IRIS Software Group Limited is committed to protecting and respecting your privacy.
Our primary business is “data processing”.
This means that we process information given to us by other parties. In order to do this, we enter into contracts with organisations (such as accountants and employers) and it is those organisations that control the personal data and have responsibilities to you as the data controller. Data controllers are required to provide you with a detailed explanation of what they do with your personal data and how you may be affected. However, we are under obligations to ensure your data is processed properly too.
It is important you have read and understood the controller’s privacy policy and please contact the relevant organisation for more details about the terms upon which we process data on their behalf.
Where we directly control your data, for example, as a result of an enquiry form on our website or because you are a direct customer of one of our services or products, we set out the details in our Privacy Notice below.
Our Privacy Notice
This privacy notice tells you what to expect us to do with your personal information when you make contact with us or use one of our services.
This notice is layered. So, the first part is a summary but, if you wish, you can easily go directly to the reason we process your personal information and see what we do with it
We’ll tell you:
- why we are able to process your information
- what purpose we are processing it for
- whether you have to provide it to us
- how long we store it for
- whether there are other recipients of your personal information
- whether we intend to transfer it to another country, and
- whether we do automated decision-making or profiling.
The following part of the notice is information we need to tell everybody:
Controller’s contact details
IRIS Software Group Ltd is the overall controller for the personal information we process, unless otherwise stated. Please see Appendix 1 for a list of legal entities falling within the IRIS Software Group.
There are many ways you can contact us, including by phone, email, live chat and post. More details can be seen here.
Our postal address is:
IRIS Software Group Limited, Riding Court House, Riding Court Road, Datchet SL3 9JT.
For general contact please use the Contact Us page of our website.
Data Protection Officer’s contact details
Our Group Data Protection Officer is Vincenzo Ardilio. You can contact him at [email protected] or via our postal address. Please mark the envelope ‘Group Data Protection Officer’. However:
- Data protection enquiries about our products should be directed to the relevant Support team in the first instance. If you do not know how to contact Support contact, then please contact us through our "Contact Us" page.
- Routine data protection enquiries should also be directed through our “Contact Us” page.
- Enquiries about the security of our websites: [email protected].
PART 1: SUMMARY
How do we get information and why?
Most of the personal information we process as Data Controller is provided to us directly by you for one of the following reasons:
- You have made an enquiry to us about our products or services or any other aspect of our business
- You are entering into a contract with us
- You are making a payment to us or have an account with us
- You have made a support request to us in relation to a product
- You wish to attend, or have attended, an event, either in person or online (webinar)
- You subscribe to our e-newsletters, whitepapers or product updates
- You are representing your organisation
- You have asked for information or made a complaint
- You have visited our website – please see our cookie policy for more information about our use of cookies on our websites
We also receive personal information indirectly in the following scenarios:
- Data and mailing lists provided to us by a suppliers (including Media partners), in response to a marketing activity such as an event, a whitepaper or a case study, to provide you with information about goods or services we feel may be of interest to you. We will only contact you if you have consented to this by ticking the relevant box situated on the form on which your data was collected.
- Contact lists purchased from a third party, to enable us to promote our goods or services we feel may be of interest to you. We will only receive your contact details if you have consented for it to be shared with individual organisations.
- We may also upload email addresses to social media platforms (Twitter, LinkedIn) to help target specific ad campaigns to sectors. These actions in regard to personal data are performed on the lawful basis of legitimate interest as described in the GDPR.
If you have consented to receive marketing from us, you can opt-out at any time. You can also manage your preferences by using the preference centres listed below.
If it is not disproportionate or prejudicial, we’ll contact you to let you know we are processing your personal information.
What information do we collect from you?
In most cases you will be aware of the information we use, because you have provided the information to us. The following are examples of the personal information we typically hold:
- Information that you provided by filling in forms on our Websites. This includes subscribing to our services including: events and webinars; newsletters; hints and tips; reports, guides and whitepapers; training and service programmes; and support and product information.
