Privacy Policy

IRIS Software Group Limited is committed to protecting and respecting your privacy.

Our primary business is “data processing”.

This means that we process information given to us by other parties. In order to do this, we enter into contracts with organisations (such as accountants and employers) and it is those organisations that control the personal data and have responsibilities to you as the data controller. Data controllers are required to provide you with a detailed explanation of what they do with your personal data and how you may be affected. However, we are under obligations to ensure your data is processed properly too.

It is important that you read and understand the controller’s privacy policy. Please contact the relevant organisation for more details about the terms upon which we process data on their behalf.

Where we directly control your data, for example, as a result of an enquiry form on our website or because you are a direct customer of one of our services or products, we set out the details in our Privacy Notice below.

Introduction to our Privacy Statement

This privacy statement tells you what to expect us to do with your personal information when you make contact with us or use one of our services.

This notice is layered. The first part is a summary but, if you wish, you can easily go directly to the reason we process your personal information and see what we do with it.

We’ll tell you:

    • Why we are able to process your information.

    • What purpose we are processing it for.

    • Whether you have to provide it to us.

    • How long we store it for.

    • Whether there are other recipients of your personal information.

    • Whether we intend to transfer it to another country.

    • Whether we do automated decision-making or profiling.

Controller’s contact details

IRIS Software Group Ltd is the overall controller for the personal information we process, unless otherwise stated. Please see Appendix 1 for a list of legal entities falling within the IRIS Software Group.

There are many ways you can contact us, including by phone, email, live chat and post. If you have another request and wish to contact us, you can find more information  here.

Our postal address is:

Heathrow Approach
470 London Road
Slough
SL3 8QY

For general contact please use the Contact Us page of our website.

Data Protection Officer’s contact details

Our Group Data Protection Officer is Vincenzo Ardilio. You can contact him at dataprotection@iris.co.uk or via our postal address. Please mark the envelope ‘Group Data Protection Officer’. However:

    1. Data protection enquiries about our products should be directed to the relevant Support Team in the first instance. If you do not know how to contact Support, then please contact us through our “Contact Us” page.

    2. Routine data protection enquiries should also be directed through our “Contact Us” page.

    3. Enquiries about the security of our websites: webmaster@iris.co.uk.

EU Representative

We have appointed Paycheck Plus by IRIS to act as our EU Representative. If you are based in the EU and wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any queries in relation to your rights or general privacy matters, please email our Representative at dataprotection@paycheckplus.ie. Please include reference to “IRIS Capital Ltd” in any correspondence you send to our Representative.  Alternatively you may contact us directly at dataprotection@iris.co.uk.

PART 1: SUMMARY

How do we get information and why?

Most of the personal information we process as Data Controller is provided to us directly by you for one of the following reasons:

  • You have made an enquiry to us about our products or services or any other aspect of our business.
  • You are entering into a contract with us.
  • You are making a payment to us or have an account with us.
  • You have made a support request to us in relation to a product.
  • You wish to attend, or have attended, an event, either in person or online (webinar).
  • You subscribe to our e-newsletters, whitepapers or product updates.
  • You are representing your organisation.
  • You have asked for information or made a complaint.
  • You have visited our website – please see our cookie policy for more information about our use of cookies on our websites.

We also receive personal information from other sources for our marketing campaigns in the following scenarios:

  • Data and mailing lists provided to us by suppliers (including media partners), in response to a marketing activity such as an event, a whitepaper or a case study, to provide you with information about goods or services we feel may be of interest to you. We will only contact you if you have consented to this by ticking the relevant box situated on the form on which your data was collected.
  • Contact lists purchased from a third party, to enable us to promote our goods or services we feel may be of interest to you. We will only receive your contact details if you have consented for it to be shared with individual organisations.
  • We may upload email addresses to social media platforms (Twitter, LinkedIn). We may also obtain business contact information from publicly available social media (such as LinkedIn). In both cases this is to help us to target specific ad campaigns to the business sectors that are most likely to have an interest in our products and services. These actions in regard to personal data are performed on the lawful basis of legitimate interest as described in the GDPR at Article 6(f).

