Privacy policy

Last updated 03/01/2024

Summary of key points

This summary provides key points from our privacy notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use.

Do we process any sensitive personal information? We do not process sensitive personal information.

Do we receive any information from third parties? We may receive information from public databases, marketing partners, social media platforms, and other outside sources.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so.

In what situations and with which parties do we share personal information? We may share information in specific situations and with specific third parties.

What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information.

How do you exercise your rights? The easiest way to exercise your rights is by submitting a data subject access request, or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.

Want to learn more about what we do with any information we collect? See more details below.

TABLE OF CONTENTS

PRIVACY NOTICE

SUMMARY OF KEY POINTS

WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

Information automatically collected

HOW DO WE PROCESS YOUR INFORMATION?

WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

HOW DO WE HANDLE YOUR SOCIAL LOGINS?

IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

HOW LONG DO WE KEEP YOUR INFORMATION?

DO WE COLLECT INFORMATION FROM MINORS?

WHAT ARE YOUR PRIVACY RIGHTS?

Account Information

CONTROLS FOR DO-NOT-TRACK FEATURES

DO WE MAKE UPDATES TO THIS NOTICE?

General Data Protection Regulation (GDPR)

Data Protection Principles

Accountability

Legal Basis for Processing Personal Data

What Personal Data We Collect

Use of Cookies

Third Party Service Providers

INFRASTRUCTURE

COMMUNICATIONS

OPERATIONS

PAYMENTS

HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

What information do we collect?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Sensitive Information. We do not process sensitive information.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

Like many businesses, we also collect information through cookies and similar technologies.

How do we process your information?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

When and with whom do we share your personal information?

In Short: We may share information in specific situations described in this section and/or with the following third parties.

We may need to share your personal information in the following situations:

  • Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
  • Affiliates. We may share your information with our affiliates, in which case we will require those affiliates to honor this privacy notice. Affiliates include our parent company and any subsidiaries, joint venture partners, or other companies that we control or that are under common control with us.
  • Business Partners. We may share your information with our business partners to offer you certain products, services, or promotions.

Do we use cookies to track your behaviour?

In Short: No, we don't use cookies to track you.

We may use similar tracking technologies (like email pixels) to check if you open an email. Like almost all web applications, RateHighly uses cookies to handle sessions (persistent logins) so you don’t need to log in or out. Our providers such as Zendesk or Intercom may also use cookies for the same purpose (e.g. providing persistent sessions with our customer service provider). Since we only use cookies for transactional and necessary purposes, RateHighly is not required to show you a cookie banner when accessing the service (good news!). We do use other methods to monitor our service for the purpose of making improvements and understanding our customers better, but we don’t need to use cookies to achieve this. See the Use of Cookies section below for more information.

How do we handle your social logins?

In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.

Our Services offer you the ability to register and log in using your third-party social media account details (like your Google account logins). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name and email address, as well as other information you choose to share with us on sign up or login.

We will use the information we receive only for the purposes that are described in this privacy notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information, and how you can set your privacy preferences on their sites and apps.

Is your information transferred internationally?

In Short: We may transfer, store, and process your information in countries other than your own.

Our servers are located in Ireland. If you are accessing our Services from outside, please be aware that your information may be transferred to, stored, and processed by us in our facilities and by those third parties with whom we may share your personal information (see "WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?" above), in and other countries.

If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this privacy notice and applicable law.

How long do we keep your information?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

To secure your data, we have put in place technical, organizational, and personnel procedural measures to safeguard personal data against loss, theft, and unauthorised access, uses, or modifications. These measures meet the requirements of the GDPR, and we require any third party service providers we use to do the same. Security and testing are performed on systems containing personal data to verify and control effectiveness. Security of these systems is monitored continuously.

Your data is only ever saved on secure servers, which may only be accessed by a few authorized personnel. When you use a form on our website to transmit data to us, this transmission is only performed over an encrypted TLS connection.