- When you complete a form you will usually be asked for the following:
- Title, first and last name: we will collect this information from you to personalise communications and so that we can verify that we are speaking to the right person when we call.
- The number of partners in your practice: we use this information to determine which IRIS team is best placed to speak to you about your business needs.
- The number of employees for whom you process payroll. This information is used to determine which of our specialist product teams is best placed to discuss your business needs
- The number of clients your practice manages: we use this information to determine which IRIS team is best placed to speak to you about your business needs.
- Valid phone number: we require a valid phone number so that an IRIS representative can follow up on your interest.
- Postal code: a valid UK postcode is required so that your request can be followed up by a relevant geographic team.
- Job title or role: we use this information to determine which team within IRIS is best placed to speak to you about your business need.
- Valid email address. We will use your email address to send links to downloads you request, which includes free trials of software, whitepapers, guides and webinars. We will also use your email address to send information about products and services which we believe may interest you.
- We may also ask you for information when you enter a competition or promotion sponsored by us and when you report a problem with our Websites.
- If you contact us through our Websites, whether by sending messages to our email addresses, filling in any forms, using any online chat service or otherwise, we will keep a record of that correspondence.
- We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
- Details of financial transactions you carry out through our Websites and partner websites and of the fulfilment of your orders.
Further use of your information
When you contact us in any of the above scenarios we will keep a record of your contact and we will continue to keep you informed about our products and services through our direct marketing and regular business contact. We will only do this where we have a legitimate interest in doing so, in line with your contact preferences and where you have not objected to this contact. If you are or have been a customer, we will only contact you by electronic means (email or SMS) with information about goods and services similar to those we previously sold to you or negotiated with you.
- We also continue to use your personal data when required for any of the following purposes:
- To carry out our obligations arising from any contracts or agreements between you and us.
- To allow you to participate in interactive features of our service, when you choose to do so.
- To allow you to participate in our competitions and promotions, when you choose to do so.
- To notify you about changes to our service.
- To ensure that content from our Websites is presented in the most effective manner for you and for your computer.
Updating personal information and preferences
If any of your personal information changes or becomes out of date, please amend your details by letting us know by contacting your account manager or designated point of contact.
You can update your contact preferences as well as opt-out of any email, direct mail and SMS communications anytime via our preference centre.
You have a right to access the personal data we hold about you. To obtain a copy of the personal information we hold about you, please contact IRIS Software Group’s Data Protection Officer [email protected]@iris.co.uk.
Use of cookies by IRIS Software Group
We use cookies and you can read more about how we do so and the categories of cookies we use by vising our Cookies page.
Disclosure of your information within IRIS Software Group
We may disclose your personal information to any member of our Group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 736 of the UK Companies Act 2006.
If we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer.
If our business or assets are acquired by a third party, the personal data of our customers would also be transferred.
Disclosure of your information outside of the IRIS Software Group
We may disclose your personal information to third parties if we are under a duty to do so. This would include disclosing or sharing your personal data in order to comply with legal obligation that we are under, or in order to enforce or apply our terms of use and other agreements. This would also include protecting our rights, property, or safety (or that of our customers and others).
We also exchange information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
A summary of your data protection rights
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. Please use the Contact Us page to make a request relating to any of your rights set out below
Your right of access
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.
Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing
You have the right to object to processing if we are able to process your information in our legitimate interests.
Setting your communication preferences
You can update your communications preferences from IRIS Software Group using the centres below:
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by writing to IRIS Group Limited, Riding Court House, Riding Court Road, Datchet SL3 9JT.
Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.
You are not required to pay any charge for exercising your rights. We have one month to respond to you.
PART 2: DETAILED PRIVACY STATEMENTS
When you make an enquiry or contact Support
Purpose and legal basis for processing
When you contact us to make an enquiry, we collect information, including your personal data, so that we can respond to it.
