve static assets and are described separately below.

Services You Interact With Directly

• Stripe for payment processing. When you make a payment, your payment information is provided directly to Stripe and is subject to their privacy policy. We only receive tokenized information and do not have access to your full payment details.
• Cloudflare for security, performance, and content delivery. Cloudflare may collect certain information about visitors to our website as described in their privacy policy.
• Cloudflare Turnstile for bot protection and to verify that visitors are human. This service may collect information necessary to distinguish between humans and bots.
• Microsoft for email delivery services. We use Microsoft's email infrastructure to send you account notifications, updates, and support communications. Subject to Microsoft's privacy policy.

Infrastructure and Service Providers

We also use the following categories of third-party providers to operate our Services. We may change or add providers within these categories at any time, provided they meet our data practice standards:

• AI language model providers for generating chat responses, content analysis, content moderation, text-to-speech, and text embeddings. Your queries and conversation content are sent to these providers solely to generate responses. These providers do not use API data for model training and do not retain your data beyond processing the request.
• Search providers for web and content searches performed as part of generating AI responses. Search queries derived from your questions may be sent to these providers.
• Cloud infrastructure providers for hosting our application, database, and related systems in the United States.
• Blockchain infrastructure providers for recording TruthLock™ cryptographic hashes on a public blockchain. Only the hash—not your content or personal information—is transmitted.
• Geolocation services for determining approximate geographic location from IP addresses when share links are viewed. IP addresses are sent to these providers solely for this purpose.
• Content delivery networks for serving frontend libraries used by our website. Your browser makes direct requests to these services, which may receive your IP address and browser information.
• Font services for serving web fonts used on our website. Your browser makes direct requests to these services, which may receive your IP address and browser information.
• Privacy-focused analytics for understanding aggregate, non-logged-in visitor traffic to our public pages (e.g., page views, referral sources). This service is cookieless, does not track individual users, does not collect personal information, and is not used for logged-in users or conversation data. No data from this service is shared with advertisers.

Voice (Read Aloud) Feature

Our optional Read Aloud feature uses third-party text-to-speech technology to convert AI responses (or custom preview text) into spoken audio. When you use this feature, the relevant text is sent to the provider to generate audio, which is then streamed to your device for playback. We do not store the generated audio. Voice is completely optional—you can use Iron Rod AI without ever enabling Read Aloud.

AI Technology

Our conversation features are powered by an agentic AI system that dynamically selects from multiple AI language model providers to generate the best response to your query. When you interact with our AI features, your questions and conversation context may be sent to one or more of these vetted providers solely to generate your response.

All AI language model providers we use meet our strict requirements: they do not train on data submitted through their APIs, and they do not retain your data beyond the immediate processing of your request. We may add or change providers at any time, provided they meet these standards.

All AI model training and improvements for our own proprietary systems are conducted exclusively using non-user data, which includes publicly available doctrinal and scriptural sources from The Church of Jesus Christ of Latter-day Saints, licensed religious content, and synthetic training data we generate internally. Your personal conversations, questions, and account details are never used for model training purposes.

TruthLock™ Verify

TruthLock™ Verify is our proprietary, patent-pending evaluation system that automatically assesses each AI-generated response for accuracy against authoritative sources. The verification process uses AI language model providers and search providers (already described above) to evaluate responses and produce a verification badge, accuracy classification, reasoning, and citations. The verification results are stored as part of your conversation data and are subject to the same data handling practices described in this Privacy Policy.

TruthLock™ Proof of Authenticity (PoA)

TruthLock™ Proof of Authenticity is our proprietary, patent-pending authentication system that creates a cryptographic hash (a one-way mathematical fingerprint) of verified AI responses and records this hash on a public blockchain (Base, an Ethereum Layer 2 network). The hash is computed locally on our servers—your conversation content is never sent anywhere to create it. This allows you to verify that your responses are authentic and unaltered.

What gets hashed (locally on our servers):

• Your question
• The AI response
• TruthLock verification badge and status
• TruthLock reasoning/narrative
• TruthLock citations

What is stored on the blockchain:

• A cryptographic hash (fingerprint) of the above content
• A timestamp of when the response was recorded
• A unique verification code

What is NOT stored on the blockchain:

• The actual text of your questions or responses
• Your name, email, or any personal information
• Any information that could identify you

The cryptographic hash is a one-way function—it is mathematically impossible to reverse the hash to obtain the original content. Your conversations remain private in your account. Because the blockchain record contains only a cryptographic hash and no personal information, blockchain permanence does not affect your right to have your personal data deleted from our systems. Because blockchain records are permanent, the on-chain hash may remain even after you delete your account; it does not contain your content or personal information.

Open Search (Beta)

Our optional open search feature, when enabled by you in your account settings, allows AI-generated responses to draw from general web sources beyond our curated scripture and Church content libraries. When this feature is active, your queries may be processed by AI and search providers without domain restrictions. This feature is designated as beta and is subject to the beta feature terms in our Terms of Service. Open search is completely optional and disabled by default.

