POLICIES, TERMS AND CONDITIONS

PRIVACY NOTICE

Last updated: 6 April 2025

Applies to: iSky Research websites, the Radar Online Portal, and all iSky platforms.

Controller: iSky Research, a subsidiary of Retail Finance Intelligence Limited (RFI Global), registered in England and Wales.

Overview

iSky Research ("iSky", "we", "us") is a subsidiary of Retail Finance Intelligence Limited, trading as RFI Global ("RFI Global"), a company registered in England and Wales. iSky specialises in UX research for banking and insurance, providing subscribers with privacy-safe insights drawn from authenticated client account journeys and feature rankings through its Radar Online Portal.

This Privacy Notice explains how we collect, use, store, and share your personal data when you interact with our websites or use our platforms (iSky Platforms), and describes your rights under applicable data protection law.

iSky Research is the data controller for the personal data described in this Notice. Where RFI Global processes data on our behalf, it acts as a data processor subject to appropriate contractual safeguards.

Scope and Applicable Law

This Notice applies to all iSky platforms and services globally. iSky operates internationally and is committed to compliance with the following data protection frameworks:

| Jurisdiction | Applicable Law | Supervisory Authority |
|---|---|---|
| United Kingdom / EU | UK GDPR; EU GDPR (Reg. 2016/679) | ICO (UK); Lead SA (EU) |
| United States | State privacy laws incl. CCPA/CPRA, VCDPA, and applicable federal law | FTC; State AGs |
| Australia | Privacy Act 1988 (Cth); Australian Privacy Principles (APPs) | Office of the Australian Information Commissioner (OAIC) |
| Singapore | Personal Data Protection Act 2012 (PDPA) | Personal Data Protection Commission (PDPC) |

Where local law imposes stricter requirements, we apply those requirements to residents of the relevant jurisdiction. References to GDPR in this Notice encompass both the UK GDPR and EU GDPR unless otherwise specified.

Personal Data We Collect

We collect the following categories of personal data:

  • Identity, contact and business information - name, title, email address, job title, and company name.
  • Account information - username, password or equivalent credentials, and records of your use of our platforms.
  • Communications - records of correspondence with us, including emails and support requests.
  • Technical and usage information - device identifiers, IP address, and information about how you interact with our platforms, collected in part through cookies and similar technologies. Please refer to our Cookie Notice for details.

We do not collect special category personal data (e.g. health data, biometric data) in the ordinary course of our services. All client account journey data made available through the Radar Portal is processed and presented in anonymised, PII-redacted form before any subscriber accesses it.

How We Use Your Personal Data

The table below sets out the purposes for which we process personal data and the legal basis we rely on under applicable law. In the UK and EU, we rely on the bases set out in Article 6 UK/EU GDPR. Equivalent bases apply under other applicable frameworks.

| Purpose | Legal Basis |
|---|---|
| Providing our services, managing your account, and enabling access to the Radar Portal | Performance of a contract; legitimate interests (service delivery and relationship management) |
| Responding to queries, complaints, and support requests | Legitimate interests (customer service quality and staff training) |
| Sending marketing communications and newsletters about our platform and services | Legitimate interests where permitted by law; consent where required (e.g. PECR, CAN-SPAM, Australian Spam Act, Singapore PDPA) |
| Conducting market research and building anonymised analytics about platform use | Legitimate interests; consent where data is collected via non-essential cookies |
| Improving platform functionality and security; preventing fraud and unauthorised access | Legitimate interests (protecting our business and users) |
| Complying with legal obligations, responding to regulatory or law enforcement requests | Legal obligation; legitimate interests (supporting legitimate investigations) |
| Tax, accounting, audit, and record-keeping | Legal obligation; legitimate interests (business management) |

We have conducted legitimate interests assessments (LIAs) for all processing carried out on that basis. We do not make solely automated decisions that produce legal or similarly significant effects on individuals.

Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this Notice, and for such further period as is required to comply with legal or regulatory obligations, defend legal claims, or meet applicable statutory retention periods.

When data is no longer required, it is securely deleted or anonymised in accordance with our data retention policy. Where applicable, we comply with the specific retention requirements of the Australian Privacy Act and Singapore PDPA.

Sharing Your Personal Data

We share personal data only as described below and, where required, subject to appropriate data processing agreements or standard contractual protections:

  • RFI Global group - as iSky's parent company, RFI Global may access personal data for internal reporting, IT support, and group-level compliance purposes. RFI Global is bound by appropriate intra-group data processing arrangements.
  • Service providers - third-party providers supporting our operations (e.g. hosting, analytics, marketing automation) act as data processors under written agreements restricting use to our documented instructions.
  • Your organisation - where you access the Radar Portal through an account associated with your employer or organisation (our subscriber), we may share account usage information with that organisation.
  • Professional advisers - legal, accounting, insurance, and other business advisers, to the extent necessary for the provision of their services.
  • Law enforcement and regulatory authorities - where required by applicable law, court order, or to protect our legitimate legal interests.
  • Business transfers - in the event of a merger, acquisition, or sale of iSky or its assets, personal data may be disclosed to advisers and transferred to a successor entity.

