Privacy Policy
Effective: March 28, 2026 · Last updated: May 23, 2026
Irin Observability, LLC ("Irin," "we," "us") operates the Irin Observability monitoring service. This Privacy Policy describes what information we collect, how we use it, and your choices regarding your data.
We believe in collecting the minimum data necessary to provide a useful monitoring service. We do not collect personal information from your monitored servers. We do not sell your data. Period.
1. Information We Collect
From the website and account registration:
| Data | Purpose |
|---|---|
| Name | Account identification, communications |
| Email address | Account login, alert delivery, service communications |
| Company / organization name | Tenant identification, dashboard labeling |
| Password (hashed) | Account authentication; stored using bcrypt, never in plaintext |
| Server hostnames and roles | Monitoring configuration, dashboard setup |
From your monitored servers (via the Grafana Alloy agent):
| Data | Purpose |
|---|---|
| CPU usage metrics | Performance monitoring, capacity alerting |
| Memory usage metrics | Performance monitoring, capacity alerting |
| Disk usage and filesystem metrics | Storage monitoring, fill-rate alerting |
| Network I/O metrics | Connectivity monitoring, throughput visibility |
| System logs (syslog, journald) | Error detection, log search, troubleshooting context |
| Error-level application logs | Application health visibility; aggregate error counts are used in monthly infrastructure reports (see Section 3) |
| Hardware metadata (CPU model, total memory, total disk capacity) | Derived automatically from system metrics during onboarding and reconciled daily. Stored alongside your account record to provide context for monthly infrastructure reports. This is infrastructure capacity data only — no personal information is present in hardware metadata. |
2. Information We Do Not Collect
Irin does not collect, process, or store:
- Personal information of your users or customers
- Application data or database contents
- Business data, financial records, or trade secrets
- Passwords, credentials, or API keys from your servers
- File contents from your servers
- Browsing history, cookies, or tracking data
The monitoring agent collects system-level metrics and logs only. If your application logs contain personal information due to your application's logging configuration, we recommend adjusting your log levels or log format to exclude sensitive data before it reaches the agent.
3. How We Use Your Information
We use the information we collect to:
- Provide the monitoring service by displaying metrics and logs in your dashboards
- Deliver alerts when metrics cross configured thresholds
- Generate monthly infrastructure reports for all tiers, including a narrative summary derived from pre-computed findings. Report generation uses a self-hosted language model running on Irin's own infrastructure. Your data is never sent to a third-party AI provider for this purpose. All AI-generated narrative content is labeled as such in your report.
- Generate plain-English interpretations of active monitoring alerts to provide additional context alongside alert notifications. Alert name, severity, host label, and any configured alert annotations are processed by a self-hosted language model running on Irin's own infrastructure. No alert data is transmitted to any external AI service. AI-generated alert interpretations are labeled as AI-generated in all client-facing displays.
- Communicate with you about your account, service updates, and important notices
- Improve the service based on aggregate, anonymized usage patterns
4. Data Sharing & Third-Party Services
We do not sell, rent, or share your data with third parties for marketing purposes. The following third-party services are used in the operation of Irin:
| Service | Purpose | Data Shared |
|---|---|---|
| Cloudflare | Encrypted tunneling, DNS, website delivery | Encrypted metrics/log traffic transits Cloudflare tunnels; website visitor IP addresses |
| Resend | Transactional email delivery | Recipient email address, email content (alerts, reports, account notifications) |
| Stripe (planned) | Payment processing (paid tier) | Billing information; Irin does not store credit card numbers |
Monthly report narrative generation uses a language model hosted on Irin's own infrastructure. No monitoring data, metrics, logs, or account information is transmitted to any external AI service for this purpose.
5. Data Retention
- Monitoring metrics (Prometheus): retained for 14 days (free tier) or 30 days (paid tiers)
- Logs (Loki): retained for 14 days (free tier) or 30 days (paid tiers)
- Account information: retained for the duration of your account
- Hardware metadata (CPU model, memory, disk capacity): retained for the duration of your account and updated automatically as your infrastructure changes
- Monthly report findings: aggregated infrastructure findings used to generate your monthly reports are retained indefinitely as service records. These findings contain statistical summaries (averages, peaks, event counts) derived from your metrics — not raw metric data. You may request deletion of your report findings at any time by contacting us at [email protected].
- Upon account termination: monitoring data is deleted within 30 days; report findings and account information are deleted upon request
6. Data Security
All monitoring data is transmitted via encrypted connections using Cloudflare tunnels with TLS. Your data is isolated from other customers through separate Grafana organizations, per-tenant authentication tokens, and label-based metric/log segregation. Administrative access to Irin's infrastructure is secured with multi-factor authentication.
While we implement reasonable security measures, no system is perfectly secure. In the event of a security incident affecting your data, we will notify you in accordance with applicable law.
7. Your Rights
You may:
- Request a summary of the data we hold about your account
- Request correction of inaccurate account information
- Request deletion of your account and associated data
- Request deletion of your monthly report findings at any time
- Uninstall the monitoring agent from your servers at any time
To exercise any of these rights, contact us at [email protected].
8. Colorado Privacy Act
Irin acknowledges the Colorado Privacy Act (CPA). At our current scale, Irin does not meet the CPA processing thresholds (100,000+ consumers per year or revenue derived from the sale of personal data of 25,000+ consumers). We do not sell personal data. As our business grows, we will continue to evaluate and comply with applicable privacy regulations.
9. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect information from minors. If you believe we have inadvertently collected such information, please contact us and we will promptly delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the email address on your account with 30 days notice. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
Questions about this Privacy Policy or your data? Contact us at [email protected].