Privacy Policy

ICwhatUC takes data privacy seriously. This privacy policy explains who we are, how we collect, share and use Personal Information, and how you can exercise your privacy rights. ­

When we refer to ‘we’ (or ‘our’ or ‘us’), that means ICwhatUC. ICwhatUC is our legal company name but we are trading as IrisCX. To keep things simple, we will use our trading name 'IrisCX' throughout this Privacy Notice.

We recommend that you read this privacy policy in full to ensure you are fully informed. However, to make it easier for you to review the parts of this privacy policy that apply to you, we have divided up the document into sections that are specifically applicable to Merchants (Section 3), Data Subjects (Section 4), and Visitors (Section 5). Sections 2 and 6 are applicable to everyone.

If you have any questions or concerns about our use of your Personal Information, then please contact us using the contact details provided at the end of Section 9.

To the extent we provide you with notice of different or additional privacy policies, those policies will govern such interactions.

IrisCX offers a suite of video engagement tools that connects the customer with the call agent through their mobile phone, allowing the agent to see what the customer sees, with the goal of solving the customer’s issue without a physical appointment.

Key Terms

In this privacy policy, these terms have the following meanings:

“Mobile App(s)” means any one or all of the IrisCX applications available for Merchants to use on their mobile devices.

"Merchant" means any person or entity that is registered with us to use the Service.

"Data Subject" is a person a Merchant may contact through our Service. In other words, a Data Subject is anyone on a Merchant’s Customer List or about whom a Merchant has given us information. For example, if you are a Merchant, one of your customers is a Data Subject

"Customer List" is a list of Data Subjects a Member may upload or manage on our platform and all associated information related to those Data Subjects (for example, email addresses).

"Personal Information" means any information that identifies or can be used to identify an individual directly or indirectly. Examples of Personal Information include, but are not limited to, first and last name, date of birth, email address, gender, occupation, or other demographic information.

“Service” incorporates the Website, the Applications and the Platform.

"Platform" - IrisCX Site(s) has the meaning given to it in the Standard Terms of Use.

"Visitor" means, depending on the context, any person who visits any of our IrisCX Sites, offices, or otherwise engages with us at our events or in connection with our marketing or recruitment activities.

"You" and "your" means, depending on the context, either a Merchant, a Data Subject, or a Visitor.

This section applies to the Personal Information we collect and process from a Merchant or potential Merchant through the provision of the Service. If you are not a Member, the Visitors or Data Subjects section of this policy may be more applicable to you and your data. In this section, "you" and "your" refer to Merchants and potential Merchants.

3.1 Information We Collect

The Personal Information that we collect depends on the context of your interactions with IrisCX, your IrisCX account settings, the products and features you use, your location, and applicable law. However, the Personal Information we collect broadly falls into the following categories:

Information you provide to us: You (or your organization) may provide certain Personal Information to us when you sign up for an IrisCX account and use the Service, consult with our customer service team, send us an email, or otherwise communicate with us. This information may include:

• Account information. You may provide us with information in connection with the creation and management of your account for the Services, such as a name, email address and a password to create an IrisCX account.
• Billing information. If you have purchased a paid version of the Services, or if you make another financial transaction using our Services (such as purchasing a Third-Party App), we (and our third party payment processors) will collect information about the purchase or transaction. This includes billing details and credit card information, other account and authentication information.
• Other information. You may otherwise choose to provide us with information when you fill in a form, contact our customer support, respond to surveys or use other features of our Services.

Information we collect automatically: When you use the Service, we may automatically collect or receive certain information about your device and usage of the Service (collectively “Service Usage Data”). In some (but not all) countries, including countries in the European Economic Area (“EEA”), this information is considered Personal Information under applicable data protection laws. We use cookies and other tracking technologies to collect some of this information. For further information, please review the section below and our Cookie Statement available here.

