Legal

Privacy Policy

Effective date: April 8, 2026 · Ironwood Dynamics LLC

The short version: CarryGuard does not collect your name, email address, phone number, or any information that identifies you as a person. We never have and we never will.

Who we are

CarryGuard is built and operated by Ironwood Dynamics LLC, a Wyoming limited liability company. Questions or concerns about this policy can be sent to hello@getcarryguard.com.

What we collect

CarryGuard generates an anonymous UUID on first launch. That UUID, along with your subscription tier and subscription status, is the entire set of data we store. We do not collect your name, email address, phone number, mailing address, date of birth, social security number, or any other personally identifiable information. There is no account to create and no profile to fill out.

Location data

GPS is used on-device only to determine which jurisdiction you are currently in. Your precise coordinates are never transmitted to our servers — not now, not ever. On the Guardian tier, location data that you choose to share during a duress event is sent only to the trusted contacts you have configured yourself. It never passes through Ironwood Dynamics.

The vault

CarryGuard's vault is the system of record for every acknowledgment the app writes — what you agreed to, when, and under which version. On Free tier the vault exists without a lock; it holds your acknowledgments in the clear. On Carrier and Guardian, a primary PIN locks the vault, and documents stored inside are encrypted on-device with AES-256. We cannot read the contents of your vault and we have no mechanism to decrypt it. The vault PIN is stored only on your device and never leaves it. Acknowledgment records are append-only. You can withdraw consent, but nothing is deleted — the withdrawal is itself a record. You can export your data anytime, indefinitely, regardless of subscription status. If you lose your PIN, we cannot recover your vault for you — that is the trade-off of a truly private vault.

Duress behavior

At every PIN surface across the app, entering your duress PIN produces a plausible decoy result — a decoy vault, a decoy export, a decoy settings screen — nothing on screen, in logs, or in telemetry distinguishes duress from a normal unlock. This happens locally, on your device, at every tier from Carrier up. Guardian tier adds a silent evidence chain on top: a photo from the front camera, GPS coordinates, a timestamp, and a device fingerprint are captured and transmitted to the trusted contacts you configured. Ironwood Dynamics never receives, stores, or has access to that data. The chain is configured by you, triggered by you, and routed only to people you have chosen.

Third-party services

CarryGuard uses a small number of third-party services to keep the app running. RevenueCat handles subscription entitlement state and receives only your anonymous UUID — no PII is passed. Stripe processes payments; we do not store card details on our servers. Railway hosts our API and processes only your anonymous UUID and subscription status.

Crash reporting and analytics

We collect anonymous crash reports containing the operating system version, app version, and stack trace so we can fix bugs. No UUID is attached to these reports. CarryGuard contains no behavioral analytics, no tracking pixels, and no advertising SDKs of any kind.

Data retention and deletion

Your anonymous UUID and subscription tier — the only records stored on our servers — are retained for up to 90 days after cancellation for billing dispute purposes, and then permanently deleted. Your vault and its contents live on your device and are not touched by cancellation. You can export your vault indefinitely while the app is installed, and downgrading a tier never modifies vault contents or PIN configuration. You can request server-side UUID deletion at any time by emailing hello@getcarryguard.com with the UUID shown in your app settings. Deletion requests are confirmed within 7 business days.

Children

CarryGuard is not directed at users under the age of 18, and we do not knowingly collect any data from minors.

Changes to this policy

If we make material changes to this policy, we will update the effective date above and surface an in-app notice so you are not caught off guard. The core anonymous-by-design architecture of CarryGuard will never change.

Contact

Questions about this policy or about your data can be sent to hello@getcarryguard.com. Ironwood Dynamics LLC, Wyoming.