Personal Data collection and Processing Policy

Your Personal Data is not only protected by the dedication and high standards of IRIS.AI – it’s also protected by law. The law states that we can only collect, handle and process your Personal Data if we have legal grounds to do so. Those include but are not limited to:

• Fulfill any contract we have with you (in your capacity of a registered User, using our products and services through our Website);
• We have a legal obligation;
• When you have given your consent to the collection, handling, and processing;
• When it is in our legitimate interest;
• When it is of public interest;
• When it is of your vital interest.

In some cases, determined by law, we can process your Personal Data when we have a legitimate interest(s) to do so. Legitimate interest is applied when we have a commercial or business reason to process your Personal Data. During processing, your Personal Data remains protected and we must not process it in a way that would be unfair to you or your interests.

If the reason for processing your Personal Data is a legitimate interest, we will inform you what our legitimate interests are and provide you with the opportunity to raise any questions or objections you might have via various communication channels or by other means.

Generally and above all, we should note that IRIS.AI collects and processes your personal data for the following purposes: (1) to fulfill our obligations as a provider of software which is helping scientist optimize their research processes, as our Services help you: explore scientific content, narrow down a collection of documents with a wide range of smart filters, reading list analysis, auto-generated summaries, autonomous extraction and systematizing of data; use broad variety of smart tools that you can apply and combine as needed; work with most any type of scientific and research content – open access or paywalled research papers, patents, internal documents, greypapers, whitepapers, tech specs, etc. or collection of research uploaded by you; find and create a science map, visit a science map, create a focus study, visit a focus study, find a bookmarked map or paper, create a bookmark, visit a bookmarked map or paper, as well as generally based on your research history, provide you with AI tailored science maps, focus studies and papers suggestions; allow you to ask questions and get answers based on a collection of documents; receive notifications for in tool activities; (2) to deliver the Website’s functionalities in the fullest and most efficient way possible; (3) to deliver information, products and services explicitly requested by our customers (for example, sending out newsletters, etc.); (4) to perform market analysis and statistical research for the purpose of internal marketing and statistical activities relating to IRIS.AI.

For clarity purposes, below you will find lists of the respective types of personal data IRIS.AI collects from the Website users, arranged based on the specific purposes and processes whose implementation requires the collection of personal data, namely:

• Personal data needed to purchase a product – data provided by the users when they make a purchase through the Website as indicated in the Website’s Terms of Service, in particular: (1) first name and (2) family name of the user; and (3) valid email address.
• Personal data needed for execution of the services – (1) first name and (2) family name of the user; (3) valid email address and (4) the account type the user is willing to create.
• Personal data relating to payments made by the user – IRIS.AI uses three payment systems to support payments. In particular, these systems are maintained by the third entities listed below and the respective data, collected when these systems are used, is as follows:
  • Google Pay (https://pay.google.com) – this provider fully processes all payments made by the Website users/buyers, where all banking and financial data (respectively credit and debit cards, including data thereof, etc.) are processed solely by this entity.
  • Link (https://link.co) – this provider fully processes all payments made by the Website users/buyers, where all banking and financial data (respectively credit and debit cards, including data thereof, etc.) are processed solely by this entity.
  • Stripe (https://stripe.com/) – this third entity is a provider of online verification (confirmation) services relating to online payments. When collaborating with this provider, IRIS.AI receives access to the following banking and financial information about its website users – (1) first name and (2) family name of the user; (3) type of bank card; (4) the last four digits of the bank card number; and (5) bank card validity data.
• Data collected through Cookies – for more information, please see Section 3 below – “Rules relating to the cookies used and data collected through cookies”‘
• IP address;
• User browser identifier;
• User device identifier;
• Information about the number of user Website visits;
• Information about the landing page from which a user has reached the Site.

• IP address;
• User browser identifier;
• User device identifier;
• Information about the number of user Website visits;
• Information about the landing page from which a user has reached the Site;
• Data collected through cookies – for more information, please see Section 3 below – “Rules on the cookies used and data collected through cookies”‘

Cookies are essentially small text files sent by the web server to the used browser and stored on your device so the Website can recognize them. There are two types of cookies – permanent and session (temporary) cookies. Permanent cookies are stored as a file on your computer or mobile device for a longer period of time. Session cookies are stored temporarily on your device, when you visit the Website, and are erased relatively soon after you close the Website. Most cookies don’t contain any sensitive information about you or any personal data that can identify you directly.

For further information please, see the Cookie Policy on our website: https://iris.ai/cookie-policy/.

Sometimes we share your personal data with third parties. This is aimed at providing you with the best possible experience when using our Website, and sometimes – to secure and make available our service in general.