Device information: We collect information about the device and applications you use to access the Service, such as your IP address, your operating system, your browser ID, and other information about your system and connection. If you are using our services on mobile we may also collect information about the cellular network associated with your mobile device, your mobile device’s operating system or platform, the type of mobile device you use, your mobile device’s name and unique device ID, and information about the features of our Mobile App that you accessed.

Log data: Our web servers keep log files that record data each time a device accesses those servers and the nature of each access, including originating IP addresses and your activity in the Service (such as the date/time stamps associated with your usage, pages and files viewed, searches and other actions you take (for example, which features you used)), device event information (such as system activity, error reports (sometimes called ‘crash dumps’)), and hardware settings. We may also access metadata and other information associated with files that you upload into our Service.

Usage data: We collect usage data about you whenever you interact with our Service, which may include the dates and times you access the Service and your browsing activities (such as what portions of the Service you used). This information allows us to improve the content and operation of the Service, and facilitate research and analysis of the Service.

Information we collect from other sources: From time to time, we may obtain information about you from third-party sources, such as public databases, social media platforms, third-party data providers, and our joint marketing partners.

Examples of the information we receive from other sources include demographic information (such as age and gender), device information (such as IP addresses), location (such as city and state), and online behavioral data (such as information about your use of social media websites, page view information and search results and links). We use this information, alone or in combination with other Personal Information we collect, to enhance our ability to provide relevant marketing and content to you and to develop and provide you with more relevant products, features, and service.

3.2 Use of Personal Information (Merchant)

We may use the Personal Information we collect or receive through the Service (alone or in combination with other data we source) for the purposes and on the legal bases identified below:

• To bill and collect money owed to us by you to perform our contract with you for the use of the Service or where we have not entered into a contract with you, in accordance with our terms of use and our legitimate interests to operate and administer our Service. This includes sending you emails, invoices, receipts, notices of delinquency, and alerting you if we need a different credit card number. We use third parties for secure credit card transaction processing, and those third parties collect billing information to process your orders and credit card payments. To learn more about the steps we take to safeguard that data, see the "Our Security" section of this privacy policy.
• To send you system alert messages in reliance on our legitimate interests in administering the Service and providing certain features. For example, we may inform you about temporary or permanent changes to our Service, such as planned outages, or send you account, security or compliance notifications, such as new features, version updates, releases, abuse warnings, and changes to this privacy policy.
• To communicate with you about your account and provide customer support to perform our contract with you for the use of the Service or where we have not entered into a contract with you, in reliance on our legitimate interests in administering and supporting our Service. For example, if you use our Mobile Apps, we may ask you if you want to receive push notifications about activity in your account. If you have opted in to these push notifications and no longer want to receive them, you may turn them off through your operating system.
• To enforce compliance with our Standard Terms of Use and applicable law, and to protect the rights and safety of our Merchants in reliance on our legitimate interest to protect against misuse or abuse of our Service and to pursue remedies available. This may include developing tools and algorithms that help us prevent violations.
• To meet legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms.
• To provide information to representatives and advisors, including attorneys and accountants, to help us comply with legal, accounting, or security requirements in reliance on our legitimate interests.
• To prosecute and defend a court, arbitration, or similar legal proceeding.
• To respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.
• To provide, support and improve the Service to perform our contract with you for the use of the Service or where we have not entered into a contract with you, in reliance on our legitimate interests in administering and improving the Service and providing certain features.
• To provide suggestions to you and to provide tailored features within our Service that optimize and personalize your experience in reliance on our legitimate interests in administering the Service and providing certain features.
• To better understand your needs and the needs of users in the aggregate, diagnose problems, analyze trends, perform analytics, conduct research and improve the features and usability of the Services, test and troubleshoot new products and better understand and market to our users
• To analyze the Website or the other Services and information about our visitors and users, including research into our user demographics and user behavior
• To create aggregate (non-identifiable) statistics about users of the Services with a view to introducing improvements and improving usability of the Services
• To keep our Services safe. We use Account Data to verify accounts and activity, maintain the integrity of our Services, and to keep the Services safe and secure
• To personalize the Service, content and advertisements we serve to you in reliance on our legitimate interests in supporting our marketing activities and providing certain features within the Service. We may use your Personal Information to serve you specifically, such as to deliver marketing information, product recommendations and non-transactional communications (e.g., email, telemarketing calls, text, or push notifications) about us, in accordance with your marketing preferences and this privacy policy.

