At Rightly, our mission is to give people more control over their personal data. In case you haven’t read our website already, this means building tools that enables you to know where your personal data is, get it back, and tell companies what to do with it. We will never, ever sell your personal data.
- You are in control of your personal data.
- We don’t sell any personal data to third parties, ever.
- Our data handling processes are compliant with the highest data protection regulations in both the UK and EU.
- All of the data held within Rightly is subject to the highest security standards and stored in the UK, with a backup in the EU.
- We are responsible for the data that we process.
- We are fully accountable to the Information Commissioner’s Office (ICO).
- Our data practices and wider business decisions are governed by a strict ethical framework, which you can read more about on our Data Ethics page.
The fine print
Rightly Ltd. is a company registered in England and Wales, and our company number is 10905908. Importantly, we are also registered with the Information Commissioner’s Office. Our registration number is ZA278016. We’re a UK-based company, and our registered office is 120 Common Lance, Culcheth, Warrington WA3 4HN.
The responsible use of personal data and consumer rights are two areas that we champion. As such, all of our data processing operations are in strict compliance with the EU General Data Protection Regulation (“GDPR”) (specifically but not limited to Article 6(1) (b) to (f) and Article 28).
What kind of personal data is processed and for what purpose?
When you use Rightly to send requests to companies regarding your personal data, different types of personal data are processed and stored in order to complete requests. Firstly, the data processed by the ‘data controller’ (Rightly) is primarily the information needed to create an account and identification. These include the name of the recipient of the request, the format of the request, the email address associated with the account, the name of the user’s profile, phone number, date of birth, photographic identity documentation (see our ID Validation page) and other requirements specific to the company’s need to identify you according to their records, such as a customer account number. This information can be shared by our users through Rightly to send to companies of their choosing, that they want to request their data from. Information is also stored when individuals communicate with Rightly via email, phone or other means.
In order to better understand their customers, Rightly also collects anonymised data in surveys and other feedback methods. This helps us improve our service by tailoring our developments.
Our lawful basis for processing your personal data, as required by data protection legislation, is our contract with our users. That contract is as set out in our terms and conditions. If we cannot process your personal data as set out in this notice, we cannot provide you with our service. We also do not currently process any special category data.
A note on ID
As we highlight on our website, in order to act responsibly many companies require a copy of an ID document, to confirm the identity of the person making the request.
We use Google Analytics and other service providers to collect information regarding visitor behaviour and demographics to improve our services and user experience. This information is not used to directly identify anyone. For more information about Google Analytics, please visit www.google.com/privacy/partners/. You can also choose to opt out at any time. To do this, please visit https://tools.google.com/dlpage/gaoptout.
We also use Hotjar, which tells us which parts of our site are popular with our users and which parts need improving. It also lets us get in touch with users for feedback occasionally. You can read about Hotjar’s GDPR commitment here. If you do not want to be contacted for feedback, you can opt out at any time.
By using our services you agree to our terms of service, and as laid out above, to the collection of website usage data and to the use of analytics cookies.
Contact us procedure
Access and disclosure to third parties
Rightly does not sell, and has never sold, the personal data of our users. We must note however that we may be obliged to share or disclose your personal data when required by law or regulatory authorities.
We use a select number of trusted external service providers for certain data analysis, processing and/or storage offerings. Here we mean companies that help us provide services you use, and need to process details about you for this reason. We share as little information as we possibly can. Plus, we encrypt and/or make it impossible for you to be identified by the recipient wherever possible (for instance by using a User ID rather than your name).
Notice regarding third-party websites
The Services may contain links to other websites, and other websites may reference or link to our website or other Services. It must be noted that these other websites are not controlled by Rightly and we encourage our users to read the privacy policies of each website and application with which they interact. While we do our best, we do not always screen, approve or endorse and are therefore not responsible for the privacy practices or content of such other websites or applications. As such, visiting these other websites or applications is at your own risk.
Duration of processing
Within the platform, you can adjust the length of time your personal data will be stored for, up to 120 days.
All other data specified as above will be retained for as long as is necessary for the purpose(s) for which we originally collected it. We may also retain information as required by law.
Rightly stores all of its data in the United Kingdom, with a back up in the EU. We use Amazon Web Services (AWS) as our cloud solution provider for all our storage related to our platform. We also have Cyber Essentials and Cyber Essentials Plus security certifications. To read more about how we keep your data secure, please see our consumer FAQs.
We will not transfer your personal information outside the European Economic Area (EEA). The only circumstances in which users’ data may be transferred outside of the EEA is if the user is based outside the jurisdiction and downloads the data there.
You may be able to access your own registration details over the Internet from locations abroad. This Privacy Notice only covers processing undertaken by Rightly and does not apply to any processing which may be carried out by your own Internet service provider..
We want to communicate with you
Apart from the necessary emails for our service to function, like the email verification email, you have full control over whether you receive emails. You can easily opt out of marketing emails, unsubscribe free of charge, or delete your account if you no longer want to receive emails from Rightly.
Your data is yours alone: your rights
At Rightly we strongly believe that people should be fully informed of their rights, so that they can act upon them should they wish to.
When it comes to your personal data, thanks to GDPR and the Data Protection Act (2018) you have several rights that give you more control.
- Right to access – You have a right to ask for the personal data that we hold about you. We will provide you with your data within 30 days. If we may take longer, we will let you know and explain the reasons for the delay. We will not charge you for such a request, unless we reasonably consider your request to be excessive or repetitive. We also reserve the right to refuse a request if we reasonably consider it unfounded, repetitive or excessive.
- Right to be informed – The notice provides the information you need about how we collect and use your data. If you require any further information, please contact our data protection director at firstname.lastname@example.org
- Right to rectification – If you consider that any information we hold is inaccurate, please let us know and we will take steps to rectify it.
- Right to erasure – In certain circumstances, you have the right to have personal data that we process blocked, erased and destroyed.
- Right to object and restrict – You can ask for your processing of your personal data to be restricted, for example for marketing purposes. You can also object to the processing of your data entirely but this will affect the service we are able to offer.
- Right to portability – You can request your data to be “ported” to another platform, in certain circumstances.
You should note that these rights are not absolute and can be restricted in certain circumstances.
You may also withdraw your consent for us to process your personal data at any time, without affecting the lawfulness of the processing that was carried out prior to withdrawing it. Whenever you withdraw consent, you acknowledge and accept that this may have a negative influence on the quality of Rightly and/or Services. You further agree that Rightly shall not be held liable with respect to any loss and/or damage to your personal data if you choose to withdraw consent.
Please contact our data protection director if you have any further questions. Our data protection director can be contacted at email@example.com or you can contact us by post at our registered office, found at the top of this document.
Further information about your rights are available on the Information Commissioner’s Office website: https://ico.org.uk/make-a-complaint/
Data Protection Officer
Rightly has a Data Protection Director, rather than a Data Protection Officer, as we do not meet the requirements to have such a role under the GDPR. We will keep the need for this position under review and in the meantime keep data protection at the forefront of what we do.
You can contact us here.
Date: 11 June 2020
Version number: 2.0