Our lawful basis for our marketing activity

Our legal basis for using personal information for our marketing campaigns is to meet our “legitimate interests”. If it is not disproportionate or prejudicial, we’ll contact you to let you know we are processing your personal information.

For some kinds of electronic marketing, such as email campaigns, we may require your consent before we can include you in our marketing campaign.  This would apply, for example, if you are a consumer or sole trader or partnership and have had no previous contact with IRIS.  In such cases our lawful basis for using your personal information for this purpose would be your informed consent.

What information do we use about you?

In most cases you will be aware of the information we use, because you have provided the information to us. The following are examples of the personal information we typically hold:

  • Information that you provided by filling in forms on our Websites. This includes subscribing to our services including: events and webinars; newsletters; hints and tips; reports, guides and whitepapers; training and service programmes; and support and product information.
  • When you complete a form you will usually be asked for the following:
    • Title, first and last name: we will collect this information from you to personalise communications and so that we can verify that we are speaking to the right person when we call.
    • The number of partners in your practice: we use this information to determine which IRIS team is best placed to speak to you about your business needs.
    • The number of employees for whom you process payroll: we use this information to determine which of our specialist product teams is best placed to discuss your business needs.
    • The number of clients your practice manages: we use this information to determine which IRIS team is best placed to speak to you about your business needs.
    • Valid phone number: we require a valid phone number so that an IRIS representative can follow up on your interest.
    • Postal code: a valid UK postcode is required so that your request can be followed up by a relevant geographic team.
    • Job title or role: we use this information to determine which team within IRIS is best placed to speak to you about your business need.
    • Valid email address. We will use your email address to send links to downloads you request, which includes free trials of software, whitepapers, guides and webinars. We will also use your email address to send information about products and services which we believe may interest you.
  • We may also ask you for information when you enter a competition or promotion sponsored by us and when you report a problem with our Websites.
  • If you contact us through our Websites, whether by sending messages to our email addresses, filling in any forms, using any online chat service or otherwise, we will keep a record of that correspondence.
  • We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
  • Details of financial transactions you carry out through our Websites and partner websites and of the fulfilment of your orders.

Further use of your information

We will continue to keep you informed about our products and services through our direct marketing and regular business contact. We will only do this where we have a legitimate interest in doing so, in line with your contact preferences and where you have not objected to this contact. If you are or have been a customer, we will only contact you by electronic means (email or SMS) with information about goods and services similar to those we previously sold to you or negotiated with you.

We also continue to use your personal data when required for any of the following purposes:

  • To carry out our obligations arising from any contracts or agreements between you and us
  • To allow you to participate in interactive features of our service, when you choose to do so
  • To allow you to participate in our competitions and promotions, when you choose to do so
  • To notify you about changes to our service
  • To ensure that content from our Websites is presented in the most effective manner for you and for your computer
  • To ensure that our records and the data we hold about you is accurate. To do this we will undertake data validation of your email and phone number
  • We will also check data quality within our CRM systems.

Updating personal information and preferences

If any of your personal information changes or becomes out of date, please let us know by contacting your account manager or designated point of contact so that your details can be amended.

You can update your contact preferences, as well as opt out of any email, direct mail and SMS communications, at any time via our preference centre.

You have a right to access the personal data we hold about you. To obtain a copy of the personal information we hold about you, please contact IRIS Software Group’s Data Protection Officer dataprotection@iris.co.uk.

How to exercise your right not to receive direct marketing from us

You can opt out at any time by informing us. Where you have provided specific consent you can withdraw it at any time. You can manage your preferences by using the preference centres listed below.

Who do we share information with?

IRIS may need to disclose your personal information to third parties in the following instances:

We may disclose your personal information to any member of our Group, which means our subsidiaries, our ultimate holding company and its subsidiaries.

