For Businesses

Doing Data Rightly

Our Vision

The public is losing faith in companies to handle their personal data, due to the behaviour of a few key organisations. In this climate, even the best companies struggle to show how their use of personal data is trustworthy.

We believe that there is a better way for businesses to demonstrate good data practice.

At Rightly, we build the tools that facilitate a better and more honest relationship between businesses and consumers.

We achieve this through our unique collaborative approach, continuing to build and improve solutions to help businesses celebrate responsible and honest data practice.

Build Trust with your Customers
We help companies build trust by giving clarity back to their customers. Our platform allows the user to quickly understand company personal data use and celebrates company best practice.

Save Time
Keeping personal data up to date and handling GDPR requests are time consuming. Our technology solutions streamline these processes and let you get back to running your business.

Reduce Risk
Our intelligent system ensures the data is sent to the right person on time and helps you keep on top of your obligations.

Data Security at Rightly

We are unable to see any data that is exchanged between the data subject and the controller.

We work closely with our cloud provider, Amazon Web Services, and web security firms to ensure that we exceed expectations for data security.

We hold the following publicly accredited certifications:

CyberEssential - Certificate

CyberEssentials Plus - Certificate

...and we are working towards ISO27001.

Security Features of our System:

Cross site scripting (XSS) protection, Cross site request forgery (CSRF) protection, SQL injection protection, Clickjacking protection, SSL/HTTPS Encryption, Host header validation, Cookie-based session security.

Organisations FAQ

Below are some questions companies ask before responding to requests through our platform. If you have any others, please feel free to email us at:

I’ve just received a request from your platform, what should I do?
You have received a request directly from the data subject. If you are satisfied that the data subject has met your criteria for identification and verification, then respond by sending their data, either securely using the built in webform or replying like normal to the email.

Can Rightly see the data that is sent back?
No - our systems are set up such that we cannot see the contents of any request or response. We do not want to be able to see this data.

How are you sure that your users are who they say they are?
We use two-factor authentication to validate the phone number and email address used to set up an account.

We use the expertise of third party ID service to authenticate the passport or drivers license that our users provide us.

In order to send requests, users must scan their government ID using TrustID's advanced verification process. We can send TrustID certificates to companies that require ID verification, which is the preferred solution as it follows the principle of data minimisation and leverages the expertise of TrustID. You can find a sample certificate here:



More information on our collaboration with TrustID can be found on their website,

If you prefer to validate the original ID themselves instead of the certificate, a copy of the ID can be attached to the request.

Organisations can choose from the following three options:

  1. No ID required
  2. Trust ID certificate required
  3. Original ID required

Please send your ID preferences to

How do I know that communications really come from Rightly?
All communications from Rightly come from a fixed root domain...

  • All links in our emails will start with either:
  • All of our outbound emails finish with the suffix ''

Do not respond to anything else.

Your website says you are in closed beta - are the requests I receive genuine?
Yes, we are currently conducting live tests on the system, allowing access to a small group of our early access signups.

How long does Rightly hold user data?
That’s up to the user. They can delete their information whenever they want. We recommend to new users a default deletion period of one year, but this can be adjusted.

Do you charge for your services?
The platform is free for both consumers and businesses. We are building additional features that consumers and businesses may want to pay for - the main platform will always be free.

Is Rightly a ‘third party’? Why isn’t there proof to act on behalf?
Just as Gmail or Outlook is not considered a third party when communicating with customers, Rightly is the tool that they have used to communicate with you. Rightly cannot and will not read the information inside the user account.

Preventing misuse of the platform
We have a zero-tolerance policy for abuse of personal data laws on our platform. We have designed the tool to prevent any user misusing it for anything other than its intended purpose (control over their data). If you believe a user is being misused, please let us know and we will investigate immediately.