IRIS Software Group Limited is committed to protecting and respecting your privacy.

Our primary business is “data processing”.

This means that we process information given to us by other parties. In order to do this, we enter into contracts with organisations (such as accountants and employers) and it is those organisations that control the personal data and have responsibilities to you as the data controller. Data controllers are required to provide you with a detailed explanation of what they do with your personal data and how you may be affected. However, we are under obligations to ensure your data is processed properly too.

It is important that you read and understand the controller’s privacy policy. Please contact the relevant organisation for more details about the terms upon which we process data on their behalf.

Where we directly control your data, for example, as a result of an enquiry form on our website or because you are a direct customer of one of our services or products, we set out the details in our Privacy Notice below.

Our Privacy Notice

This privacy notice tells you what to expect us to do with your personal information when you make contact with us or use one of our services.

This notice is layered. So, the first part is a summary but, if you wish, you can easily go directly to the reason we process your personal information and see what we do with it.

We’ll tell you:

  • Why we are able to process your information.
  • What purpose we are processing it for.
  • Whether you have to provide it to us.
  • How long we store it for.
  • Whether there are other recipients of your personal information.
  • Whether we intend to transfer it to another country.
  • Whether we do automated decision-making or profiling.

The following part of the notice is information we need to tell everybody:

Controller’s contact details

IRIS Software Group Ltd is the overall controller for the personal information we process, unless otherwise stated. Please see Appendix 1 for a list of legal entities falling within the IRIS Software Group.

There are many ways you can contact us, including by phone, email, live chat and post. More details can be seen here.

Our postal address is:

Heathrow Approach
470 London Road
Slough
SL3 8QY

For general contact please use the Contact Us page of our website.

Data Protection Officer’s contact details

Our Group Data Protection Officer is Vincenzo Ardilio. You can contact him at dataprotection@iris.co.uk or via our postal address. Please mark the envelope ‘Group Data Protection Officer’. However:

  1. Data protection enquiries about our products should be directed to the relevant Support Team in the first instance. If you do not know how to contact Support, then please contact us through our “Contact Us” page.
  2. Routine data protection enquiries should also be directed through our “Contact Us” page.
  3. Enquiries about the security of our websites: webmaster@iris.co.uk.

PART 1: SUMMARY

How do we get information and why?

Most of the personal information we process as Data Controller is provided to us directly by you for one of the following reasons:

  • You have made an enquiry to us about our products or services or any other aspect of our business.
  • You are entering into a contract with us.
  • You are making a payment to us or have an account with us.
  • You have made a support request to us in relation to a product.
  • You wish to attend, or have attended, an event, either in person or online (webinar).
  • You subscribe to our e-newsletters, whitepapers or product updates.
  • You are representing your organisation.
  • You have asked for information or made a complaint.
  • You have visited our website – please see our cookie policy for more information about our use of cookies on our websites.

We also receive personal information from other sources for our marketing campaigns in the following scenarios:

  • Data and mailing lists provided to us by suppliers (including media partners), in response to a marketing activity such as an event, a whitepaper or a case study, to provide you with information about goods or services we feel may be of interest to you. We will only contact you if you have consented to this by ticking the relevant box situated on the form on which your data was collected.
  • Contact lists purchased from a third party, to enable us to promote our goods or services we feel may be of interest to you. We will only receive your contact details if you have consented for it to be shared with individual organisations.
  • We may upload email addresses to social media platforms (Twitter, LinkedIn). We may also obtain business contact information from publicly available social media (such as LinkedIn). In both cases this is to help us to target specific ad campaigns to the business sectors that are most likely to have an interest in our products and services. These actions in regard to personal data are performed on the lawful basis of legitimate interest as described in the GDPR at Article 6(f).

Our lawful basis for our marketing activity

Our legal basis for using personal information for our marketing campaigns is to meet our “legitimate interests”. If it is not disproportionate or prejudicial, we’ll contact you to let you know we are processing your personal information.

How to exercise your right not to receive direct marketing from us

You can opt-out at any time by informing us. Where you have provided specific consent you can withdraw it at any time. You can manage your preferences by using the preference centres listed below.