Do we collect information from minors?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent’s use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at support@ratehighly.com.

What are your privacy rights?

In Short: You may review, change, or terminate your account at any time.

Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.

However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can:

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

Controls for do-not-track features

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.

Do we make updates to this notice?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this privacy notice from time to time. The updated version will be indicated by an updated "Revised" date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.

General Data Protection Regulation (GDPR)

In Short: We are committed to protecting your personal information and going above and beyond the requirements of the GDPR (EU) 2016/679 (“GDPR”).

For the purposes of this policy and data protection laws we are the data controller, meaning we determine the purpose and means of processing of your personal data. If you have questions about our processing of personal data, you will find our contact information and the contact details for our Data Protection Officer in the section below.

There may be situations when more than one data controller processes your information, such as when you access the RateHighly website through a widget. In these situations, we act as an independent data controller over our processing activities and make determinations over how data will be processed independently from other data controllers. We are not responsible for the processing of other data controllers, including customers, and you should contact them directly regarding questions about how they process your personal data. If you have questions about our processing of personal data, you will find our contact information and the contact details for our Data Protection Officer in the section below.

The controller, sometimes referred to as the responsible entity, according to Art. 4 Nr. 7 of the GDPR is: RateHighly LTD; 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. The data protection officer is Bill Franklin, of the same address, who can be contacted at bill@ratehighly.com.

Data Protection Principles

The GDPR sets out the principles which must be complied with by any party handling personal data. RateHighly will comply with these principles, as detailed in Article 5 of the GDPR. Personal data must be:

  • Processed lawfully, fairly, and in a transparent manner in relation to the data subject;
  • Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes subject to appropriate safeguards, and provided that there is no risk of breaching the privacy of the data subject;
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
  • Accurate and where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay;
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by GDPR in order to safeguard the rights and freedoms of the data subject;
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Article 5(2) states that the controller is responsible for and must be able to demonstrate compliance with the data protection principles.

Accountability

The GDPR obliges organizations to demonstrate that their processing activities are compliant with the data protection principles. The principle of accountability seeks to guarantee the enforcement of these principles. We will demonstrate compliance in the following ways:

  • by maintaining record schedules which will include details on Personal Data collected, held, or processed in line with Article 30 – ‘Records of Processing Activities’;
  • upon request, these records will be disclosed to the relevant lead authority in the applicable jurisdiction.

Legal Basis for Processing Personal Data

In order to process personal data, a lawful ground must exist. A number of permitted grounds for processing are enumerated in Article 6 of the GDPR.

One ground for the processing of personal data is Article 6, Paragraph 1(a) of the GDPR, which is the freely given consent of the data subject to do so. This consent is bound to a particular purpose. For example, we may collect personal data such as your name and email address when you subscribe to our newsletter.

A second ground for the processing of personal data is to fulfill the requirements of a contract, as specified in Article 6, Paragraph 1(b) of the GDPR. Performance of contract is understood to include the initiation of a commercial relationship. This ground applies to RateHighly when a user completes our contact form or contacts our Support or Sales team using any other means to obtain a non-binding quotation.

Article 6, Paragraph 1(c) of the GDPR permits the processing of personal data where a legal requirement to do so exists.

Article 6, paragraph 1(d) permits the processing of personal data in exceptional circumstances, where doing so is necessary to protect the vital interests of the data subject.

It is also possible that personal data will be processed on the basis of Article 6, paragraph 1(f) of the GDPR. This is the so-called “legitimate interests” ground, which is interpreted with reference to Recital 47 of the GDPR. The GDPR treats this as a “fallback ground”, which only applies where no other previously listed lawful ground for processing applies. When this ground is relied upon, an assessment must carefully weigh the legitimate interests of the data subject against the legitimate interests of the data controller.

