Privacy Policy

Iron Infrastructure, LLC — Effective March 29, 2026 · Version 2.0

1. Who We Are

Iron Infrastructure, LLC ("Company," "we," "us," "our") is a Texas limited liability company that operates the GunStore.io platform — a gun store management system for federally licensed firearms dealers (FFLs). Our principal office is located at 11844 Bandera Road, Suite 480, Helotes, TX 78023.

This Privacy Policy applies to all users of the GunStore.io platform, including store subscribers (FFLs who use the platform to manage their business) and their end customers (individuals who interact with the platform through invoices, signing flows, or SMS messages).

2. Our Role: Data Controller and Data Processor

We act in two capacities depending on the data involved:

  • Data Controller — for subscriber account data (store owner name, email, billing information, FFL documentation). We determine the purposes and means of processing this data.
  • Data Processor — for end-customer data entered by subscribers (customer names, phone numbers, order details, compliance records). Subscribers determine the purposes; we process the data on their behalf to provide the Platform services.

3. Information We Collect

Subscriber Information

  • Account details: name, email address, phone number, business name, business address
  • FFL documentation: FFL number, license type, expiration date, SOT status
  • Billing information: payment method details (tokenized — we do not store full card numbers)
  • Usage data: login activity, feature usage, platform interactions

End-Customer Information (entered by Subscribers)

  • Contact information: name, phone number, email address, mailing address
  • Transaction information: order details, item descriptions, pricing, payment status
  • Compliance information: data required by federal and state law for firearms transfers (e.g., ATF Form 4473 data, serial numbers)
  • Communication records: SMS messages, email correspondence related to orders
  • Signing records: electronic signature data, audit trails, authentication events, IP addresses, device information

Automatically Collected Information

  • Device and browser data: IP address, browser type, operating system, device identifiers
  • Usage analytics: pages visited, features used, session duration (collected via privacy-respecting analytics)
  • Cookies: essential cookies for authentication and session management. We do not use third-party advertising cookies. See Section 11 for details.

4. How We Use Information

  • Provide, operate, and maintain the GunStore.io platform
  • Process subscriptions, billing, and payments
  • Send transactional communications (account notices, billing alerts, service updates)
  • Facilitate order management, invoicing, and document signing on behalf of subscribers
  • Send transactional SMS messages to end customers on behalf of subscribers (order confirmations, invoice alerts, shipping updates, pickup reminders)
  • Verify FFL status and maintain compliance records
  • Comply with ATF record-keeping requirements where applicable
  • Detect and prevent fraud, abuse, and security threats
  • Improve the Platform through aggregated, de-identified usage analytics

5. SMS Communications

The Platform sends transactional SMS messages to end customers on behalf of subscribing stores. These messages relate to order activity and include:

  • Order confirmations and status updates
  • Invoice notifications and payment reminders
  • Shipping and delivery updates
  • Firearm transfer completion notices
  • Pickup reminders with store hours and location

Message frequency varies based on order activity. Message and data rates may apply. End customers may opt out at any time by replying STOP to any message. Reply HELP for assistance.

Subscribers are responsible for obtaining proper consent from their customers before enabling SMS messaging. For details, see our SMS Consent Policy.

6. Information Sharing and Sub-Processors

We do not sell, rent, or trade personal information to third parties. We share information only as necessary to provide the Platform:

Sub-Processor Purpose Data Shared
FluidPay Payment processing & invoicing Customer name, email, invoice amounts, tokenized payment data
Infobip SMS message delivery Phone numbers, message content
Amazon Web Services (AWS) Cloud infrastructure & hosting All platform data (encrypted at rest and in transit)
Cloudflare CDN, DNS, DDoS protection IP addresses, request metadata

We also disclose information when required by law, including responses to ATF inspections, court orders, subpoenas, and NICS background check processes.

7. Data Security

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • API credentials and sensitive configuration are encrypted at rest using AES-256-CBC
  • Payment card data is never stored on our systems — all payment credentials are tokenized by our payment processor
  • Access to production systems is restricted by role-based access controls
  • Subscriber data is isolated through multi-tenant access controls — subscribers cannot access other subscribers' data
  • We conduct regular security reviews of our codebase and infrastructure

8. Data Retention

Data Category Retention Period
Subscriber account data Duration of subscription + 90 days for data export
End-customer transaction records Minimum 7 years (tax/accounting requirements)
ATF compliance records (bound book) Minimum 20 years (federal requirement)
Electronic signature audit trails Minimum 7 years
SMS consent records Duration of relationship + 5 years
Usage analytics (aggregated) Indefinite (de-identified)

9. Your Rights

All Users

You may request access to, correction of, or deletion of your personal information by contacting us at [email protected]. Note that certain records required by federal law (e.g., ATF bound book entries) cannot be deleted.

Texas Residents (TDPSA)

Under the Texas Data Privacy and Security Act, Texas residents have the right to:

  • Confirm whether we are processing your personal data
  • Access your personal data
  • Correct inaccuracies in your personal data
  • Delete your personal data (subject to legal retention requirements)
  • Obtain a portable copy of your personal data
  • Opt out of the sale of personal data (we do not sell personal data)

To exercise these rights, contact us at [email protected]. We will respond within 45 days.

California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act, California residents have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of personal information (subject to legal exceptions)
  • Opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising)
  • Non-discrimination for exercising your privacy rights

To exercise these rights, contact us at [email protected]. We will respond within 45 days.

10. Children's Privacy

The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

11. Cookies and Tracking

  • Essential cookies: Used for authentication, session management, and security. These are required for the Platform to function and cannot be disabled.
  • Analytics: We use privacy-respecting analytics to understand Platform usage in aggregate. No personal data is shared with third-party advertising networks.
  • No advertising cookies: We do not use third-party advertising cookies or tracking pixels.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to subscribers at least 30 days before taking effect. Non-material changes will be posted on this page with an updated effective date. Continued use of the Platform after changes take effect constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices: