Our primary business is "data processing".
This means that we process information given to us by other parties. In order to do this, we enter into contracts with organisations (such as accountants and employers) and it is those organisations that control the personal data and have responsibilities to you as the data controller. Data controllers are required to provide you with a detailed explanation of what they do with your personal data and how you may be affected. However, we are under obligations to ensure your data is processed properly too.
It is important that you read and understand the controller’s privacy policy. Please contact the relevant organisation for more details about the terms upon which we process data on their behalf.
Where we directly control your data, for example, as a result of an enquiry form on our website or because you are a direct customer of one of our services or products, we set out the details in our privacy notice below.
This privacy statement tells you what to expect us to do with your personal information when you make contact with us or use one of our services.
This notice is layered. So, the first part is a summary but, if you wish, you can easily go directly to the reason we process your personal information and see what we do with it.
We’ll tell you:
The following part of the notice is information we need to tell everybody:
IRIS Software Group Ltd is the overall controller for the personal information we process, unless otherwise stated.
Please see appendix 1 for a list of legal entities falling within the IRIS Software Group.
There are many ways you can contact us, including by phone, email, live chat and post. More details can be seen on our contact us page.
Our postal address is:
Heathrow Approach
470 London Road
Slough
SL3 8QY
For general contact please use the Contact Us page of our website.
Data protection officer’s contact details
Our group data protection officer is Vincenzo Ardilio. You can email him via our data protection team email address. You can also contact him via our postal address. Please mark the envelope ‘Group Data Protection Officer’. However:
EU Representative
We have appointed IT Governance Europe Limited to act as our EU representative. If you are based in the EU and wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any queries in relation to your rights or general privacy matters, please email our EU representative. Please include reference to "IRIS Capital Ltd" in any correspondence you send to our representative. Alternatively, you may contact us directly via email.
Most of the personal information we process as data controller is provided to us directly by you for one of the following reasons:
We also receive personal information from other sources for our marketing campaigns in the following scenarios:
Our lawful basis for our marketing activity
Our legal basis for using personal information for our marketing campaigns is to meet our “legitimate interests”. If it is not disproportionate or prejudicial, we’ll contact you to let you know we are processing your personal information.
For some kinds of electronic marketing, such as email campaigns, we may require your consent before we can include you in our marketing campaign. This would apply, for example, if you are a consumer or sole trader or partnership and have had no previous contact with IRIS. In such cases our lawful basis for using your personal information for this purpose would be your informed consent.
In most cases you will be aware of the information we use, because you have provided the information to us. The following are examples of the personal information we typically hold:
We will continue to keep you informed about our products and services through our direct marketing and regular business contact. We will only do this where we have a legitimate interest in doing so, in line with your contact preferences and where you have not objected to this contact.
If you are or have been a customer, we will only contact you by electronic means (email or SMS) with information about goods and services similar to those we previously sold to you or negotiated with you.
We also continue to use your personal data when required for any of the following purposes:
If any of your personal information changes or becomes out of date, please let us know by contacting your account manager or designated point of contact so that we can amend your details.
You can update your contact preferences, as well as opt out of any email, direct mail and SMS communications, at any time via our preference centre.
You have a right to access the personal data we hold about you. To obtain a copy of the personal information we hold about you, please contact IRIS Software Group’s data protection team.
How to exercise your right not to receive direct marketing from us
You can opt out at any time by informing us. Where you have provided specific consent, you can withdraw it at any time. You can manage your preferences by using the preference centre.
IRIS may need to disclose your personal information to third parties in the following instances:
We may disclose your personal information to any member of our Group, which means our subsidiaries, our ultimate holding company and its subsidiaries.
Service providers: We will disclose your personal information to companies that provide certain services to us.
The service providers are required to keep your personal information confidential and are not permitted to use your personal information for any other purpose than to carry out the services they are performing for us.
We may need to disclose your personal information to a third party if it is necessary to comply with a legal obligation or the decision of a judicial authority, a public authority or a government body, or if disclosure is necessary for national security, law enforcement or other public interest.
Third parties in connection with a business sale: If we make a sale or transfer of assets, or are otherwise involved in a merger or business/asset transfer, we may transfer your personal information to one or more third parties as part of that transaction.
Other third parties with your consent: We may also share your personal information with other third parties when you separately consent to such sharing.
