Managing your data requests is simple and secure with Rightly.
We help over 10,000 companies comply with GDPR and build positive relationships with their customers, for free.
Why companies like working with us
Our data handling practices, security processes and business model are available to view.
Security is our priority
Our authentication, transfer and wider security processes are above the industry standard.
Fulfilling requests is easy
Requests via Rightly are clear and simple to answer, unlike general enquiries.
We make data requests simpler for everyone.
Who we are
We're a unique, innovative start up with a singular goal: to make data request management simple.
We know how difficult it can be for businesses to confidently and securely handle GDPR requests, which is why we built Rightly. We're passionate about connecting businesses to consumers and making GDPR requests as easy as possible for everyone.
Our secure system and hands-on support team enable companies to stay on top of requests, build trust with their customers and shape Rightly's development through valued feedback.
How users submit requests
When users submit requests to companies through Rightly they are asked to choose a type:
Rightly Assisted Requests:
- What are users asking companies to do? Fulfil their data rights request using the PII and verified identity information provided and not ask the user to complete the company's own forms and processes
- Why do users choose this option? Rightly users make requests to an average of more than 10 companies therefore find it much more efficient to provide their information once via Rightly than to fill it in for each company separately
- What can companies expect from users? Every Rightly Assisted request will contain the Subject's:
- Name and verified email address
- Verified mobile number
- Government ID document authenticity check
- Biometric face match to image in the ID document
- Liveness detection to ensure this is a real person
- Digitally signed statement of authority for Rightly to act on their behalf in submitting the request
Submit Only Requests:
- What are users asking companies to do? Link them to your standard tools, forms and processes so they can complete and submit their data rights requests to you directly
- Why do users choose this option? Users may select Submit Only where they are sending a request to one company or prefer to provide their identity and personal information to you directly
- What can companies expect from users? Every Submit Only request will contain the Subject's name and verified email address so you can reply to them and link them to your data rights procedure
Our partnership with Yoti
Yoti is an internationally recognised global identity platform that works with governments, businesses and NGOs. Our partnership with Yoti ensures that we meet the highest ID & V standards, by facilitating document and liveness checks on all IDs. Their use of photo ID and facial biometrics enable us to prevent fraud attacks and the usage of fake IDs.
Yoti are ISO 27001, CIFAS and B Corp certified.
We don't want user data
We value the trust that our users and business community put in us. To meet this, we hold ourselves to the highest possible data standards. These include minimising both the collection and storage of user data.
For example, it is company policy to automatically delete all data sent back by companies every three months. Users are warned of this in advance in order to download any relevant data, and can adjust the frequency of deletion.
Why we're free
We’re free for the people and businesses that use our service because we believe it should be easy to manage personal data. We don’t share or sell any data with third parties for profit, and there aren’t any adverts or hidden costs.
We pride ourselves on being the ethical data company. Fortunately, we’re privately funded by two investors who share our ethos.
Every single service is built around the protection of consumers and getting the most of their data at the least cost to their own privacy and integrity. In the future, we’ll look to monetise Rightly in the most ethical way possible. This may include affiliate linking or adopting a freemium service.
What should I do if I receive a request?
If you've received a request from a user, follow the instructions in the user's request and click the link to our secure portal. From here, companies can reply to requests and securely upload data files. Access to this portal is secured with a One Time Password sent to the same inbox a company designates as appropriate for handling data requests.
We go into this in more detail in our Company FAQs, below.
Why companies trust Rightly
Users are authenticated
All email addresses used in requests are verified and companies can ask users to provide additional ID
All data is encrypted
Data is encrypted at rest and in transit making it impossible for hackers to gain access by brute force or snooping
Only users can see data
Our service permits only the requesting user to access the data files they receive
How to respond to a data request from the user
Responding to a user's request is easy, whether sending confirmation of completion, data files or a message, you have two options:
Firstly, and the method we recommend, you can respond via Rightly's secure web reply portal. No registration is required and all data sent via this method is encrypted. This can be accessed by clicking the link in the request email and entering the One Time Password sent to the same inbox.
Alternatively, you can respond to the user directly by replying to the request email itself. All replies go directly to the user's inbox in their Rightly account. It’s important to note that when companies choose to reply to data requests via email, they don't benefit from any encryption while the data is in transit. This is because email is still based on the old Simple Mail Transfer Protocol (SMTP), which does not encrypt messages during transfer. For this reason, Rightly does not recommend using email for the transfer of any sensitive information.
