Privacy Policy for Iris Financial Ecosystem

Effective Date: January 4, 2026 | Last Updated: July 12, 2026 | Version: 2.2

Introduction

Welcome to Iris Financial. We are committed to protecting your privacy and handling your data transparently. This Privacy Policy explains how we collect, use, store, and protect your information when you use our financial management and payment processing services.

This policy covers:

Iris Secure Financial

Web-based accounting and expense management platform

Iris Money

Mobile payment processing application for sellers

Iris Financial Website

Corporate website and marketing pages

Contact Information

1. Information We Collect

1.1 Information You Provide

Account Registration (All Products)

  • Name (first and last)
  • Email address
  • Password (encrypted and never stored in plain text)
  • Company/Business name and information
  • Phone number (optional or required based on product)
  • Physical address (for business verification)
  • Country/Region of operation

Iris Secure Financial (Web Platform) Specific

  • Bank account connections (via Plaid)
  • Transaction details from bank imports
  • Invoices and client information
  • Expense and income records
  • Budget and financial goals
  • Team member information

Iris Money (Mobile App) Specific

  • Business Information: Business category, website URL, tax ID
  • Payment Information: Bank account details for payouts
  • Payment Link Data: Product/service descriptions, prices, currency preferences
  • Transaction Records: Sales history, payment amounts, customer details
  • Branding Assets: Profile picture, logo, brand colors
  • Subscription Tracking Data: Third-party subscriptions you choose to track (Netflix, AWS, etc.)

1.2 Information Collected Automatically

Web Platform

  • IP address
  • Browser type and version
  • Device information
  • Usage data and session information
  • Cookies and session tokens

Mobile App

  • Device Information: Device type, operating system version, unique device identifiers
  • App Usage Data: Features used, screens viewed, session duration
  • Push Notification Token (iOS only, if notifications enabled)
  • Location Data: Country/region based on IP address (not precise GPS location)
  • Log Data: App version, crash reports, error logs

1.3 Information from Third Parties

Plaid Integration (Iris Secure Financial Only)

Bank account information, transaction history (up to 24 months), account balances, and account holder names. We receive this information only with your explicit consent through Plaid's secure connection flow.

Plaid Privacy Policy: https://plaid.com/legal/#privacy-policy

Payment Processors (Iris Money Only)

Stripe: Credit/debit card payment confirmations, transaction status, payment metadata

Privacy Policy: https://stripe.com/privacy

PawaPay: Mobile money payment confirmations, transaction status for MTN, Orange, Airtel, Vodacom payments

Privacy Policy: https://www.pawapay.io/privacy-policy

Important:

We do NOT store full credit card numbers. Card payments are processed securely by Stripe, and we only receive transaction confirmations.

Google Authentication (Optional)

If you sign in with Google, we receive: Name, Email address, Profile picture (optional).

2. How We Use Your Information

2.1 Primary Purposes

Iris Secure Financial (Web)

  • Service Delivery: Expense tracking, invoicing, bank transaction syncing, financial reports, team access management
  • Account Management: User authentication, customer support
  • Financial Operations: Connect to bank accounts via Plaid, import and categorize transactions, track income and expenses

Iris Money (Mobile)

  • Payment Processing: Create and manage payment links, process payments via Stripe and PawaPay, handle customer transactions
  • Payout Management: Process payout requests to your bank account, track payout status
  • Business Tools: Generate sales analytics, track subscription expenses, manage customer disputes
  • Account Management: Verify business information, manage pricing tier/subscription, provide customer support

2.2 Secondary Purposes (Both Products)

  • Service improvement and analytics
  • Security and fraud prevention
  • Legal and regulatory compliance
  • Push notifications for important updates (mobile app only)
  • Marketing communications (with your consent)

3. How We Share Your Information

We DO NOT sell your personal information to third parties.

3.1 Service Providers

Financial Services

Plaid (Iris Secure Financial)

Financial data aggregation, bank connection

Data Shared: Bank credentials (never stored by us), transaction data

Privacy Policy: https://plaid.com/legal/#privacy-policy

Stripe (Iris Money)

Card payment processing

Data Shared: Payment amount, currency, customer email, transaction metadata

Privacy Policy: https://stripe.com/privacy

PawaPay (Iris Money)

Mobile money payment processing (Africa)

Data Shared: Phone number, payment amount, currency, country

Privacy Policy: https://www.pawapay.io/privacy-policy

Infrastructure Providers

  • Hosting Providers (Vercel, Abacus AI, AWS): Application hosting and database storage — Encrypted storage and transmission, SOC 2 Type II certified
  • Database Hosting: PostgreSQL database hosting — Encryption at rest and in transit

