
Privacy policy

Introduction

At Rightly, our mission is to give people more control over their personal data. In case you haven’t read our website already, this means building tools that enable you to know where your personal data is, get it back, and tell companies what to do with it. We will never, ever sell your personal data.

The idea of a privacy policy that’s difficult to understand goes against the essence of Rightly. We think companies should be transparent about how they handle personal data, and it shouldn’t take ages to read the key points. In that spirit, we’ve broken down the key takeaways from our privacy policy below. If you’d like to read the full thing, it’s just below this next section.

Key takeaways

  1. You remain in control of your data – you can remove it from the Rightly platform at any time you choose.
  2. We don’t sell any personal data to third parties, ever.
  3. We use cookies for the purposes of our site functioning and improving our user experience. There’s more detail on this below and in our Cookie policy.
  4. We make all efforts to ensure we comply with data protection laws both in the UK and EU.
  5. All of the data held within Rightly is subject to the highest security standards.
  6. As a data controller, we are responsible for the data that we process.
  7. We are fully accountable to the UK data protection authority, the Information Commissioner’s Office (ICO).
  8. Our data practices and wider business decisions are governed by a strict ethical framework, which you can read more about on our Data Ethics page.

Our full Privacy Policy is below. If you have any further questions, please do get in touch, we’d love to hear from you.

Data controller

The data controller for this Policy is Rightly Limited, a company registered in England and Wales, with company number 10905908 (Rightly, we, us, our). We are registered with the ICO, with registration number ZA278016. Our address is 120 Common Lance, Culcheth, Warrington WA3 4HN. You can contact us here.

The responsible use of personal data and consumer rights are two areas that we champion. As such, we make all efforts to comply with applicable data protection laws, including the General Data Protection Regulation (GDPR).

This Policy

This Privacy Policy applies to personal data we process through our website and the Rightly platform. This Privacy Policy explains how Rightly processes, stores and protects this personal data, as well as what your rights are as a data subject.

What we process, why and the legal basis for this

Creating an account

When you create an account with Rightly, we collect your name and email address and store those in your account. If you choose to register using a social media account (Google or Facebook for example) then we will collect that information from the social media provider. We process this data on the basis of entry into a contract with you to provide you with services, which is governed by this Privacy Policy and our Terms of Use.

The Rightly platform is not intended for use by anyone under 13 years of age. If parents or guardians wish to exercise their children’s rights on their behalf, then they can find out more information about this from the ICO here.

Making a request

When you use our platform to send requests to companies about your data, we collect personal information from you in order to support those requests. We process this data on the basis of our contract with you. At a minimum, this information includes:

  • Your name
  • Your email address

Companies often ask for identification, or other information, in the course of satisfying these requests, so you may also choose to provide us with additional data including, but not limited to:

  • Phone number
  • Address
  • Date of birth
  • Account numbers/references with your selected companies
  • Photographic Identity documentation

Searching for companies in your inbox

Your email inbox provides a great representation of the companies that process your personal information, so we’ve designed a technology that allows you to use it to your advantage whilst only collecting and processing the minimum amount of data. This feature is currently only available for Gmail users.

When you allow our technology to search for companies in your inbox, it does so securely using Google’s OAuth 2.0 protocol, which controls precisely the scope of the data processed.

Our technology scans only:

  • Email threads between you and a relevant list of companies
  • Email metadata, which is information about the transmission of an email, such as who it was from and when it was sent

We do however require read-only access to your inbox (view your email messages and settings) in order to perform searches, which allows us to narrow the number of emails we actually need to look at.

The technology uses your email inbox to build a list of companies for your requests. We don’t collect any content or personal information from your emails. We do however store which companies were found during the process to help you build your request.

We process this data on the basis of your consent, collected through Google’s OAuth 2.0 protocol. You can revoke this consent at any time by going to https://myaccount.google.com/, clicking on ‘Security’, then ‘Manage Third-Party Access’, selecting Rightly from that list, and clicking ‘Remove Access’.

Receiving a response to your request and obtaining your authority

When you make a request to a company using Rightly, you can choose to receive the company’s response either via your Rightly account or via your email address. This choice is in the form of a limited “authority” which you can adopt and sign to allow Rightly to act on your behalf in exercising your rights under data protection laws.