No problem, simply ask the user for additional data or documentation and explain why it's needed. This can be done by via the secure web reply portal, which can be accessed by clicking the link in the request email, or replying to the request email itself (all replies go directly to the user's inbox on their Rightly account).
For security, companies will be sent a One Time Password needed to access this portal meaning no registration is required. This OTP is sent to the same company inbox requests are received. If there are data points that you will always need in future requests from other Rightly users, please get in touch with us at firstname.lastname@example.org to discuss your requirements.
Our users, the data subjects, have chosen to send their request to you via Rightly because we provide a simple and secure platform to manage personal data with over 10,000 companies.
Our users therefore expect to receive responses to their secure Rightly dashboard, including any associated data files. Should you wish to confirm this with them, you can simply respond to their request.
(See the FAQ: We've just received a request from a user via Rightly, how do we respond?)
The ICO guidelines state that companies can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
In addition, due to the ongoing pandemic, the ICO offers further clarifications on impact to response times:
"We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic."
We would encourage any user to be mindful and accommodating of the above guidance.
Data security and integrity
Encryption at rest
When a user's data is stored on our service it’s always stored in encrypted form. No two files share the same encryption key, making it impossible for hackers to gain access to the data by brute force.
Encryption in transit
Whenever users or companies upload data to our service through our portal, we use strong SSL encryption to make sure it can’t be read by anyone snooping on the internet traffic.
Our service permits only the requesting user (and receiving company) to access the data files they send and receive using our platform. This includes Rightly staff, who do not have access to any data files, ID documentation or PII data beyond the subject's email address and any company/user correspondence messages which are used for ID&V purposes and fulfilling customer support enquiries.
Users include their email address in every request so that companies can locate their account. Rightly also ensures the user has access to this inbox by sending a verification link before it can be included in any request.
If you require additional proof, you can ask the user to provide further documentation such as a passport, driving license or proof of address. Should you need more data points, you can ask the user for these by simply replying to the request (see FAQ: We've just received a request from a user via Rightly, how do we respond?).
All communications from Rightly come from a fixed root domain:
All links to our forms start with https://www.right.lyt.ly
All of our outbound emails finish with the suffix '@inbound.right.ly'
Any further information provided to companies will come from https://rightly-prod-live-eu.s3.amazonaws.com.
If you have any further questions or notice anything suspicious, please contact our company support team at email@example.com as soon as possible.
Our service only permits the requesting user and receiving company to access the data files they send and receive using our platform.
Even Rightly staff do not have access to any data files, ID documentation or PII data beyond the subject's email address and any company/user correspondence messages which are used for ID&V purposes and fulfilling customer support enquiries.
We may use the metadata of requests (date/time, receiving company, industry, responded to, success etc.) along with customer satisfaction data to produce aggregated non-personalised reports to share with interested authorities and regulators.
Company obligations under GDPR
The GDPR entitles people to submit subject access requests (SARs) to data controllers by any means or media.
Even if you have your own system to receive such requests, the UK Information Commissioner’s Office Code of Practice states that you “may not insist on the use of a particular means of delivery for a SAR” [P.13].
Be mindful that our users have chosen to submit their SAR via Rightly, and we've purposefully made it easy for you to respond, verify the identity of the data subject, and securely transfer data back to them to comply with the request.
You have received a SAR from a data subject via the Rightly platform. Rightly does not legally represent, litigate or bring claims on behalf of Rightly users; it is a secure platform for submitting and responding to SARs. As such, the requirements of GDPR apply as normal.
The UK Data Protection Act requires you to respond to a SAR within 30 days. You are entitled to verify the identity of the data subject and Rightly helps you do this (see FAQ: How do we know a request sent via Rightly is from the User?), and to seek additional information from the data subject to clarify the scope of the request where necessary (see FAQ: What if we need more information from the user to fulfil their request?). Please note, however, that simply refusing to comply with a request is likely to amount a breach of your GDPR obligations.
If you fail to respond to a SAR you may be in breach of your obligations under the GDPR. The Rightly platform enables its users to submit complaints to data controllers who fail to respond to data subjects within 30 days. Failure to act upon the complaint may risk further escalations.
If you'd like to discuss any topics mentioned on this page or require any further information about user requests via Rightly, our support team is on hand and would be more than happy to discuss. Please contact us via email at firstname.lastname@example.org