Service providers: We will disclose your personal information to companies that provide certain services to us.

  • For example if your data is within our CRM system we use third parties to assist us in managing data quality and migration.
  • We also use suppliers to carry out data validation and to assist us in Marketing campaigns. If you sign up to receive our content or via a third party site we will undertake data validation of your phone and email address.

The service providers are required to keep your personal information confidential and are not permitted to use your personal information for any other purpose than to carry out the services they are performing for us.

We may need to disclose your personal information to a third party if it is necessary to comply with a legal obligation or the decision of a judicial authority, a public authority or a government body, or if disclosure is necessary for national security, law enforcement or other public interest.

Third parties in connection with a business sale: If we make a sale or transfer of assets, or are otherwise involved in a merger or business/asset transfer, we may transfer your personal information to one or more third parties as part of that transaction.

Other third parties with your consent: We may also share your personal information with other third parties when you separately consent to such sharing.

IRIS EU-U.S. and UK Extensions to the EU-U.S. Data Privacy Framework Overview

IRIS complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce.  IRIS has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

The following U.S. entities / subsidiaries of IRIS adhere to the Data Privacy Framework principles.

Accountants World, LLC

Apex Holdings Software Technologies LLC

Apex Software Technologies ES LLC

Apex Software Technologies LLC

Conarc Inc.

Creative Solutions Software Corp (MyPay)

Doc-It Corp.

Doc-It Holdings Inc.

Gator Blocker Corp

IRIS Americas Inc.

IRIS Software and Services Inc

Practice Engine Systems Inc.

 

International Transfer of your Personal Information

Due to the global nature of IRIS’s business, your personal information may be shared, disclosed and transferred between the various IRIS group companies and other third parties (as described in the above section on Who do we share information with?) where such transfers are required for legitimate business reasons. Such entities may be located outside the EU/UK. Your personal data may be transferred to the US or India, where the level of protection for personal information is not the same as in the UK or EU. IRIS takes steps and implements measures to keep your personal information secure.

As a member of the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce, IRIS has accountability for the onward transfer of data. As stated above, IRIS will transfer data to a third party for limited and specified purposes.

Transfers to India

If there is a need to transfer your data to India we use safeguards such as the standard contractual clauses and ensure processors are not permitted to extract or download or save data locally.

Transfers to the US

IRIS will not transfer your personal data for “in the clear” processing in the US. (“In the clear” means processing data in its basic identifiable form.) We will endeavour to put in safeguards to protect your rights and freedoms such as anonymising or pseudonymising personal data and withholding encryption keys.

Exceptions to the above

Convertr

IRIS uses a supplier called Convertr to validate customer contacts’ and new prospects’ email addresses and phone numbers. There may be instances where validation of an email address or phone number occurs outside of the EU; for example, where a Gmail email address is used, this may be validated on a server in the US. IRIS has standard contractual clauses in place with Convertr. Your data is encrypted in transit and is not stored by third parties. We consider this to be extremely low risk and unlikely to impact your rights and freedoms.

A summary of your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, IRIS Software Group and its subsidiaries and entities are subject to the investigatory and enforcement powers of the Federal Trade Commission. In compliance with the DPF, IRIS Software Group commits to cooperate and comply respectively with the advice of the panel established by EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

You may, under certain conditions, invoke binding arbitration. To learn more about these conditions and how to invoke binding arbitration, please visit https://www.dataprivacyframework.gov/framework-article/C%E2%80%93Pre-Arbitration-Requirements

IRIS Software Group

Where we have relied on your consent to process Personal Information, you have the right to withdraw such consent. Furthermore, you have the right to limit use and disclosure of your personal data. You can choose to opt out when your personal data is (i) disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally intended.

For more information on this principle, please visit:  Your Right to Limit Use and Disclosure of Your Data

If you would like to exercise any of these rights, please submit a ticket via the DPO desk. You also have the option to reach out directly to the contacts listed below.

