Privacy Policy

IRIX & IRIX Viewer · Privacy Policy · Effective Date: 10 June 2026 · Forge Reality CO., LTD., Taipei, Taiwan (R.O.C.)

Forge Reality CO., LTD., a company incorporated under the laws of the Republic of China (Taiwan), with its registered office at Taipei (“Forge Reality,” “we,” “us,” or “our”), provides IRIX and IRIX Viewer (together, the “Services”). This Privacy Policy explains what personal data we collect when you use the Services, how and why we use it, the legal bases on which we rely, with whom we share it, how it may be transferred internationally, how long we keep it, your rights, and how to contact us.

This Privacy Policy is incorporated by reference into, and forms part of, the IRIX Terms of Use and the IRIX Viewer Terms of Use (the “Terms”). Capitalized terms not defined here have the meaning given in the Terms. This Policy describes our privacy practices; it does not reduce any right you have under applicable data-protection law.

PLEASE NOTE: IRIX is an account-based platform for creating, editing, storing, and sharing 3D content; IRIX Viewer is a view-only application that lets share-link recipients open shared content without an account. Some sections below apply only to one of them, as indicated.

1. Who We Are

Forge Reality CO., LTD. is the controller responsible for your personal data processed through the Services, except where we act as a processor on the documented instructions of an institutional customer (for example, a school or hospital operating a Workspace), in which case that institution is the controller and this Policy describes our processing on its behalf. You can reach us at contact@forgereality.ai or by mail at Forge Reality CO., LTD., Taipei, Taiwan (R.O.C.).

2. Scope

This Policy applies to personal data processed through the IRIX platform (iOS, desktop, and web/WebGL applications), the IRIX Viewer application, our hosted backend services at irix.forgereality.ai, and our share-link and QR-code features. It does not apply to third-party services governed by their own privacy policies (see Section 12), or to other Forge Reality products that have their own terms and privacy notices.

3. Personal Data We Collect

3.1 Account and profile data (IRIX platform). When you register for or are added to the platform, we process your name, email address, login credentials (stored in hashed form), your role within a Workspace, and your plan and billing-related records. Payment card details are handled by our third-party payment processor and are not stored on our servers. You must have an account to use the IRIX platform; you do not need an account to use IRIX Viewer.

3.2 User Content. We process the content you upload, import, create, or submit (including 3D model files, textures, project files, annotations, text pins, cover images, names, and descriptions) in order to store it, render it, and make it available to those you share it with. As between you and us, you retain ownership of your User Content, as described in the Terms. You are responsible for the content you provide and should not upload identifiable patient data or other sensitive personal data except where authorized by your institution and permitted by applicable law.

3.3 Share-link access (IRIX Viewer; no account). When you open content shared with you via a share link or QR code, we process the share session token and the request metadata needed to resolve the link and deliver the shared content. You do not need to provide a name or create an account to view shared content.

3.4 Device features and permissions (IRIX Viewer and platform). To open and display content, the application may, with your permission, access: (a) your device camera, to scan QR codes and, in augmented- or mixed-reality (AR/MR) mode, to render content in your surroundings, together with your device’s motion and position sensors for AR/MR tracking; (b) your photo or file storage, where you choose to import an image containing a QR code; and (c) a local cache on your device, where downloaded models and project assets are stored temporarily so the application can display them. Camera frames and AR/MR sensor data are processed on your device to render content and are not stored by us or used to identify you, except as necessary to display content to you. The Services are not designed to collect or process biometric data or other special categories of personal data.

3.5 Technical and usage data. When you use the Services, our servers automatically receive standard request metadata such as your IP address, device and browser type, operating system, and the date, time, and nature of your requests. We use this to operate, secure, and troubleshoot the Services.

3.6 Communications. If you contact us (for example, for support, an IP notice, or a data-rights request), we process the information you provide and our correspondence with you.

4. How We Use Personal Data

We use personal data to: (a) provide, operate, and maintain the Services and deliver shared content to authorized recipients; (b) authenticate users and administer accounts and Workspaces; (c) secure the Services, prevent fraud and abuse, and enforce the Terms; (d) provide support and respond to your requests; (e) understand and improve performance, reliability, and usability; (f) comply with legal obligations and respond to lawful requests; and (g) communicate service-related notices to you. We do not use personal data for advertising, and we do not carry out automated decision-making or profiling that produces legal or similarly significant effects concerning you. We additionally do not use minors’ personal data for marketing, advertising, or profiling.

5. Legal Bases for Processing

Where the GDPR or comparable law applies, we rely on the following legal bases: performance of a contract (to provide the Services you or your institution request); legitimate interests (to secure, maintain, and improve the Services, and to prevent abuse), balanced against your rights; consent (for example, for camera, photo, and motion-sensor access, which you can grant or withdraw through your device settings, and for non-essential cookies); and compliance with a legal obligation. Where Taiwan’s Personal Data Protection Act applies, we process personal data within the scope of the purposes described in this Policy and as otherwise permitted by that Act.

