Managing your data requests is simple and secure with Rightly.
We help over 10,000 companies comply with GDPR and build positive relationships with their customers, for free.
Why companies like working with us
Our data handling practices, security processes and business model are available to view.
Security is our priority
Our authentication, transfer and wider security processes are above the industry standard.
Fulfilling requests is easy
Requests via Rightly are clear and simple to answer, unlike general enquiries.
We make data requests simpler for everyone.
Who we are
We're a unique, innovative start-up with a singular goal: to make managing online personal data as easy as possible. Central to this is making data request management simple for companies.
We know how difficult it can be for businesses to confidently and securely handle GDPR requests, which is one of the reasons we built Rightly. We're passionate about connecting businesses to consumers and making GDPR requests hassle-free for everyone.
Our secure system and hands-on support team enable companies to stay on top of requests, build trust with their customers and shape Rightly's development through valued feedback.
What should I do if I receive a request?
If you've received a request from a user, follow the instructions in the user's request and click the link to our secure request response page. From here, companies can reply to requests and securely upload data files. Access to the response page is secured with a One Time Password (OTP) sent to the same inbox a company designates as appropriate for handling data requests.
We go into this in more detail in our Company FAQs, below.
How users submit requests
When users submit requests to companies through Rightly, they select from one of two submission types: Rightly Assisted or Submit Only.
Rightly Assisted Requests:
- What are users asking companies to do?
Fulfil their data rights request using the PII and verified identity information provided. For this type of request, please do not ask the user to complete additional forms or processes: they are not obliged to, and all the information you need to identify the requester is included in the request.
- Why do users choose this option?
People love the fact that through Rightly they have the option to contact multiple companies at once regarding their data requests. However, it's important that companies receive the right information about the individual so they can get on with fulfilling the request efficiently. That's why, through a Rightly Assisted submission, companies can expect to receive a complete, ID-verified and security-checked request.
- What ID&V will be provided?
Every Rightly Assisted request will contain the Subject's:
- Name and verified email address
- Verified mobile number
- Government ID document authenticity check
- Biometric face match to image in the ID document
- Liveness detection to ensure this is a real person
- Digitally signed statement of authority for Rightly to act on their behalf in submitting the request
Submit Only Requests:
- What are users asking companies to do?
Link them to your standard tools, forms and processes so they can complete and submit their data rights requests to you directly.
- Why do users choose this option?
To speed up the process of locating a company's privacy contact details, to benefit from the one-to-many contact feature, or perhaps where they are sending a request to just one company and would prefer to provide their identity and personal information directly.
- What can companies expect from users?
Every Submit Only request will contain the Subject's name and verified email address, so you can reply to them and link them to your data rights procedure.
Our partnership with Yoti
Yoti is an internationally recognised global identity platform that works with governments, businesses and NGOs. Our partnership with Yoti ensures that we meet the highest ID&V standards by facilitating document and liveness checks on all IDs. Their use of photo ID and facial biometrics enables us to prevent fraud attacks and the use of fake IDs.
Yoti are ISO 27001, CIFAS and B Corp certified.
We don't want user data
We value the trust that our users and business community put in us. To meet this, we hold ourselves to the highest possible data standards. These include minimising both the collection and storage of user data.
We don't have access to information provided back to our mutual customers, and any data held is automatically deleted after three months. Rightly users are warned of this in advance so they can download any relevant data, and can adjust the frequency of deletion.
Why we're free
We’re free for the people and businesses that use our service because we believe it should be easy to manage personal data. We're privately funded by investors who share our values and data ethics.
We don't sell any data and there are no adverts or hidden costs. In the future, we may charge for the additional features and services we develop.
Book a call below or email firstname.lastname@example.org
Why companies trust Rightly
Users are authenticated
All email addresses used in requests are verified, and companies can ask users to provide additional ID.
All data is encrypted
Data is encrypted at rest and in transit, making it impossible for hackers to gain access by brute force or snooping.
Only users can see data
Our service permits only the requesting user to access the data files they receive.
How to respond to a data request from the user
The type of the request will be clear from the email received, and once any ID&V requirements are met you can get on with fulfilling it.
Whether that's letting the requester know that you don't hold any data on them, letting them know that their records have been deleted in line with an Erasure Request or providing their personal data file in response to a SAR, all of these fulfilment types can be managed via the One Time Password (OTP) protected 'Request response page'.
To access the Request response page, click on the 'Respond to this Request' button. If buttons aren't an option, you can also use the following safe URL to access the page: www.rightly.co.uk/respond/company/. No registration is required, and all data sent via this method is encrypted.
Alternatively, you can respond to the user directly by replying to the request email or to their personal email. It's important to note that when companies choose to reply to data requests via email, they don't benefit from any encryption while the data is in transit. This is because email is still based on the old Simple Mail Transfer Protocol (SMTP), which does not encrypt messages during transfer. For this reason, Rightly does not recommend using email for the transfer of any sensitive information.
To contact the requester, you have three options:
1. Navigate to the Request response page and select 'Need further ID&V or can't locate any data? Get in touch to ask for more information or close the request'. You'll now be able to select a contact reason and message your customer. This is the most secure method of communication.
2. Reply directly to the request email received.
3. Email the requester's personal email address.
Our mutual customers have chosen to send their request via Rightly because we provide a helpful and secure platform through which they can manage their personal data. As such, their preference would be to receive responses in their secure Rightly account, including any personal data files or information provided back as a result of a SAR.
However, communication and request fulfilment via Rightly is not an obligation. Companies can respond to their customer through their preferred channel.
We are confident that Rightly offers the most secure and impartial channel, as we are committed to not scanning inboxes in the way other providers do, which exposes sensitive data to third parties.
The ICO guidelines state that data requests are normally responded to within one calendar month.
If a number of requests have been sent by an individual, or the request is complex, this timeframe can be extended by a further two months. If this looks likely, please let the requester know within one month that more time is needed and why. (FAQ: How do we contact or message the requester?)
In addition, due to the ongoing pandemic, the ICO offers further clarification on the impact on response times:
"We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic."
We would encourage any user to be mindful and accommodating of the above guidance.
Data security and integrity
We take the security of user data extremely seriously and hold ISO27001 (Certificate No. 20004-ISMS-001), CyberEssentials Plus and CyberEssentials certifications. This means that the processes we follow in the development and maintenance of our service have been reviewed and audited by an independent auditor and found to meet all of these standards.
Our service is deployed on Heroku, which is itself a business certified to ISO27001, and SOC2 Type 2 (amongst others). To validate our internal efforts, it is also subjected to regular penetration testing by an external service.
Customer data is stored in secure storage and encrypted at rest and in transit. In addition to the protections offered by using encrypted storage, we further encrypt all data files sent or received using the Rightly platform with AES-GCM keys securely derived for each file individually using an HMAC-based Key Derivation Function (HKDF).
Access to customer data is restricted to trained and authorised staff, and no staff have access to any customer data files shared back via the One Time Password (OTP) protected company response page.
Users of the Rightly service are required to verify their personal email address before any request is submitted. Only this verified email is included in any request information submitted by that individual.
For Rightly Assisted requests, the additional forms of ID&V listed under 'Rightly Assisted Requests' above are included.
No company is obliged to progress with handling a request until they are confident of the requester's legitimacy and safety.
All communications from Rightly come from a fixed root domain:
- All links to our forms start with https://www.rightly.co.uk
- All of our outbound correspondence emails finish with the suffix '@inbound.rightly.co.uk'
- Any further information provided to companies will come from https://rightly-prod-live-eu.s3.amazonaws.com.
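The three origins listed above are the only things a recipient has to compare against, and the comparison should be an exact match on the parsed host and sender domain rather than a string prefix or suffix check. The code below is an added example for this page, not Rightly's code: it accepts only https links whose host is exactly one of the two documented hosts and only From addresses whose domain is exactly inbound.rightly.co.uk. The function names and the sample values are constructed.

```go
package main

import (
	"fmt"
	"net/mail"
	"net/url"
	"strings"
)

// Hosts and sender domain as documented on the page; matched exactly, never by prefix.
var allowedHosts = map[string]bool{
	"www.rightly.co.uk":                     true,
	"rightly-prod-live-eu.s3.amazonaws.com": true,
}

const senderDomain = "inbound.rightly.co.uk"

// linkAllowed reports whether raw is an https URL whose host is exactly one of the
// documented hosts. A naive "starts with https://www.rightly.co.uk" check would also
// pass www.rightly.co.uk.lookalike.example and www.rightly.co.uk@other.example,
// so the URL is parsed and the host component compared on its own.
func linkAllowed(raw string) bool {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return false
	}
	if u.Scheme != "https" || u.User != nil || u.Port() != "" {
		return false
	}
	return allowedHosts[strings.ToLower(u.Hostname())]
}

// senderAllowed reports whether a From header value resolves to an address in the
// documented outbound domain. This checks the header text only; it says nothing about
// whether the header was forged, which is what SPF/DKIM/DMARC evaluation by the
// receiving mail server is for.
func senderAllowed(from string) bool {
	addr, err := mail.ParseAddress(from)
	if err != nil {
		return false
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return false
	}
	return strings.EqualFold(addr.Address[at+1:], senderDomain)
}

// rejectedLinks returns every link in a message that fails linkAllowed, so a
// triage script can flag the message for a second look.
func rejectedLinks(links []string) []string {
	var bad []string
	for _, l := range links {
		if !linkAllowed(l) {
			bad = append(bad, l)
		}
	}
	return bad
}

func main() {
	// Constructed sample of what a triage check might receive.
	from := "Rightly <requests@inbound.rightly.co.uk>"
	links := []string{
		"https://www.rightly.co.uk/respond/company/",
		"https://www.rightly.co.uk.lookalike.example/respond/",
	}
	fmt.Println("sender ok:", senderAllowed(from))
	fmt.Println("rejected links:", rejectedLinks(links))
}
```

Parsing matters even for the sender: a display name can be anything, so the check works on the address part that mail.ParseAddress extracts, not on the raw header text.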
If you have any concerns about communication received, please contact our support team at email@example.com
Our service only permits the requesting user and receiving company to access the data files they send and receive using our platform.
Even Rightly staff do not have access to any data files, ID documentation or PII data beyond the subject's email address and any company/user correspondence messages which are used for ID&V purposes and fulfilling customer support enquiries.
We may use the metadata of requests (date/time, receiving company, industry, responded to, success etc.) along with customer satisfaction data to produce aggregated non-personalised reports to share with interested authorities and regulators.
Company obligations under GDPR
For 'Submit Only' requests, companies can reply to the individual's request file; however, we would recommend providing the individual with guidance and links to your existing internal processes as the best course of action.
For 'Rightly Assisted' requests, the request has been expressly made. Individuals are providing Rightly with the authority to act on their behalf, along with ID&V that goes beyond the threshold that the majority of companies set. They are requesting not to be redirected to an alternative submission process, as completing such a step is not compulsory for their request to be complied with.
Sufficient ID&V should already be included for this request type, so if a company wants to ask for more information about the request (e.g. further scope relating to a SAR), the requester can be contacted directly.
The GDPR entitles people to submit subject access requests (SARs) to data controllers by any means or media. If you have received a SAR from a data subject via the Rightly platform, the requirements of the GDPR apply as normal.
If you don't respond to a SAR you may be in breach of your obligations under the GDPR. The Rightly platform enables its users to submit complaints to data controllers who fail to respond to data subjects within one calendar month. Failure to act upon the complaint may risk further escalations.