Introduction

Rightly, Champions of Data, is an independent data action service committed to championing your rights and helping you police, control and manage your personal data held and used by organisations.

We believe in good data and that used rightly, data makes the world a much better place. Good data helps build strong relationships. It raises understanding, influences decisions and makes life easier.

Rightly's purpose is to help individuals and organisations make good use of data. We help you understand your data rights and obligations and equip you with the tools to manage, share and use data rightly.

Our mission is simple: to make managing your online data as easy as it can be.

Our vision is a future where data is managed, shared and used Rightly.

Key Takeaways

  • When you use our service, via a partner, to gain value from your data, we will share your data back with your selected partner through our platform. We will never sell your data without your consent.
  • You remain in control of your data – you can remove it from the Rightly platform at any time. You can also use our Protect service to ask other companies to remove your data.
  • We use cookies for the purposes of our site functioning and improving our user experience. There’s more detail on this below in our Cookie Policy.
  • We make all efforts to ensure we comply with data protection laws both in the UK and EU.
  • All of the data held within Rightly is subject to the highest security standards.
  • As a data controller, we are responsible for the data that we process.
  • We are fully accountable to the UK data protection authority, the Information Commissioner’s Office (ICO).
  • Our data practices and wider business decisions are governed by a strict ethical framework, which you can read more about on our Data Ethics page.

Our full Privacy Policy is below. If you have any further questions, please do get in touch, we’d love to hear from you.

Data Controller

The data controller for this Policy is Rightly Limited, a company registered in England and Wales, with company number 10905908 (Rightly, we, us, our). We are registered with the ICO, with registration number ZA278016. Our address is 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. You can contact us here.

The responsible use of personal data and consumer rights are two areas that we champion. As such, we make all efforts to comply with applicable data protection laws, including the General Data Protection Regulation (GDPR).

This Policy

This Privacy Policy applies to personal data we process through our website and the Rightly platform. This Privacy Policy explains how Rightly processes, stores and protects this personal data, as well as what your rights are as a data subject.

What we process, why and the legal basis for doing so.

Creating an Account

When you create an account with Rightly, we collect your name and email address and store those in your account. If you choose to register using an Identity Provider (Google or Microsoft for example) then we will collect that information from the provider. We process this data on the basis of entry into a contract with you to provide you with services, which is governed by this Privacy Policy and our Terms of Use.

The Rightly platform is not intended for use by anyone under 18 years of age. If parents or guardians wish to exercise their children’s rights on their behalf, then they can find out more information about this from the ICO here.

Deleting your Account

You can delete your Rightly account at any time by logging in to your account and clicking on the button under “Close my Account” on your dashboard.

Protect Service

Your email inbox provides a great representation of the companies that process your personal information. We’ve designed a technology that searches your inbox to identify the companies you interact with, whilst only collecting and processing the minimum amount of data. You can then select any of those companies and send data rights requests to them directly from your email address. This feature is currently only available for Microsoft and Gmail users.

Analysing Your Inbox

When you allow our technology to search for companies in your inbox, it does so using your Identity Provider’s secure APIs, which control the scope of the data processed.

When using this service, our technology analyses email metadata, which is information about the transmission of an email, such as who it was from and when it was received. It does not retrieve the body of the email.

We do require read-only access to your inbox (your Identity Provider will allow you to grant Rightly permission) in order to perform searches, which allows us to narrow the number of emails we actually need to look at. While we do need to search through the emails in your inbox in order to identify which ones are from companies, the Protect Service does not read any of the content, conversations or attachments within them.

The technology uses your email inbox to build a list of companies for your requests. We store which companies were found during the process to help you build your request. We may add these companies to our list of organisations so other users can send similar requests.

Sending From Your Inbox

Our Protect Service requires permission to send emails on your behalf from your inbox. Your Identity Provider will allow you to grant Rightly permission to do this. The technology allows you to easily make requests directly from your email inbox. You can preview these emails prior to sending them.

Sending your request directly from your inbox enables companies to confirm that any request is coming directly from you. They can then action them and respond directly to your inbox.

