Effective date: July 1, 2026 Last updated: July 1, 2026
This Privacy Policy explains how Revivo Project Inc., doing business as Iron Lock ("Iron Lock," "we," "us," or "our"), collects, uses, shares, and protects personal information in connection with the Iron Lock mobile app (iOS and Android), our cloud services, and our smart safe / lock box products (together, the "Services").
We built the Iron Lock app to control a physical security product. We collect as little personal information as possible, we do not sell your personal information, and — importantly — your fingerprints never leave your safe. This policy describes exactly what we do and do not do, and the rights you have.
This document is provided for transparency and is not legal advice.
The rest of this policy gives the full detail.
Revivo Project Inc., dba Iron Lock 1303 E Warner Avenue, Santa Ana, CA 92705, USA Website: https://shopironlock.com Privacy contact: info@shopironlock.com
The Iron Lock app and related services are offered only in the United States. We do not direct them to, or make them available to, individuals in the European Economic Area (EEA) or the United Kingdom. See Section 13.
We collect the following, and only the following, categories of information.
We use this to create and secure your account, sign you in, send password-reset and email-verification messages, and identify you within the app.
We use this to let you set up, organize, and manage your safes and the people you authorize.
We use access codes solely to operate your safe. Access codes are handled by our backend and synchronized to your safe over an authenticated, encrypted connection (Google Firebase, United States) so the keypad can verify them; they are not published in the clear. Keep your access codes confidential, do not reuse codes you use elsewhere, and change a code if you believe it may have been exposed. See Section 7 (Security).
We use this to give you an access history for your safe (a security feature). We disclose at account creation that access events are logged, and you consent to this logging as part of using the Services. The app retains a limited, rolling number of recent events (see Section 6, Retention).
This live state flows through our real-time database (Google Firebase Realtime Database, United States) so the app can show and control your safe in real time. This live state is not stored long-term by us; it exists only transiently to operate the device.
Some Iron Lock safes include a fingerprint sensor so you can unlock the safe with your fingerprint.
Because we never receive or store a biometric template, we do not collect, capture, store, sell, lease, trade, or profit from biometric identifiers or biometric information. See Section 11 for our statement under state biometric laws (including Illinois BIPA and Texas CUBI) and Section 13 for the EU/UK position.
During setup, the app uses Bluetooth Low Energy (BLE) to detect your nearby safe so it can pair with it. Signal-strength information is used only in memory, only during pairing, to find the right device. We declare Bluetooth as "never for location" and do not use Bluetooth in the background. We do not collect GPS or any location data.
If you use our in-app support assistant, we process the content of your support messages and the name and email associated with your request. When you send a message, it leaves your device and is processed by our support-chat backend, which is hosted on Netlify (United States) and uses Anthropic to help draft a reply, may look up your order on Shopify to assist you, and may email a transcript to our support team via Resend when your conversation is closed. Please avoid sending information in support chat that you do not want shared with our support system. See Section 5.
A signed command counter / message authentication code used to protect lock commands against replay attacks. This is operational security data, not data about you.
For clarity, the Iron Lock Services do not collect:
We use personal information to:
We do not use your personal information for advertising, profiling, or automated decisions that produce legal or similarly significant effects, and we do not build advertising profiles about you.
Where the EU or UK GDPR applies, our legal bases are:
We do not sell your personal information and we do not share it for cross-context behavioral advertising. We disclose limited personal information only to service providers who process it on our behalf, under contract, and who are prohibited from using it for their own purposes:
| Service provider | What it does | Location |
|---|---|---|
| Google Firebase | Account authentication, account database, and real-time device state and commands (live lock/door state and command delivery) | United States |
| Netlify | Hosting for our support-chat backend (processes your support messages and the associated name and email) | United States |
| Anthropic | AI-assisted drafting of support replies in the in-app assistant | United States |
| Shopify | Looking up your order when you contact support | United States / Canada |
| Resend | Sending support and transactional email | United States |
| Expo / EAS | App build and delivery infrastructure | United States |
We may also disclose personal information: (a) to comply with law, legal process, or a lawful government request; (b) to protect the rights, safety, or property of you, us, or others; and (c) in connection with a merger, acquisition, or sale of assets, in which case we will continue to protect your information consistent with this policy.
A current list of our service providers is available on request at info@shopironlock.com.
This section is our published data-retention policy. We keep personal information only as long as reasonably necessary for the purposes described in this policy.
When you delete your account, your account data is erased from our database and your safe's stored codes are cleared from our real-time database. Residual copies may persist briefly in routine backups maintained by our service providers and are overwritten on their ordinary cycles.
We use commercially reasonable administrative and technical safeguards to protect your information, including encryption of data in transit (TLS) for our app-to-cloud connections, authenticated and encrypted real-time database connections, server-side access rules on the lock channel, and access controls on your account.
No method of transmission or storage is completely secure, and — because Iron Lock is a physical security product — no lock can guarantee absolute security or that it will prevent forced entry, theft, hacking, or unauthorized access. Iron Lock is one layer of a broader security plan. You are responsible for keeping your account credentials and access codes confidential, retaining your mechanical backup key, and maintaining adequate battery and connectivity.
