Privacy Policy

Iron Suite: IronHaul, IronGuard, IronLedger

01Who We Are and How to Reach Us

Permian Forge LLC (“Permian Forge,” “we,” “us,” or “our”) is a veteran-owned software company organized under the laws of the State of Texas, United States. We provide the Iron Suite, a set of business-software products for the oilfield services industry, currently comprising IronHaul (dispatch, ticketing, and billing), IronGuard (safety and compliance), and IronLedger (accounts payable and vendor management), together with our website at permianforge.com (collectively, the “Services”).

This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the Services. You can reach us about privacy matters at:

Privacy and legal inquiries: legal@permianforge.com

General inquiries: hello@permianforge.com

Mailing address: 5900 Balcones Drive #6477 Austin, TX 78731

02Scope of This Policy: Our Two Roles

The Iron Suite is business-to-business software used by oilfield haulers, operators, and service companies (our “Customers”). Because of how the Services work, Permian Forge handles personal information in two distinct roles, and this Policy applies differently to each.

As a controller. For information about the people and businesses who visit our website, contact us, or administer a Customer account (for example, account contacts, billing contacts, and sales prospects), Permian Forge determines how and why that information is used. This Policy governs that information directly.

As a processor (service provider). When our Customers use the Services to run their own operations, they upload and generate data about their own business, including information about their employees, drivers, customers, vendors, and field activity. Permian Forge processes that data on the Customer’s behalf and under the Customer’s instructions. The Customer is the controller of that data; Permian Forge is the processor. Our handling of that data is governed by our agreement with the Customer (including any Data Processing Addendum), and individuals with questions about that data should contact the relevant Customer.

03Information We Collect

3.1 Information you provide to us directly (we act as controller)

• Account and contact information: name, business name, business email address, phone number, job title, and similar details you provide when you create an account, request a demo, contact us, or correspond with us.
• Authentication information: credentials used to sign in to the Services. Passwords are handled by our authentication provider and stored in hashed form; we do not store plaintext passwords.
• Billing and payment information: billing contact details and subscription information. Payment card details are collected and processed directly by our payment processor (see Section 6); Permian Forge does not store full payment card numbers.
• Communications: the content of messages, support requests, and feedback you send us.

3.2 Information collected automatically when you use the Services

• Usage and device data: IP address, browser type, device identifiers, pages viewed, and actions taken, collected through our hosting platform and error-monitoring tools to operate, secure, and improve the Services.
• Cookies and similar technologies: within the Services we use strictly necessary cookies to keep you signed in and to operate the Services, and on our public website we also use analytics cookies (Google Analytics). See Section 8.
• Location data: where a Customer enables location features (for example, mapping a job site or a delivery route), the Services may process geographic location information associated with sites, vehicles, or field activity. This data is typically Customer data processed on the Customer’s behalf (see Section 3.3).

3.3 Customer data (we act as processor)

When Customers use the Services, they submit and generate data about their own business operations. Depending on the products a Customer uses, this may include:

• Information about the Customer’s personnel and drivers, such as names, contact details, employment role, driver license and certification information, and assigned activity;
• Information about the Customer’s own customers, vendors, and contacts, such as business names, addresses, contacts, and billing details;
• Operational records, such as tickets, dispatch and route information, job-site and vehicle location data, safety incidents and inspections, certifications, invoices, and accounts-payable records.

Permian Forge processes this data only to provide the Services to the Customer and as instructed by the Customer. We do not sell this data, do not use it for our own advertising, and do not use it to train artificial-intelligence models.

04How We Use Personal Information

Where we act as a controller, we use personal information to:

• Provide, operate, maintain, and secure the Services and our website;
• Create and administer accounts, authenticate users, and provide customer support;
• Process subscriptions, billing, and payments;
• Communicate with you about your account, service-related notices, and changes to our terms or policies;
• Respond to inquiries, sales requests, and feedback;
• Monitor, diagnose, debug, and improve the Services, including through error and performance monitoring;
• Detect, prevent, and address fraud, abuse, security incidents, and technical issues; and
• Comply with legal obligations and enforce our agreements.

Where we act as a processor, we use Customer data only to provide the Services and as instructed by the Customer under our agreement with them.

05Texas Privacy Law and Your Rights

Permian Forge is a Texas company, and we design our privacy practices with the Texas Data Privacy and Security Act (“TDPSA”), Tex. Bus. & Com. Code Ch. 541, in mind. The TDPSA exempts businesses that qualify as “small businesses” under the U.S. Small Business Administration’s size standards, except with respect to the sale of sensitive personal data, which requires prior consent. Permian Forge believes it currently qualifies as such a small business and, because it does not sell personal data, is exempt from most of the TDPSA’s substantive obligations; regardless of that exemption, we voluntarily honor the rights described below. Permian Forge does not sell personal data or sensitive personal data, does not use personal data for targeted advertising, and does not use personal data to train artificial-intelligence models.

Regardless of whether a specific statutory obligation applies to us, we aim to honor the following choices for personal information we hold as a controller. To the extent provided by applicable law, you may request to:

• Confirm whether we process your personal data and access that data;
• Correct inaccuracies in your personal data;
• Delete personal data we hold about you;
• Obtain a portable copy of personal data you provided to us; and
• Opt out of any sale of personal data or targeted advertising (note: we do not engage in either).