We only use this technology for the purposes set out above. We do not collect any content or personal information from your emails and we will only ever send request emails where you select and confirm this.

We process this data on the basis of your consent, collected through your Identity Provider. You can revoke this at any time at the relevant management page for your Identity Provider:

We store records of which companies you sent requests to, and what type of GDPR request it was. We process this data on the basis of entry into a contract with you to provide you with services, which is governed by this Privacy Policy and our Terms of Use.

Save Service

Your email inbox provides a great representation of companies for which you have ‘recurring payments’, such as insurance policies, utility contracts and subscription agreements. We’ve designed a technology that searches your inbox to identify such policies and agreements so you can view a list of them in one place as well as set up reminders for those that have renewal dates.

When you allow our technology to search for these companies in your inbox, it does so using your Identity Provider’s secure APIs, which control the scope of the data processed.

When using this service, our technology searches for emails from a defined set of applicable companies, and analyses the content of those emails to collect the data required to deliver the service.

When we process your emails we analyse the content for information such as policy numbers, types, renewal dates and provider details to build a representation of your recurring payments. We store this representation, in encrypted form, on secure storage and use it only for the purposes of delivering the service. We do not store your emails once they have been analysed.

We require read-only access to your inbox in order to perform the searches required to deliver the service. This access is controlled by you through your Identity Provider and you can revoke it at any time.

When we deliver a reminder to you through the service, we will use the contact details you have provided when registering your account to do so. If you registered with us via a partner, we may send your renewal data to that partner in order for them to deliver the reminder.

Sending From Your Inbox

When you use our Save service to email your Insurance providers to negotiate a better price, or cancel auto-renewal, we use the information you provide to compose an email message to the provider. We send the email to your insurer using the credentials provided by your Identity Provider so that the email is sent from your inbox. This enables your insurer to be confident that the message is really from you.

Where you provide additional personal information to help your Insurer to identify you or contact you, we do not retain this information and you will be prompted for it for each request.

You can revoke your permission to send email on your behalf at any time using the links above.

We process this data on the basis of entry into a contract with you to provide you with services, which is governed by this Privacy Policy and our Terms of Use.

When you agree to help us correct errors in our service, we will collect the relevant emails from your inbox for analysis by our team. The content of your emails will be anonymised and stored for a maximum of 90 days after which it will be automatically deleted.

Sensitive Data

Certain types of data are classified as “special category” under the GDPR. This type of data is deemed to be potentially sensitive, as it relates to matters including race, ethnicity, sexuality, sex life, health status and religious or philosophical views. A higher threshold of protection requirements apply to dealing with this data. Rightly will never request you to provide any special category data, but we recognise that we may receive this while scanning your email. Where we process this data, we do so on the basis of our contract.

Providing Support to You

When you request assistance from our support staff, they may access details of requests you have sent through our platform in order to help you.

Information is also stored when you communicate with Rightly via email, phone or other means. This is usually limited to your name, email address and/or phone number depending on how you contact us and any correspondence with us on resolving your enquiry.

We process this data on the basis of our contract with you and/or our legitimate interests in providing an efficient service to you.

Surveys

In order to better understand our customers, Rightly also collects anonymised data in surveys and other feedback methods. This helps us improve our service by tailoring our developments. Participation in surveys is optional and anonymous. Where you choose to participate in a survey, we process this data on the basis of our legitimate interests in understanding your experience on our platform.

When you agree to provide additional feedback as part of a survey, we may collect your name and email address and use those in order to correspond with you. We process this information on the basis of your consent.

Operational Data

When using our platform, we may also record your IP address as part of normal request processing and session management, and to support you and our service in the event of problems occurring. We process this data on the basis of our legitimate interests in providing a secure platform.

Mailing List

If you choose to sign up to our mailing list, we will process your name and email address in order to send you information and updates about our work and platform. We process this data on the basis of your consent.

Data Sharing and Processors

When you use Rightly to send a request to one or more companies, the information you provide will be shared with the companies for the purposes of satisfying your request and on the basis of the contract in place with you.

