Privacy Policy for using the IRIS Pay for Merchants application
Introduction
This Privacy Policy is applied by “Iris Solutions” Ltd. as a personal data controller when collecting and processing personal data when using the “IRISPay for Merchants” application. The protection of your personal data is important to us. Therefore, we have taken the necessary organizational and technical measures to process your personal data in a lawful, appropriate and transparent manner and to guarantee your rights. With this policy, we would like to provide you with information about the type of your personal data that we process, the purposes for which we process them, for how long we store them, to whom we provide them and what your rights are in relation to the processing. We recommend that you familiarize yourself with this policy as a current or potential user of the “IRISPay for Merchants” application. If you have any questions, you can contact us at the contact details provided below.
Administrator information
The personal data administrator under this privacy policy is “Iris Solutions” Ltd., UIC 204997709. You can contact us at: Sofia, 111B Tsarigradsko Shosse Blvd., Sofia Tech Park, Incubator Building, 1st floor. Email address: bdo@irisbgsf.com. Contact phone number: +359889209055. As a personal data administrator, we are responsible for the collection, processing and protection of your data in accordance with this policy.
Types of personal data we process
Data provided during registration
The application does not perform direct registration and does not collect data directly. The registration process is carried out through the web portal https://paybyclick.irispay.bg, which is opened via a button in the application. When pressing the "Registration" button, the application automatically redirects to a web browser, where users fill out a registration form.
The following data is collected in the registration form:
● First name, last name and family name;
● Email address;
● Phone number;
● Company name;
● Company unique identification code (UIC);
● Password and password confirmation.
Registration is mandatory for the user to benefit from the functionalities of the application. After successful registration, the user can use their email address and password to log in to the application.
Data provided when logging into the application
To access the application, the user must enter their:
● Email address;
● Password created during registration.
The application does not record or store this data locally. It is used only to authenticate the identity through a secure connection to the system servers.
Biometric data
If the device supports biometric authentication (e.g. fingerprint), the user can enable this option in the app.
- How biometric data is processed: Biometric data is stored and processed locally on the user's device, with the application using the operating system's built-in authentication features.
- Security: Biometric data is not transmitted to servers, is not stored by “Iris Solutions” Ltd., and is not shared with third parties.
The user can enable or disable biometric login at any time from the “Menu” tab in the application.
Technical data
When using the application, the following technical data is automatically collected:
● Device type (e.g. smartphone, tablet);
● Operating system and version (e.g. Android 12, iOS 16);
● App version (e.g. 1.2.3);
● IP address;
● Error logs, which may include:
○ Time and date of the error;
○ Description of the error that occurred;
○ Steps that led to the error (e.g., failed to load an interface element).
Purposes of data processing
Your personal data is processed only for legitimate and justified purposes, which include the following:
Providing access to the application and its functionalities
- To authenticate users when logging into the application;
- To provide personalized access to application features.
Security maintenance and improvement
- To protect the application from unauthorized access and cyberattacks;
- To detect and prevent abuse or security breaches.
Technical support and troubleshooting
- To analyze and troubleshoot technical errors and malfunctions;
- To provide support to users if they encounter difficulties using the application.
Compliance with regulatory requirements
- To comply with our obligations under applicable law, including the General Data Protection Regulation (GDPR);
- To provide information to regulatory authorities or other competent institutions when required by law.
User experience analysis and improvement
- To collect data on the use of the application for the purpose of optimization and improvement of its functionalities;
- To understand the behavior and needs of users in order to offer better and more intuitive services.
Protection against fraud and abuse
- To investigate and prevent potential fraud, including unauthorized use of accounts or improper transactions.
Your personal data will not be processed for purposes other than those listed above unless your explicit consent is obtained.
Storage technologies
The Application uses the standard mechanisms of the Android and iOS operating systems for encrypted data storage on the User's device. The goal is for the User to gain quick access to the functionalities of the Application, and not to wait for the data to load with each request. The data on the User's device is deleted automatically. The User can also delete this data at any time using the mechanisms provided by the respective mobile platform - Android or iOS.
The application does not use cookies.
Data sharing
Your personal data is not shared with third parties, except in the following cases:
Legal necessity
- When fulfilling legal obligations or regulatory requirements;
- When necessary to provide information to government authorities or judicial institutions in accordance with the law.
Technical support
- Limited access for third-party support when necessary to ensure the functioning of the application;
- All third parties who have access to data are bound by strict protection and confidentiality measures.
Using analytical tools (Google Analytics)
- The app uses Google Analytics to collect data about user behavior and how the app is used.
- This data may include information about:
  - Device type and operating system;
  - IP address (anonymized if applicable);
  - Session duration and navigation within the application.
Data collected through Google Analytics is used only to improve the application and does not allow identification of specific users.
User consent
- Personal data may be shared with third parties if you have given explicit consent to this.
