Privacy Policy

Effective: February 1, 2026

This Privacy Policy explains how DBR77 Sp. z o.o. ("DBR77", "we", "us", or "our") collects, uses, discloses, and protects personal data when you use the IRIS AI-Native Plant Operating System and our website at iris.dbr77.com (collectively, the "Services"). We are committed to protecting your privacy and processing your data in compliance with the EU General Data Protection Regulation (GDPR), the Polish Act on the Protection of Personal Data, and other applicable data protection laws.

1. Data Controller

The data controller responsible for processing your personal data is:

DBR77 Sp. z o.o.
ul. Legnicka 55, 54-203 Wrocław, Poland
KRS: 0000860440
NIP: 8792725331

If you are a customer of DBR77 Inc. (our US entity), DBR77 Inc. may act as a joint controller for certain processing activities. In such cases, DBR77 Sp. z o.o. remains the lead controller for GDPR purposes.

2. Data We Collect

We collect the following categories of personal data:

Information you provide directly

  • Account information: name, email address, job title, company name, phone number, and password when you register for an account.
  • Billing information: billing address, payment method details (processed by our payment processor — we do not store full payment card numbers).
  • Communications: information you provide when you contact our support team, submit feedback, or participate in surveys.
  • Customer Data: operational plant data, sensor readings, configuration files, and other content you upload to the Services.

Information collected automatically

  • Usage data: pages visited, features used, actions taken, timestamps, frequency and duration of use.
  • Device and technical data: IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.
  • Log data: server logs, error reports, and performance metrics.
  • Cookies and similar technologies: as described in our Cookie Policy.

Information from third parties

  • Single sign-on providers: if you authenticate using Google, Microsoft, or another SSO provider, we receive your name, email, and profile picture from that provider.
  • Business partners: we may receive contact information from partners who refer you to our Services.

3. Legal Basis for Processing (GDPR)

For individuals in the European Economic Area (EEA), we process personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR): processing necessary to provide the Services, manage your account, process payments, and deliver customer support.
  • Legitimate interests (Art. 6(1)(f) GDPR): processing necessary for our legitimate interests, including improving the Services, ensuring security, preventing fraud, conducting analytics, and marketing our products to existing customers. We balance these interests against your rights and freedoms.
  • Consent (Art. 6(1)(a) GDPR): where we rely on your consent, such as for non-essential cookies, marketing communications, or processing of special categories of data. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c) GDPR): processing necessary to comply with legal obligations, such as tax reporting, regulatory requirements, or responding to lawful requests from public authorities.

4. How We Use Your Data

We use personal data for the following purposes:

  • Service delivery: to provide, operate, maintain, and improve the IRIS platform and related services.
  • Account management: to create and manage your account, authenticate users, and process transactions.
  • Communication: to send you service-related notices, respond to your inquiries, and provide customer support.
  • Analytics and improvement: to understand how the Services are used, identify trends, and improve functionality and user experience.
  • Security: to detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
  • Marketing: to send you information about products, features, and events that may be of interest (with your consent where required). You can opt out at any time.
  • Legal compliance: to comply with applicable laws, regulations, and legal processes.
  • Aggregated insights: to create anonymized, aggregated data for benchmarking, research, and product development. This data does not identify any individual.

5. Data Sharing and Disclosure

We do not sell your personal data. We may share personal data with the following categories of recipients:

  • Affiliates: DBR77 Inc. and other DBR77 group entities, subject to this Privacy Policy.
  • Service providers: third-party vendors who assist us in operating the Services (e.g., cloud hosting, payment processing, analytics, customer support tools). These providers are bound by data processing agreements and may only process data on our behalf and in accordance with our instructions.
  • Professional advisors: lawyers, auditors, and consultants where necessary for the operation of our business.
  • Law enforcement and regulators: where required by applicable law, regulation, legal process, or governmental request.
  • Business transfers: in connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the acquiring entity.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:

  • European Commission adequacy decisions (Art. 45 GDPR).
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR).
  • Binding Corporate Rules where applicable.
  • The EU-US Data Privacy Framework, where the recipient is certified.

You may request a copy of the safeguards we use by contacting our Data Protection Officer at dpo@dbr77.com.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our general retention periods are:

  • Account data: retained for the duration of your account and for up to 12 months after account closure for legitimate business purposes (e.g., resolving disputes, enforcing agreements).
  • Customer Data: retained for the duration of your subscription. Upon termination, Customer Data is available for export for 30 days and then deleted, unless applicable law requires otherwise.
  • Billing records: retained for the period required by applicable tax and accounting laws (typically 5–10 years).
  • Usage and log data: retained for up to 24 months for analytics and security purposes, then anonymized or deleted.
  • Marketing data: retained until you withdraw consent or opt out, plus a suppression record to honor your preference.

8. Your Rights (GDPR)

If you are located in the EEA or the UK, you have the following rights under the GDPR:

  • Right of access (Art. 15): request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to restriction (Art. 18): request that we restrict processing of your personal data in certain circumstances.
  • Right to data portability (Art. 20): receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: file a complaint with a supervisory authority. The lead supervisory authority for DBR77 is the President of the Personal Data Protection Office (UODO) in Poland.

To exercise any of these rights, please contact our Data Protection Officer at dpo@dbr77.com. We will respond to your request within one (1) month, or inform you if an extension is needed.

9. Cookies

We use cookies and similar tracking technologies on our website and within the Services. For detailed information about the types of cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

10. Children's Privacy

The Services are not directed to individuals under the age of 16, and we do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information promptly. If you believe we may have collected data from a child, please contact us at dpo@dbr77.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email or by posting a prominent notice on our website at least thirty (30) days before the changes take effect. We encourage you to review this page periodically. The "Effective" date at the top indicates when this policy was last revised.

12. Contact & Data Protection Officer

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact:

Data Protection Officer
DBR77 Sp. z o.o.
ul. Legnicka 55, 54-203 Wrocław, Poland
Email: dpo@dbr77.com

General inquiries: legal@dbr77.com