What Personal Data We Collect

Unless expressly stated, the provision of your personal data is not required or obligatory. The personal data that we collect about you broadly falls into the categories set out below. Some of this information you provide voluntarily when you interact with RateHighly services, websites, and/or application. Other types of information may be collected automatically from your device, such as Device and Service Data. From time to time, we may also receive personal data about you from third party service providers (as further described below).

| Category of personal data | What this can include | Third Party Service Providers that may process this data (see more detailed information in section below entitled Third Party Service Providers) |
|---|---|---|
| Contact Data | Name, email address, mailing address, telephone number, department, role, company name | AWS, ChartMogul, Cloudflare, DigitalOcean, Google Workspace, Intercom, Postmark, LinkedIn, Notion, Twilio, SendGrid, Shortcut, Slack, Stripe, Trello, Zendesk |
| Account Data | Name, email address, company name, unique identifier (such as customer ID), mailing address, department, role, and details about subscriptions and services you have purchased from RateHighly, including subscription or plan name, sign up date | AWS, ChartMogul, Cloudflare, DigitalOcean, Google Workspace, Intercom, Postmark, LinkedIn, Notion, Twilio, SendGrid, Shortcut, Slack, Stripe, Trello, Zendesk |
| Professional Data | Educational and professional history, certifications, interests and accomplishments, job and salary preferences, professional resumes and CVs, job applications, interviewing information, assessments, references, hiring results, and other optional data you send | AWS, DigitalOcean, Google Workspace |
| Financial Data | Bank account and/or payment card details | Stripe |
| Billing Data | Billing address and payment history | Google Workspace, Stripe |
| Communications Data | If you correspond with us by email or otherwise, or if you connect your email account to our platform, we may retain the content of such messages and our responses | AWS, ChartMogul, Cloudflare, DigitalOcean, Google Workspace, Intercom, Postmark, LinkedIn, Notion, SendGrid, Shortcut, Slack, Stripe, Trello, Zendesk |
| Cookie Data | Data from trackers like cookies, pixels, clear GIFs, and/or web widgets stored on your device, including cookie IDs and settings. For more details, see the section entitled Use of Cookies below | ChartMogul, Cloudflare, Intercom, Postmark, LinkedIn, SendGrid, Stripe, Zendesk |
| Device and Service Data | Internet protocol (IP) address, geolocation data, unique identifier, login data, date and time of access, name of your Internet Service Provider, browser type and version, time zone setting, operating system and platform and other technology on the devices you use to access our websites or use our services | AWS, Cloudflare, DigitalOcean, Postmark, Intercom, SendGrid, Stripe, Zendesk |
| Activity Data | Requested URI, date and time of request, amount of data transferred to you in response, whether the request was successfully processed or not, referring website from which you made the request, navigation paths between pages, query string, usage data, pages viewed, links clicked, and interaction and duration data | AWS, ChartMogul, Cloudflare, Postmark, DigitalOcean, Intercom, SendGrid, Stripe, Zendesk |
| Sensitive Data | RateHighly does not collect any sensitive data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sexual life or orientation, except with specific consent or as necessary for compliance purposes | N/A |

Use of Cookies

In addition to the previously listed data, cookies will be saved on your computer when you use our website. Cookies are small pieces of textual data which are saved on your hard disk by your web browser, through which RateHighly, who sets the cookie’s contents, can collect certain information about you. Cookies cannot execute any code, nor transfer any viruses to your computer. We use them in order to anonymously or pseudonymously analyse the use of the website and present relevant offers to you.

This website uses the following types of cookies, whose scope and functionality are detailed in the following paragraphs.

  • transient cookies (see paragraph 1)
  • persistent cookies (see paragraph 2)

Transient cookies are automatically deleted when you close your browser. They are used particularly as session cookies. These save a so-called “session ID” which is used to link subsequent requests made by your browser to each other. Through this, your computer can be recognized when you return to our website. These session cookies are deleted when you log out or close your browser.