The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when this is necessary for our legitimate interests or those of a third party.
What we need
We need enough information from you to answer your enquiry. If you call us, we will make an audio recording so that we can monitor the performance of our staff for training purposes, establish the facts of transactions and enquiries, ensure compliance with our policies and procedures and any regulations we are subject to.
In certain circumstances we may make notes to provide you with a further service as required.
We will usually add your contact details to our Customer Relationship Management System (CRM) so that we can keep you informed about our products and services.
If you contact us via email or post, we’ll need a return address for the response.
What we do with it
We’ll keep a record of your enquiry so we can get it to the correct area of the business to be dealt with. We’ll also keep a record of our response. We use the information supplied to us to deal with the enquiry and any subsequent issues that may arise, and to check on the level of service we provide.
How long we keep it
Please see our retention schedule.
What are your rights?
As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. Please see Summary of your data protection rights above.
Are there other recipients of your information?
Yes there may be, depending on the way in which you contact us:
When you contact us via social media
We use a third party provider, Hootsuite to manage our social media interactions.
If you send us a private or direct message via social media the message will be stored by Hootsuite for three months. It will not be shared with any other organisations.
When you use our Live Chat service
We use a third party provider to supply and support our Live Chat service, which we use to handle customer enquiries in real time.
If you use the Live Chat service we will collect your name, email address (optional) and the contents of your Live Chat session.
You can request a transcript of your Live Chat session if you provide your email address at the start of your session or when prompted at the end.
When we store records in Microsoft Office 365
We use Office 365 Business, which is a subscription plan that allows us to access Office applications such as Word, Excel and SharePoint over the internet.
You are entering into a contract with us
Purpose and legal basis for processing
When you negotiate with us to buy a product or start using one of our services, we process some personal information so that we can enter into an agreement with you or the organisation that you represent.
The legal basis we rely on to process your personal data is article 6(1)(b) of the GDPR, which allows us to process personal data when this is necessary for the performance of a contract to which you are a party or in order for us to take steps at your request prior to entering into a contract.
What we need
If you are entering into a contract with us we will need your full contact details including address, email and telephone number as well as your job title or position in your business. If we need further information, this will be made clear to you as we will ask you for it at the time.
What we do with it
We store customer contracts and related personal information within dedicated files in our Office 365 system and a contract database. We also hold some contracts in hard copy.
How long we keep it
We keep personal data relevant to contracts until contract expiry and then for a further 6 years. Please see ourretention schedule for more detail.
What are your rights
As we are processing your personal data for the purpose of entering into a contract with you, you have the right in principle to data portability. However, there are limitations as to when this right applies. Please see Summary of your data protection rights above.
Are there other recipients of your information?
We will make your personal information available within the IRIS Software Group on a need-to know basis in order to achieve our legitimate business objectives. If we have sub-contracted any aspect of the product or services you are using, we may need to share your details with the relevant supplier, also on a need to know basis.
Occasionally we receive requests from law enforcement agencies and regulatory bodies for customer contact details and personal data, which might be relevant to an investigation or similar official matter. We must disclose the requested data if we are under a court order to do so. We may also decide to disclose personal data without a court order where we have made an assessment that the information is relevant and proportionate to the issue under investigation.
When dealing with payments or account administration
Purpose and legal basis for processing
When you become a customer of ours, we process personal information to maintain our own accounts and records and to enable us to provide accounting, auditing and related services.
The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when this is necessary for our legitimate interests or those of a third party.
What we need
We need your contact and personal details, the products or services you are using, your financial details and sometimes your employment details (particularly if you are representing your employer).
What we do with it
We use the information we hold to allow us to contact you from time to time with respect to matters of your account such as payments and administration. We will use the information on your products and services to allow for order processing and invoicing, including with respect to renewal agreements. We may also use this information to facilitate the audit of our finances as required by HMRC or statute.