To make a request, contact us at legal@permianforge.com. We will verify your request as required by law and respond within the timeframe required by applicable law. If we decline a request, you may appeal by contacting us at the same address. Where your personal data is Customer data that we process on a Customer’s behalf, we will refer your request to the relevant Customer.

Universal opt-out / Global Privacy Control. Our Services are business tools and do not serve targeted advertising; however, where required, we will make commercially reasonable efforts to recognize universal opt-out mechanisms such as the Global Privacy Control.

06How We Share Information: Service Providers and Sub-Processors

We do not sell personal information. We share information only as described below:

Service providers and sub-processors. We use trusted third-party vendors to host and operate the Services. These vendors process information on our behalf under contractual confidentiality and security obligations. Our current vendors include:

Vendor	Purpose	Data involved
Supabase	Application database, authentication, and file storage	Account, authentication, and Customer data
Vercel	Application hosting and content delivery	Usage/log data, IP address
Stripe	Subscription billing and payment processing	Billing contact, subscription, and payment data
Intuit / QuickBooks	Accounting integration (Permian Forge’s own books; Customer accounting where enabled)	Billing and financial records
Sentry	Error and performance monitoring	Diagnostic/usage data, IP address
Google Maps Platform	Mapping, geocoding, and routing where enabled	Location/site/route data
Resend	Transactional email delivery	Recipient email address, message content
Google Analytics	Website analytics and usage measurement (public marketing website)	Website usage data, device and browser information, approximate location derived from IP, cookie identifiers

The sub-processors that process Customer Data on our Customers’ behalf are listed in our Data Processing Addendum and on our sub-processors page. Google Analytics appears above because it processes visitor data from our public website, where Permian Forge is the controller; it is not a Customer-Data sub-processor.

Payment processing. Card payments are processed by Stripe, Inc. as an independent controller of payment data under its own privacy policy and data processing terms. Permian Forge does not receive or store full card numbers.

Legal and safety. We may disclose information where required by law, subpoena, or legal process, or where necessary to protect the rights, property, or safety of Permian Forge, our Customers, or others.

Business transfers. If Permian Forge is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this Policy.

07Data Retention

We retain personal information for as long as needed to provide the Services and for the purposes described in this Policy, and as required to comply with our legal obligations, resolve disputes, and enforce our agreements.

• Customer data is retained for the duration of the Customer’s subscription. After termination, Customer data is made available for export for a transition window of ninety (90) days, after which it is deleted or de-identified in the ordinary course, subject to the terms of our agreement with the Customer.
• Account and billing records are retained as needed for tax, accounting, and legal purposes, generally for up to seven (7) years after the end of the relevant relationship.
• Backups and logs are retained on a rolling basis and cycle out per our infrastructure providers’ standard retention periods.

08Cookies

Within the Services (our authenticated application), we use strictly necessary cookies and similar technologies to authenticate users, maintain sessions, and operate the Services securely. On our public marketing website we use Google Analytics to measure how visitors find and use the site (for example, pages viewed, device and browser type, and approximate location derived from IP). We use this only for our own internal analytics; we do not sell this information, use it for advertising, or use it to train artificial-intelligence models. Google processes it as our analytics provider under its own terms. You can opt out through your browser settings or Google’s opt-out browser add-on, and we honor recognized universal opt-out signals such as Global Privacy Control where applicable; opting out will not affect your use of the Services.

09Data Security

We maintain administrative, technical, and physical safeguards designed to protect personal information, including:

• Encryption of data in transit and at rest through our infrastructure providers;
• Application-layer encryption of particularly sensitive stored credentials (such as third-party integration tokens);
• Tenant isolation and role-based access controls so that each Customer’s data is segregated and access is limited by role;
• Least-privilege access to production systems and secret-management practices that keep credentials out of source code; and
• Monitoring and logging to detect and respond to security events.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10Data Breach Notification

In the event of a breach of system security involving sensitive personal information, Permian Forge will provide notification as required by the Texas Identity Theft Enforcement and Protection Act, Tex. Bus. & Com. Code Ch. 521, and any other applicable law. Where we process Customer data as a processor, we will notify the affected Customer without undue delay after becoming aware of a breach affecting that data, so the Customer can meet its own notification obligations.

11International Users

The Services are operated from the United States and are intended for use by businesses operating in the United States. This Policy is written to reflect U.S. and, in particular, Texas law; the Services are not directed to individuals in the European Economic Area or United Kingdom, and we do not target the Services to those regions. If you access the Services from outside the United States, you understand that your information will be processed in the United States.

12Children’s Privacy

The Services are business tools not directed to children, and we do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us personal information, contact legal@permianforge.com.

13Changes to This Policy

We may update this Policy from time to time. We will post the updated version with a new “Last updated” date. For material changes, we will make reasonable efforts to provide advance notice to account holders (for example, by email to the account contact or an in-Service notice) before those changes take effect. Your continued use of the Services after an update takes effect means you accept the revised Policy.

14Contact Us

Questions or requests regarding this Policy or your personal information may be directed to legal@permianforge.com, or by mail to 5900 Balcones Drive #6477 Austin, TX 78731. The State of Texas is the governing jurisdiction for this Policy.