Communication Services

  • Email Service Providers: For transactional emails, support communications
  • Push Notification Services (iOS only): Apple Push Notification Service (APNs)

Analytics & Monitoring

  • Error Tracking: Crash reporting and performance monitoring (anonymized)
  • Usage Analytics: Feature usage patterns (aggregated and anonymized)

3.2 Legal Requirements

We may disclose your information to:

  • Comply with legal obligations (court orders, subpoenas)
  • Respond to lawful requests from government authorities
  • Protect our rights, property, or safety
  • Prevent fraud, security threats, or illegal activity
  • Enforce our Terms of Service

3.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and prominent notice in the app/website.

4. Data Security

4.1 Security Measures

Encryption

  • TLS 1.2+ for all client-server communications, HTTPS enforced
  • PostgreSQL database encryption at rest
  • Password hashing using bcryptjs (cost factor 10)
  • JWT tokens stored as HTTP-only cookies (web), secure storage (mobile)

Access Controls

  • Role-Based Access Control (RBAC): ADMIN, MEMBER roles
  • Multi-Tenant Isolation: All queries enforce tenant-level separation
  • Automatic session expiry (30 days web, configurable mobile)

Infrastructure Security

  • SOC 2 certified cloud hosting (Vercel, AWS, Abacus AI)
  • DDoS Protection via hosting platform and CDN
  • Rate Limiting on authentication and payment endpoints
  • Security Headers: CSP, HSTS, X-Frame-Options
  • 24/7 monitoring and intrusion detection

Payment Security

  • PCI-DSS Compliance via Stripe (we never store full card numbers)
  • Tokenization: Payment methods tokenized by Stripe
  • Built-in fraud detection by payment processors

4.2 Data Breach Notification

In the event of a data breach affecting your personal information, we will:

  1. Notify affected users within 72 hours with details of the breach
  2. Provide information about what data was compromised
  3. Explain remediation steps and actions we're taking
  4. Notify relevant regulatory authorities as required by law

5. Your Privacy Rights

Summary of Your Rights:

  • Right to Access: Get a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Deletion: Request account and data deletion
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a portable format (JSON, CSV)
  • Right to Object: Opt out of certain data processing activities
  • Right to Withdraw Consent: Revoke consent at any time
  • Right to Opt-Out of Marketing: Unsubscribe from promotional emails

How to Exercise Your Rights:

  • Email: [email protected]
  • Subject Line: "Privacy Rights Request - [Your Request Type]"
  • Include: Your registered email address and specific request
  • Response Time: Within 5 business days (acknowledgment), 30 days (fulfillment)

Region-Specific Rights

GDPR (European Union)

  • All rights listed above
  • Right to lodge a complaint with supervisory authority
  • Right to object to automated decision-making

CCPA (California)

  • Right to know what personal information is collected
  • Right to know if personal information is sold (we don't sell)
  • Right to opt-out of sale (not applicable)
  • Right to non-discrimination

Users in other regions may have additional rights under local laws. Contact us to learn more.

6. Data Retention

Retention Periods by Data Type

Data TypeRetention PeriodReason
Active account dataDuration of accountService delivery
Closed account data90 daysRecovery period
Financial transactions7 yearsTax and legal compliance
Invoices (Iris Secure)7 yearsAccounting requirements
Payment records (Iris Money)7 yearsFinancial regulations
Plaid access tokensActive connection + 30 daysSecurity
Payment processor dataPer processor retention policyDispute resolution
System logs90 daysSecurity and debugging
Marketing dataUntil opt-out + 30 daysCompliance
Backup dataUp to 90 daysDisaster recovery

Data Deletion Process

  1. Account Deletion Request: Email [email protected]
  2. Verification: We verify your identity
  3. Deletion Timeline: Within 30 days of verification
  4. Exceptions: Data retained for legal compliance (financial records) will be anonymized where possible
  5. Confirmation: You'll receive confirmation when deletion is complete

Note: Some data may persist in backups for up to 90 days but will be inaccessible.

See our full Data Retention Policy for more details.