3.3 Third-Party Integrations

We may use the Personal Information we collect or receive through the Service, as a processor and as otherwise stated in this privacy policy, to enable your use of the integrations and plugins you choose to connect to your IrisCX account.

3.4 Cookies and Tracking Technologies

We and our third-party partners may use various technologies to collect and store Service Usage Data when you use our Service (as discussed above), and this may include using cookies and similar tracking technologies, such as pixels, and web beacons. These technologies allow us to collect information such as the recipient’s IP address, browser, email client type and other similar data as further described above details. We use this information to measure the performance of your IrisCX account, to provide analytics information, enhance the effectiveness of our Service, and for other purposes described above. Reports are also available to us when we send email to you, so we may collect and review that information.

Our use of cookies and other tracking technologies is discussed in more detail in our Cookie Statement available here.

3.5 Your Data Protection Rights

We believe that exercising your data protection rights is important regardless of where you reside, therefore we offer this service to all Merchants. You have the right to:

• Request a copy of the personal information we hold about you in a structured, commonly used and machine-readable format.
• Rectify any inaccurate personal information we hold about you.
• Withdraw your consent where we have relied upon your consent to process your information.
• Erase the personal information we hold about you subject to certain exceptions.
• If technically feasible, have your personal information transmitted to another data controller in a machine readable format at your request.
• Restrict processing of your personal information in certain circumstances.
• Object to our use of your personal information for our legitimate interests, for profiling and for direct marketing purposes.
• Not be subject to a decision which is based solely on automated processing where that decision produces a legal effect on you or otherwise significantly affects you. We do not make automated decisions of this nature.
• Lodge a complaint to the appropriate data-protection authority if you have concerns about how we process your personal data.
• Similarly, if Personal Information is collected or processed on the basis of consent, the data subject can withdraw their consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your Personal Information conducted in reliance on lawful processing grounds other than consent.

You can use the ‘Data Access Gateway’ functionality offered as part of this privacy center to exercise any of these rights, where technically feasible and where doing so does not interfere with a preexisting contract. Any changes you make will be directly and automatically reflected in the data source you have selected. If we receive a request from one of your Data Subjects, we will either direct the Contact to reach out to you, or, if appropriate, we may respond directly to their request.

This section applies to the information we process about our Merchants’ Data Subjects as a data controller. Our Service is intended for use by our Merchants. As a result, for much of the Personal Information we collect and process about Data Subjects through the Service, we act as a processor on behalf of our Merchants. IrisCX is not responsible for the privacy or security practices of our Merchants, which may differ from those set forth in this privacy policy. Please check with individual Merchants about the policies they have in place. For purposes of this section, "you" and "your" refer to Data Subjects.

4.1 Information We Collect

The Personal Information that we may collect or receive about you broadly falls into the following categories:

(i) Information we receive about Data Subjects from our Merchants: A Merchant may provide Personal Information about you to us through the Service. When a Merchant uploads their Customer List or integrates the Service with another website or service the Member may provide us with certain contact information or other Personal Information about you such as your name, email address, address, or telephone number.

When you use the service either directly through us or a Merchant we may collect:

• user generated content (such as messages, posts, comments, pages, profiles, images, feeds or communications exchanged)
• contact details (such as name, email address, telephone number)
• additional individual information (such as age, gender, employer, profession, geographic
• location, education information, financial status, habits and preferences)
• information relating to an individual’s real time location

(ii) Information we collect automatically: When you interact with a Merchant who uses our service, we may collect information about your device and location. We use cookies and other tracking technologies to collect some of this information. Our use of cookies and other tracking technologies is discussed more below and in more detail in our Cookie Statement available here.

