
Privacy policy

Introduction

At Rightly, our mission is to give people more control over their personal data. In case you haven’t read our website already, this means building tools that enable you to know where your personal data is, get it back, and tell companies what to do with it. We will never, ever sell your personal data.

The idea of a privacy policy that’s difficult to understand goes against the essence of Rightly. We think companies should be transparent about how they handle personal data, and it shouldn’t take ages to read the key points. In that spirit, we’ve broken down the key takeaways from our privacy policy below. If you’d like to read the full thing, it’s just below this next section.

Key takeaways

  1. You are in control of your personal data.
  2. We don’t sell any personal data to third parties, ever.
  3. We use cookies for the purposes of our site functioning and improving our user experience. There’s more detail on this below and in our Cookie policy.
  4. Our data handling processes are compliant with the highest data protection regulations in both the UK and EU.
  5. All of the data held within Rightly is subject to the highest security standards and stored in the UK, with a backup in the EU.
  6. We are responsible for the data that we process.
  7. We are fully accountable to the Information Commissioner’s Office (ICO).
  8. Our data practices and wider business decisions are governed by a strict ethical framework, which you can read more about on our Data Ethics page.

Our full privacy policy is below. If you have any further questions, please do get in touch, we’d love to hear from you.

The fine print

Rightly Ltd. is a company registered in England and Wales, and our company number is 10905908. Importantly, we are also registered with the Information Commissioner’s Office. Our registration number is ZA278016. We’re a UK-based company, and our registered office is 120 Common Lance, Culcheth, Warrington WA3 4HN.

For the purposes of this Privacy Policy, personal data is defined as any information which may directly or indirectly relate to an identified or identifiable natural person. The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier. Such identifiers include location data, name, an online identifier, identification number, or one or more factors specific to the physical, physiological, genetic, mental, commercial, cultural or social identity of that natural person (the “Personal Data”).

This Privacy Policy applies to personal data processed by Rightly in our business, including on our website and other online or offline offerings (a “Service” or collectively, the “Services”). Rightly enables the visitors of its site www.rightly.co.uk and platform to be in control of their personal data. We note that Rightly acts as a ‘data controller’ and is therefore responsible for the personal data that it processes. Rightly provides controls to allow its visitors and users to have control over the privacy of personal data captured by our service. This privacy policy explains how Rightly processes, stores and protects this personal data, as well as what your rights are as a user under current data protection legislation.

The responsible use of personal data and consumer rights are two areas that we champion. As such, all of our data processing operations are in strict compliance with the EU General Data Protection Regulation (“GDPR”) (specifically but not limited to Article 6(1) (b) to (f) and Article 28).

What kind of personal data is processed and for what purpose?

Usage data

When you use Rightly to send requests to companies regarding your personal data, different types of personal data are processed and stored in order to complete requests. Firstly, the data processed by the ‘data controller’ (Rightly) is primarily the information needed to create an account and identification. This includes the name of the recipient of the request, the format of the request, the email address associated with the account, the name of the user’s profile, phone number, date of birth, photographic identity documentation (see our ID Validation page) and other requirements specific to the company’s need to identify you according to their records, such as a customer account number. This information can be shared by our users through Rightly with companies of their choosing that they want to request their data from. Information is also stored when individuals communicate with Rightly via email, phone or other means.

In order to better understand its customers, Rightly also collects anonymised data in surveys and other feedback methods. This helps us improve our service by tailoring our developments.

Lawful basis

Our lawful basis for processing your personal data, as required by data protection legislation, is our contract with our users. That contract is as set out in our terms and conditions. If we cannot process your personal data as set out in this notice, we cannot provide you with our service. We also do not currently process any special category data.

A note on ID

As we highlight on our website, in order to act responsibly many companies require a copy of an ID document, to confirm the identity of the person making the request.

In order to reduce back and forth between the company and person making the request, as well as to prevent false requests, we verify all ID documents via TrustID. TrustID is a third party application, also trusted and used by the government, to ensure that documentation is not fraudulent. After verifying the document, TrustID delete the ID from their system within 7 days. You can view TrustID’s privacy policy here.

Cookies

Rightly uses cookies to facilitate proper site function and to improve our website. Cookies are text files which are downloaded to your device when you visit a website, and there are many different types.

Some of the cookies that we use respond to the actions of our users, such as remembering their privacy or cookie preferences. While you can choose to block this type of cookie, it would mean that parts of our website wouldn’t function properly. These cookies do not store any personally identifiable information. You can deactivate or restrict cookies at any point by changing the settings of your web browser, and cookies that are already stored can be deleted at any time. You can read our cookie policy here.

Analytics

We use Google Analytics and other service providers to collect information regarding visitor behaviour and demographics to improve our services and user experience. This information is not used to directly identify anyone. For more information about Google Analytics, please visit www.google.com/privacy/partners/. You can also choose to opt out at any time. To do this, please visit https://tools.google.com/dlpage/gaoptout.

We also use Hotjar, which tells us which parts of our site are popular with our users and which parts need improving. It also lets us get in touch with users for feedback occasionally. You can read about Hotjar’s GDPR commitment here. If you do not want to be contacted for feedback, you can opt out at any time.

To help us identify problems and bugs, as well as give us more insight about how people use our system, we use Amplitude. Using Amplitude also allows us to focus our development team’s effort on how to improve our service, rather than spend lots of time trying to work out what the issues are in the first place. You can find their privacy policy here.