Persistent cookies are only deleted after a predetermined duration, which can be different for each cookie. You can delete these persistent cookies anytime, though, in the “Settings” configuration of your browser. We advise you that, if you do so, not all functionality of this website will be available.

Previously set cookies can be deleted through the settings of your browser. You may also be able to prevent the placement of some cookies on your computer through the relevant settings of your internet browser. We advise you that preventing the placement of cookies on your computer can mean that not all functionality of our website is available without limitations. Moreover, due to the lack of an industry standard for recognizing Do Not Track browser signals, it’s possible that third party service providers may continue to collect your personal data through cookies.

Third Party Service Providers

In order to operate and perform functions such as hosting our application, storing and analyzing data, processing payments, communicating with you, and providing and optimizing our services, we use third party service providers. Some of these third party service providers are located outside the European Economic Area. We shall disclose your information to third parties only when you have authorised us to do so, it is necessary as part of business practices, or when there is a legal or statutory obligation to do so. Whenever we disclose information to third parties, we will only disclose that amount of personal information necessary to meet such business need or legal requirement.

We only engage third party service providers after a comprehensive review which carefully considers each third party service provider’s competence, as well as their technical and organizational data protection measures. The results of this review are recorded in writing. To protect your personal data, we also sign data processing agreements, complete with standard contractual clauses, as applicable, that comply with Article 28 of the GDPR with third party service providers.

Notwithstanding anything to the contrary in this policy, please note that to the extent that you elect to provide the RateHighly application access to your Google user data, our use of your Google user data will be further limited as follows:

  • The RateHighly application will only use access to read your Google user name and email address for the purpose of uniquely authenticating you and creating a RateHighly user account.
  • The RateHighly application will not transfer this Google user data to others unless doing so is necessary to provide, support, and improve these features, for security purposes, to comply with applicable law, or as part of a merger, acquisition, or sale of assets.
  • The RateHighly application will not use this Google user data for serving advertisements.
  • The RateHighly application will not allow humans to read your Google user data unless we have your affirmative agreement or doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for our internal operations, and then only when the data have been aggregated and anonymized.
  • The RateHighly application’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

We may amend this section from time to time to comply with the Google API Services User Data Policy, to the extent it relates to our use of such Google user data. For the avoidance of doubt, the additional restrictions contained in this section shall only apply to Google user data received through the Google OAuth API, to the extent such use is applicable to you.

Here are the details of our main third party service providers:

INFRASTRUCTURE

We use DigitalOcean, Amazon Web Services (AWS), and Cloudflare to host the RateHighly application, cache, and database servers in Ireland, in addition to other managed services such as a Content Distribution Network (CDN). We store customer data in accordance with good security practices. For instance, databases are encrypted at rest, and all inter-service communication is encrypted, authenticated, and, where applicable, kept within a Virtual Private Cloud (VPC). We use other security measures to protect customer data and accounts, including a Web Application Firewall (WAF) and other techniques not listed.

COMMUNICATIONS

We use SendGrid and Postmark to send mail to our clients and customers of our clients. SendGrid will process customer information, including names and email addresses, in accordance with their privacy policy.

OPERATIONS

We use Intercom, ChartMogul, Slack, Google Workspace, Notion, Sentry, and Zendesk for internal operations, such as monitoring abuse, improving reliability of the service, responding to customer support tickets, or improving the product. These services may process your information for the above purposes, including: abuse prevention, customer service, marketing, sales, improving reliability and information security, and product development.

PAYMENTS

We use Stripe as our payment processor.

How can you contact us about this notice?

If you have questions or comments about this notice, you may contact us by email at support@ratehighly.com or by post at:

RateHighly LTD

71-75 Shelton Street

Covent Garden

London, WC2H 9JQ

United Kingdom

How can you review, update, or delete the data we collect from you?

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it. To request to review, update, or delete your personal information, please fill out and submit a data subject access request.