• Device information: We collect information about the device and applications you use to access emails sent through our Service, such as your IP address, your operating system, your browser ID, and other information about your system and connection.
• Usage data: It is important for us to ensure the security and reliability of the Service we provide. Therefore, we also collect usage data about your interactions with video sessions conducted through the Service, which may include dates and times you engage in a video session and your browsing activities (such as what pages are viewed and which emails are opened). This information also allows us to ensure compliance with our Standard Terms of Use and Acceptable Use Policy, to monitor and prevent service abuse, and to ensure we attain certain usage standards and metrics in relation to our Service. We also collect information regarding the performance of the Service. This information allows us to improve the content and operation of the Service and facilitate research and perform analysis into the use and performance of the Service.

If you are using the Services by invitation of a IrisCX customer, whether that customer is your employer, another organization, or an individual, that customer determines its own policies regarding storage, access, modification, deletion, sharing, and retention of Content, which may apply to your use of the Services. Please check with the customer about the policies and settings it has in place.

4.2 Use of Personal Information

We may use the Personal Information we collect or receive about you in reliance on our (and where applicable, our Merchants’) legitimate interests for the following purposes:

• To enforce compliance with our Standard Terms of Use and applicable law. This may include utilizing usage data and developing tools and algorithms that help us prevent violations.
• To protect the rights and safety of Merchants, third parties, or IrisCX.
• To meet legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms.
• To provide information to representatives and advisors, including attorneys and accountants, to help us comply with legal, accounting, or security requirements.
• To prosecute and defend a court, arbitration, or similar legal proceeding.
• To respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.
• To provide, support and improve the Service.
• To perform data analytics projects. Our data analytics projects use data from IrisCX accounts, including your Personal Information, to provide and improve the Service. We use information, like your service history, provided to us by Merchants, so we can make more informed predictions, decisions, and products for our Merchants. If you prefer your data not to be used in this manner, you can opt out of data analytics projects at any time by emailing us at personaldatarequests@IrisCX.com.
• To carry out other business purposes. To carry out other legitimate business purposes, as well as other lawful purposes about which we will notify you.

4.3 Cookies and Tracking Technologies

We and our third-party partners may use various technologies to collect and store Service Usage Data when you use our Service (as discussed above), and this may include using cookies and similar tracking technologies, such as pixels, web beacons, and if you use our Mobile Apps, through our SDKs deployed on your mobile device. Do they send web beacons to see if people initiate a session or anything? Both web beacons and SDKs allow us to collect information such as the recipient’s IP address, browser, email client type and other similar data as further described above details. We use this information to measure the performance of your IrisCX account, to provide analytics information, enhance the effectiveness of our Service, and for other purposes described above. Reports are also available to us when we send email to you, so we may collect and review that information. Our use of cookies and other tracking technologies is discussed in more detail in our Cookie Statement available here.

4.4 Your Data Protection Rights

We believe that exercising your data protection rights is important regardless of where you reside, therefore we offer this service to all Merchants. You have the right to

• Request a copy of the personal information we hold about you in a structured, commonly used and machine-readable format
• Rectify any inaccurate personal information we hold about you
• Withdraw your consent where we have relied upon your consent to process your information
• Erase the personal information we hold about you subject to certain exceptions
• If technically feasible, have your personal information transmitted to another data controller in a machine readable format at your request
• Restrict processing of your personal information in certain circumstances
• Object to our use of your personal information for our legitimate interests, for profiling and for direct marketing purposes
• Not be subject to a decision which is based solely on automated processing where that decision produces a legal effect on you or otherwise significantly affects you. We do not make automated decisions of this nature.
• Lodge a complaint to the appropriate data-protection authority if you have concerns about how we process your personal data.
• Similarly, if Personal Information is collected or processed on the basis of consent, the data subject can withdraw their consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your Personal Information conducted in reliance on lawful processing grounds other than consent.