International Transfer of your Personal Information
Due to the global nature of IRIS business, your personal information may be shared, disclosed and transferred between the various IRIS group companies and other third parties (as described in the above section on Who do we share information with?) where such transfers are required for legitimate business reasons. Such entities may be located outside the EU/UK. Your personal data may be transferred to the US or India, where the level of protection for personal information is not the same as in the UK or EU. IRIS takes steps and implements measures to keep your personal information secure.
Transfers to India
If there is a need to transfer your data to India, we use safeguards such as the standard contractual clauses and ensure processors are not permitted to extract, download or save data locally.
Transfers to the US
IRIS will not transfer your personal data for “in the clear” processing in the US (“in the clear” means processing data in its basic identifiable form). We will endeavour to put safeguards in place to protect your rights and freedoms, such as anonymising or pseudonymising personal data and withholding encryption keys.
Exceptions to the above
Convertr
IRIS uses a supplier called Convertr to validate the email addresses and phone numbers of customer contacts and new prospects. There may be instances where validation of an email address or phone number occurs outside of the EU; for example, where a Gmail email address is used, this may be validated on a server in the US. IRIS has standard contractual clauses in place with Convertr. Your data is encrypted in transit and is not stored by third parties. We consider this to be extremely low risk and unlikely to impact your rights and freedoms.
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. Please use the privacy rights form to make a request relating to any of your rights set out below:
Your right of access
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing
You have the right to object to processing if we are able to process your information in our legitimate interests.
Setting your communication preferences
You can update your communications preferences from IRIS Software Group using the preference centre.
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by writing to:
Heathrow Approach
470 London Road
Slough
SL3 8QY
Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent, or under (or in talks about entering into) a contract, and the processing is automated.
You are not required to pay any charge for exercising your rights. We have one month to respond to you.
We use cookies. You can read more about how we do so, and the categories of cookies we use, by visiting our cookies page.
Purpose and legal basis for processing
Our support teams are based in the UK & India and when you contact us to make an enquiry, we collect information, including your personal data, so that we can respond to it.
The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when this is necessary for our legitimate interests or those of a third party.
What we need
We need enough information from you to answer your enquiry. When we speak to you, we will make an audio recording so that we can monitor the performance of all our staff. This is for training purposes, to establish the facts of transactions and enquiries, and to ensure compliance with our policies and procedures and any regulations we are subject to.
In certain circumstances we may make notes to provide you with a further service as required.
We will usually add your contact details to our Customer Relationship Management System (CRM) so that we can keep you informed about our products and services.
If you contact us via email or post, we’ll need a return address for the response.
What we do with it
We’ll keep a record of your enquiry so we can get it to the correct area of the business to be dealt with. We’ll also keep a record of our response. We use the information supplied to us to deal with the enquiry and any subsequent issues that may arise, and to check on the level of service we provide.
How long we keep it
Please see our retention schedule.
What are your rights?
As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. Please see summary of your data protection rights above.
Are there other recipients of your information?
Yes there may be, depending on the way in which you contact us:
When you contact us by email
At times of peak workloads (for example, tax year-end), we use IRIS KPO to assist us with providing support. IRIS KPO is based in India. Any transfer of personal data to IRIS KPO is governed by the safeguards we put in place such as the EU Model Data Protection Clauses. IRIS KPO holds the ISO27001:2013 certification for Information Security Management Systems. For more information, please contact our data protection team.
When you contact us via social media
We use a third-party provider, Hootsuite, to manage our social media interactions.
If you send us a private or direct message via social media the message will be stored by Hootsuite for three months. It will not be shared with any other organisations.
When you use our Live Chat service
We use a third party provider to supply and support our Live Chat service, which we use to handle customer enquiries in real time.
If you use the Live Chat service we will collect your name, email address (optional) and the contents of your Live Chat session.
You can request a transcript of your Live Chat session if you provide your email address at the start of your session or when prompted at the end.
At times of peak workloads (for example, tax year-end), we use IRIS KPO to assist us with providing support. IRIS KPO is based in India. Any transfer of personal data to IRIS KPO is governed by the safeguards we put in place such as the EU Model Data Protection Clauses. IRIS KPO holds the ISO27001:2013 certification for Information Security Management Systems. For more information, please contact our data protection team.
When we store records in Microsoft Office 365
We use Office 365 Business, which is a subscription plan that allows us to access Office applications such as Word, Excel and SharePoint over the internet.