Please use the Privacy Rights Form to make a request relating to any of your rights set out below:

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

For more information on this principle, please visit:  Your Right to Limit Use and Disclosure of Your Data

 

Your right to object to processing

You have the right to object to processing if we are able to process your information in our legitimate interests.

Setting your communication preferences

You can update your communications preferences from IRIS Software Group using the preference centre.

You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by writing to:

Heathrow Approach
470 London Road
Slough
SL3 8QY

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent, or under a contract or in talks about entering into a contract, and the processing is automated.

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

Use of cookies by IRIS Software Group

We use cookies. You can read more about how we do so, and the categories of cookies we use, by visiting our cookies page.

PART 2: DETAILED PRIVACY STATEMENTS

When you make an enquiry or contact Support

Purpose and legal basis for processing

Our support teams are based in the UK & India and when you contact us to make an enquiry, we collect information, including your personal data, so that we can respond to it.

The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when this is necessary for our legitimate interests or those of a third party.

What we need

We need enough information from you to answer your enquiry. When we speak to you, we will make an audio recording so that we can monitor the performance of all our staff. This is for training purposes, to establish the facts of transactions and enquiries, and to ensure compliance with our policies and procedures and any regulations we are subject to.

In certain circumstances we may make notes to provide you with a further service as required.

We will usually add your contact details to our Customer Relationship Management System (CRM) so that we can keep you informed about our products and services.

If you contact us via email or post, we’ll need a return address for the response.

What we do with it

We’ll keep a record of your enquiry so we can get it to the correct area of the business to be dealt with. We’ll also keep a record of our response. We use the information supplied to us to deal with the enquiry and any subsequent issues that may arise, and to check on the level of service we provide.

How long we keep it

Please see our retention schedule.

What are your rights?

As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. Please see summary of your data protection rights above.

Are there other recipients of your information?

Yes, there may be, depending on the way in which you contact us:

When you contact us by email

At times of peak workloads (for example, tax year-end), we use IRIS KPO to assist us with providing support.  IRIS KPO is based in India. Any transfer of personal data to IRIS KPO is governed by the safeguards we put in place such as the EU Model Data Protection Clauses.  IRIS KPO holds the ISO27001:2013 certification for Information Security Management Systems.  For more information, please contact dataprotection@iris.co.uk.

When you contact us via social media

We use a third-party provider, Hootsuite, to manage our social media interactions.

If you send us a private or direct message via social media the message will be stored by Hootsuite for three months. It will not be shared with any other organisations.

When you use our Live Chat service

We use a third party provider to supply and support our Live Chat service, which we use to handle customer enquiries in real time.

If you use the Live Chat service we will collect your name, email address (optional) and the contents of your Live Chat session.

You can request a transcript of your Live Chat session if you provide your email address at the start of your session or when prompted at the end.

At times of peak workloads (for example, tax year-end), we use IRIS KPO to assist us with providing support. IRIS KPO is based in India. Any transfer of personal data to IRIS KPO is governed by the safeguards we put in place such as the EU Model Data Protection Clauses. IRIS KPO holds the ISO27001:2013 certification for Information Security Management Systems. For more information, please contact dataprotection@iris.co.uk.

When we store records in Microsoft Office 365

We use Office 365 Business, which is a subscription plan that allows us to access Office applications such as Word, Excel and SharePoint over the internet.

You are entering into a contract with us

Purpose and legal basis for processing

When you negotiate with us to buy a product or start using one of our services, we process some personal information so that we can enter into an agreement with you or the organisation that you represent.

The legal basis we rely on to process your personal data is article 6(1)(b) of the GDPR, which allows us to process personal data when this is necessary for the performance of a contract to which you are a party or in order for us to take steps at your request prior to entering into a contract.

What we need

If you are entering into a contract with us we will need your full contact details including address, email and telephone number as well as your job title or position in your business. If we need further information, this will be made clear to you as we will ask you for it at the time.

What we do with it

We store customer contracts and related personal information within dedicated files in our Office 365 system and a contract database. We also hold some contracts in hard copy.