What information do we collect from you?

In most cases you will be aware of the information we use, because you have provided the information to us. The following are examples of the personal information we typically hold:

  • Information that you provided by filling in forms on our Websites. This includes subscribing to our services including: events and webinars; newsletters; hints and tips; reports, guides and whitepapers; training and service programmes; and support and product information.
  • When you complete a form you will usually be asked for the following:

    • Title, first and last name: we will collect this information from you to personalise communications and so that we can verify that we are speaking to the right person when we call.
    • The number of partners in your practice: we use this information to determine which IRIS team is best placed to speak to you about your business needs.
    • The number of employees for whom you process payroll: we use this information to determine which of our specialist product teams is best placed to discuss your business needs.
    • The number of clients your practice manages: we use this information to determine which IRIS team is best placed to speak to you about your business needs.
    • Valid phone number: we require a valid phone number so that an IRIS representative can follow up on your interest.
    • Postal code: a valid UK postcode is required so that your request can be followed up by a relevant geographic team.
    • Job title or role: we use this information to determine which team within IRIS is best placed to speak to you about your business need.
    • Valid email address. We will use your email address to send links to downloads you request, which includes free trials of software, whitepapers, guides and webinars. We will also use your email address to send information about products and services which we believe may interest you.
  • We may also ask you for information when you enter a competition or promotion sponsored by us and when you report a problem with our Websites.
  • If you contact us through our Websites, whether by sending messages to our email addresses, filling in any forms, using any online chat service or otherwise, we will keep a record of that correspondence.
  • We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
  • Details of financial transactions you carry out through our Websites and partner websites and of the fulfilment of your orders.

Further use of your information

When you contact us in any of the above scenarios we will keep a record of your contact and we will continue to keep you informed about our products and services through our direct marketing and regular business contact. We will only do this where we have a legitimate interest in doing so, in line with your contact preferences and where you have not objected to this contact. If you are or have been a customer, we will only contact you by electronic means (email or SMS) with information about goods and services similar to those we previously sold to you or negotiated with you.

We also continue to use your personal data when required for any of the following purposes:

  • To carry out our obligations arising from any contracts or agreements between you and us
  • To allow you to participate in interactive features of our service, when you choose to do so
  • To allow you to participate in our competitions and promotions, when you choose to do so
  • To notify you about changes to our service
  • To ensure that content from our Websites is presented in the most effective manner for you and for your computer

Updating personal information and preferences

If any of your personal information changes or becomes out of date, please let us know by contacting your account manager or designated point of contact so that your details can be amended.

You can update your contact preferences as well as opt-out of any email, direct mail and SMS communications anytime via our preference centre.

You have a right to access the personal data we hold about you. To obtain a copy of the personal information we hold about you, please contact IRIS Software Group’s Data Protection Officer dataprotection@iris.co.uk.

Use of cookies by IRIS Software Group

We use cookies. You can read more about how we do so, and the categories of cookies we use, by visiting our cookies page.

Disclosure of your information within IRIS Software Group

We may disclose your personal information to any member of our Group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 736 of the UK Companies Act 2006.

If we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer.

If our business or assets are acquired by a third party, the personal data of our customers would also be transferred.

Disclosure of your information outside of the IRIS Software Group

We may disclose your personal information to third parties if we are under a duty to do so. This would include disclosing or sharing your personal data in order to comply with a legal obligation that we are under, or in order to enforce or apply our terms of use and other agreements. This would also include protecting our rights, property, or safety (or that of our customers and others).

We also exchange information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

A summary of your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. Please use the Contact Us page to make a request relating to any of your rights set out below:

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to processing if we are able to process your information in our legitimate interests.

Setting your communication preferences

You can update your communications preferences from IRIS Software Group using the preference centre:

You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by writing to:

Heathrow Approach
470 London Road
Slough
SL3 8QY

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract, and the processing is automated.

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

PART 2: DETAILED PRIVACY STATEMENTS

When you make an enquiry or contact Support

Purpose and legal basis for processing

When you contact us to make an enquiry, we collect information, including your personal data, so that we can respond to it.