Data security
We implement modern organizational, technical and physical measures to ensure the security of your personal data. Our goal is to protect data from loss, unauthorized access, disclosure or misuse.
The measures we are implementing include:
Data encryption
- All data transmitted between the application and our servers is protected by SSL/TLS encryption.
- Biometric data used for login is processed and stored locally on the device and is not sent to servers.
Limited access
- Access to the servers on which data is stored is strictly limited to authorized employees and subcontractors.
- All persons with access to the data undergo regular information protection training and are bound by contractual confidentiality obligations.
Regular testing and updates
- We perform regular vulnerability and security tests on the application as well as the server infrastructure.
- Our software systems are regularly updated to meet the latest security standards.
Biometric data protection
- Biometric data, such as Face ID or fingerprint, is processed using secure technologies built into the device's operating system.
- The app does not have access to this data, which is stored only locally on the device.
Backups
- Data is backed up regularly to ensure recovery in the event of loss or technical failure. The backups are stored in a secure environment.
Despite the measures taken, it is important to note that no security system can guarantee absolute security. We recommend that users keep their devices updated and use strong passwords for maximum protection.
“Iris Solutions” Ltd. is committed to continuing to improve security measures in accordance with the latest technological advances and requirements of regulatory authorities.
Data retention period
Your personal data is kept for a period of time necessary to perform the requested services and is stored for a period until the expiry of the statutory period related to the obligation to keep them or to file a lawsuit, but not more than 5 (five) years from the lapse of the basis for processing.
As an End User, you may at any time before the expiry of the period for storing your Personal Data described here, request their deletion (if the data is not processed for the legitimate interest of the Administrator), and if their complete deletion is impossible - they are subject to anonymization.
Your rights
At any time during the processing of your Personal Data, you as an End User have the following rights as provided for in the current Bulgarian and European legislation:
- Right of access: Right to access your personal data and provide information about the purposes of processing, categories of personal data, recipients to whom Personal Data is disclosed, storage periods, etc.
- Right to rectification: You have the right to request the Administrator to correct inaccurate personal data relating to you without undue delay;
- Right to erasure (the “right to be forgotten”): Right to have your personal data erased on the following grounds: – the personal data are no longer necessary for the purposes for which they were collected/processed; – when you deregister and delete the Application; – when you withdraw your consent, in cases where the data processing is based on consent; – the personal data must be erased for compliance with a legal obligation under Union or national law; – when the data have been processed unlawfully; – when you have objected to their processing and there is no other basis for their processing.
- Right to restriction: Right to request restriction of the processing of your personal data in the following cases: – the accuracy of the personal data is contested by you for a period that allows the Administrator to verify the accuracy of the personal data; – unlawful processing has been established, but you only want the processing of your data to be restricted, instead of having it deleted; – you want your personal data to be stored, although the Administrator no longer needs them for the purposes of the processing, as you will use them for the establishment, exercise or defense of your legal claims; – if you object to the processing of your personal data for the period of verification of its validity.
- Right to object: Right to object to receiving commercial communications; right to object to your personal data being provided to third parties;
- Right to data portability: The right to receive the Personal Data concerning you that you have provided to the Administrator in a structured, commonly used and machine-readable format, and you have the right to transfer these data to another administrator without hindrance from the Administrator, where the processing is based on our legitimate interest or a contractual obligation.
- Right to lodge a complaint: If you believe that your rights in relation to the processing of your personal data have been violated, you have the right to lodge a complaint with the Personal Data Protection Commission. The current contact details and the conditions for filing a complaint with the Personal Data Protection Commission can be found on the commission's website www.cpdp.bg. As of the date of the last update of this notice, the contact details are: Address of the Personal Data Protection Commission: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.; E-mail: kzld@cpdp.bg
As an End User, you may exercise the rights described above, in case they are not available as a functionality through the Application, by submitting a written application to the Administrator's address and/or e-mail address specified above. Your request should contain sufficient data to be able to be unequivocally identified, and contact details - address, telephone number and/or e-mail for feedback. The Personal Data Administrator prepares a response to the submitted request within 14 (fourteen) days of its receipt.
You can receive any information regarding your rights or other issues related to the protection of personal data from the Administrator through the communication channels listed below.
Privacy Policy Updates
- For all other issues relating to the processing of personal data that are not regulated in this document, the provisions of the PDPA and the Regulation apply.
- The Personal Data Administrator reserves the right to make changes to this Policy at any time, ensuring similar protection of your Personal Data in all cases. The changes shall enter into force upon their publication, unless otherwise stated therein.
- If you have any questions about the way we process your personal data, or if you wish to exercise your rights, please contact us using our contact details provided below.
Contact
If you have any questions about this Privacy Policy or the way we process your data, you can contact us:
- Email: bdo@irisbgsf.com
- Address: Sofia, 111B Tsarigradsko Shose Blvd., Sofia Tech Park, Incubator Building, 1st floor
- Phone: +359889209055