How long we keep it

We keep personal data relevant to contracts until contract expiry and then for a further 6 years. Please see our retention schedule at Appendix 3 for more detail.

What are your rights

As we are processing your personal data for the purpose of entering into a contract with you, you have the right in principle to data portability. However, there are limitations as to when this right applies. Please see Summary of your data protection rights above.

Are there other recipients of your information?

We will make your personal information available within the IRIS Software Group on a need-to-know basis in order to achieve our legitimate business objectives. If we have sub-contracted any aspect of the product or services you are using, we may need to share your details with the relevant supplier, also on a need-to-know basis.

Occasionally we receive requests from law enforcement agencies and regulatory bodies for customer contact details and personal data, which might be relevant to an investigation or similar official matter. We must disclose the requested data if we are under a court order to do so. We may also decide to disclose personal data without a court order where we have made an assessment that the information is relevant and proportionate to the issue under investigation.

When dealing with payments or account administration

Purpose and legal basis for processing

When you become a customer of ours, we process personal information to maintain our own accounts and records and to enable us to provide accounting, auditing and related services.

The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when this is necessary for our legitimate interests or those of a third party.

What we need

We need your contact and personal details, the products or services you are using, your financial details and sometimes your employment details (particularly if you are representing your employer).

What we do with it

We use the information we hold to allow us to contact you from time to time with respect to matters of your account such as payments and administration. We will use the information on your products and services to allow for order processing and invoicing, including with respect to renewal agreements. We may also use this information to facilitate the audit of our finances as required by HMRC or statute.

How long we keep it

We will keep this information for as long as you remain a customer of IRIS and for a period of up to 6 years where the information may be required for audit by HMRC or by statute.

Please see our retention schedule at Appendix 3 for more details.

What are your rights

As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. Please see summary of your data protection rights above.

Are there other recipients of your information?

We don’t transfer the data we use for our financial accounting purposes to another company or use any automated profiling.

You wish to attend, or have attended, an event

Purpose and legal basis for processing

Our purpose for collecting this information is so we can facilitate the event and provide you with an acceptable service.

The legal basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR. When we collect any information about dietary or access requirements we also need your consent (under article 9(2)(a)) as this type of information is classed as special category data.

What we need

If you wish to attend one of our events, you will be asked to provide your contact information including your organisation’s name and, if offered a place, information about any dietary requirements or access provisions you may need. We may also ask for payment if there is a charge to attend.

What we do with it

If you are not successful in securing a place, we’ll let you know and hold your details on a reserve list in case a place becomes available.

If you are allocated places at an event, we’ll ask for information about any dietary/access requirements. We don’t share this information in any identifiable way with the venue, and we delete it after the event.

Note that when registering for an event or webinar we will share your information with third party providers such as ON24, EventBrite, GoToWebinar and WebEx to deliver the event.

We may contact you on behalf of our event sponsors, to promote their products or services where we believe there is a legitimate interest and in line with your preferences.

Do we use any data processors?

Yes – we use data processors who act on our instructions to help facilitate the events (see above).

We may sometimes charge a fee to attend an event. If this happens, our communications about the event will provide details of the data processor we use to collect payments.

How long we keep it

Please see our retention schedule at Appendix 3.

What are your rights?

We rely on your consent to process the personal data you give us to facilitate the event. This means you have the right to withdraw your consent at any time. If you do that, we’ll update our records immediately to reflect your wishes. Please also see summary of your data protection rights above.

You subscribe to our content

What type of content can you subscribe to?

You can subscribe to read Blogs, Case Studies, Industry Reports, Infographics, Knowledge-Base Articles, Newsletters, Presentations, Product Demonstrations, Product Updates, Videos, Webinars and Guides.

Purpose and legal basis for processing

Our purpose for collecting this information is so we can send you the requested content, and our legal basis is your consent, which you have indicated by providing us with your details. We may also send you details of other products or services that we think you will be interested in; we do this where we believe there is a legitimate interest and in line with your preferences.

