Privacy Policy – Ironclad ID

Last updated: 09-02-2026

This privacy policy describes how the Ironclad ID mobile application (“App”) collects, uses, and protects your information.

1. Who we are

Ironclad ID PTY LTD
[email protected]

2. Data we collect and why

The App collects and uses the following data to provide identity verification and related features.

Data	Purpose	Required
Email address	To identify your organisation, sign you in, and link your account.	Yes
Name (e.g. display name, given name)	Obtained from your work/school account for display in the App and for verification.	Yes (for full functionality)
Authentication credentials (tokens)	Stored securely on your device so you can stay signed in and access the service. Used to call our backend and Microsoft identity services.	Yes
App usage / interactions	E.g. generating or verifying codes, so we can provide the service and improve it.	Yes (for core features)

We do not collect your password. Sign-in is handled by Microsoft Entra ID (formerly Azure AD); we only receive tokens and basic profile information (e.g. name, email) that Microsoft provides after you sign in.

3. How we collect and store data

On your device: Email, tenant/organisation choice, and authentication tokens are stored locally using secure storage (and, where needed, backup storage) so the App can work offline and after you close it. Tokens are used to call our servers and Microsoft’s identity services.
Biometric data: The App uses your device’s biometric unlock (e.g. fingerprint or face) only to protect access to the App on your device. We do not receive, store, or transmit your biometric data; it is handled entirely by your device’s operating system.
Over the network: When you use the App, we send the data above to our backend servers and, for sign-in, to Microsoft (Entra ID). Data in transit is protected using standard encryption (e.g. HTTPS).

4. Who we share data with

Our backend services: We send your email, name, and tokens to our own servers to provide verification, codes, and related features.
Microsoft: For sign-in and account linking we use Microsoft Entra ID. Microsoft’s privacy policy applies to their processing: Microsoft Privacy Statement.

We do not sell your personal data. We do not share it with third parties for their marketing.

5. Data retention and your choices

On your device: Stored email, organisation, and tokens remain until you sign out completely or uninstall the App.
On our servers: We retain account information for as long as the user’s account remains active to operate the service. Verification and security-related events may be logged and retained for audit, fraud prevention, and legal compliance purposes, and are deleted or anonymised when no longer required.

You can sign out completely from within the App to clear local auth data; the next time you open the App you will need to sign in again. Uninstalling the App removes data stored on your device.

6. Security

We use industry-standard measures to protect your data, including secure storage on device, encrypted communication (HTTPS), and secure handling of authentication tokens. Access to our backend is restricted and audited.

7. Children

The App is not directed at children. We do not knowingly collect data from children. If you believe a child has used the App and we hold their data, contact us and we will delete it.

8. Changes to this policy

We may update this privacy policy from time to time. We will post the updated policy (e.g. on our website or in the App) and, where required by law, ask for your consent.

9. Contact

For privacy questions, requests, or complaints, contact us at:
[email protected]

For users in the UK/EEA, you may also have the right to lodge a complaint with your local data protection authority.