IRIS.AI does not grant usage rights, and does not sell, reveal or share your information (personal data under GDPR) with other entities or non-related companies, unless this is necessary to provide you with the services you requested and you have given your permission, or in any of the following hypotheses:

• Information is provided to our trusted partners working on assignments made by IRIS.AI based on contractual relationships and under confidentiality agreements. This third-party entities include, but are not limited to:
• Stripe (agreement) – IRIS.AI accepts payments by credit and debit cards (as set out in the Website’s Terms of Service) for your purchase. Where payments are administered by Stripe, the process will guarantee the highest levels of user personal data protection. For more information, please visit: https://stripe.com/en-gb-es/legal/end-users).
• Google Pay (agreement) – IRIS.AI accepts payments by credit and debit cards (as set out in the Website’s Terms of Service) for your purchase, where payments are fully administered by a third entity – Google Pay based on an agreement (Google Pay processes personal data based on assignments made by IRIS.AI, where the process guarantees the highest level of user personal data protection, for more information, please visit: https://payments.google.com/payments/apis-secure/u/0/get_legal_document?ldo=0&ldt=privacynotice&ldl=en). When using Google Pay, IRIS.AI has no access to any user financial data (the only personal data access we have via Google Pay is access to the names and email addresses as set out in the Website’s Policy and Terms of Service).
• Link (agreement) – IRIS.AI accepts payments by credit and debit cards (as set out in the Website’s Terms of Service) for your purchase, where payments are fully administered by a third entity – Link based on an agreement (Link processes personal data based on assignments made by IRIS.AI, where the process guarantees the highest level of user personal data protection, for more information, please visit: https://link.co/privacy). When using Link, IRIS.AI has no access to any user financial data (the only personal data access we have via Link is access to the names and email addresses as set out in the Website’s Policy and Terms of Service).
• Google Analytics – to see the reasons for using Google Analytics, please see Section 3: Cookie Policy (https://privacy.google.com/, https://policies.google.com/technologies/partner-sites).
• Facebook Tracking Pixel (https://www.facebook.com/privacy/policy).
• Hubspot Pixel – to see the reasons for using Hubspot, please see Section 3: Cookie Policy (https://legal.hubspot.com/privacy-policy).
• Escalon Services Norway AS (agreement) – a company providing accounting services for IRIS.AI.
• Amazon Web Services (AWS) – cloud server provider. IRIS. AI uses the servers and cloud infrastructure of AWS for storage of personal data. All data collected by IRIS.AI is stored electronically in Ireland and Germany, Europe. For more information, please visit: https://aws.amazon.com/privacy/ and https://aws.amazon.com/compliance/data-privacy-faq/.
• Information needed to fulfill our legal obligations based on legitimate requests coming from authorized government authorities, including but not limited to judicial authorities; investigative authorities; tax authorities, etc. (under the Law on Electronic Communications, The Criminal Code, the Law on the Ministry of Interior, the Law on the Judiciary, etc.)

If you do not wish us to send the information to some of our partners, you can withdraw your consent by editing your cookie preferences in the GDPR Cookie Consent plugin pop up window, which appears in the down left corner of the page when you first visit our Webpage.

Personal data is stored up until there is a legitimate ground for us to delete them or up until the following:

We do not perform automated decision-making, including profiling.

IRIS.AI have implemented all kinds of technical and organizational measures to guarantee the security of all Website user data in line with all mandatory requirements of the applicable EU and local law and to ensure that processing is carried out in accordance with the GDPR, including:

1. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

2. the ability to restore the availability and access to Personal data in a timely manner in the event of a physical or technical incident;

3. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

IRIS.AI has prepared detailed General Security Guidelines, which describe in great detail the processes of storage, encryption and generally ensuring the protection of the personal data of the users of the Website; obligations to comply with security measures by IRIS.AI’s employees; a manual for action in the event of an incident; protection from viruses and malicious attacks, etc.

These measures are designed to implement data protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect your rights.

IRIS.AI does not perform direct user personal data transfer to countries outside the EU and the EEA.

However, some of our partners may transfer data outside the EEA. The Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. In this regard, when transferring personal information outside the EU, EEA to the US, we will include the standard data protection clauses approved by the European Commission under Article 46.2 of the General Data Protection Regulation (GDPR) into our contract with these US-based companies and other partners. Access to such safeguards are available on request. For more information, please see our partners’ privacy policies.

If we transfer your Personal Data outside of the EEA within our corporate group or business partners, we will ensure the same protection standards as within the EEA by relying on the following:

• The country receiving your Personal Data is recognized by the European Commission as having the same level of protection as within the EEA. You can find more information on the European Commission website.
• We are signing only contracts that require the recipient to adhere to the same protection standards of your Personal Data as those within the EEA.

Personal data is stored up until there is a legitimate ground for us to delete them or up until the following:

You delete your own account

You are solely responsible for properly deleting your account. Please note that we will not accept requests via phone, mail, or by other informal means to delete your account.