Where you adopt the authority and choose to receive responses via Rightly, we will process that response and any associated data – for example data disclosed by a company in response to an access request you make. We process this data on the basis of our contract with you.

Without an authority from you, companies can still provide responses to you through the Rightly platform, but it is highly unlikely they will provide copies of data or other information they hold about you to Rightly.

Rightly provides a safe platform to receive responses and data from companies you make requests to. We encrypt your data and will only ever access it in limited circumstances – for example, with your permission to respond to a support request you make or in cases where law enforcement requires us to do so.

Sensitive data

Certain types of data are classified as “special category” under the GDPR. This type of data is deemed to be potentially sensitive, as it relates to matters including race, ethnicity, sexuality, sex life, health status and religious or philosophical views. A higher threshold of protection requirements applies to dealing with this data. Rightly will never request you to provide any special category data, but we recognise that we may receive this from a company in response to a request you make through Rightly. Where we process this data, we do so on the basis of your consent – collected through the authority.

Providing support to you

In the course of satisfying your requests, you may communicate with companies via the Rightly platform, and your correspondence, including attachments, is stored in the platform. Our support staff may access your correspondence in the course of helping you with problems, but do not have access to any attachments or identity documents attached to your requests or account. Where you provide us with authority to act on your behalf in making requests, we may also access your correspondence with companies in order to improve fulfilment of those requests.

Information is also stored when you communicate with Rightly via email, phone or other means. This is usually limited to your name, email address and/or phone number depending on how you contact us and any correspondence with us on resolving your enquiry.

We process this data on the basis of our contract with you and/or our legitimate interests in providing an efficient service to you.

Surveys

In order to better understand our customers, Rightly also collects anonymised data in surveys and other feedback methods. This helps us improve our service by tailoring our developments. Participation in surveys is optional and anonymous. Where you choose to participate in a survey, we process this data on the basis of our legitimate interests in understanding your experience on our platform.

Operational Data

When using our platform, we may also record your IP address in our web server logs as part of normal request processing, and to support you and our service in the event of problems occurring. We process this data on the basis of our legitimate interests in providing a secure platform.

Mailing list

If you choose to sign up to our mailing list, we will process your name and email address in order to send you information and updates about our work and platform. We process this data on the basis of your consent.

Data sharing and processors

When you use Rightly to send a request to one or more companies, the information you provide will be shared with the companies for the purposes of satisfying your request and on the basis of the contract in place with you.

We also work with carefully selected third party providers to perform certain data processing tasks on our behalf. We engage these providers on terms that ensure the confidentiality and security of your data. Except as set out below, Rightly does not share your data with any other third parties unless required to do so in response to a lawful request by authorities.

The list below sets out the third parties we engage as processors and provides more information about their data protection practices.

  1. Zendesk. Our support system is Zendesk, and submissions to our Contact Us form raise tickets in Zendesk. Their privacy policy can be found here.
  2. Segment. Segment acts as a hub for all our analytics data, and forwards the information to Hotjar, Google Analytics and Amplitude. Their privacy policy can be found here.
  3. Hotjar. We use Hotjar to tell us which parts of our site are popular with our users and which parts need improving. It also lets us get in touch with users for feedback occasionally. You can read about Hotjar’s GDPR commitment here. If you do not want to be contacted for feedback, you can opt out at any time.
  4. Heroku. We use Heroku as our cloud solution provider for all our storage related to our platform. Heroku’s privacy policy is available here.
  5. Google Analytics. We use Google Analytics and other service providers to collect information regarding visitor behaviour and demographics to improve our services and user experience. This information is not used to directly identify anyone. For more information about Google Analytics, please visit https://privacy.google.com/businesses/compliance/. You can also choose to opt out at any time. To do this, please visit https://tools.google.com/dlpage/gaoptout.
  6. Amplitude. To help us identify problems and bugs, as well as give us more insight about how people use our system, we use Amplitude. Using Amplitude also allows us to focus our development team’s effort on how to improve our service, rather than spend lots of time trying to work out what the issues are in the first place. You can find their privacy policy here.
  7. SendGrid. We use SendGrid to send you email notifications about your requests, and will share your email address with them for this purpose. Your email address remains within our SendGrid account and is not used by SendGrid for any other purpose. SendGrid’s privacy policy is here.
  8. TrustID. If you provide photographic ID, we may also share your identity document with TrustID (a government approved identity provider), for validation purposes, so that we can prove to your chosen companies that you are who you say you are. See our ID Validation page for more information. TrustID’s privacy policy is here.