International Data Transfers

iSky and RFI Global operate internationally. Your personal data may be transferred to and processed in countries outside the UK, EEA, Australia, or Singapore, including the United Kingdom, Australia, Singapore, Hong Kong SAR, and the United States.

Where we transfer personal data outside a jurisdiction in a manner that requires a lawful transfer mechanism, we rely on one or more of the following, as applicable:

  • UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions issued by the UK Secretary of State or European Commission
  • The PDPC's approved cross-border transfer mechanisms under the Singapore PDPA
  • The OAIC's approved cross-border disclosure mechanisms under the Australian Privacy Act

You may request further information about the specific safeguards applied to your data by contacting us using the details in the contact section below.

Cookies

We use cookies and similar technologies on iSky Platforms. Full details of the cookies we use, their purposes, and how to manage your preferences are set out in our Cookie Notice, which forms part of this Privacy Notice. We rely on your consent to use non-essential cookies.

Your Data Protection Rights

Depending on your jurisdiction, you may have some or all of the following rights in relation to your personal data:

| Right | Description | Applies Under |
|---|---|---|
| Access | Request a copy of the personal data we hold about you | GDPR / UK GDPR, AU Privacy Act, SG PDPA, US state laws |
| Rectification / Correction | Request correction of inaccurate or incomplete data | GDPR / UK GDPR, AU Privacy Act, SG PDPA, US state laws |
| Erasure / Deletion | Request deletion of your personal data in certain circumstances | GDPR / UK GDPR, US state laws (CCPA/CPRA) |
| Restriction of processing | Request that we restrict processing of your data | GDPR / UK GDPR |
| Data portability | Receive your data in a structured, machine-readable format | GDPR / UK GDPR, CCPA/CPRA |
| Objection | Object to processing based on legitimate interests or for direct marketing | GDPR / UK GDPR |
| Opt-out of sale / sharing | Opt out of the sale or sharing of your data for targeted advertising | CCPA/CPRA and applicable US state laws |
| Withdraw consent | Withdraw consent at any time where processing is consent-based | All frameworks |
| Non-discrimination | Not be discriminated against for exercising privacy rights | CCPA/CPRA and US state laws |
| Lodge a complaint | Complain to the relevant supervisory authority | All frameworks |

To exercise any of these rights, please contact us using the details in the contact section below. We will respond within the timeframe required by applicable law (e.g. one month under GDPR; 45 days under CCPA; 30 days under Singapore PDPA; 30 days under the Australian Privacy Act). Certain rights are subject to legal exceptions, which we will identify when responding to your request.

Right to Lodge a Complaint

You have the right to lodge a complaint directly with the relevant supervisory authority at any time - you are not required to contact us first. The relevant authority will depend on your jurisdiction:

  • United Kingdom: Information Commissioner's Office (ICO) - ico.org.uk
  • European Union: The data protection authority in your EU member state of residence or place of work
  • Australia: Office of the Australian Information Commissioner (OAIC) - oaic.gov.au
  • Singapore: Personal Data Protection Commission (PDPC) - pdpc.gov.sg
  • United States: Your state Attorney General or relevant state privacy regulator

We would, however, welcome the opportunity to address your concerns directly before you contact a supervisory authority. Please reach out to us in the first instance using the contact details in the contact section below.

Contact Us

For questions about this Notice, to exercise your data protection rights, or for any privacy-related enquiries, please contact our Data Protection and Privacy Team:

| Contact | Details |
|---|---|
| Privacy Enquiries / Data Protection Team | privacy@rfi.global |
| General enquiries (iSky) | team@iskyresearch.com |
| Entity | iSky Research, a subsidiary of Retail Finance Intelligence Limited (RFI Global) |
| Registered jurisdiction | England and Wales |

Note: iSky Research and RFI Global have not designated a statutory Data Protection Officer under Article 37 UK/EU GDPR where this is not required. Privacy and data protection enquiries are handled by our Data Protection and Privacy Team at the address above.

Updates to This Notice

We may update this Notice from time to time to reflect changes in the way we process personal data, changes to our business (including our relationship with RFI Global), or updates required by law or regulation. The current version will always be published on our website with the date of last update noted at the top of this Notice. Where changes are material, we will provide additional notice as required by applicable law.