Purpose and legal basis for processing
When you negotiate with us to buy a product or start using one of our services, we process some personal information so that we can enter into an agreement with you or the organisation that you represent.
The legal basis we rely on to process your personal data is article 6(1)(b) of the GDPR, which allows us to process personal data when this is necessary for the performance of a contract to which you are a party or in order for us to take steps at your request prior to entering into a contract.
What we need
If you are entering into a contract with us we will need your full contact details including address, email and telephone number as well as your job title or position in your business. If we need further information, this will be made clear to you as we will ask you for it at the time.
What we do with it
We store customer contracts and related personal information within dedicated files in our Office 365 system and a contract database. We also hold some contracts in hard copy.
How long we keep it
We keep personal data relevant to contracts until contract expiry and then for a further 6 years. Please see our retention schedule.
What are your rights
As we are processing your personal data for the purpose of entering into a contract with you, you have the right in principle to data portability. However, there are limitations as to when this right applies. Please see Summary of your data protection rights above.
Are there other recipients of your information?
We will make your personal information available within the IRIS Software Group on a need-to-know basis in order to achieve our legitimate business objectives. If we have sub-contracted any aspect of the product or services you are using, we may need to share your details with the relevant supplier, also on a need-to-know basis.
Occasionally we receive requests from law enforcement agencies and regulatory bodies for customer contact details and personal data, which might be relevant to an investigation or similar official matter. We must disclose the requested data if we are under a court order to do so. We may also decide to disclose personal data without a court order where we have made an assessment that the information is relevant and proportionate to the issue under investigation.
Purpose and legal basis for processing
When you become a customer of ours, we process personal information to maintain our own accounts and records and to enable us to provide accounting, auditing and related services.
The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when this is necessary for our legitimate interests or those of a third party.
What we need
We need your contact and personal details, the products or services you are using, your financial details and sometimes your employment details (particularly if you are representing your employer).
What we do with it
We use the information we hold to allow us to contact you from time to time with respect to matters of your account such as payments and administration. We will use the information on your products and services to allow for order processing and invoicing, including with respect to renewal agreements. We may also use this information to facilitate the audit of our finances as required by HMRC or statute.
How long we keep it
We will keep this information for as long as you remain a customer of IRIS and for a period of up to 6 years where the information may be required for audit by HMRC or by statute.
Please see our retention schedule.
What are your rights
As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. Please see summary of your data protection rights above.
Are there other recipients of your information?
We don’t transfer the data we use for our financial accounting purposes to another company or use any automated profiling.
Purpose and legal basis for processing
Our purpose for collecting this information is so we can facilitate the event and provide you with an acceptable service.
The legal basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR. When we collect any information about dietary or access requirements we also need your consent (under article 9(2)(a)) as this type of information is classed as special category data.
What we need
If you wish to attend one of our events, you will be asked to provide your contact information including your organisation’s name and, if offered a place, information about any dietary requirements or access provisions you may need. We may also ask for payment if there is a charge to attend.
What we do with it
If you are not successful in securing a place, we’ll let you know and hold your details on a reserve list in case a place becomes available.
If you are allocated places at an event, we’ll ask for information about any dietary/access requirements. We don’t share this information in any identifiable way with the venue, and we delete it after the event.
Note that when registering for an event or webinar we will share your information with third party providers such as ON24, EventBrite, GoToWebinar and WebEx to deliver the event.
We may contact you on behalf of our event sponsors, to promote their products or services where we believe there is a legitimate interest and in line with your preferences.
Do we use any data processors?
Yes – we use data processors who act on our instructions to help facilitate the events (see above).
We may sometimes charge a fee to attend an event. If this happens, our communications about the event will provide details of the data processor we use to collect payments.
How long we keep it
Please see our retention schedule.
What are your rights?
We rely on your consent to process the personal data you give us to facilitate the event. This means you have the right to withdraw your consent at any time. If you do that, we’ll update our records immediately to reflect your wishes. Please also see summary of your data protection rights above.
What type of content can you subscribe to?
You can subscribe to read Blogs, Case Studies, Industry Reports, Infographics, Knowledge-Base Articles, Newsletters, Presentations, Product Demonstrations, Product Updates, Videos, Webinars and Guides.