The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when this is necessary for our legitimate interests or those of a third party.

What we need

We need enough information from you to answer your enquiry. If you call us, we will make an audio recording so that we can monitor the performance of our staff for training purposes, establish the facts of transactions and enquiries, ensure compliance with our policies and procedures and any regulations we are subject to.

In certain circumstances we may make notes to provide you with a further service as required.

We will usually add your contact details to our Customer Relationship Management System (CRM) so that we can keep you informed about our products and services.

If you contact us via email or post, we’ll need a return address for the response.

What we do with it

We’ll keep a record of your enquiry so we can get it to the correct area of the business to be dealt with. We’ll also keep a record of our response. We use the information supplied to us to deal with the enquiry and any subsequent issues that may arise, and to check on the level of service we provide.

How long we keep it

Please see our retention schedule.

What are your rights?

As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. Please see summary of your data protection rights above.

Are there other recipients of your information?

Yes there may be, depending on the way in which you contact us:

When you contact us by email

At times of peak workloads (for example, tax year-end), we use IRIS KPO to assist us with providing support. IRIS KPO is based in India. Any transfer of personal data to IRIS KPO is governed by the safeguards we put in place such as the EU Model Data Protection Clauses. IRIS KPO holds the ISO27001:2013 certification for Information Security Management Systems. For more information, please contact dataprotection@iris.co.uk.

When you contact us via social media

We use a third-party provider, Hootsuite, to manage our social media interactions.

If you send us a private or direct message via social media the message will be stored by Hootsuite for three months. It will not be shared with any other organisations.

When you use our Live Chat service

We use a third party provider to supply and support our Live Chat service, which we use to handle customer enquiries in real time.

If you use the Live Chat service we will collect your name, email address (optional) and the contents of your Live Chat session.

You can request a transcript of your Live Chat session if you provide your email address at the start of your session or when prompted at the end.

At times of peak workloads (for example, tax year-end), we use IRIS KPO to assist us with providing support. IRIS KPO is based in India. Any transfer of personal data to IRIS KPO is governed by the safeguards we put in place such as the EU Model Data Protection Clauses. IRIS KPO holds the ISO27001:2013 certification for Information Security Management Systems. For more information, please contact dataprotection@iris.co.uk.

When we store records in Microsoft Office 365

We use Office 365 Business, which is a subscription plan that allows us to access Office applications such as Word, Excel and SharePoint over the internet.

You are entering into a contract with us

Purpose and legal basis for processing

When you negotiate with us to buy a product or start using one of our services, we process some personal information so that we can enter into an agreement with you or the organisation that you represent.

The legal basis we rely on to process your personal data is article 6(1)(b) of the GDPR, which allows us to process personal data when this is necessary for the performance of a contract to which you are a party or in order for us to take steps at your request prior to entering into a contract.

What we need

If you are entering into a contract with us we will need your full contact details including address, email and telephone number as well as your job title or position in your business. If we need further information, this will be made clear to you as we will ask you for it at the time.

What we do with it

We store customer contracts and related personal information within dedicated files in our Office 365 system and a contract database. We also hold some contracts in hard copy.

How long we keep it

We keep personal data relevant to contracts until contract expiry and then for a further 6 years.

What are your rights

As we are processing your personal data for the purpose of entering into a contract with you, you have the right in principle to data portability. However, there are limitations as to when this right applies. Please see Summary of your data protection rights above.

Are there other recipients of your information?

We will make your personal information available within the IRIS Software Group on a need-to-know basis in order to achieve our legitimate business objectives. If we have sub-contracted any aspect of the product or services you are using, we may need to share your details with the relevant supplier, also on a need-to-know basis.

Occasionally we receive requests from law enforcement agencies and regulatory bodies for customer contact details and personal data, which might be relevant to an investigation or similar official matter. We must disclose the requested data if we are under a court order to do so. We may also decide to disclose personal data without a court order where we have made an assessment that the information is relevant and proportionate to the issue under investigation.

When dealing with payments or account administration

Purpose and legal basis for processing

When you become a customer of ours, we process personal information to maintain our own accounts and records and to enable us to provide accounting, auditing and related services.