Voluntary Sharing Feature

We provide an optional sharing feature that allows you to create a link to share a conversation or individual message. Sharing is completely voluntary and user-controlled. You choose whether to share, who can access the shared content (specific emails, specific domains, or public), and where to share the link (email, social media, etc.).

When you share a response, the full context is always included: your question, the AI response, and TruthLock verification details. This ensures the cryptographic proof remains valid—partial shares would invalidate the Proof of Authenticity. Recipients can use the verification link to confirm the content matches what was originally generated.

Verification page transparency: Public verification pages display our blockchain wallet address and transaction details so anyone can independently verify the proof on the blockchain. No personal information about you is shown on verification pages.

Purpose of TruthLock™:

• For you: Every response is evaluated for accuracy with transparent reasoning and citations, and you can verify your private conversations are authentic and unaltered at any time
• For recipients: If you choose to share, recipients can see the verification results and confirm the authenticity of shared content

International Data Transfers

Your information may be transferred to and processed in the United States where our infrastructure is located. We ensure appropriate safeguards are in place for such transfers by relying on Standard Contractual Clauses with our service providers and their documented compliance frameworks. If you are located in the European Economic Area or other regions with data transfer restrictions, your continued use of our Services constitutes acknowledgment that your data will be processed in the United States under these safeguards.

Data Retention

We retain your personal information for as long as necessary to provide you with our Services and as described in this Privacy Policy. This includes your name, email, hashed password, and conversation history. Conversation data is stored solely to allow you to access and restore your previous conversations. Inactive accounts (no login for 3 or more years) may be flagged for deletion with 90 days advance notice via email to your registered address and notification upon next login attempt. When you request account deletion, all your personal information including your name, email, and conversation history will be permanently deleted from our systems within 30 days.

Children's Privacy

Our Services are designed to be family-friendly and are available to users of all ages. However, for users under the age of 13, we require verifiable parental consent before creating an account in compliance with the Children's Online Privacy Protection Act (COPPA).

We verify parental consent through direct communication with parents via email or phone before activating accounts for users under 13. During registration, users provide their date of birth. If the user is under 13, we block automatic account creation and require a parent or guardian to contact us directly at [email protected] to verify their consent and complete the account setup process.

For account registration, we collect the same limited information (name, email, and date of birth) from all users regardless of age. If you are a parent or guardian and believe your child under 13 has provided us with personal information without your consent, please contact us at [email protected] and we will promptly delete such information.

Data Sharing

We do not sell, trade, or otherwise transfer your personal information to third parties. The only sharing of information occurs with the service providers described in this policy, solely for the purposes of delivering our Services. We do not use your conversation data for AI training, analytics, or any purpose other than providing you with access to your own conversation history and delivering our Services to you.

Security Breach Notification

In the unlikely event of a data breach that may compromise your personal information, we will assess the impact promptly and notify affected users and, where applicable, regulators without undue delay and in accordance with applicable law. For qualifying breaches, we aim to notify users and applicable authorities within 72 hours of becoming aware of the breach.

Your Rights

Depending on your location, you may have certain rights regarding your personal information, including:

• Access to your personal information
• Correction of inaccurate or incomplete information
• Deletion of your personal information
• Restriction or objection to processing
• Data portability—you may request a copy of your data in machine-readable format (JSON) by contacting [email protected] and verifying your identity

How to Request Account Deletion

To delete your account and all associated data, submit a request via support at https://ironrodai.com/support. We will process your request within 30 days. Backup copies of deleted data may remain in our backup systems for up to 7 days before being permanently purged, but these backups are not accessible for operational purposes.

Additional Rights for EEA Users

If you are located in the European Economic Area, you also have the right to:

• Withdraw consent at any time (where processing is based on consent)
• Object to processing based on legitimate interests
• Lodge a complaint with your local data protection authority
• Receive your data access requests free of charge (a fee may apply for manifestly excessive or repetitive requests, as permitted under applicable law)

To exercise these rights, please contact us at [email protected].

Your California Privacy Rights

If you are a California resident, you have the right to:

• Know what personal information we collect, use, and disclose
• Request deletion of your personal information
• Opt-out of the sale of personal information (Note: We do not sell personal information)
• Non-discrimination for exercising your privacy rights

To exercise these rights, contact us at [email protected] with "California Privacy Rights" in the subject line.

Aggregated and Anonymized Data

We may create anonymized or aggregated data from your usage patterns that does not identify you personally. This de-identified data may be used for:

• Service improvement and feature development
• Statistical analysis for service improvement
• Internal benchmarking and feature prioritization

This anonymized data is not considered personal information and is not subject to this Privacy Policy. All analytics for logged-in users and conversation data are performed internally using our custom-built analytics platform; we do not use third-party analytics services for logged-in users or conversation data.

Governing Law

This Privacy Policy and any disputes related to it or our Services shall be governed by the laws of the State of Utah, United States, without regard to conflict of law provisions.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' notice before the updated Privacy Policy takes effect by posting the changes on this page, updating the "Last Updated" date, and making reasonable efforts to notify you (such as by email). Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

Data Protection Officer

Contact Us

Last Updated: February 11, 2026