What we need

If you wish to receive information from us, you will be asked to provide your contact information including your name, your organisation’s name and other details about your organisation.

What we do with it

Your details will be held on our CRM database and the information you have requested will be sent to you. We may also send you details of other products or services.

Are there any other recipients?

We use third party suppliers to undertake data validation of your email and phone number. To undertake the validation we may need to transfer your telephone or email address outside the EU/UK.  Please refer to International Transfer of your Personal Information for further information and for the measures we put in place to ensure your data remains secure.

How long we keep it

Please see our retention schedule at Appendix 3.

What are your rights?

We rely on your consent to process the personal data you give us. This means you have the right to withdraw your consent at any time. As we also rely on legitimate interest, you do have the right to object. If you do that, we’ll update our records immediately to reflect your wishes. Please also see the summary of your data protection rights above.

You are representing your organisation

We hold the names and contact details of individuals acting in their capacity as representatives of their organisations, across the business. The legal basis is article 6(1)(c) of the GDPR for any legal obligation or article 6(1)(f) because the processing is within our legitimate interests as a business.

You have asked for information or made a complaint

Purpose and legal basis

Our purpose for collecting this information is so we can provide you with the information you have requested and resolve any complaints you have raised with us. We have a legitimate business interest in responding to enquiries, requests for information and complaints under Article 6(1)(f) of the GDPR.

What we need

We need enough information to allow us to deal with your request or to investigate the complaint. This is likely to vary from case to case. If we need more information from you to help us resolve the issue, we will be in touch.

What we do with it

When we receive a complaint from a person, we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We may compile statistics showing information such as the number of complaints we receive, but not in a form that identifies anyone.

How long we keep it

Please see our retention schedule at Appendix 3.

What are your rights?

As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. Please see the summary of your data protection rights above.

Are there any other recipients?

We do not routinely share enquiries or complaints with other people or organisations but we may need to do so if this is necessary to resolve the issue you have raised. If we decide we need to share details of your complaint outside of IRIS Group, we will let you know before we do so.

Visitors to our website

What we need

When you visit our company websites, we use third-party services to collect internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site.

We also use behavioural retargeting to collect information which allows IRIS and its partners to inform, optimise and serve you with advertising based on your past use of our Websites.

What do we mean when we refer to “partners” of IRIS in relation to our websites?

Generally speaking, we mean third parties or publicly available sources. We may receive personal data about you from various third parties as set out below:

  • Technical & Usage Data from parties such as our analytics providers (including Google), and advertising networks (see below).
  • Identity, Contact, Profile, Financial, Transaction, Usage and Technical Data from providers of technical, payment and delivery services.
  • Identity, Contact, Profile, Usage and/or Technical Data from social media platforms which are publicly available or through which you may log in or interact with the Site.

Cookies

  • We use cookies, which are small files with a code that is stored on your device, with your consent. They are retrieved from your device when you next visit the Site. This allows the site to recognise information about your use and browsing.
  • We use a cookies consent tool on our website which notifies you of our use of cookies when you first enter our site and gives you the opportunity to refuse the use of cookies or to consent by accepting the use of cookies on our site.
  • Full information on which cookies we use is available in our Cookies Policy, along with guidance about how you can set your browser to refuse all or some cookies (but that may affect some use of the Site).

Security and performance

We use a third-party web application firewall to help maintain the security and performance of our website. The service checks that traffic to the site is behaving as would be expected. The service will block traffic that is not using the site as expected. To provide this service, our security provider processes site visitors’ IP addresses.

Purpose and legal basis for processing

The purpose for implementing the above is to:

  • Ensure any advertising is relevant to you – our use of cookies is based on your consent which you give when you continue to use our site after the appearance of the initial notification about cookies.
  • Maintain and monitor the performance of our website and to constantly look to improve the site and the services it offers to our users. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests and does not detrimentally affect your rights and freedoms.