The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when this is necessary for our legitimate interests or those of a third party.

What we need

We need your contact and personal details, the products or services you are using, your financial details and sometimes your employment details (particularly if you are representing your employer).

What we do with it

We use the information we hold to allow us to contact you from time to time with respect to matters of your account such as payments and administration. We will use the information on your products and services to allow for order processing and invoicing, including with respect to renewal agreements. We may also use this information to facilitate the audit of our finances as required by HMRC or statute.

How long we keep it

We will keep this information for as long as you remain a customer of IRIS and for a period of up to 6 years where the information may be required for audit by HMRC or by statute.

What are your rights

As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. Please see summary of your data protection rights above.

Are there other recipients of your information?

We don’t transfer the data we use for our financial accounting purposes to another company or use any automated profiling.

You wish to attend, or have attended, an event

Purpose and legal basis for processing

Our purpose for collecting this information is so we can facilitate the event and provide you with an acceptable service.

The legal basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR. When we collect any information about dietary or access requirements we also need your consent (under article 9(2)(a)) as this type of information is classed as special category data.

What we need

If you wish to attend one of our events, you will be asked to provide your contact information including your organisation’s name and, if offered a place, information about any dietary requirements or access provisions you may need. We may also ask for payment if there is a charge to attend.

What we do with it

If you are not successful in securing a place, we’ll let you know and hold your details on a reserve list in case a place becomes available.

If you are allocated places at an event, we’ll ask for information about any dietary/access requirements. We don’t share this information in any identifiable way with the venue, and we delete it after the event.

Note that when registering for an event or webinar we will share your information with third party providers such as EventBrite, GoToWebinar and WebEx to deliver the event.

We may contact you on behalf of our event sponsors, to promote their products or services where we believe there is a legitimate interest and in line with your preferences.

Do we use any data processors?

Yes – we use data processors who act on our instructions to help facilitate the events (see above).

We may sometimes charge a fee to attend an event. If this happens, our communications about the event will provide details of the data processor we use to collect payments.

How long we keep it

Please see our retention schedule.

What are your rights?

We rely on your consent to process the personal data you give us to facilitate the event. This means you have the right to withdraw your consent at any time. If you do that, we’ll update our records immediately to reflect your wishes. Please also see summary of your data protection rights above.

You subscribe to our content

What type of content can you subscribe to?

You can subscribe to read Blogs, Case Studies, Industry Reports, Infographics, Knowledge-Base Articles, Newsletters, Presentations, Product Demonstrations, Product Updates, Videos, Webinars and Guides.

Purpose and legal basis for processing

Our purpose for collecting this information is so we can send you the requested content, and our legal basis is your consent, which you have indicated by providing us with your details. We may also send you details of other products or services that we think you will be interested in; our legal basis for this is where we believe you have a legitimate interest and in line with your preferences.

What we need

If you wish to receive information from us, you will be asked to provide your contact information including your name, your organisation’s name and other details about your organisation.

What we do with it

Your details will be held on our CRM database and the information you have requested will be sent to you. We may also send you details of other products or services.

Are there any other recipients?

We do not routinely disclose the personal data you have given to us for this purpose. However, we will keep you informed if we have any intention to do so.

How long we keep it

Please see our retention schedule.

What are your rights?

We rely on your consent to process the personal data you give us. This means you have the right to withdraw your consent at any time. As we also rely on legitimate interest, you do have the right to object. If you do that, we’ll update our records immediately to reflect your wishes. Please also see summary of your data protection rights above.

You are representing your organisation

We hold the names and contact details of individuals acting in their capacity as representatives of their organisations, across the business. The legal basis is article 6(1)(c) of the GDPR for any legal obligation or article 6(1)(f) because the processing is within our legitimate interests as a business.

You have asked for information or made a complaint

Purpose and legal basis

Our purpose for collecting this information is so we can provide you with the information you have requested and resolve any complaints you have raised with us. We have a legitimate business interest in responding to enquiries, requests for information and complaints under Article 6(1)(f) of the GDPR.

