Rightly, Champions of Data, is an independent data action service committed to championing your rights and helping you police, control and manage your personal data held and used by organisations.
We believe in good data and that used rightly, data makes the world a much better place. Good data helps build strong relationships. It raises understanding, influences decisions and makes life easier.
Rightly's purpose is to help individuals and organisations make good use of data. We help you understand your data rights and obligations and equip you with the tools to manage, share and use data rightly.
Our mission is simple: to make managing your online data as easy as it can be.
Our vision is a future where data is managed, shared and used Rightly.
The data controller for this Policy is Rightly Limited, a company registered in England and Wales, with company number 10905908 (Rightly, we, us, our). We are registered with the ICO, with registration number ZA278016. Our address is 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. You can contact us here.
The responsible use of personal data and consumer rights are two areas that we champion. As such, we make all efforts to comply with applicable data protection laws, including the General Data Protection Regulation (GDPR).
- What we process, why and the legal basis for doing so
When you register to help Rightly with our research and use the service, we collect your name and email address and add you to the list of registered users of the service.
When you access the service and connect your Google/Microsoft account, we collect your name and email address from your identity provider.
When you grant permission for Rightly to scan your email in order to conduct the research under the service, we search for messages from a known list of companies and extract those messages to our secure storage.
We use your messages to help improve our algorithms to enable future services for Rightly users. We will not use your data for any other purpose.
The service is not intended for use by anyone under 18 years of age.
- Sensitive data
Certain types of data are classified as “special category” under the GDPR. This type of data is deemed to be potentially sensitive, as it relates to matters including race, ethnicity, sexuality, sex life, health status and religious or philosophical views. A higher threshold of protection requirements apply to dealing with this data. Rightly will never request you to provide any special category data, but we recognise that we may receive this while scanning your email. Where we process this data, we do so on the basis of our contract.
- Providing support to you
Information is also stored when you communicate with Rightly via email, phone or other means. This is usually limited to your name, email address and/or phone number depending on how you contact us and any correspondence with us on resolving your enquiry.
We process this data on the basis of our contract with you and/or our legitimate interests in providing an efficient service to you.
- Operational Data
When using the service, we may also record your IP address as part of normal request processing and session management, and to support you and our service in the event of problems occurring. We process this data on the basis of our legitimate interests in providing a secure platform.
- Data sharing and processors
We do not share your data with any third parties unless required to do so in response to a lawful request by the authorities.
Our service is built on carefully selected third party providers who may process your data on our behalf. We engage these providers on terms that ensure the confidentiality and security of your data.
The list below sets out the third parties we engage as processors and provides more information about their data protection practices.
Hotjar. We use Hotjar to handle the signup for the service. You can read about Hotjar’s GDPR commitment here.
- International transfers
Where we transfer your data outside the UK or EU to a country deemed to have a lower standard of data protection in place, for example to a third party processor based in the US, we will ensure that your data is appropriately protected by meeting the obligations on us under GDPR and ensuring there is a transfer safeguard in place with the recipient, for example the Standard Contractual Clauses issued by the European Commission.
Your data will be retained for a maximum of six months after which it will be removed from all Rightly controlled storage.
We may also retain information as required by law.
Rightly Limited is an ISO 27001:2013 accredited organisation. ISO 27001:2013 is the international standard for Information Security Management. This certification means our policies, processes, and procedures are regularly subjected to an independent audit and have been assessed as meeting the standards of ISO 27001:2013. Our auditors are Alcumus.com (ISOQAR) and our certificate number is 20004.
While we do our best to protect personal data, any information transmitted over the internet remains vulnerable to interception – for this reason the transmission of any personal data to use is therefore at the data subject’s own risk. To read more about how we keep your data secure, please see our consumer FAQs.
Third party links
Our website or platform may contain links to other websites or applications which are not controlled by Rightly. Rightly are not responsible for the privacy practices or content of such other websites or applications. As such, visiting these other websites or applications is at your own risk.
At Rightly we strongly believe that people should be fully informed of their rights, so that they can act upon them should they wish to.
Under GDPR and data protection laws, there are certain rights that may be available to you with respect to your personal data:
- Right to access – You have a right to ask for the personal data that we hold about you. We will provide you with your data within 30 days. If we may take longer, we will let you know and explain the reasons for the delay. We will not charge you for such a request, unless we reasonably consider your request to be excessive or repetitive. We also reserve the right to refuse a request if we reasonably consider it unfounded, repetitive or excessive.
- Right to be informed – The notice provides the information you need about how we collect and use your data.
- Right to rectification – If you consider that any information we hold is inaccurate, please let us know and we will take steps to rectify it.
- Right to erasure – In certain circumstances, you have the right to have personal data that we process blocked, erased and destroyed.
- Right to object and restrict – You can ask for your processing of your personal data to be restricted, for example for marketing purposes. Where your data is processed on the basis of consent, you may also withdraw your consent to that processing at any time. You can also object to the processing of your data entirely but this may affect the service we are able to offer.
- Right to portability – You can request your data to be “ported” to another platform, in certain circumstances.
Please note, these rights are not absolute and may be restricted in certain circumstances. To exercise your rights or if you require any further information, please contact our data protection director at firstname.lastname@example.org or via post to our registered address.
If you are unsatisfied with the way we handle a request or believe we have processed your data unlawfully, you also have the right to make a complaint to the ICO https://ico.org.uk/make-a-complaint/. If you are based outside the UK, you can also contact your national data protection authority for further information.
Changes and revisions
29th September 2022
- Initial revision