7. Cookies and Tracking

Web Platform (Iris Secure Financial)

  • Essential Cookies: Session management, authentication (required for service)
  • Analytics Cookies: Usage patterns, feature adoption (optional, can be disabled)
  • Preference Cookies: UI settings, language preferences

Mobile App (Iris Money)

  • No Cookies: Mobile apps use secure storage instead of browser cookies
  • Analytics: In-app analytics for crash reporting and feature usage (can be disabled in settings)
  • Session Tokens: Stored securely in device keychain (iOS) or secure storage (Android)

Cookie Control

  • Web: Control via browser settings or cookie consent banner
  • Mobile: Control via app settings > Privacy
  • Note: Disabling essential cookies/storage may affect service functionality

8. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

If we discover that we have collected information from a child under 18, we will delete the information immediately, terminate the account, and notify the email address on file.

If you believe a child has provided us with personal information, contact: [email protected]

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States (cloud hosting, payment processors), the European Union (data centers), and other countries where our service providers operate.

Safeguards

  • Standard Contractual Clauses (SCCs): For EU data transfers
  • Adequacy Decisions: Transfer to countries with adequate data protection
  • Encryption: All data encrypted in transit and at rest
  • Contractual Protections: Data processing agreements with all vendors

10. Third-Party Links and Services

Our services may contain links to third-party websites, apps, or services (e.g., payment processors, social media).

Important:

We are not responsible for the privacy practices of third parties. Please review their privacy policies before providing information.

Third Parties We Link To:

11. Push Notifications (Mobile App)

What We Send

  • Payment confirmations and receipts
  • Payout status updates
  • Dispute alerts and customer messages
  • Subscription payment reminders
  • Important security alerts

Your Control

  • Disable Notifications: Device Settings > Iris Money > Notifications
  • Selective Notifications: App Settings > Notifications (choose which types)
  • Note: Disabling may delay important account updates

iOS Only: Push notifications currently supported on iOS. Android support coming soon.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, new features or services, legal or regulatory requirements, and user feedback.

Notification of Changes

  • Material Changes: Email notification + in-app/website banner
  • Minor Changes: Updated "Last Updated" date + website posting
  • Effective Date: Changes take effect 30 days after notification
  • Your Options: Continued use = acceptance; object = account closure option

Version History

  • Version 1.0 (January 4, 2026): Initial policy for Iris Secure Financial
  • Version 2.0 (April 19, 2026): Updated to cover Iris Money mobile app and unified ecosystem
  • Version 2.1 (July 3, 2026): Added Section 15 (SMS Communications) covering the Iris Financial SMS program, Text-to-Give, and opt-in/opt-out disclosures
  • Version 2.2 (July 12, 2026): Updated Section 15 to describe the guided, reply-based Text-to-Give flow with card-on-file (removing payment-link references), corrected opt-in keyword list (organization keyword plus START/YES/UNSTOP; removed GIVE as a universal keyword), clarified YES as a transactional confirmation token, and confirmed STOPALL as a supported opt-out keyword

13. Product-Specific Privacy Information

Iris Secure Financial (Web)

  • Primary Data Flow: Plaid → Bank Transactions → Our Database → Your Dashboard
  • Key Risk: Bank account access via Plaid (you control, can revoke anytime)
  • Data Sharing: Only with Plaid for bank connection functionality
  • Unique Feature: Team access (admins can see all org data)

Iris Money (Mobile App)

  • Primary Data Flow: Customer Payment → Stripe/PawaPay → Our Database → Your Account
  • Key Risk: Payment processing (PCI-DSS compliant, we don't store card numbers)
  • Data Sharing: With Stripe and PawaPay for payment processing
  • Unique Feature: Public payment links (customer info shared only after payment)

14. Contact Us

For questions, concerns, or requests regarding this Privacy Policy:

General Inquiries

Email: [email protected]

Subject Line: "Privacy Inquiry"

Response Time: Within 5 business days

Privacy Rights Requests

Email: [email protected]

Subject Line: "Privacy Rights Request"

Response Time: Acknowledgment within 5 business days, fulfillment within 30 days

Security Incidents

Email: [email protected]

Phone: +1-508-365-9038

Response Time: Within 4 hours during business hours, 24/7 for critical issues

Data Protection Officer

Support Team

Email: [email protected]

15. SMS Communications

15.1 SMS Program Description

Iris Financial (operated by Iris Secure Technology Solutions LLC) sends transactional SMS messages to users who have explicitly opted in. Messages are sent exclusively through the Iris Financial platform at irisfinancial.tech. This SMS program is fully independent from any other Iris Secure product — consent collected here is never used for communications from irissecure.tech, Iris Workplace, or WeMeet.