What we need

We need enough information to allow us to deal with your request or to investigate the complaint. This is likely to vary from case to case. If we need more information from you to help us resolve the issue, we will be in touch.

What we do with it

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We may compile statistics showing information such as the number of complaints we receive, but not in a form that identifies anyone.

How long we keep it

Please see our retention schedule.

What are your rights?

As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. Please see summary of your data protection rights above.

Are there any other recipients?

We do not routinely share enquiries or complaints with other people or organisations but we may need to do so if this is necessary to resolve the issue you have raised. If we decide we need to share details of your complaint outside of IRIS Group, we will let you know before we do so.

Visitors to our website

What we need

When you visit our company websites, we use third-party services to collect internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site.

We also use behavioural retargeting to collect information which allows IRIS and its partners to inform, optimise and serve you with advertising based on your past use of our Websites.

What do we mean when we refer to “partners” of IRIS in relation to our websites?

Generally speaking, we mean third parties or publicly available sources. We may receive personal data about you from various third parties as set out below:

  • Technical & Usage Data from parties such as our analytics providers (including Google), and advertising networks (see below).
  • Identity, Contact, Profile, Financial, Transaction, Usage and Technical Data from providers of technical, payment and delivery services.
  • Identity, Contact, Profile, Usage and/or Technical Data from social media platforms which are publicly available or through which you may log in or interact with the Site.

Cookies

We use cookies, which are small files with a code that is stored on your device, with your consent. They are retrieved from your device when you next visit the Site. This allows the site to recognise information about your use and browsing.

We use a cookies consent tool on our website which notifies you of our use of cookies when you first enter our site and gives you the opportunity to refuse the use of cookies or to consent by accepting the use of cookies on our site.

Full information on which cookies we use is available in our Cookies Policy, along with guidance about how you can set your browser to refuse all or some cookies (but that may affect some use of the Site).

Do we disclose your information to third parties?

Yes, we do, as set out in the detailed summary below:

Website search engine

Our website search is powered by Elastic Search. Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected from searches by either IRIS Group or any third party.

Survey tools

GetFeedback – Collection and processing of customer satisfaction data for the purposes of NPS scoring
Personal Data collected: Cookies and Personal Data.
Place of processing: United States

Online advertising
Some of the services listed below may use Cookies to identify you or they may use the behavioural retargeting technique, i.e. displaying ads tailored to your interests and behaviour, including those detected outside this Website. You may opt out of a third-party service’s use of cookies by visiting the Network Advertising Initiative opt-out page.

Bing Ads – Bing Ads is an advertising service provided by Microsoft Corporation.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out.

Google AdWords – AdWords is an advertising service provided by Google Inc.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out.

Remarketing and behavioural retargeting
This type of service allows IRIS and its partners to inform, optimise and serve you with advertising based on your past use of this Website.
This activity is performed by tracking Usage Data and by using Cookies – information that is transferred to the partners that manage the remarketing and behavioural targeting activity.
You can opt out of a third-party service’s use of cookies by visiting the Network Advertising Initiative opt-out page. You can also use opt-outs offered by any of the services below:

AdRoll (Semantic Sugar, Inc.)
AdRoll is an advertising service provided by Semantic Sugar, Inc.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out.

AdWords Remarketing (Google Inc.)
AdWords Remarketing is a remarketing and behavioural targeting service provided by Google Inc. that connects the activity of this Website with the AdWords advertising network and the Doubleclick Cookie.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out.

LinkedIn Website Retargeting (LinkedIn Corporation)
LinkedIn Website Retargeting is a remarketing and behavioural targeting service provided by LinkedIn Corporation that connects the activity of this Website with the LinkedIn advertising network.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out.

Twitter Remarketing (Twitter, Inc.)
Twitter Remarketing is a remarketing and behavioural targeting service provided by Twitter, Inc. that connects the activity of this Website with the Twitter advertising network.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out. Privacy Shield participant.

Website analytics and tag management
The services contained in this section enable IRIS to monitor and analyse web traffic and can be used to keep track of user behaviour.

