Privacy Policy

1. Background and introduction

Rightly is a tool which enables you to make requests for, review and manage your personal data held by data controllers; all from one central place.

At Rightly, you have full control over your data. We do not sell or give away your data nor do we have any plans to do so.

This notice relates to Rightly and the users of our products. We act as a controller and we are responsible for the personal data that we process. This Notice informs you how we protect your personal data and informs you about your rights under data protection laws, including the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA).

This notice explains how and why we collect, use and store your data. It also explains how we keep your information secure and what your rights are.

2. Who we are

Our registered office is at First Floor Flat, 5 Benbow Road, London, United Kingdom, W6 0AT. We are a company registered in England and Wales (Company number: 10905908).

We are registered on the Information Commissioner’s Office Register (number ZA278016).

3. What information do we process?

In order to help you manage your data we need to collect, process and hold your personal information. However, whenever we process your data we do so with your awareness and control.

The data that we process is divided into the following three categories:

  1. Your ‘request information’ – The information related to the requests you have made. This includes information concerning to whom the request was made and the format of such requests. This might also include information related to your specific circumstances, such as information in relation to your dealings with a particular company.
  • The email address used to set up the account
  • User profile name
  • Phone number
  • Date of birth
  • Photographic identity – We do not have access to this document.

We offer users the opportunity to use third party applications in order to verify your identity. We only rely on such third party applications if the user tells us to. Users are asked to read and verify the data protection policies of such third parties, as we are not responsible for how they may process personal data. We will never share anything other than the information you provide us for your profile.

Most of the information on your profile is not accessible to Rightly. We are only able to access your profile name and email address.

Where is this stored: This information is stored on Rightly’s servers. However, as above, we do not have access to the majority of this information and we will never have access to your identification information.

2. Your ‘request information’ – The information related to the requests you have made. This includes information concerning to whom the request was made and the format of such requests. This might also include information related to your specific circumstances, such as information in relation to your dealings with a particular company.

Where is this stored: This information is stored on Rightly’s servers. However, as above, we do not have access to the majority of this information and we will never have access to your identification information.

3. Your ‘received information’ – this is the information you receive from other organisations. We do not have access to this information. This is purely for you as a user and only the user can gain access to it.

Note that we are developing tools to help users parse through information and find specific information that they may be looking for. This may allow our tools to find and sift through “special category” data, a term used to indicate particularly sensitive data that might be processed, for example, information about racial or ethnic origin or health. We will not have access to that information and our tools will be used by the user exclusively for their own purposes.

Sometimes, companies send the wrong information to the wrong user. In order to guard against this, we have developed security features to ensure that we match the correct information received to the correct user. This will never be matched based on special category data. Rather, our tools will use bland information such as postcode to ensure matches. Members of Rightly’s team will not be involved in this process and do not have access to any matching data or processes. Rather, we can only let an individual know that there has been a security issue and advise the related data controller that there may be an issue with the data received.

Where is this information stored: Any personal data received is stored on your own storage medium, such as your phone. Rightly does not store this information. Alternatively, we use UK based cloud servers, which can only be accessed with user control and consent.

As we make clear above, we do not have access to much information ourselves. Where we process information, we aim to do so because a user has requested the tools to be used in a particular way. We will not have access to the information you receive from a company nor do we wish to have access to such information.

4. Lawful basis for processing data

Data protection laws (including the GDPR and DPA) require data controllers to have a lawful reason (or “lawful basis”) to process personal data. Our lawful bases for processing are set out fully below. However, we are a user-based system. We want users to know and understand that they are fully in control of how their data is used and will be used. Rightly is ultimately about user control; that is what we do.

  • Contract – To fulfil our contractual duties to users or to enter into a contract with you. That contract is as set out in our terms and conditions. If we cannot process your personal data as set out in this notice, we cannot provide you with our service.
  • Special category data – We do not currently process any special category data. However, as detailed above, we have tools in development that may allow users to filter through data received to find particular information. This may involve the tool processing special category data. In those circumstances, we will only process such special category information with user consent. We will make sure you provide specific and informed consent for such processing should it occur, through interactive dialogue boxes on the platform. We will not store, have access to or process that data.

You should be aware that we might process your personal information without your knowledge or consent only where this is required or permitted by law, such as following a request from law enforcement.

5. Do we share your personal data?

We share your data with data controllers when you make a subject access request. You as a user will be fully in control of this process and we will not be involved beyond facilitating the request.

We will never share your data with any third party without control. We do not share your information for marketing purposes nor do we have any third party processors involved in our development. We do not share any user information with third parties to “improve” our services or to any advertisers. Users are fully in control of what information is shared and why.

6. How long do we hold your personal data

We hold your data for as long as we continue to provide services to you and you are a user. If you wish to stop being a user, we will remove your information from our systems.