You can delete your account at any time by opening the user profile link in the global navigation bar at the right top of your screen in Academic Tools and bottom left corner in the Researcher Workspace. The account screen provides a “My information” bar, at the bottom of which a simple no questions asked “Delete” cancellation button is provided.

All of your content will be immediately deleted from the Service upon deletion. This information cannot be recovered once your account is deleted. If you delete your account before the end of your current paid up period, your deletion will take effect immediately, meaning you will not be charged again, but no refund will be given for the unused part of the already paid period.

We delete latent user accounts

“Latent users” are users who have not taken any Service significant action (hereby called “User activity”) within the last 2 years.

“User activity” is each activity that is essential to the Service we provide and to what it does – helping scientists optimize their research processes. Examples of such User activities include but are not limited to: creating a science map, visiting a science map, creating a dataset, visiting a dataset, creating a bookmark, visiting a bookmarked map, etc. Most actions in the Service are considered User activity, but there are few exceptions, such as user authentication (i.e. login) and browsing my content section. We believe that those two are not essential to the Service and what it does, that is why they are excluded from that category.

In case your account becomes a Latent user account, we may delete it, unless you take any User activity action, as described above. We will notify you automatically 30 days, 5 days and 1 day prior to the deletion date and time. If no User activity is registered after the notifications, your data will be downloaded and sent to you via email and afterwards deleted from our servers.

Other cases we can delete user accounts

Iris.ai, in its sole discretion, has the right to suspend or terminate your account and refuse any and all current or future use of the Service, or any other Iris.ai service, for any reason at any time (for example, including but not limited to law infringement, fraudulent actions, etc.). Such suspension or termination of the Service will result in the deactivation or deletion of your account or your access to your account, and the forfeiture and relinquishment of all content in your account. Iris.ai reserves the right to refuse service to anyone for any reason at any time.

In the event that Iris.ai takes action to suspend or terminate an account, we will make a reasonable effort to provide the affected account owner with a copy of their account contents upon request, unless the account was suspended or terminated due to unlawful conduct.

For the purposes of measuring user behavior on the Website, we store personal data based on the period of validity of the respective cookie recording.

Right of access: to your personal data: you have the right to receive confirmation from us as to whether we process your personal data and, if this is the case, you have the right to access your personal data and information.

Right of rectification of personal data: if you discover that the personal data we process on you is incorrect, you have the right to make us correct this personal data.

Right of erasure of personal data (the right to be forgotten): under certain circumstances, if your personal data is processed illegally or you have withdrawn your consent (if the personal data processing is based on consent), you have the right to request and receive erasure of your personal data by us.

Right to restrict processing: under certain circumstances, for example if you doubt the accuracy of your personal data or have objected to our legitimate goal for processing your personal data, you have the right to request us to restrict the processing of your personal data until a solution is found.

The right to object: under certain circumstances, for example if you doubt our legitimate interest in processing your personal data, you have the right to object to such processing based on reasons related to your particular situation.

Right to data portability: if your personal data is processed automatically based on your consent or for the purpose of performing our contractual obligations, you have the right to request us to provide you with your personal data in a machine-readable format to transfer them to another data controller.

Right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint in terms of the processing of your personal data by us with the respective competent supervisory authority under the legislation of the Kingdom of Norway and under Chapter VI of the GDPR or any other applicable EU regulation or international agreement.

This Privacy Policy is an integral part of the Terms of Service in force for the services available on the Website. It should be interpreted in relation to them in terms of purchasing products from the Website.

In the event of any disputes between a user and IRIS.AI, these disputes shall be settled in the spirit of mutual understanding and compromise. If impossible, the competent authority to resolve any possible disputes shall be the respective court, applying the respective local and EU legislation applicable as of the moment of resolving the problem.

IRIS.AI reserves the right to make changes to this Privacy Policy at any given moment by publishing the changed terms and conditions on the Website. In this case, you will be asked to accept the changed Privacy Policy once again.

Contacts:
Personal Data Controller: www.iris.ai is owned by Iris AI AS, a limited liability legal entity (AKSJESELSKAP), established and existing under the legislation of the Kingdom of Norway, with registration number 916 246 269, having its registered office and principal place of business in: Kingdom of Norway, Bærum municipality, Stabekk region 1368, Michelets vei 54B, email address: founders@iris.ai.

Data Protection Officer: Victor Botev; email address: victor@iris.ai.

(Please note that any data subject access requests under Regulation (EU) 2016/679 sent by mail or courier require additional identification by presenting an ID document by the data subject or by sending the request by email, where this request shall be e-signed by the data subject. Data access requests can also be sent by a legalized proxy of the data subject, where in this case, the proxy should provide a duly notarized power of attorney).