How long we keep it
We will keep this information for as long as you remain a customer of IRIS and for a period of up to 6 years where the information may be required for audit by HMRC or by statute.
Please see our retention schedule for more details.
What are your rights
As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. Please see Summary of your data protection rights above.
Are there other recipients of your information?
We don’t transfer the data we use for our financial accounting purposes to another company or use any automated profiling.
You wish to attend, or have attended, an event
Purpose and legal basis for processing
Our purpose for collecting this information is so we can facilitate the event and provide you with an acceptable service.
The legal basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR. When we collect any information about dietary or access requirements we also need your consent (under article 9(2)(a)) as this type of information is classed as special category data.
What we need
If you wish to attend one of our events, you will be asked to provide your contact information including your organisation’s name and, if offered a place, information about any dietary requirements or access provisions you may need. We may also ask for payment if there is a charge to attend.
What we do with it
If you are not successful in securing a place, we’ll let you know and hold your details on a reserve list in case a place becomes available.
If you are allocated places at an event, we’ll ask for information about any dietary/access requirements. We don’t share this information in any identifiable way with the venue, and we delete it after the event.
Note that when registering for an event or webinar we will share your information with third party providers such as EventBrite, GoToWebinar and WebEx to deliver the event.
We may contact you on behalf of our event sponsors, to promote their products or services where we believe there is a legitimate interest and in line with your preferences.
Do we use any data processors?
Yes – we use data processors who act on our instructions to help facilitate the events (see above).
We may sometimes charge a fee to attend an event. If this happens, our communications about the event will provide details of the data processor we use to collect payments.
How long we keep it
Please see our retention schedule.
What are your rights?
We rely on your consent to process the personal data you give us to facilitate the event. This means you have the right to withdraw your consent at any time. If you do that, we’ll update our records immediately to reflect your wishes. Please also see Summary of your data protection rights above.
You subscribe to our content
What type of content can you subscribe to?
You can subscribe to read Blogs, Case Studies, Industry Reports, Infographics, Knowledge-Base Articles, Newsletters, Presentations, Product Demo’s, Product Updates, Video’s, Webinars, Whitepapers.
Purpose and legal basis for processing
Our purpose for collecting this information is so we can send you the requested content, and our legal basis is your consent which you have indicated by providing us with your details. We may also send you details of other products or services that we think you will be interested in and our legal basis for this is where we believe there you have a legitimate interest and in line with your preferences.
What we need
If you wish to receive information from us, you will be asked to provide your contact information including your name, your organisation’s name and other details about your organisation.
What we do with it
Your details will be held on our CRM database and the information you have requested will be sent to you. We may also send you details of other products or services.
Are there any other recipients?
We do not routinely disclose your personal data which you have given to us for this purpose however we will keep you informed if have any intention to do so.
How long we keep it
Please see our retention schedule.
What are your rights?
We rely on your consent to process the personal data you give us. This means you have the right to withdraw your consent at any time. As we also rely on legitimate interest, you do have the right to object. If you do that, we’ll update our records immediately to reflect your wishes. Please also see Summary of your data protection rights above
You are representing your organisation
We hold the names and contact details of individuals acting in their capacity as representatives of their organisations, across the business. The legal basis is article 6(1)(c) of the GDPR for any legal obligation or article 6(1)(f) because the processing is within our legitimate interests as a business.
You have asked for information or made a complaint
Purpose and legal basis
Our purpose for collecting this information is so we provide you with the information you have requested and resolve any complaints you have raised with us. We have a legitimate business interest in responding to enquiries, requests for information and complaints under Article 6(1)(f) of the GDPR.
What we need
We need enough information to allow us to deal with your request or to investigate the complaint. This is likely to vary from cases to case. If we need more information from you to help us resolve the issue, we will be in touch.
What we do with it
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We may compile statistics showing information like the number of complaints we receive, but not in a form that identifies anyone.
How long we keep it
Please see our retention schedule.