We also work with carefully selected third party providers to perform certain data processing tasks on our behalf. We engage these providers on terms that ensure the confidentiality and security of your data.

Except as set out below, Rightly does not share your data with any other third parties unless required to do so in response to a lawful request by authorities.

The list below sets out the third parties we engage as processors and provides more information about their data protection practices.

  1. Zendesk. Our support system is Zendesk, and submissions to our Contact Us form raise tickets in Zendesk. Their privacy policy can be found here.
  2. Segment. Segment acts as a hub for all our analytics data, and forwards the information to HotJar, Google Analytics, Facebook and Amplitude. Segment provides many features to help protect user privacy, including the ability to remove all personal information from analytics events before forwarding to their destinations. Their privacy policy can be found here.
  3. Hotjar. We use Hotjar to tell us which parts of our site are popular with our users and which parts need improving. It also lets us get in touch with users for feedback occasionally. You can read about Hotjar’s GDPR commitment here. If you do not want to be contacted for feedback, you can opt out at any time.
  4. Amazon Web Services (AWS). We use AWS as our cloud solution provider for all our storage related to our platform. AWS’s privacy policy is available here.
  5. Google Analytics. We use Google Analytics and other service providers to collect information regarding visitor behaviour and demographics to improve our services and user experience. This information is not used to directly identify anyone. For more information about Google Analytics, please visit https://privacy.google.com/businesses/compliance/. You can also choose to opt out at any time. To do this, please visit https://tools.google.com/dlpage/gaoptout.
  6. Google AdWords. We use Google AdWords for paid advertising and use some of their tracking to help monitor the effectiveness of our campaigns. Their privacy policy is here. You can opt out at any time by visiting their Settings page.
  7. Facebook. We use Facebook for paid advertising and use their conversion tracking so that we know which of our advertising campaigns are working best on their platform. We make every effort to minimise the data sent to Facebook in order to protect your privacy including filtering/limiting the events we sent to them. Facebook’s privacy policy is here, and their EU Data Transfer Addendum is here.
  8. Microsoft (Bing). We use Bing for paid advertising, and use their conversion tracking to monitor the effectiveness of our advertising campaigns. Their privacy policy is here, and you can control your privacy settings on their platform here.
  9. Twitter. We use Twitter for paid advertising and use their conversion tracking to monitor the effectiveness of our advertising campaigns. Their privacy policy is here.
  10. Amplitude. To help us identify problems and bugs, as well as give us more insight about how people use our system, we use Amplitude. Using Amplitude also allows us to focus our development team’s effort on how to improve our service, rather than spend lots of time trying to work out what the issues are in the first place. You can find their privacy policy here.
  11. Sendgrid. We use SendGrid to send you email notifications about your requests, and will share your email address with them for this purpose. Your email address remains within our SendGrid account and is not used by SendGrid for any other purpose. Sendgrid’s privacy policy is here.
  12. Mailchimp. We use Mailchimp for marketing communications and some transactional emails and share your contact details with them for this purpose. Your details remain within our account and are not used for any other purpose. Mailchimp’s privacy policy is here.

International Transfers

Where we transfer your data outside the UK or EU to a country deemed to have a lower standard of data protection in place, for example to a third party processor based in the US, we will ensure that your data is appropriately protected by meeting the obligations on us under GDPR and ensuring there is a transfer safeguard in place with the recipient, for example the Standard Contractual Clauses issued by the European Commission.

Retention

In general, we retain data for as long as is necessary for the purpose(s) for which we originally collected it. We may also retain information as required by law.

Information Security

Rightly Limited is an ISO 27001:2013 accredited organisation. ISO 27001:2013 is the international standard for Information Security Management. This certification means our policies, processes, and procedures are regularly subjected to an independent audit and have been assessed as meeting the standards of ISO 27001:2013. Our auditors are Alcumus.com (ISOQAR) and our certificate number is 20004.

While we do our best to protect personal data; to read more about how we keep your data secure, please see our consumer FAQs.