You can use the ‘Data Access Gateway’ functionality offered as part of this privacy center to exercise any of these rights, where technically feasible and where doing so does not interfere with a preexisting contract. Any changes you make will be directly and automatically reflected in the data source you have selected. If we receive a request from one of your Data Subjects, we will either direct the Contact to reach out to you, or, if appropriate, we may respond directly to their request.

This section applies to Personal Information that we collect and process when you visit the IrisCX Sites, and in the usual course of our business, such as in connection with our recruitment, events, sales and marketing activities or when you visit our offices. In this section, "you" and "your" refer to Visitors.

5.1 Information We Collect

(i) Information you provide to us on the IrisCX Sites or otherwise: Our IrisCX Sites offer various ways to contact us, such as through form submissions, email or phone, to inquire about our company and Service. For example, we may ask you to provide certain Personal Information when you express an interest in obtaining information about us or our Service, take part in surveys, subscribe to marketing, apply for a role with IrisCX, or otherwise contact us. We may also collect Personal Information from you in person when you attend our events or trade shows, if you visit our offices (where you will be required to register as a visitor and provide us with certain information that may also be shared with our service providers) or via a phone call with one of our sales representatives. You may choose to provide additional information when you communicate with us or otherwise interact with us, and we may keep copies of any such communications for our records.

The Personal Information we collect may include:

• Business contact information (such as your name, phone number, email address and country);
• Professional information (such as your job title, institution or company); Nature of your communication;
• Marketing information (such as your contact preferences); and
• Any information you choose to provide to us when completing any ‘free text’ boxes in our forms.

(ii) Information we collect automatically through the IrisCX Sites: When you visit our IrisCX Sites or interact with our emails, we use cookies and similar technologies such as pixels or web beacons, alone or in conjunction with cookies, to collect certain information automatically from your browser or device. In some countries, including countries in the EEA, this information may be considered Personal Information under applicable data protection laws. Our use of cookies and other tracking technologies is discussed more below, and in more detail in our Cookie Statement available here.

The information we collect automatically includes:

• Device information: such as your IP address, your browser, device information, unique device identifiers, mobile network information, request information (speed, frequency, the site from which you linked to us (“referring page”), the name of the website you choose to visit immediately after ours (called “exit page”), information about other websites you have recently visited and the web browser you used (software used to browse the internet) including its type and language)
• Usage data: such as information about how you interact with our service, IrisCX Sites, and other websites (such as the pages and files viewed, searches, operating system and system configuration information and date/time stamps associated with your usage).

5.2 Use of Personal Information

We may use the information we collect through our IrisCX Sites and in connection with our events and marketing activities (alone or in combination with other data we collect) for a range of reasons in reliance on our legitimate interests, including:

• To provide, operate, optimize, and maintain the IrisCX Sites.
• To send you marketing information, product recommendations and non- transactional communications (e.g., email, telemarketing calls, text, or push notifications) about us, in accordance with your marketing preferences, including information about our products, services, promotions or events as necessary for our legitimate interest in conducting direct marketing or to the extent you have provided your prior consent.
• For recruitment purposes if you have applied for a role with IrisCX.
• To respond to your online inquiries and requests, and to provide you with information and access to resources or services that you have requested from us.
• To manage the IrisCX Sites and system administration and security.
• To manage event registrations and attendance, including sending related communications to you.
• To register visitors to our offices for security reasons and to manage non- disclosure agreements that visitors may be required to sign.
• To improve the navigation and content of the IrisCX Sites.
• To identify any server problems or other IT or network issues. To process transactions and to set up online accounts.
• To compile aggregated statistics about site usage and to better understand the preferences of our Visitors.
• To help us provide, improve and personalize our marketing activities.
• To facilitate the security and continued proper functioning of the IrisCX Sites.
• To carry out research and development to improve our IrisCX Sites, products and services.
• To conduct marketing research, advertise to you, provide personalized information about us on and off our IrisCX Sites, and to provide other personalized content based on your activities and interests to the extent necessary for our legitimate interests in supporting our marketing activities or advertising our Service or instances where we seek your consent.
• To carry out other legitimate business purposes, as well as other lawful purposes, such as data analysis, fraud monitoring and prevention, identifying usage trends and expanding our business activities in reliance on our legitimate interests.
• To cooperate with public and government authorities, courts or regulators in accordance with our legal obligations under applicable laws to the extent this requires the processing or disclosure of Personal Information to protect our rights or is necessary for our legitimate interest in protecting against misuse or abuse of our IrisCX Sites and Service, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes, or responding to lawful requests.