If we become aware of a data breach affecting your personal information, we will notify you and the relevant authorities as required by applicable law.
Depending on where you live, you may have some or all of the following rights:
You may use an authorized agent to submit a request where the law permits; we may ask the agent to prove authorization and ask you to verify your identity.
We do not sell your personal information for money or other valuable consideration, and we do not share it for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA) and similar U.S. state laws. We have not done so in the preceding 12 months. Because we do not sell or share personal information, we do not offer a "Do Not Sell or Share My Personal Information" link; however, we will honor any opt-out preference signal (such as Global Privacy Control) that we are required to recognize.
Notice at collection (connected device). Because Iron Lock is a connected device, we surface a link to this Privacy Policy in the app at or before the point the app first collects personal information, consistent with California's connected-device notice requirements.
Sensitive personal information. To the extent any information we handle is considered "sensitive" (for example, the on-device biometric capability described in Sections 3.6 and 11), we use it only to provide the Services you request — to let you unlock your safe — and not for inferring characteristics or for any purpose that would require us to offer a "Limit the Use of My Sensitive Personal Information" right. We do not sell or share sensitive personal information.
Categories collected and disclosed (CCPA). In the prior 12 months we have collected the following CCPA categories and disclosed them to service providers (Section 5) for the business purposes described above:
State rights. Residents of California, Virginia, Colorado, Connecticut, Texas, and other states with comprehensive privacy laws may exercise the rights described in Section 8, including the right to appeal a denied request. To appeal, reply to our decision or email info@shopironlock.com with "Privacy Appeal" in the subject line.
The Iron Lock app and Services are intended for a general adult audience and are not directed to, marketed to, or intended for use by children under the age of 13 (or under 16 where a higher age of digital consent applies). We do not knowingly collect, use, or disclose personal information from children under 13.
If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at info@shopironlock.com and we will promptly delete that information and terminate any associated account. We do not condition a child's participation in any activity on disclosing more personal information than is reasonably necessary.
This section describes our practices regarding biometric identifiers and biometric information under laws such as the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and Washington (RCW 19.375). This section, together with the standalone Biometric Data Notice & Consent, serves as our publicly available written policy on biometric retention and destruction.
We are based in the United States, and the Services are offered only in the United States. Your information is processed in the United States (and, for Shopify order lookups, potentially Canada, which has an EU adequacy decision) by the service providers listed in Section 5. We do not offer or direct the Services to individuals in the EEA or the United Kingdom (see Section 13), so we do not routinely engage in transfers of EEA/UK personal data.
If the EU or UK GDPR nonetheless applies to any transfer to us, we rely on the EU-US Data Privacy Framework and its UK Extension where a recipient is certified, and on the EU Standard Contractual Clauses (with the UK Addendum / International Data Transfer Agreement for UK transfers) as an additional safeguard. You may request more information at info@shopironlock.com.
Availability and representatives. The Iron Lock app and related services are offered only in the United States and are not directed to, or made available to, individuals in the EEA or the United Kingdom. Because we do not target or offer services to individuals in those regions, we have not appointed a representative under Article 27 GDPR or Article 27 UK GDPR. If we begin offering the Services in the EEA or the UK, we will appoint and name a representative here before doing so. The remainder of this section applies only to the extent the EU or UK GDPR applies to you.
Data Protection Officer. Based on the nature and scale of our processing, we are not required to appoint a Data Protection Officer. Direct privacy questions to info@shopironlock.com.
Your GDPR rights. You may request access, rectification, erasure, restriction of or objection to processing, and portability, and you may withdraw consent at any time. You can delete your account and all associated data in the app (Settings → Account → Delete Account) or email us; we will respond within one month (extendable to three for complex requests), free of charge.
Right to complain. You have the right to lodge a complaint with your local supervisory authority, or in the UK with the Information Commissioner's Office (ico.org.uk).
Special-category (biometric) data. As explained in Sections 3.6 and 11, we do not receive or store any biometric template; the relationship for fingerprint enrollment is between you and your safe's sensor. Where any biometric processing is attributed to us, our legal basis is your explicit consent (Article 9(2)(a)), obtained at enrollment.
Children. The Services are not intended for children under 16; see Section 10.
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you in the app or by email. We review this policy at least once every 12 months. Your continued use of the Services after an update means you accept the revised policy.
Biometric re-consent. For material changes to how we handle biometric functionality or to the Biometric Data Notice & Consent, we will obtain your affirmative in-app re-consent (a fresh biometric consent) before the changed practice applies to you, rather than relying on continued use as acceptance. This is a specific exception to the general "continued use means acceptance" rule above.
Revivo Project Inc., dba Iron Lock 1303 E Warner Avenue, Santa Ana, CA 92705, USA Email: info@shopironlock.com Website: https://shopironlock.com
If the EU or UK GDPR applies to you, the additional information in Section 13 also applies.
This Privacy Policy is provided for transparency and does not constitute legal advice. Iron Lock is a trademark / DBA of Revivo Project Inc.