6. Cookies and Similar Technologies

On our web/WebGL applications and website, we use cookies and similar technologies (such as local storage) that are: strictly necessary: required to operate the Services, maintain a session, and keep them secure; and preference: to remember choices such as language or theme. We do not currently use third-party advertising or analytics cookies. If we introduce any non-essential (for example, analytics) cookies in the future, we will use them only with your consent where required by law, which you may withdraw at any time. You can also control cookies through your browser settings; blocking strictly necessary cookies may prevent parts of the Services from working. The IRIX Viewer and platform applications use a local cache and local storage on your device to display downloaded content; you can clear this at any time through your device or application settings.

7. How We Share Personal Data

We share personal data only as follows: (a) with service providers and sub-processors who process data on our behalf and under contract (such as cloud hosting, storage, infrastructure, content delivery, payment processing, and communications providers) to operate the Services; (b) with the institutional customer (Workspace Owner/Admin) that administers your account, where you use the Services as a Member of its Workspace; (c) where you share content, with the recipients you choose, who can access it via share link or QR code (share links are not confidential; see the Terms); (d) where required to comply with law, legal process, or a lawful request, or to protect the rights, safety, or property of Forge Reality, our users, or the public; and (e) in connection with a business transfer (merger, acquisition, or sale of assets), subject to this Policy. We do not sell personal data, and we do not share it for cross-context behavioral advertising.

8. International Transfers

The Services are operated from Taiwan, and your personal data may be stored and processed in Taiwan and in other jurisdictions where we or our service providers operate. Where we transfer personal data across borders, we do so in accordance with applicable law, including any transfer restrictions under Article 21 of Taiwan’s Personal Data Protection Act and, where the GDPR applies, Chapter V of the GDPR, using an adequacy decision or appropriate safeguards (such as Standard Contractual Clauses) where required. You may request information about the safeguards we use by contacting us at contact@forgereality.ai.

9. Data Retention

We keep personal data only for as long as necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law. In particular: account and User Content on the IRIX platform are ordinarily retained for the duration of your account and, after expiry or non-renewal of a plan, for up to 90 days, during which access is restored on renewal, after which content may be removed (as described in the Terms); locally cached content on your device for IRIX Viewer is temporary and can be cleared by you at any time through your device settings; and technical logs and request metadata are retained for a limited period for security, troubleshooting, and legal-compliance purposes. When personal data is no longer needed, we delete or anonymize it, subject to legal retention obligations.

10. Security

We apply commercially reasonable technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction, including access controls, encryption in transit, and share session tokens. No method of transmission or storage is completely secure, and we cannot guarantee absolute security; you are responsible for keeping your account credentials confidential.

11. Your Rights

Subject to applicable law, you have the right to access the personal data we hold about you, to request rectification of inaccurate data, erasure, restriction of or objection to certain processing, and portability of data you provided, and to withdraw consent where we rely on it (without affecting prior processing). Where the GDPR applies, you also have the right to lodge a complaint with your local supervisory authority; where Taiwan’s Personal Data Protection Act applies, you have the corresponding rights under that Act. To exercise any of these rights, contact us at contact@forgereality.ai. If you accessed content as a share-link recipient using IRIX Viewer, you may also stop using the Services at any time and clear locally cached content through your device settings. We respond to verified requests without undue delay and within the period required by applicable law.

12. Children’s and Minors’ Data

The Services are intended for educational use. Persons under the minimum age listed for their market (at least 13) may not use the Services. Persons between that minimum age and 18 may use the IRIX platform only as Members of a Workspace administered by a school, institution, or other authorized adult, where any legally required consent has been obtained. We do not use minors’ personal data for marketing, advertising, or profiling. A parent, guardian, or supervising institution may review and request deletion of a minor’s personal data by contacting contact@forgereality.ai, and we will act on a verified request without undue delay and within any period required by applicable law, subject to legal retention obligations.

13. Institutional Customers and Data Processing Agreements

Where you use the Services as a Member of a Workspace administered by an institution, that institution is the controller of the personal data processed for its Workspace, and we act as its processor on its documented instructions. Where applicable data-protection law (such as GDPR Article 28) requires a data-processing agreement, we will enter into our standard data-processing agreement with the institutional customer; a copy is available on request from contact@forgereality.ai.

14. Data Breach Notification

In the event of a personal-data breach affecting you, we will notify affected users and the competent authorities as and when required by applicable law.

15. Third-Party Services

The Services may interoperate with or link to third-party services, such as app marketplaces, hosting providers, and external websites. Those services are governed by their own privacy policies, and we are not responsible for their practices. We encourage you to review the privacy notices of any third-party service you use.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised version on the Services and update the Effective Date above, and for material changes we will provide additional notice (for example, in-app or by email where appropriate) at least 30 days in advance where practicable. Where a change materially affects your rights and applicable law requires your consent, we will obtain it before that change takes effect.

17. How to Contact Us

If you have any questions, requests, or complaints about this Privacy Policy or our handling of your personal data, contact us at contact@forgereality.ai or Forge Reality CO., LTD., Taipei, Taiwan (R.O.C.).

Privacy Policy · Effective Date: 10 June 2026 · Forge Reality CO., LTD., Taipei, Taiwan (R.O.C.)