5.3 Public Information and Third-Party Websites

• Blog. We have public blogs on the IrisCX Sites. Any information you include in a comment on our blog may be read, collected, and used by anyone. If your Personal Information appears on our blogs and you want it removed, contact us at privacy@IrisCX.com If we are unable to remove your information, we will tell you why.
• Social media platforms and widgets. The IrisCX Sites include social media features, such as the Facebook Like button. These features may collect information about your IP address and which page you are visiting on our IrisCX Site, and they may set a cookie to make sure the feature functions properly. Social media features and widgets are either hosted by a third party or hosted directly on our IrisCX Site. We also maintain presences on social media platforms, including Facebook, Twitter, and Instagram. Any information, communications, or materials you submit to us via a social media platform is done at your own risk without any expectation of privacy. We cannot control the actions of other users of these platforms or the actions of the platforms themselves. Your interactions with those features and platforms are governed by the privacy policies of the companies that provide them.
• Links to third-party websites. The IrisCX Sites include links to other websites, whose privacy practices may be different from ours. If you submit Personal Information to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policy of any website you visit.
• Contests and sweepstakes. We may, from time to time, offer surveys, contests, sweepstakes, or other promotions on the IrisCX Sites or through social media (collectively, "Promotions"). Participation in our Promotions is completely voluntary. Information requested for entry may include Personal Information such as your name, address, date of birth, phone number, email address, username, and similar details. We use the information you provide to administer our Promotions. We may also, unless prohibited by the Promotion’s rules or law, use the information provided to communicate with you, or other people you select, about our Service. We may share this information with our affiliates and other organizations or service providers in line with this privacy policy and the rules posted for our Promotions.

5.4 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and use Personal Information about you, including to serve interest-based advertising. For further information about the types of cookies and tracking technologies we use, why, and how you can control them, please see our Cookie Statement available here.

5.5 Your Data Protection Rights

We believe that exercising your data protection rights is important regardless of where you reside, therefore we offer this service to all Merchants. You have the right to

• Request a copy of the personal information we hold about you in a structured, commonly used and machine-readable format
• Rectify any inaccurate personal information we hold about you
• Withdraw your consent where we have relied upon your consent to process your information
• Erase the personal information we hold about you subject to certain exceptions
• If technically feasible, have your personal information transmitted to another data controller in a machine readable format at your request
• Restrict processing of your personal information in certain circumstances
• Object to our use of your personal information for our legitimate interests, for profiling and for direct marketing purposes
• Not be subject to a decision which is based solely on automated processing where that decision produces a legal effect on you or otherwise significantly affects you. We do not make automated decisions of this nature.
• Lodge a complaint to the appropriate data-protection authority if you have concerns about how we process your personal data.
• Similarly, if Personal Information is collected or processed on the basis of consent, the data subject can withdraw their consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your Personal Information conducted in reliance on lawful processing grounds other than consent.

You can use the ‘Data Access Gateway’ functionality offered as part of this privacy center to exercise any of these rights, where technically feasible and where doing so does not interfere with a preexisting contract. Any changes you make will be directly and automatically reflected in the data source you have selected. If we receive a request from one of your Data Subjects, we will either direct the Contact to reach out to you, or, if appropriate, we may respond directly to their request.