What are your rights?
As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. Please see Summary of your data protection rights above.
Are there any other recipients?
We do not routinely share enquiries or complaints with other people or organisations but we may need to do so if this is necessary to resolve the issue you have raised. If we decide we need to share details of your complaint outside of IRIS Group, we will let you know before we do so.
Visitors to our website
What we need
When you visit our company websites, we use third-party services to collect internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site.
We also use behavioural retargeting to collect information which allows IRIS and its partners to inform, optimise and serve you with advertising based on your past use of our Websites.
What do we mean when we refer to “partners” of IRIS in relation to our websites?
Generally-speaking, we mean third parties or publicly available sources. We may receive personal data about you from various third parties as set out below:
- Technical & Usage Data from parties such as our analytics providers (including Google), and advertising networks (see below);
- Identity, Contact, Profile, Financial, Transaction, Usage and Technical Data from providers of technical, payment and delivery services;
- Identity, Contact, Profile, Usage and/or Technical Data from social media platforms which are publicly available or through which you may log in or interact with the Site;
Cookies
We use cookies, which are small files with a code that is stored on your device, with your consent. They are retrieved from your device when you next visit the Site. This allows the site to recognise information about your use and browsing.
We use a cookies consent tool on our website which notifies you of our use of cookies when you first enter our site and gives you the opportunity to refuse the use of cookies or to consent by accepting the use of cookies on our site.
Full information on which cookies we use is available in our Cookies Policy, along with guidance about how you can set your browser to refuse all or some cookies (but that may affect some use of the Site).
Do we disclose your information to third parties?
Yes, we do, as set out in the detailed summary below:
Website search engine
Our website search is powered by Elastic Search. Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected from searches by either IRIS Group or any third party.
Online advertising
Some of the services listed below may use Cookies to identify you or they may use the behavioural retargeting technique, i.e. displaying ads tailored to your interests and behaviour, including those detected outside this Website. You may opt out of a third-party service's use of cookies by visiting the Network Advertising Initiative opt-out page.
Bing Ads - Bing Ads is an advertising service provided by Microsoft Corporation.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out
Google AdWords - AdWords is an advertising service provided by Google Inc.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out.
Remarketing and behavioural retargeting
This type of service allows IRIS and its partners to inform, optimise and serve you with advertising based on your past use of this Website.
This activity is performed by tracking Usage Data and by using Cookies – information that is transferred to the partners that manage the remarketing and behavioural targeting activity.
You can opt out of a third-party service's use of cookies by visiting the Network Advertising Initiative opt-out page. You can also use opt-outs offered by any of the services below:
AdRoll (Semantic Sugar, Inc.)
AdRoll is an advertising service provided by Semantic Sugar, Inc.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out.
AdWords Remarketing (Google Inc.)
AdWords Remarketing is a remarketing and behavioural targeting service provided by Google Inc. that connects the activity of this Website with the Adwords advertising network and the Doubleclick Cookie.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out.
LinkedIn Website Retargeting (LinkedIn Corporation)
LinkedIn Website Retargeting is a remarketing and behavioural targeting service provided by LinkedIn Corporation that connects the activity of this Website with the LinkedIn advertising network.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out.
Twitter Remarketing (Twitter, Inc.)
Twitter Remarketing is a remarketing and behavioural targeting service provided by Twitter, Inc. that connects the activity of this Website with the Twitter advertising network.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out. Privacy Shield participant.
Website analytics and tag management
The services contained in this section enable IRIS monitor and analyse web traffic and can be used to keep track of User behaviour.
Google Analytics with anonymised IP (Google Inc.)
Google Analytics is a web analysis service provided by Google Inc. (“Google”). Google utilises the Data collected to track and examine the use of this Website, to prepare reports on its activities and share them with other Google services.
Google may use the Data collected to contextualize and personalize the ads of its own advertising network.