International transfers

Where we transfer your data outside the UK or EU to a country deemed to have a lower standard of data protection in place, for example to a third party processor based in the US, we will ensure that your data is appropriately protected by meeting the obligations on us under GDPR and ensuring there is a transfer safeguard in place with the recipient, for example the Standard Contractual Clauses issued by the European Commission.

Retention

In general, we retain data for as long as is necessary for the purpose(s) for which we originally collected it. We may also retain information as required by law.

Within the platform, you can adjust the length of time that data sent in response to your requests will be stored, up to 120 days.

Information security

We take all reasonable steps to ensure that personal data is processed securely and treated in accordance with this Policy. We have technical and organisational measures in place to prevent unauthorised access to personal data, including limiting staff and processor access to data in accordance with specific job responsibilities or contractual obligations, the encryption of data where possible, the institution of security protocols and staff training. We also have Cyber Essentials and Cyber Essentials Plus security certifications.

Though we do our best to protect personal data, any information transmitted over the internet remains vulnerable to interception – for this reason the transmission of any personal data to us is at the data subject’s own risk. To read more about how we keep your data secure, please see our consumer FAQs.

Third party links

Our website or platform may contain links to other websites or applications which are not controlled by Rightly. Rightly are not responsible for the privacy practices or content of such other websites or applications. As such, visiting these other websites or applications is at your own risk.

Cookies

We use cookies on our website to facilitate proper functioning and analyse how users interact with the site. Non-essential cookies, for example for statistics or analytics, are deployed only on the basis of user consent. You can adjust your cookie preferences at any time by clearing the cookie cache in your web browser, which will present you with the cookie consent management platform when you visit the Rightly website again. Further information about our use of cookies is available in our Cookie Policy.

Your rights

At Rightly we strongly believe that people should be fully informed of their rights, so that they can act upon them should they wish to.

Under GDPR and data protection laws, there are certain rights that may be available to you with respect to your personal data:

  1. Right to access – You have a right to ask for the personal data that we hold about you. We will provide you with your data within 30 days. If it may take us longer, we will let you know and explain the reasons for the delay. We will not charge you for such a request, unless we reasonably consider your request to be excessive or repetitive. We also reserve the right to refuse a request if we reasonably consider it unfounded, repetitive or excessive.
  2. Right to be informed – The notice provides the information you need about how we collect and use your data.
  3. Right to rectification – If you consider that any information we hold is inaccurate, please let us know and we will take steps to rectify it.
  4. Right to erasure – In certain circumstances, you have the right to have personal data that we process blocked, erased and destroyed.
  5. Right to object and restrict – You can ask for the processing of your personal data to be restricted, for example for marketing purposes. Where your data is processed on the basis of consent, you may also withdraw your consent to that processing at any time. You can also object to the processing of your data entirely but this may affect the service we are able to offer.
  6. Right to portability – You can request your data to be “ported” to another platform, in certain circumstances.

Please note, these rights are not absolute and may be restricted in certain circumstances. To exercise your rights or if you require any further information, please contact our data protection director at privacy@rightly.co.uk or via post to our registered address.

If you are unsatisfied with the way we handle a request or believe we have processed your data unlawfully, you also have the right to make a complaint to the ICO https://ico.org.uk/make-a-complaint/. If you are based outside the UK, you can also contact your national data protection authority for further information.

Changes and revisions

We may revise our Privacy Policy from time to time. The most current version of our Privacy Policy will always be on our site, and we will list the date and nature of change below. Should a change to the Privacy Policy result in a material impact to the processing of personal data, we will contact affected data subjects to inform them of these changes as required by law.

Last updated 4th June 2021: Policy language revised, legal bases set out in connection to processing purposes.