Third Party Links

Our website or platform may contain links to other websites or applications which are not controlled by Rightly. Rightly are not responsible for the privacy practices or content of such other websites or applications. As such, visiting these other websites or applications is at your own risk.

Cookies

Cookies are small files stored on your computer by your browser when you visit a website.

They can be used for many reasons, but we use cookies for three purposes only:

  • Functional Cookies: these cookies are needed to make the site function correctly and to store your preferences with respect to other cookies.
  • Analytics Cookies: these cookies are optional and are used to improve our site traffic and performance, and to improve our user experience.
  • Advertising Cookies: these cookies are optional and are used to help us monitor the performance of our advertising campaigns. An important point is that while we do use adverts to publicise our site, we never advertise on our site - so there are no cookies for that purpose.

Non-essential cookies (Analytics and Advertising cookies), are deployed only on the basis of user consent. You can adjust your cookie preferences at any time by clearing the cookie cache in your web browser, which will present you with the cookie consent options when you revisit the Rightly website.

Your Rights

At Rightly we strongly believe that people should be fully informed of their rights, so that they can act upon them should they wish to.

Under GDPR and data protection laws, there are certain rights that may be available to you with respect to your personal data:

  1. Right to access – You have a right to ask for the personal data that we hold about you. We will provide you with your data within 30 days. If we may take longer, we will let you know and explain the reasons for the delay. We will not charge you for such a request, unless we reasonably consider your request to be excessive or repetitive. We also reserve the right to refuse a request if we reasonably consider it unfounded, repetitive or excessive.
  2. Right to be informed – This policy provides the information you need about how we collect and use your data.
  3. Right to rectification – If you consider that any information we hold is inaccurate, please let us know and we will take steps to rectify it.
  4. Right to erasure – In certain circumstances, you have the right to have personal data that we hold about you erased. We may be required by law to retain some data for a period of time.
  5. Right to object and restrict – You can ask for the processing of your personal data to be restricted, for example for marketing purposes. Where your data is processed on the basis of consent, you may also withdraw your consent to that processing at any time. You can also object to the processing of your data entirely but this may affect the service we are able to offer.
  6. Right to portability – You can request a copy of your personal data to be sent to another data controller or to yourself.

Please note, these rights are not absolute and may be restricted in certain circumstances. To exercise your rights or if you require any further information, please contact our data protection team at privacy@rightly.co.uk or via post to our registered address.

If you are unsatisfied with the way we handle a request or believe we have processed your data unlawfully, you also have the right to make a complaint to the ICO https://ico.org.uk/make-a-complaint/. If you are based outside the UK, you can also contact your national data protection authority for further information.

Changes and Revisions

We may revise our Privacy Policy from time to time. The most current version of our Privacy Policy will always be on our site, and we will list the data and nature of change below. Should a change to the Privacy Policy result in a material impact to the processing of personal data, we will contact affected data subjects to inform them of these changes as required by law.

Update History

18th September 2023

  • Added clause for sharing data with partner for delivery of renewal reminders when users register through a partner.
  • Added language for Policy Negotiation feature
  • Added anonymisation and retention clause for users who agree to share their emails with us to improve our service

19th January 2023

  • Improved language to make the policy clearer
  • Added policies for Rightly Save service
  • Removed Yoti from third party processor list

18th August 2022

  • Removed AWIN from processors list

29th July 2022

  • Updated Inbox scanner section
  • Added Bing and Twitter to processors list

16th March 2022

  • Added Mailchimp, Google AdWords and AWIN to processors list

17th February 2022:

  • Removed references to Facebook’s Limited Data Use option as this only applies to Facebook users in California
  • Added references to the privacy protecting features of Segment that we use
  • Updated IP address logging to include use for session management
  • Replaced reference to Heroku with AWS

7th January 2022:

  • Removed TrustID and added Yoti and Facebook to Third Parties list.
  • Removed CyberEssentials and CyberEssentials Plus references
  • Added ISO27001 certification details

1st December 2021:

  • Revised Gmail sending to reflect sending directly from the end-user’s account.