This integration of Google Analytics anonymizes your IP address. It works by shortening Users' IP addresses within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the complete IP address be sent to a Google server and shortened within the US.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out. Privacy Shield participant.
ResponseTap (ResponseTap Limited)
ResponseTap is an analytics service provided by ResponseTap Limited.
Personal Data collected: Cookies and Usage Data.
Place of processing: United Kingdom – Privacy Policy. - Opt Out
Google Tag Manager (Google LLC)
Google Tag Manager is a tag management service provided by Google LLC.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy - Opt Out - Privacy Shield participant.
Marketing automation and user database administration
This type of service allows IRIS to build user profiles by starting from an email address, a personal name, or other information that the User provides to us, as well as to track User activities through analytics features. Some of these services may also enable the sending of timed messages to you, such as emails based on specific actions performed on this Website.
Marketo Lead Generation (Marketo, Inc.)
Marketo Lead Generation is a User database management service provided by Marketo, Inc.
Personal Data collected: email address and various types of Data as specified in the privacy policy of the service.
Place of processing: United States – Privacy Policy - Opt Out - Privacy Shield participant.
Embedded videos
This type of service allows you to view content hosted on external platforms directly from the pages of this Website and interact with them.
This type of service might still collect web traffic data for the pages where the service is installed, even when Users do not use it.
Wistia widget (Wistia, Inc.)
Wistia is a video content visualization service provided by Wistia, Inc. that allows this Website to incorporate content of this kind on its pages.
Personal Data collected: Cookies and Usage Data.
Place of processing: United States – Privacy Policy. - Opt Out - Privacy Shield participant.
Security and performance
We use a third-party web application firewall to help maintain the security and performance of our website. The service checks that traffic to the site is behaving as would be expected. The service will block traffic that is not using the site as expected. To provide this service, our security provider processes site visitors’ IP addresses.
Purpose and legal basis for processing
The purpose for implementing the above is to:
- Ensure any advertising is relevant to you – our use of cookies is based on your consent which you give when you continue to use our site after the appearance of the initial notification about cookies
- maintain and monitor the performance of our website and to constantly look to improve the site and the services it offers to our users. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests and does not detrimentally affect your rights and freedoms.
What are your rights?
As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data by altering your preferences on both our sites and our partners sites. Please see Summary of your data protection rights above.
Appendix 1 - IRIS Software Group subsidiaries that may collect personal data
Where your data is being collected by any of the following IRIS Group subsidiaries, where they are acting as data controller, this will be made clear at the point of collection:
- Cascade Human Resources Ltd
- IRIS Business Software Ltd
- IRIS Capital Ltd
- IRIS KPO Resourcing (India) Private Ltd
- IRIS Payroll Solutions Ltd
- KashFlow Ltd
- Keytime Holdings Ltd
- PTP Software Ltd
Appendix 2 - Our websites
Appendix 3 – IRIS customer-facing retention schedule
Record | Trigger | Retention Period |
Corporate complaints, including complaints regulated by the FCA | End of financial year in which case closed | 6 years |
General individual complaints | End of financial year in which case closed | 3 years |
Personal data disclosure requests (police enquiries and third parties) | End of financial year in which file closed | 3 years |
General enquiries (record of correspondence) | 2 years | |
Customer support/JIRA correspondence | End of financial yea | 3 years |
Call recordings (general) | End of call | 2 months |
Call recordings (specific - relating to complaints or open matters) | Last action | Filed with matter they relate to and subject to the same retention requirements as the matter they relate to. |
Customer Contracts (signed) | Expiry of contract | 6 years |
Pre-contract advice and contract negotiations | End of financial year in which negotiations completed | 2 years |
Financial transactions and prime documents | End of financial year | Up to 6 years |
Non-customer, customer/prospect personal data held for marketing and sales purposes that have not engaged. This information is collected through event bookings, white papers, newsletter subscriptions and other similar interactions with IRIS | First contact | 6 months |