This is where it gets a bit meta: we use Segment to give you much more control over your cookie preferences. Segment gives you a more detailed summary of each third party, and you can opt in to some and opt out of others; it’s up to you. Check out their privacy policy here.

By using our services you agree to our terms of service, and as laid out above, to the collection of website usage data and to the use of analytics cookies.

Contact us procedure

Our contact us procedure is via a trusted third party, Zendesk. To see their privacy policy, please click here.

Access and disclosure to third parties

Rightly does not sell, and has never sold, the personal data of our users. We must note however that we may be obliged to share or disclose your personal data when required by law or regulatory authorities.

We use a select number of trusted external service providers for certain data analysis, processing and/or storage offerings. Here we mean companies that help us provide services you use, and need to process details about you for this reason. We share as little information as we possibly can. Plus, we encrypt and/or make it impossible for you to be identified by the recipient wherever possible (for instance by using a User ID rather than your name).

Notice regarding third-party websites

The Services may contain links to other websites, and other websites may reference or link to our website or other Services. It must be noted that these other websites are not controlled by Rightly and we encourage our users to read the privacy policies of each website and application with which they interact. While we do our best, we do not always screen, approve or endorse and are therefore not responsible for the privacy practices or content of such other websites or applications. As such, visiting these other websites or applications is at your own risk.

Duration of processing

Within the platform, you can adjust the length of time your personal data will be stored for, up to 120 days.

All other data specified as above will be retained for as long as is necessary for the purpose(s) for which we originally collected it. We may also retain information as required by law.

Data storage

Rightly stores all of its data in the United Kingdom, with a backup in the EU. We use Amazon Web Services (AWS) as our cloud solution provider for all our storage related to our platform. We also have Cyber Essentials and Cyber Essentials Plus security certifications. To read more about how we keep your data secure, please see our consumer FAQs.

We will not transfer your personal information outside the European Economic Area (EEA). The only circumstances in which users’ data may be transferred outside of the EEA is if the user is based outside the jurisdiction and downloads the data there.

You may be able to access your own registration details over the Internet from locations abroad. This Privacy Notice only covers processing undertaken by Rightly and does not apply to any processing which may be carried out by your own Internet service provider.

We want to communicate with you

Apart from the necessary emails for our service to function, like the email verification email, you have full control over whether you receive emails. You can easily opt out of marketing emails, unsubscribe free of charge, or delete your account if you no longer want to receive emails from Rightly.

Your data is yours alone: your rights

At Rightly we strongly believe that people should be fully informed of their rights, so that they can act upon them should they wish to.

When it comes to your personal data, thanks to GDPR and the Data Protection Act (2018) you have several rights that give you more control.

  1. Right to access – You have a right to ask for the personal data that we hold about you. We will provide you with your data within 30 days. If we may take longer, we will let you know and explain the reasons for the delay. We will not charge you for such a request, unless we reasonably consider your request to be excessive or repetitive. We also reserve the right to refuse a request if we reasonably consider it unfounded, repetitive or excessive.
  2. Right to be informed – The notice provides the information you need about how we collect and use your data. If you require any further information, please contact our data protection director at privacy@rightly.co.uk
  3. Right to rectification – If you consider that any information we hold is inaccurate, please let us know and we will take steps to rectify it.
  4. Right to erasure – In certain circumstances, you have the right to have personal data that we process blocked, erased and destroyed.
  5. Right to object and restrict – You can ask for the processing of your personal data to be restricted, for example for marketing purposes. You can also object to the processing of your data entirely but this will affect the service we are able to offer.
  6. Right to portability – You can request your data to be “ported” to another platform, in certain circumstances.

You should note that these rights are not absolute and can be restricted in certain circumstances.

You may also withdraw your consent for us to process your personal data at any time, without affecting the lawfulness of the processing that was carried out prior to withdrawing it. Whenever you withdraw consent, you acknowledge and accept that this may have a negative influence on the quality of Rightly and/or Services. You further agree that Rightly shall not be held liable with respect to any loss and/or damage to your personal data if you choose to withdraw consent.

Please contact our data protection director if you have any further questions. Our data protection director can be contacted at privacy@rightly.co.uk or you can contact us by post at our registered office, found at the top of this document.

Further information about your rights is available on the Information Commissioner’s Office website: https://ico.org.uk/make-a-complaint/

Data Protection Officer

Rightly has a Data Protection Director, rather than a Data Protection Officer, as we do not meet the requirements to have such a role under the GDPR. We will keep the need for this position under review and in the meantime keep data protection at the forefront of what we do.

Revisions to this Privacy policy

We may revise our Privacy policy according to new developments or advances in legislation and the wider data protection landscape. The most current version of our Privacy policy will always be on our site, and we will put a written notice on our site to notify our users of any revisions.

If you have an account with us, we’ll notify you of any notable changes by sending you an email to the email address associated with your account, unless you have unsubscribed from all email communications. Please note that your use of the site and/or Services following the effective date of any modifications to the Privacy Policy will constitute your acceptance of the Privacy Policy, as modified. All changes to this Privacy Policy automatically take effect on the sooner of the day you use the site and/or services following the effective date of any modifications to this Privacy Policy, as modified.

Contact details

You can contact us here.

You can also read more about Rightly on our How it works page, or About us page. Or, to read more about data, check out our blog.

Date: 11 June 2020

Version number: 2.0

Language: English