Purpose and legal basis for processing
Our purpose for collecting this information is so we can send you the requested content, and our legal basis is your consent, which you have indicated by providing us with your details. We may also send you details of other products or services that we think you will be interested in; our legal basis for this applies where we believe there is a legitimate interest and in line with your preferences.
What we need
If you wish to receive information from us, you will be asked to provide your contact information including your name, your organisation’s name and other details about your organisation.
What we do with it
Your details will be held on our CRM database and the information you have requested will be sent to you. We may also send you details of other products or services.
Are there any other recipients?
We use third party suppliers to undertake data validation of your email and phone number. To undertake the validation we may need to transfer your telephone or email address outside the EU/UK. Please refer to International Transfer of your Personal Information for further information and for the measures we put in place to ensure your data remains secure.
How long we keep it
Please see our retention schedule.
What are your rights?
We rely on your consent to process the personal data you give us. This means you have the right to withdraw your consent at any time. As we also rely on legitimate interest, you do have the right to object. If you do that, we’ll update our records immediately to reflect your wishes. Please also see summary of your data protection rights above.
You are representing your organisation
We hold the names and contact details of individuals acting in their capacity as representatives of their organisations, across the business. The legal basis is article 6(1)(c) of the GDPR for any legal obligation or article 6(1)(f) because the processing is within our legitimate interests as a business.
Purpose and legal basis
Our purpose for collecting this information is so we can provide you with the information you have requested and resolve any complaints you have raised with us. We have a legitimate business interest in responding to enquiries, requests for information and complaints under Article 6(1)(f) of the GDPR.
What we need
We need enough information to allow us to deal with your request or to investigate the complaint. This is likely to vary from case to case. If we need more information from you to help us resolve the issue, we will be in touch.
What we do with it
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We may compile statistics showing information such as the number of complaints we receive, but not in a form that identifies anyone.
How long we keep it
Please see our retention schedule.
What are your rights?
As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. Please see summary of your data protection rights above.
Are there any other recipients?
We do not routinely share enquiries or complaints with other people or organisations but we may need to do so if this is necessary to resolve the issue you have raised. If we decide we need to share details of your complaint outside of IRIS Group, we will let you know before we do so.
What we need
When you visit our company websites, we use third-party services to collect internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site.
We also use behavioural retargeting to collect information which allows IRIS and its partners to inform, optimise and serve you with advertising based on your past use of our websites.
What do we mean when we refer to “partners” of IRIS in relation to our websites?
Generally speaking, we mean third parties or publicly available sources. We may receive personal data about you from various third parties as set out below:
Cookies
We use a third-party web application firewall to help maintain the security and performance of our website. The service checks that traffic to the site is behaving as would be expected. The service will block traffic that is not using the site as expected. To provide this service, our security provider processes site visitors’ IP addresses.
Purpose and legal basis for processing
The purpose for implementing the above is to:
What are your rights?
As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data by altering your preferences on both our sites and our partners’ sites. Please see summary of your data protection rights above.
Where your data is being collected by any of the following IRIS Group subsidiaries, where they are acting as data controller, this will be made clear at the point of collection:
Record | Trigger | Retention Period |
---|---|---|
Corporate complaints, including complaints regulated by the FCA | End of financial year in which case closed | 6 years |
General individual complaints | End of financial year in which case closed | 3 years |
Personal data disclosure requests (police enquiries and third parties) | End of financial year in which case closed | 3 years |
General enquiries (record of correspondence) | | 2 years |
Customer support/JIRA correspondence | End of financial year | 3 years |
Call recordings (general) | End of call | 3 months |
Call recordings (specific – relating to complaints or open matters) | Last action | Filed with matter they relate to and subject to the same retention requirements as the matter they relate to. |
Customer Contracts (signed) | Expiry of contract | 6 years |
Pre-contract advice and contract negotiations | End of financial year in which negotiations completed | 2 years |
Financial transactions and prime documents | End of financial year | Up to 6 years |
Non-customer, customer/prospect personal data held for marketing and sales purposes that have not engaged. This information is collected through event bookings, white papers, newsletter subscriptions and other similar interactions with IRIS. | First contact | 24 months |
Disclosure: all forms of responsible disclosure are welcomed. This includes any vulnerabilities found in IRIS products. IRIS takes the security of its products and services seriously, and fully supports good faith reports made by security researchers. To email bug reports, you can contact our product security team.