Google Analytics with anonymised IP (Google Inc.)
Google Analytics is a web analysis service provided by Google Inc. (“Google”). Google utilises the Data collected to track and examine the use of this Website, to prepare reports on its activities and share them with other Google services.
Google may use the Data collected to contextualize and personalize the ads of its own advertising network.
This integration of Google Analytics anonymizes your IP address. It works by shortening Users’ IP addresses within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the complete IP address be sent to a Google server and shortened within the US.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out. Privacy Shield participant.

ResponseTap (ResponseTap Limited)
ResponseTap is an analytics service provided by ResponseTap Limited.
Personal Data collected: Cookies and Usage Data.
Place of processing: United Kingdom – Privacy Policy – Opt Out.

Google Tag Manager (Google LLC)
Google Tag Manager is a tag management service provided by Google LLC.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out – Privacy Shield participant.

Marketing automation and user database administration
This type of service allows IRIS to build user profiles by starting from an email address, a personal name, or other information that the User provides to us, as well as to track User activities through analytics features. Some of these services may also enable the sending of timed messages to you, such as emails based on specific actions performed on this Website.

Marketo Lead Generation (Marketo, Inc.)
Marketo Lead Generation is a User database management service provided by Marketo, Inc.
Personal Data collected: email address and various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy – Opt Out – Privacy Shield participant.

Embedded videos
This type of service allows you to view content hosted on external platforms directly from the pages of this Website and interact with them.
This type of service might still collect web traffic data for the pages where the service is installed, even when users do not use it.

Wistia widget (Wistia, Inc.)
Wistia is a video content visualization service provided by Wistia, Inc. that allows this Website to incorporate content of this kind on its pages.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out – Privacy Shield participant.

Security and performance

We use a third-party web application firewall to help maintain the security and performance of our website. The service checks that traffic to the site is behaving as would be expected. The service will block traffic that is not using the site as expected. To provide this service, our security provider processes site visitors’ IP addresses.

Purpose and legal basis for processing

The purpose for implementing the above is to:

  • Ensure any advertising is relevant to you – our use of cookies is based on your consent which you give when you continue to use our site after the appearance of the initial notification about cookies.
  • Maintain and monitor the performance of our website and to constantly look to improve the site and the services it offers to our users. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests and does not detrimentally affect your rights and freedoms.

What are your rights?

As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data by altering your preferences on both our sites and our partners’ sites. Please see the summary of your data protection rights above.

Appendix 1 – IRIS Software Group subsidiaries that may collect personal data

Where your data is being collected by any of the following IRIS Group subsidiaries acting as data controller, this will be made clear at the point of collection:

  • Cascade Human Resources Ltd
  • IRIS Business Software Ltd
  • IRIS Capital Ltd
  • IRIS KPO Resourcing (India) Private Ltd
  • IRIS Payroll Solutions Ltd
  • KashFlow Ltd
  • Keytime Holdings Ltd
  • PTP Software Ltd

Appendix 2 – Our websites

Appendix 3 – IRIS customer-facing retention schedule

| Record | Trigger | Retention Period |
|---|---|---|
| Corporate complaints, including complaints regulated by the FCA | End of financial year in which case closed | 6 years |
| General individual complaints | End of financial year in which case closed | 3 years |
| Personal data disclosure requests (police enquiries and third parties) | End of financial year in which case closed | 3 years |
| General enquiries (record of correspondence) | | 2 years |
| Customer support/JIRA correspondence | End of financial year | 3 years |
| Call recordings (general) | End of call | 3 months |
| Call recordings (specific – relating to complaints or open matters) | Last action | Filed with matter they relate to and subject to the same retention requirements as the matter they relate to. |
| Customer Contracts (signed) | Expiry of contract | 6 years |
| Pre-contract advice and contract negotiations | End of financial year in which negotiations completed | 2 years |
| Financial transactions and prime documents | End of financial year | Up to 6 years |
| Non-customer, customer/prospect personal data held for marketing and sales purposes that have not engaged. This information is collected through event bookings, white papers, newsletter subscriptions and other similar interactions with IRIS. | First contact | 6 months |