Privacy Statement

This Privacy Statement explains how James Brew, trading as Iryss ("IRYSS", "we", "us"), collects, uses, and protects personal data. It covers two distinct relationships: people who visit our website or enquire about IRYSS, and the optician practices who use the IRYSS platform. Patient data processed inside the platform is governed by a separate Data Processing Agreement — see section 10.

1. Who we are

IRYSS is a patient retention platform for independent optician practices in the United Kingdom and Ireland, operated by James Brew, a sole trader trading as "Iryss", of Ashgrove Avenue, Comber, County Down, Northern Ireland.

For the purposes of UK GDPR and the EU General Data Protection Regulation (EU GDPR), James Brew (trading as Iryss) is the data controller for personal data collected through our website and enquiry channels. For patient data processed within the IRYSS platform, we act as a data processor on behalf of each practice — see section 10.

You can reach our data protection contact at privacy@theiryss.com.

2. Scope of this statement

This statement applies to:

• Website visitors and enquirers — anyone who browses theiryss.com, books a demo, or contacts us.
• Practice users — staff at practices that subscribe to IRYSS, in respect of their own account and contact details.

It does not govern our processing of patient personal data on behalf of practices. That processing is governed by the Data Processing Agreement entered into between IRYSS and each practice (section 10).

3. What we collect

Information you give us

• Your name, email address, phone number, and practice name when you book a demo or contact us.
• Account details — name, work email, role — if your practice subscribes to IRYSS.
• The content of any correspondence you send us.

Information we collect automatically

• Basic technical data when you visit our website: IP address, browser type, device type, pages viewed, and referring site.
• This is collected through privacy-respecting analytics and, where applicable, cookies (section 5).

We do not collect special category data (such as health information) about website visitors. Special category data is only ever processed within the platform, on behalf of practices, under a Data Processing Agreement.

4. How we use it & legal basis

• Responding to demo requests and enquiries — legal basis: legitimate interests (responding to a request you initiated) or steps prior to entering a contract.
• Providing and administering the IRYSS service to subscribing practices — legal basis: performance of a contract.
• Sending occasional updates about IRYSS to practices and prospects — legal basis: legitimate interests, or consent where required. You can opt out at any time.
• Improving our website and service — legal basis: legitimate interests.
• Meeting legal and regulatory obligations — legal basis: legal obligation.

Where we rely on legitimate interests, we have considered whether those interests are overridden by your rights, and we believe they are not. You can object to this processing — see section 9.

5. Cookies & analytics

Our website uses a minimal set of cookies and similar technologies. These fall into:

• Strictly necessary — required for the site to function. These do not require consent.
• Analytics — help us understand how the site is used so we can improve it. We use these only with your consent where required by law.

You can control or block cookies through your browser settings. Blocking some cookies may affect how the website works.

6. Who we share data with

We do not sell personal data. We share it only with service providers who help us run IRYSS, each bound by contract to protect it:

• Hosting and infrastructure providers, who host our website and platform.
• Scheduling tools (such as Cal.com) used to book demos.
• Email and communications providers used to correspond with you.
• Analytics providers, as described in section 5.
• Professional advisers — accountants, lawyers — where necessary.
• Authorities or regulators, where we are legally required to do so.

A current list of our sub-processors is available on request from privacy@theiryss.com.

7. International transfers

We aim to keep personal data within the UK and the European Economic Area (EEA). Where any transfer outside the UK or EEA is necessary, we ensure an appropriate safeguard is in place — such as UK or EU adequacy regulations, the UK International Data Transfer Agreement, or EU Standard Contractual Clauses.

8. Data retention

We keep personal data only as long as necessary for the purposes set out above:

• Enquiry and demo data — up to 24 months from your last contact with us, unless you become a customer.
• Customer account data — for the duration of the subscription and a reasonable period afterwards for legal, accounting, and audit purposes.
• Correspondence — as long as needed to handle your query and meet our legal obligations.

When data is no longer needed, we securely delete or anonymise it.

9. Your rights

Under UK GDPR and EU GDPR you have the right to:

• Access the personal data we hold about you.
• Have inaccurate data corrected.
• Have your data erased, in certain circumstances.
• Restrict or object to our processing, in certain circumstances.
• Receive your data in a portable format.
• Withdraw consent at any time, where we rely on consent.

To exercise any of these rights, email privacy@theiryss.com. We will respond within one month. There is normally no charge.

10. The IRYSS platform & patient data

This means the practice decides what patient data is processed and why; IRYSS processes it only on the practice's documented instructions. This relationship is governed by a Data Processing Agreement (DPA) that forms part of every practice's subscription. The DPA sets out the security measures, sub-processor terms, breach notification process, and data return and deletion obligations that apply to patient data.

If you are a patient of a practice that uses IRYSS and you have a question about your data, please contact your optician practice directly — they are the controller of your data. We will support the practice in responding to your request.

11. Security

We take the security of personal data seriously and use appropriate technical and organisational measures, including encryption in transit and at rest, access controls, and regular review of our practices. No system is perfectly secure, but we work to protect data against unauthorised access, loss, or misuse, and we will notify you and the relevant regulator of any breach where we are legally required to do so.

12. Changes to this statement

We may update this statement from time to time. When we make material changes, we will update the "last updated" date above and, where appropriate, notify you directly. We encourage you to review this page periodically.

13. Contact & complaints

For any privacy question, or to exercise your rights, contact us at privacy@theiryss.com or write to us at Ashgrove Avenue, Comber, County Down, Northern Ireland.

If you are not satisfied with our response, you have the right to complain to a data protection regulator:

• United Kingdom — the Information Commissioner's Office (ICO), ico.org.uk.
• Ireland — the Data Protection Commission (DPC), dataprotection.ie.

We would, however, appreciate the chance to address your concerns before you approach the regulator, so please do contact us first.