Privacy Policy

Last updated: 17 March 2026

Privacy Policy

Last updated: 17 March 2026

This Privacy Policy describes how Iris Soft ("we," "us," or "our") collects, uses, stores, and protects your personal data when you visit or make a purchase from our store. This policy applies to all users globally, including those in the European Union (GDPR), the United Kingdom (UK GDPR), the United States (including California residents under CCPA/CPRA), and the Republic of Turkey (KVKK – Law No. 6698).

By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use our services.

1. Data Controller Information

The data controller responsible for your personal data is:

Iris Soft
Support Contact: [email protected]
Website: https://store.irisoft.net/

2. Information We Collect

We collect the following categories of personal data:

2.1 Information You Provide Directly

  • Full name
  • Email address
  • Billing address (including country, city, and postal code)
  • Phone number (where provided)
  • Payment information (processed by our payment processor; we do not store full card numbers)
  • Communications you send us (support tickets, emails)

2.2 Information Collected Automatically

  • IP address
  • Browser type and version
  • Operating system
  • Pages visited, time and date of visit, and clickstream data
  • Referring URLs
  • Device identifiers
  • Cookie data and similar tracking technologies

2.3 Transaction Data

  • Products purchased
  • Order history
  • License keys issued
  • Payment status and transaction IDs

3. Legal Basis for Processing (GDPR / UK GDPR)

For users in the European Economic Area (EEA), the United Kingdom, and other jurisdictions with similar requirements, we process your personal data under the following legal bases:

  • Performance of a Contract (Art. 6(1)(b) GDPR): Processing is necessary to fulfill your purchase, deliver your license keys, and provide customer support.
  • Legal Obligation (Art. 6(1)(c) GDPR): We are required to retain certain transaction data for tax and accounting purposes.
  • Legitimate Interests (Art. 6(1)(f) GDPR): We process certain data to prevent fraud, improve our services, and ensure platform security.
  • Consent (Art. 6(1)(a) GDPR): Where we send marketing communications, we do so only with your explicit prior consent, which you may withdraw at any time.

4. How We Use Your Information

We use the personal data we collect for the following purposes:

  • To process and fulfill your orders and deliver digital products
  • To create and manage your account
  • To send transactional emails (order confirmations, license key delivery, receipts)
  • To provide customer support and respond to your inquiries
  • To detect, prevent, and investigate fraudulent or illegal activity
  • To comply with applicable legal obligations (tax, accounting, regulatory reporting)
  • To analyze usage patterns and improve our platform
  • To send marketing communications, where you have explicitly consented
  • To enforce our Terms of Service and other agreements

5. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience. These include:

  • Essential Cookies: Required for the website to function (e.g., session management, shopping cart).
  • Analytics Cookies: Used to understand how visitors interact with our website (e.g., page views, traffic sources). These may be provided by third-party tools such as Google Analytics.
  • Preference Cookies: Remember your settings and preferences.

You may manage or disable non-essential cookies through your browser settings or our cookie consent interface. Please note that disabling certain cookies may affect functionality.

6. Data Sharing and Third Parties

We do not sell your personal data to third parties. We may share your data only in the following limited circumstances:

  • Payment Processors: Your payment information is processed by Lemon Squeezy (and/or other authorized payment service providers). These parties process your financial data in accordance with PCI-DSS standards and their own privacy policies.
  • Email Service Providers: We use third-party email services to deliver transactional and support emails.
  • Analytics Providers: Aggregated and anonymized usage data may be shared with analytics platforms.
  • Legal Authorities: We may disclose your data to law enforcement, courts, or regulatory authorities when required by applicable law or to protect our legal rights.
  • Business Transfers: In the event of a merger, acquisition, or sale of all or part of our assets, your data may be transferred to the successor entity.

All third-party service providers we work with are bound by data processing agreements and are required to protect your data in accordance with applicable laws.

7. International Data Transfers

We operate internationally and your data may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your home country.

For transfers from the EEA or UK to third countries, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) as approved by the European Commission, or other legally recognized transfer mechanisms. For transfers involving Turkish residents' data, we comply with the cross-border data transfer rules under KVKK.

8. Data Security

We implement industry-standard and enterprise-grade security measures to protect your personal data, including:

  • AES-256 encryption for stored personally identifiable information
  • Argon2id password hashing for all user credentials
  • TLS/SSL encryption for all data transmitted between your browser and our servers
  • Access controls limiting data access to authorized personnel only
  • Regular security audits and vulnerability assessments
  • Secure server infrastructure hosted with reputable providers

Despite our efforts, no method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities in accordance with applicable law (within 72 hours for GDPR purposes where required).

9. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law. Specifically:

  • Account data: Retained for the duration of your account and up to 3 years after account deletion, for fraud prevention and dispute resolution.
  • Transaction and order data: Retained for a minimum of 10 years to comply with Turkish tax law (Vergi Usul Kanunu), EU VAT regulations, and other applicable financial record-keeping requirements.
  • Support communications: Retained for 3 years from the date of the last communication.
  • Marketing consent records: Retained until consent is withdrawn and for a reasonable period thereafter as evidence of consent.

When data is no longer required, it is securely deleted or anonymized.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

10.1 Rights Under GDPR / UK GDPR (EEA and UK Residents)

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
  • Right to Restriction of Processing (Art. 18): Request that we limit how we use your data.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority).

10.2 Rights Under KVKK (Turkish Residents)

Under Law No. 6698 (KVKK), you have the right to:

  • Learn whether your personal data is being processed
  • Request information about the purpose and use of your data
  • Know third parties to whom your data is transferred
  • Request correction of incomplete or inaccurate data
  • Request deletion or destruction of data where conditions are met
  • Object to automated processing decisions
  • Request compensation for damages arising from unlawful processing

10.3 Rights Under CCPA/CPRA (California Residents)

California residents have the right to:

  • Know what personal information we collect, use, disclose, or sell
  • Request deletion of personal information
  • Opt out of the sale or sharing of personal information (we do not sell personal information)
  • Non-discrimination for exercising your CCPA rights
  • Correct inaccurate personal information
  • Limit the use of sensitive personal information

To exercise any of your rights, please contact us at [email protected]. We will respond within 30 days (or within the timeframe required by applicable law). We may require you to verify your identity before processing your request.

11. Children's Privacy

Our services are not directed to individuals under the age of 18 (or 16 in certain EEA countries). We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected] and we will take steps to delete such information.

12. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to review their respective privacy policies.

13. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time. We will notify you of material changes by posting the updated policy on our website with a new "Last Updated" date. Where required by law, we will seek your consent before implementing material changes. Your continued use of our services after changes are posted constitutes your acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at:

Email: [email protected]

For KVKK-related requests, you may submit your application in writing to the above email address. We will respond within 30 days as required by Article 13 of KVKK.

← Back to Store