Simply, we will retain your data for as long as you determine. You have control over whether you wish to delete your data and when.

7. How do we keep data secure?

We have security measures in place to ensure appropriate security for your personal data. We seek to protect against unauthorised or unlawful processing, as well as protecting against accidental loss, destruction or damage.

We take the following measures to protect your data:

  • We only have limited access to your personal information, as we have detailed above.
  • We employ a double verification process on set up, to ensure the identity of users.
  • Received information from a data controller is kept securely and separately from your account information for added security. This received information will not be accessible by Rightly staff.
  • As we cannot access full profiles, there is a limit to what we can do if a user needs access to data. We can reset a profile but will maintain a record of such “reset” profiles for audit purposes.
  • Only authorised staff of the firm will have access to your data as held by us. Staff will have access only to the data necessary for the purposes to which they have been given access.
  • All persons who have access within the firm will do so in adherence to the law and this notice. All such persons also understand their professional duties of confidentiality and legal professional privilege.
  • We use secure browsers to protect against malware or other unintended intrusions into our database.
  • We ensure that user access is strictly controlled and password protected but would emphasise that you are responsible for keeping this password confidential.

Although we take such measures, we are not liable for losses caused by the acts of third parties, such as a malware attack on external servers which we could not prevent or by loss of information by a third party.

8. Data Protection Officer

We have not appointed a Data Protection Officer, as we do not meet the requirements to have such a role under the GDPR. However, we have a Data Protection Director in order to ensure that we put fundamental rights at the forefront of all we do.

We will keep the need for a DPO under review as we develop new tools and grow.

9. Your rights

We passionately believe in the exercise of rights, whether over your data or any other fundamental right. Accordingly, it is important for us to know that you understand the rights you have over your data. In particular:

  • Right to access – You have a right to ask for the personal data we hold about you. We will ask for proof of identity before acceding to such a request, to preserve your privacy. However, once we are satisfied as to your identity, we will delete those identity documents. We provide you with your data within 30 days (as required by law). If we may take longer, we will let you know and explain the reasons for the same. [We will not charge you for such a request, unless we reasonably consider your request to be excessive or repetitive. We also reserve the right to refuse a request if we reasonably consider it unfounded, repetitive or excessive].
  • Right to be informed – The notice provides the information you need about how we collect and use your data. If you require any further information, please contact our data protection director at
  • Right to rectification – If you consider that any information we hold is inaccurate, please let us know and we will take steps to rectify it. As above, we only have access to certain information so we encourage you to ensure you input the correct information when creating an account. We can reset accounts if required to rectify information that we cannot access.
  • Right to erasure – In certain circumstances, you have the right to have personal data that we process blocked, erased and destroyed.
  • Right to object and restrict – You can ask for the processing of your personal data to be restricted, for example for marketing purposes. You can also object to the processing of your data entirely but this will affect the service we are able to offer.
  • Right to portability – You can request your data to be “ported” to another platform, in certain circumstances.

You should note that these rights are not absolute and can be restricted in certain circumstances.

Please contact our data protection director if you have any further questions. Our data protection director can be contacted at

Further information about your rights is available on the Information Commissioner’s Office website:

10. Where we store and process your personal data

Rightly is based in the United Kingdom and we will not transfer your personal information outside the European Economic Area (EEA). The only circumstances in which users’ data may be transferred outside of the EEA is if the user is based outside the jurisdiction and downloads the data there.

You may be able to access your own registration details over the Internet from locations abroad. This Privacy Notice only covers processing undertaken by Rightly and does not apply to any processing which may be carried out by your own Internet service provider.

11. Data protection Impact Assessment

At present, we have not conducted a Data Protection Impact Assessment (DPIA) as we do not consider that we meet the GDPR requirements to do so. However, as we roll out new features, expand and grow we do plan to conduct a DPIA. We will publish the DPIA on our website and liaise with the relevant supervisory authority (the Information Commissioner).

12. Complaints

We are hopeful that you will not have a need to complain, as we take your data protection and privacy seriously. Indeed, we trust that you will be pleased by the approach taken in this notice. However, should you find it necessary to complain please contact our data protection director on Our current data protection director is Thomas Andrews.

Should we be unable to resolve your matter, you have a right to complain to the relevant supervisory authority (the regulator of information), the Information Commissioner. The Information Commissioner’s Office have online guidance on how to complain to them, here:

13. Changes to this notice

This notice is liable to change, as the data protection regime evolves. When we make significant changes, we will notify clients by email. We will also revise the published notice on our website, as well as keeping a record of the changes.

14. Cookies

Our website uses cookies. We have a separate policy on cookies, available here:

We encourage you to review your cookie policies on our website and any other website you visit.