Iris is designed with privacy as a core principle. This guide explains how your data is handled, what information is collected, and how to maximize your privacy when using the tool.

The Short Version

Privacy First Approach
  • No user accounts or authentication required
  • No tracking, analytics, or cookies
  • Search queries are not stored
  • Direct API communication with third parties
  • Open source and fully auditable

What We Don’t Collect

Iris is built to respect your privacy. Here’s what we don’t do:

No Accounts

No registration, login, or user authentication system

No Tracking

No analytics, cookies, or behavioral tracking

No Storage

Search queries and results are not stored on our servers

No Data Sales

We don’t collect data, so there’s nothing to sell or share

How Iris Handles Your Data

Image Uploads

When you upload an image for reverse image search:
1. Temporary Upload

Your image is uploaded to ImgBB, a third-party image hosting service. This is necessary to perform reverse image searches across Google Lens, Yandex, and Bing.
2. Auto-Deletion

Images are configured to automatically delete after 10 minutes (600 seconds). This is set via the IMAGE_EXPIRY environment variable.
IMAGE_EXPIRY=600  # Auto-delete after 10 minutes
3. No Local Storage

Iris does not keep any copy of your uploaded images on its servers. Once the temporary ImgBB URL is generated, the image only exists on ImgBB’s infrastructure.

Important Considerations

While Iris sets images to expire after 10 minutes, ImgBB controls the actual deletion process. For maximum privacy:
  • Use image URLs instead of file uploads when possible
  • Self-host Iris with your own image hosting solution
  • Avoid uploading sensitive or private images

Search Queries

All search queries (username, email, domain, company) are sent directly to third-party APIs:

Username Search

Queries sent to WhatsMyName, Sherlock, and Maigret APIs

Email Lookup

Requests sent to IPQualityScore API

Domain Analysis

Uses public DNS, WHOIS, and SSL certificate data

Company Search

Queries UK Companies House, GLEIF, and SEC EDGAR
Iris acts as a proxy to these services. Your queries pass through the Iris server to reach the APIs, but they are not logged or stored.

Third-Party Services

When you use Iris, your data interacts with various third-party services. Each has its own privacy policy:

Service | Purpose | Privacy Policy
ImgBB | Temporary image hosting | imgbb.com/privacy
IPQualityScore | Email verification and fraud detection | ipqualityscore.com/privacy-policy
WhatsMyName | Username enumeration | Public API, no account required
Sherlock | Social media profile discovery | Open source project
Maigret | Username OSINT | Open source project
Companies House | UK company data | companieshouse.gov.uk/privacy
GLEIF | Legal Entity Identifier database | gleif.org/privacy
SEC EDGAR | US company filings | sec.gov/privacy
Google Lens | Reverse image search | google.com/privacy
Yandex | Reverse image search | yandex.com/legal/privacy
Bing | Reverse image search | microsoft.com/privacy

Important Notice

Iris has no control over how third-party services handle your queries. We recommend reviewing their privacy policies if you have specific concerns about data handling.

Server Logs

Hosted Instances

If you use a hosted version of Iris (e.g., on Vercel), standard server logs may be maintained:
  • IP addresses - Required for basic server operation
  • Request timestamps - For performance monitoring
  • HTTP request headers - Standard web server logging
  • Error logs - For debugging and stability
Hosting providers like Vercel have their own data retention policies. Check your provider’s privacy policy for details.

Self-Hosted Instances

When you self-host Iris, you have complete control:
  • Configure logging levels via NEXT_PUBLIC_LOG_LEVEL
  • Control server log retention
  • Implement your own privacy policies
  • No data shared with third-party hosting providers

Maximizing Your Privacy

1. Self-Host Iris

The most private way to use Iris is to run it on your own infrastructure:
git clone https://github.com/chinmay505/iris.git
cd iris
npm install
npm run build
npm start
See the Self-Hosting Guide for detailed instructions.
2. Use Your Own API Keys

Configure your own API keys to ensure queries are associated with your accounts:
IMGBB_API_KEY=your_key
IPQS_API_KEY=your_key
COMPANIESHOUSE_API_KEY=your_key
See the API Keys Guide for setup instructions.
3. Disable Logging

Set logging to minimal or disabled in production:
NEXT_PUBLIC_LOG_LEVEL=0  # Disable all logging
4. Use VPN or Tor

Route your traffic through a VPN or Tor for additional anonymity when making OSINT queries.
5. Prefer URLs Over Uploads

For image searches, use image URLs instead of uploading files when possible to avoid temporary storage on ImgBB.

Data Retention

Iris Application

Search Queries

Not stored - Queries are processed in real-time and not saved

Search Results

Not stored - Results are displayed directly from APIs

Uploaded Images

10 minutes - Auto-deleted from ImgBB after expiry

User Sessions

No sessions - No authentication or session management

Third-Party Services

Data retention by third parties varies:
  • ImgBB: Images deleted after configured expiry time (default 10 minutes)
  • IPQualityScore: May log API requests per their privacy policy
  • Other APIs: Each service has different retention policies
When self-hosting, you can implement your own image hosting solution to completely control image data retention.

Security Features

Application Security

  • No authentication system - Reduces attack surface
  • Minimal data storage - Less data to protect
  • Open source code - Fully auditable on GitHub
  • Regular updates - Security patches and dependency updates

API Key Protection

Best Practices for API Keys
  1. Never commit .env files to version control
  2. Use different keys for development and production
  3. Rotate keys periodically
  4. Monitor API usage for anomalies
  5. Revoke keys immediately if compromised
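
An added example, not code from the Iris project: a shell check of a self-hosted .env file against the settings under Maximizing Your Privacy and the API key practices above. The variable names come from this page; the function names, the use of 600 seconds as an upper limit, and the sample file are assumptions, as is the NEXT_PUBLIC_ check, which presumes Iris is a Next.js app where that prefix exposes a value to the browser.

```shell
#!/bin/sh
# Added example: audit a self-hosted Iris .env against this page's recommendations.
# Variable names are from the page; function names and the sample file are constructed.

# Value of key $2 in env file $1 (last assignment wins; inline comment, spaces, quotes dropped).
env_get() {
  sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | tail -n 1 | tr -d " \"'"
}

# Succeeds when env file $1 is tracked by git, which the page says must never happen.
env_is_tracked() {
  git -C "$(dirname "$1")" ls-files --error-unmatch -- "$(basename "$1")" >/dev/null 2>&1
}

# Print one finding per line for env file $1; print nothing when it is clean.
audit_env() {
  f=$1
  expiry=$(env_get "$f" IMAGE_EXPIRY)
  case $expiry in
    '') ;;  # unset: the page documents a 10-minute default
    *[!0-9]*) echo "IMAGE_EXPIRY is not a number of seconds: $expiry" ;;
    *) if [ "$expiry" -gt 600 ]; then echo "IMAGE_EXPIRY=$expiry keeps uploads on ImgBB past 600s"; fi ;;
  esac
  level=$(env_get "$f" NEXT_PUBLIC_LOG_LEVEL)
  if [ "$level" != "0" ]; then echo "NEXT_PUBLIC_LOG_LEVEL is '$level', not 0"; fi
  for k in IMGBB_API_KEY IPQS_API_KEY COMPANIESHOUSE_API_KEY; do
    if [ "$(env_get "$f" "$k")" = "your_key" ]; then echo "$k still holds the placeholder"; fi
  done
  if env_is_tracked "$f"; then echo "$f is tracked by git"; fi
  # Assumption: Iris is a Next.js app, where NEXT_PUBLIC_* values are inlined into
  # the browser bundle, so no secret may carry that prefix.
  grep -E '^[[:space:]]*NEXT_PUBLIC_[A-Z0-9_]*(KEY|SECRET|TOKEN)' "$f" | cut -d= -f1 |
    while read -r name; do echo "$name is exposed to every browser"; done
}

# Constructed sample file, not a real Iris configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
IMAGE_EXPIRY=86400
NEXT_PUBLIC_LOG_LEVEL=2
IMGBB_API_KEY=your_key
IPQS_API_KEY=constructed-value
NEXT_PUBLIC_IPQS_API_KEY=constructed-value
EOF
audit_env "$sample"
rm -f "$sample"
```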

HTTPS Encryption

When deploying Iris:
  • Use HTTPS to encrypt data in transit
  • Configure SSL/TLS certificates
  • Enable HSTS (HTTP Strict Transport Security)
  • Use modern TLS protocols (1.2+)

Privacy by Design

Iris follows privacy-by-design principles:
  1. Data Minimization - Only collect what’s absolutely necessary
  2. Purpose Limitation - Data used only for intended OSINT purposes
  3. Transparency - Open source code allows full inspection
  4. User Control - Self-hosting option gives complete control
  5. Security - Minimal attack surface and regular updates

Compliance

GDPR Considerations

For EU users:
  • No personal data is collected by Iris itself
  • Third-party APIs may be subject to GDPR
  • Self-hosting provides maximum control for compliance
  • No cookies or tracking means no consent banners needed

Data Subject Rights

Since Iris doesn’t store user data:
  • Right to Access - No user data stored to access
  • Right to Erasure - No data to delete
  • Right to Portability - No user data collected
  • Right to Object - No automated decision making

Changes to Privacy Policy

As Iris is open source, any changes to data handling will be:
  1. Visible in the GitHub repository
  2. Documented in release notes
  3. Updated in this documentation
  4. Available for community review
The source code is the ultimate source of truth. You can always review exactly how Iris handles data by inspecting the codebase.

Questions & Support

View Source Code

Inspect how Iris handles your data

Report Issues

Report privacy concerns or bugs

Self-Hosting Guide

Deploy for maximum privacy control

API Configuration

Set up your own API keys

Last Updated: January 2026

This privacy documentation reflects the current state of the Iris OSINT tool. For the most up-to-date information, always refer to the source code and latest documentation.