General Information

5.6 How We Share Information

We may share and disclose your Personal Information to the following types of third parties for the purposes described in this privacy policy (for purposes of this section, "you" and "your" refer to Merchants, Data Subjects, and Visitors unless otherwise indicated):

(i) Our service providers: Sometimes, we share your information with our third-party service providers working on our behalf for the purposes described in this privacy policy. For example, companies we’ve hired to help us provide and support our Service or assist in protecting and securing our systems and services and other business- related functions.

Other examples include analyzing data, hosting data, engaging technical support for our Service, processing payments, and delivering content.

Advertising partners: We may partner with third-party advertising networks, exchanges, and social media platforms (like Facebook) to display advertising on the IrisCX Sites or to manage and serve our advertising on other sites, and we may share Personal Information of Merchants and Visitors with them for this purpose. We and our third-party partners may use cookies and other similar tracking technologies, such as pixels and web beacons, to gather information about your activities on the IrisCX Sites and other sites in order to provide you with targeted advertising based on your browsing activities and interests. For more information, please see our Cookie Statement available here.

(ii) Any competent law enforcement body, regulatory body, government agency, court or other third party where we believe disclosure is necessary (a) as a matter of applicable law or regulation, (b) to exercise, establish, or defend our legal rights, or (c) to protect your vital interests or those of any other person.

(iii) A potential buyer (and its agents and advisors) in the case of a sale, merger, consolidation, liquidation, reorganization, or acquisition. In that event, any acquirer will be subject to our obligations under this privacy policy, including your rights to access and choice. We will notify you of the change either by sending you an email or posting a notice on our IrisCX Site.

(iv) Any other person with your consent.

5.7 Legal Basis for Processing Personal Information

If you are located in the EEA or UK, our legal basis for collecting and using the Personal Information described above will depend on the Personal Information concerned and the specific context in which we collect it.

However, we will normally collect and use Personal Information from you where the processing is in our legitimate interests and not overridden by your data-protection interests or fundamental rights and freedoms. Our legitimate interests are described in more detail in this privacy policy in the sections above titled “Use of Personal Information”, but they typically include improving, maintaining, providing, and enhancing our technology, products, and services; ensuring the security of the Service and our IrisCX Sites; and supporting our marketing activities.

If you are a Merchant, we may need the Personal Information to perform a contract with you. In some limited cases, we may also have a legal obligation to collect Personal Information from you. If we ask you to provide Personal Information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your Personal Information is mandatory or not, as well as of the possible consequences if you do not provide your Personal Information.

Where required by law, we will collect Personal Information only where we have your consent to do so.

If you have questions or need further information concerning the legal basis on which we collect and use your Personal Information, please contact us using the contact details provided in the "Questions and Concerns" section below.

5.8 Your Choices and Opt-Outs

Merchants and Visitors who have opted in to our marketing emails can opt out of receiving marketing emails from us at any time by clicking the "unsubscribe" link at the bottom of our marketing messages.

Also, all opt-out requests can be made by emailing us using the contact details provided in the "Questions and Concerns" section below. Please note that some communications (such as service messages, account notifications, billing information) are considered transactional and necessary for account management, and Merchants cannot opt out of these messages unless you cancel your IrisCX account.

5.9 Our Security

We take appropriate and reasonable technical and organizational measures designed to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the Personal Information. For further information about our security practices, please see our Security page available here. If you have any questions about the security of your Personal Information, you may contact us at privacy@IrisCX.com.

IrisCX accounts require a username and password to log in. Merchants must keep their username and password secure, and never disclose it to a third party. Because the information in a Member’s IrisCX account is private, account passwords are hashed, which means we cannot see a Member’s password. We cannot resend forgotten passwords either. We will only provide Merchants with instructions on how to reset them.