What are your rights?

As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data by altering your preferences on both our sites and our partners’ sites. Please see the summary of your data protection rights above.

Appendix 1 – IRIS Software Group subsidiaries that may collect personal data

Where your data is being collected by any of the following IRIS Group subsidiaries, where they are acting as data controller, this will be made clear at the point of collection:

  • IRIS Business Software Ltd
  • IRIS Capital Ltd
  • IRIS KPO Resourcing (India) Private Ltd
  • KashFlow Ltd
  • Staffology Ltd

Appendix 3 – IRIS customer-facing retention schedule

| Record | Trigger | Retention Period |
|---|---|---|
| Corporate complaints, including complaints regulated by the FCA | End of financial year in which case closed | 6 years |
| General individual complaints | End of financial year in which case closed | 3 years |
| Personal data disclosure requests (police enquiries and third parties) | End of financial year in which case closed | 3 years |
| General enquiries (record of correspondence) | | 2 years |
| Customer support/JIRA correspondence | End of financial year | 3 years |
| Call recordings (general) | End of call | 3 months |
| Call recordings (specific – relating to complaints or open matters) | Last action | Filed with matter they relate to and subject to the same retention requirements as the matter they relate to. |
| Customer Contracts (signed) | Expiry of contract | 6 years |
| Pre-contract advice and contract negotiations | End of financial year in which negotiations completed | 2 years |
| Financial transactions and prime documents | End of financial year | Up to 6 years |
| Non-customer, customer/prospect personal data held for marketing and sales purposes that have not engaged. This information is collected through event bookings, white papers, newsletter subscriptions and other similar interactions with IRIS. | First contact | 24 months |

Disclosure: all forms of responsible disclosure are welcomed. This includes any vulnerabilities found in IRIS products. IRIS takes the security of its products and services seriously, and fully supports good faith reports made by security researchers. You can contact our product security team by emailing bug reports to product-security@iris.co.uk.

Appendix 4 – US Privacy Statement

Here at IRIS Software, we extend our commitment to protecting and respecting privacy in every location where we conduct business. IRIS partners with businesses and partners throughout the United States. US consumers have specific rights regarding their personal information, which vary depending on where the consumer resides. A consumer may invoke the consumer rights authorized pursuant to this subsection at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke.

Your Data Rights 

  • The right to opt-out from the sale of their personal data, or use of personal data for targeted advertising and certain types of profiling
  • The right to know whether a controller is collecting personal data
  • The right to access personal data that a controller has collected about them
    • the categories of personal information it has collected about that consumer
    • the categories of sources from which the personal information is collected
    • the business or commercial purpose for collecting or selling personal information
    • the categories of third parties with whom the business shares personal information
    • the specific pieces of personal information it has collected about that consumer
  • The right to correct personal data
  • The right to delete personal data

In order to provide services, IRIS must collect and process information about you. The information collected will be used for clearly stated business purposes, as outlined in our overall privacy policy above.

 

Data Disclosure Request

You have the right to request that IRIS disclose certain information to you about our collection and use of your personal information over the past 12 months.

Once we receive and confirm your verifiable consumer request, we will disclose to you:

  • The categories of Personal Information we collected about you
  • The categories of sources for the Personal Information we collected about you
  • Our business or commercial purpose for collecting that Personal Information
  • The specific pieces of Personal Information we collected about you

Data Deletion Request 

You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the personal information
  • Provide a good or service that you requested
  • Fulfill a contractual obligation to you
  • Comply with a legal obligation

To exercise the access, data portability, and deletion rights described above, please submit a verifiable request to us by either:

By Email

Please submit a written request to privacynorthamerica@iris.co.uk

By online submission

Please complete the form

Submit your request to exercise your privacy rights here

 

Response Timing and Format 

We strive to deliver outstanding service and will respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

If you would like further information about any of the information outlined in this privacy policy or have any other questions about how we collect, store or use your personal information, you may email the North America Privacy Team.