We make personal data management fair, transparent and simple.
That includes helping over 10,000 companies manage their data requests and comply with GDPR, for free.
Why companies like Rightly
Popular with consumers
We make it easy for our users to have more control over their personal data
Security is our priority
All of our user requests are authenticated and transferred securely
Fulfilling requests is easy
Our secure system does not require companies to register to reply to requests
What you should know about us
We make it easy for:
- Consumers to exercise their data rights
- Companies to reply securely in line with their GDPR obligations
Consumers love our platform because:
- Our friendly UX makes having control over your own personal data simple
- Our one-to-many model gives our users one familiar, quick way to send multiple requests at once
- Their Rightly account can store their communications and data in one secure place
For lots of reasons! We're particularly proud of how we help our users get genuinely useful things done with companies using their rights under GDPR.
For example, our users can:
- Find out why they were rejected from a mortgage
- Delete their data from social media
- Get evidence for a redundancy appeal
To discover more about the ways that Rightly can be helpful, give our 'Ways to use Rightly' page a read.
We're governed by our principles:
We value the trust that our users and community put in us. To meet this, we hold ourselves to the highest possible data standards. You can read more about this on our Data Ethics page, or in our Company FAQs below.
We're free to use:
People shouldn't have to pay to exercise their rights, which is why we’ve chosen to keep our services free. That goes for companies, too.
We ensure consumers can exercise their legal rights under GDPR:
If you've received a request from Rightly, you have 30 days to respond in line with the law.
We want to hear from you:
We're growing Rightly to work for consumers and businesses. Your feedback helps us improve!
Book a call below or email email@example.com.
How does Rightly work?
To read about how our users send and receive requests through Rightly, see our How it works page.
Still have questions? Our customer support team would be happy to help.
What should I do if I receive a request?
If you've received a request from a user, follow the instructions in the user's request and click the link to our secure portal. From here, companies can reply to requests and securely upload data files. Access to this portal is secured with a One Time Password sent to the same inbox a company designates as appropriate for handling data requests.
We go into this in more detail in our Company FAQs, below.
Want to speak to someone?
Speak to a member of our company support team for more information
Why companies trust Rightly
Users are authenticated
All email addresses used in requests are verified and companies can ask users to provide additional ID
All data is encrypted
Data is encrypted at rest and in transit making it impossible for hackers to gain access by brute force or snooping
Only users can see data
Our service permits only the requesting user to access the data files they receive
How to respond to a data request from the user
Responding to a user's request is easy. Whether you are sending confirmation of completion, data files or a message, you have two options:
Firstly, and the method we recommend, you can respond via Rightly's secure web reply portal. No registration is required and all data sent via this method is encrypted. This can be accessed by clicking the link in the request email and entering the One Time Password sent to the same inbox.
Alternatively, you can respond to the user directly by replying to the request email itself. All replies go directly to the user's inbox in their Rightly account. It’s important to note that when companies choose to reply to data requests via email, they don't benefit from any encryption while the data is in transit. This is because email is still based on the old Simple Mail Transfer Protocol (SMTP), which does not encrypt messages during transfer. For this reason, Rightly does not recommend using email for the transfer of any sensitive information.
No problem, simply ask the user for additional data or documentation and explain why it's needed. This can be done via the secure web reply portal, which can be accessed by clicking the link in the request email, or by replying to the request email itself (all replies go directly to the user's inbox on their Rightly account).
For security, companies will be sent a One Time Password needed to access this portal, meaning no registration is required. This OTP is sent to the same company inbox where requests are received. If there are data points that you will always need in future requests from other Rightly users, please get in touch with us at firstname.lastname@example.org to discuss your requirements.
Our users, the data subjects, have chosen to send their request to you via Rightly because we provide a simple and secure platform to manage personal data with over 10,000 companies.
Our users therefore expect to receive responses to their secure Rightly dashboard, including any associated data files. Should you wish to confirm this with them, you can simply respond to their request.
(See the FAQ: We've just received a request from a user via Rightly, how do we respond?)
The ICO guidelines state that companies can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
In addition, due to the ongoing pandemic, the ICO offers further clarification on the impact on response times:
"We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic."
We would encourage any user to be mindful and accommodating of the above guidance.
Data security and integrity
Encryption at rest
When a user's data is stored on our service it’s always stored in encrypted form. No two files share the same encryption key, making it impossible for hackers to gain access to the data by brute force.
Encryption in transit
Whenever users or companies upload data to our service through our portal, we use strong SSL encryption to make sure it can’t be read by anyone snooping on the internet traffic.
Our service permits only the requesting user (and receiving company) to access the data files they send and receive using our platform. This restriction applies to Rightly staff too, who do not have access to any data files, ID documentation or PII data beyond the subject's email address and any company/user correspondence messages, which are used for ID&V purposes and fulfilling customer support enquiries.
Users include their email address in every request so that companies can locate their account. Rightly also ensures the user has access to this inbox by sending a verification link before it can be included in any request.
If you require additional proof, you can ask the user to provide further documentation such as a passport, driving license or proof of address. Should you need more data points, you can ask the user for these by simply replying to the request (see FAQ: We've just received a request from a user via Rightly, how do we respond?).
All communications from Rightly come from a fixed root domain:
- All links to our forms start with https://www.rightly.co.uk/...
- All of our outbound emails finish with the suffix '@inbound.rightly.co.uk'
- Any further information provided to companies will come from https://rightly-prod-live-eu.s3.amazonaws.com.
If you have any further questions or notice anything suspicious, please contact our company support team at email@example.com as soon as possible.
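A company inbox that handles these requests can turn the origins listed above into a triage check. The following is an added example, not Rightly's own code: the function names, sample paths and mailbox names are constructed, and it compares the parsed host rather than a string prefix so that lookalike hosts fail.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Origins as listed on this page.
FORM_HOST = "www.rightly.co.uk"
FILE_HOST = "rightly-prod-live-eu.s3.amazonaws.com"
SENDER_DOMAIN = "inbound.rightly.co.uk"


def link_is_expected(url: str) -> bool:
    """True only for https links whose parsed host is exactly a listed host."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # Reject plain http and any "user@host" form, which hides the real host.
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    if port not in (None, 443):
        return False
    return parts.hostname in (FORM_HOST, FILE_HOST)


def sender_is_expected(from_header: str) -> bool:
    """Check the address part of a From header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    local, sep, domain = addr.rpartition("@")
    return bool(local and sep) and domain.lower() == SENDER_DOMAIN


def review_message(from_header: str, links: list[str]) -> list[str]:
    """Return findings for one message; an empty list means nothing unexpected."""
    findings = []
    if not sender_is_expected(from_header):
        findings.append(f"unexpected sender: {from_header}")
    findings += [f"unexpected link: {u}" for u in links if not link_is_expected(u)]
    return findings


if __name__ == "__main__":
    # Constructed sample: a lookalike host that a prefix match would accept.
    print(review_message(
        "Rightly <requests@inbound.rightly.co.uk>",
        ["https://www.rightly.co.uk/reply/abc",
         "https://www.rightly.co.uk.example.net/reply/abc"],
    ))
```

A From header can be forged, so a pass here only means the message is consistent with the list above; the receiving mail server's SPF, DKIM and DMARC results are what authenticate the sender.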
Our service only permits the requesting user and receiving company to access the data files they send and receive using our platform.
Even Rightly staff do not have access to any data files, ID documentation or PII data beyond the subject's email address and any company/user correspondence messages which are used for ID&V purposes and fulfilling customer support enquiries.
We may use the metadata of requests (date/time, receiving company, industry, responded to, success etc.) along with customer satisfaction data to produce aggregated non-personalised reports to share with interested authorities and regulators.
Company obligations under GDPR
The GDPR entitles people to submit subject access requests (SARs) to data controllers by any means or media.
Even if you have your own system to receive such requests, the UK Information Commissioner’s Office Code of Practice states that you “may not insist on the use of a particular means of delivery for a SAR” [P.13].
Be mindful that our users have chosen to submit their SAR via Rightly, and we've purposefully made it easy for you to respond, verify the identity of the data subject, and securely transfer data back to them to comply with the request.
You have received a SAR from a data subject via the Rightly platform. Rightly does not legally represent, litigate or bring claims on behalf of Rightly users; it is a secure platform for submitting and responding to SARs. As such, the requirements of GDPR apply as normal.
The UK Data Protection Act requires you to respond to a SAR within 30 days. You are entitled to verify the identity of the data subject and Rightly helps you do this (see FAQ: How do we know a request sent via Rightly is from the User?), and to seek additional information from the data subject to clarify the scope of the request where necessary (see FAQ: What if we need more information from the user to fulfil their request?). Please note, however, that simply refusing to comply with a request is likely to amount to a breach of your GDPR obligations.
If you fail to respond to a SAR you may be in breach of your obligations under the GDPR. The Rightly platform enables its users to submit complaints to data controllers who fail to respond to data subjects within 30 days. Failure to act upon the complaint may risk further escalations.
If you'd like to discuss any topics mentioned on this page or require any further information about user requests via Rightly, our support team is on hand and would be more than happy to discuss. Please contact us via email at firstname.lastname@example.org.