5.10 International Transfers

(i) We operate in Canada

Our servers and offices are located in the Canada, so your information may be transferred to, stored, or processed in the Canada. We adhere to PIPEDA in Canada along with state specific laws such as Alberta PIPA and BC PIPA. Furthermore, our privacy practices are designed to comply with global privacy laws such as GDPR, CCPA etc. We also have a comprehensive Data Processing Agreement available for Merchants which we make available here.

(ii) Data transfers from Switzerland, United Kingdom, or the EEA to the United States

IrisCX participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all Personal Information received from EEA member countries, United Kingdom, and Switzerland, respectively, in reliance on each Privacy Shield Framework, to each Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield website available here.

A list of Privacy Shield participants is maintained by the Department of Commerce and is available here.

IrisCX is responsible for the processing of Personal Information we receive under each Privacy Shield Framework and subsequently transfer to a third party acting as an agent on our behalf. We comply with the Privacy Shield Principles for all onward transfers of Personal Information from the EEA, United Kingdom, and Switzerland, including the onward transfer liability provisions.

With respect to Personal Information received or transferred pursuant to the Privacy Shield Frameworks, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

We retain Personal Information where we have an ongoing legitimate business or legal need to do so. Our retention periods will vary depending on the type of data involved, but, generally, we'll refer to these criteria in order to determine retention period:

• Whether we have a legal or contractual need to retain the data. Whether the data is necessary to provide our Service.
• Whether our Merchants have the ability to access and delete the data within their IrisCX accounts.
• Whether our Merchants would reasonably expect that we would retain the data until they remove it or until their IrisCX accounts are closed or terminated.

When we have no ongoing legitimate business need to process your Personal Information, we will either delete or anonymize it or, if this is not possible (for example, because your Personal Information has been stored in backup archives), then we will securely store your Personal Information and isolate it from any further processing until deletion is possible.

The California Consumer Privacy Act (“CCPA”) provides consumers with specific rights regarding their Personal Information. You have the right to request that businesses subject to the CCPA (which may include our Merchants with whom you have a relationship) disclose certain information to you about their collection and use of your Personal Information over the past 12 months. In addition, you have the right to ask such businesses to delete Personal Information collected from you, subject to certain exceptions. If the business sells Personal Information, you have a right to opt-out of that sale. Finally, a business cannot discriminate against you for exercising a CCPA right.

When offering services to its Merchants, IrisCX acts as a “service provider” under the CCPA and our receipt and collection of any consumer Personal Information is completed on behalf of our Merchants in order for us to provide the Service. Please direct any requests for access or deletion of your Personal Information under the CCPA to the Member with whom you have a direct relationship.

Consistent with California law, if you choose to exercise your applicable CCPA rights, we won’t charge you different prices or provide you a different quality of services. If we ever offer a financial incentive or product enhancement that is contingent upon you providing your Personal Information, we will not do so unless the benefits to you are reasonably related to the value of the Personal Information that you provide to us.

7.1 Do not Track

Certain state laws require us to indicate whether we honor “Do Not Track” settings in your browser. IrisCX adheres to the standards set out in this Privacy Policy and does not monitor or follow any Do Not Track browser requests.

We may change this privacy policy at any time and from time to time. The most recent version of the privacy policy is reflected by the version date located at the top of this privacy policy. All updates and amendments are effective immediately upon notice,

which we may give by any means, including, but not limited to, by posting a revised version of this privacy policy or other notice on the IrisCX Sites. We encourage you to review this privacy policy often to stay informed of changes that may affect you. Our electronically or otherwise properly stored copies of this privacy policy are each deemed to be the true, complete, valid, authentic, and enforceable copy of the version of this privacy policy that was in effect on each respective date you visited the IrisCX Site.

If you have any questions or comments, or if you have a concern about the way in which we have handled any privacy matter, please contact us by postal mail or email at: privacy@ICwhatUC.com