15.2 Information We Collect for SMS

When you opt in to receive SMS messages from Iris Financial, we collect:

  • Mobile phone number
  • Name (if provided at opt-in)
  • Date, time, and method of opt-in consent
  • Exact opt-in language shown at time of consent
  • IP address at time of consent
  • Message delivery status and interaction logs

15.3 How We Use SMS Data

We use your mobile phone number solely to send:

  • Iris Pay transaction confirmations and payment alerts
  • Text-to-Give donation processing confirmations and receipts
  • Donor giving statements and church/nonprofit fund notifications
  • Invoice payment reminders
  • Supplier order and delivery notifications
  • PawaPay mobile money transaction confirmations for African market users
  • Account security alerts specific to the Iris Financial platform

15.4 SMS Data Sharing

Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes. SMS opt-in data is shared only with:

  • Telnyx Inc. — our SMS delivery provider, solely for message transmission
  • Wireless carriers — for message routing and delivery
  • As required by applicable law or court order

SMS consent collected on the Iris Financial platform is never shared with or reused by any other Iris Secure product.

15.5 Opt-In

You may opt in by:

  • Checking the SMS consent checkbox on the Iris Financial registration or account settings page (checkbox is unchecked by default)
  • Texting your organization's unique giving keyword (provided by your church or nonprofit) to our number to begin a guided giving conversation
  • Replying START, YES, or UNSTOP to resume messages after a prior opt-out
  • Providing written consent during onboarding

The exact consent language shown at opt-in is:

"By providing your mobile number and checking this box, you agree to receive recurring account, transaction, and donation-related text messages from Iris Financial (Iris Secure Technology Solutions LLC). Message frequency varies. Message and data rates may apply. Reply HELP for help and STOP to unsubscribe. Consent is not a condition of any purchase or donation."

Consent is not a condition of any purchase, donation, or use of our services.

15.6 Opt-Out

Reply STOP to any message at any time. Additional opt-out keywords: STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT. You will receive one final confirmation message and no further messages unless you re-enroll. You may also opt out by emailing [email protected] or toggling off SMS notifications in your account settings.

15.7 Message Frequency and Rates

Message frequency varies based on your account activity — up to 4 messages per month on average. Message and data rates may apply depending on your carrier and plan. Iris Financial is not responsible for any carrier charges.

15.8 Help

Reply HELP to any message or contact us at [email protected] or +1-508-365-9038.

15.9 Opt-In and Opt-Out Keywords

  • Opt-in / resume keywords: START, YES, UNSTOP — plus your organization's own unique giving keyword to begin a giving conversation
  • Opt-out keywords: STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT
  • Help keywords: HELP, INFO

Note: YES also serves as a transactional confirmation within an active giving conversation (for example, confirming a repeat gift we flag as a possible duplicate). In that context YES authorizes that specific gift and is not a general marketing opt-in.

15.10 Donation-Specific Disclosure

Our Text-to-Give feature uses a guided, reply-based conversation — not payment links texted to you. After a donor begins (by texting the organization's unique giving keyword or replying to a prompt), we ask how much they would like to give and, where applicable, which fund. A first gift is completed once through a secure, single-use card page; with the donor's permission the card is then securely saved so future gifts can be completed by confirming via text, and we may ask the donor to confirm an amount before charging. If a saved card is declined, we send a secure link to update it. Donations are charged on the receiving organization's own payment account through our payment processor. Iris Financial does not add fees to SMS donations. Standard message and data rates from your carrier still apply.

15.11 Supported Carriers

All major US wireless carriers including AT&T, Verizon, T-Mobile, and regional carriers. Iris Financial is not liable for delayed or undelivered messages.

15.12 International SMS

For users in DRC, Morocco, Senegal, and other African markets, outbound transaction notifications are sent via registered Alphanumeric Sender ID ("IrisFinancial"). These are one-way notifications — recipients cannot reply to international messages. Opt-out for international users is managed through in-app account settings.

15.13 SMS Data Retention

  • SMS opt-in consent records: 4 years (TCPA compliance requirement)
  • Message delivery logs: 12 months then automatically purged
  • Opt-out records: Maintained indefinitely to prevent future messaging

16. Legal Compliance

This Privacy Policy is designed to comply with:

  • General Data Protection Regulation (GDPR) — European Union
  • California Consumer Privacy Act (CCPA) — California, USA
  • Children's Online Privacy Protection Act (COPPA) — USA
  • Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada
  • Payment Card Industry Data Security Standard (PCI-DSS) — Via Stripe
  • Other applicable international data protection laws

Last Updated: July 3, 2026

Effective Date: January 4, 2026

Version: 2.1

Approved By: Support Team

By using Iris Secure Financial or Iris Money, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.