Data protection
- Yes, we are registered with the ICO. All the data is stored in the UK and we have full control.
- Every page requested by the browser is fully encrypted and for single use only. This means that if another browser tries to use the same URL, it will not work for them.
- We complete a number of checks to ensure CSRF and CORS cannot occur when processing payments. These checks include hash key computation, and a final check confirms the payments have been accepted and taken, at which point the platform shows the payment as validated. The high standard of encryption across the platform prevents such attempts.
- Rightgun uses Secure Sockets Layer (SSL) and TLS 1.2 to stop ‘man in the middle’ attacks.
- Rightgun includes state-of-the-art data security architecture and controls. The platform is designed and engineered to use ‘privacy by design and privacy by default’ principles. We rely on the latest standards and best practices and will continue to be supported as the platform develops. The following measures are in place to ensure the security of personal data that is stored and that may be transferred during planned and authorised workflow on the platform.
- Firewall - The database is never exposed beyond an internal firewall. The internal firewall technology is constantly reviewed and upgraded to the latest standards.
- Penetration testing - Penetration tests are performed at least every 20 days. Any issues identified are immediately evaluated and acted upon. We also support third-party penetration testing by security establishments.
- Source code encryption - All the source code that is packaged and deployed to the platform is binary encrypted, preventing reverse engineering by hackers.
- Private Key encryption - We enforce private key encryption technology to encrypt data packets. Private key encryption serves two purposes:
- The first is authentication where the approach verifies the user.
- The second is the encryption of data. This approach assures that data in transit is secure and that it can only be accessed by an authenticated user upon receipt.
- Secure Sockets Layer (SSL) - We use Secure Sockets Layer (SSL) technology for all communication and web services. SSL is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and secure.
- Protecting against SQL injection - SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). We have best practices and measures in place to prevent SQL injection, and regular testing is conducted after every version upgrade to protect against it.
- Encryption standards - We offer a high level of encryption of data on any local device. The platform also protects against the possibility that native applications, if not adequately encrypted, can be reverse engineered for malicious reasons. To ensure that this cannot happen, the binary files are compressed, optimised, and obfuscated.
- We use AES-256 encrypted web services for all mobile device communication. The web services API can only be accessed via a public access token tied to a unique identifier, and it is encrypted using the AES-256 encryption algorithm.
- All transmitted data packets are also encrypted with public/private key cryptography and further encapsulated by the industry-standard SSL layer, providing very high levels of data security.
- We use transport layer security (TLS) 1.2 protocol for all communications. This ensures privacy and data security between our applications and our users on the internet.
- All the credit and debit card details are stored securely within our payment gateway which is fully SCA (Strong Customer Authentication) compliant.
- No, we only keep your data to provide services to you. We don’t advertise on our site, and we don’t use your data for consumer analytics.
- The European Union (EU) introduced its data protection standard over 20 years ago through the Data Protection Directive 95/46/EC. Because the EU required each member state to implement Directives into national law, we have ended up with a patchwork of different national privacy laws. Over time, technological developments have introduced new challenges to the protection of personal data. In response to this situation the EU has developed the General Data Protection Regulation (GDPR), which is directly applicable as law across all past and present member states. The process of the United Kingdom leaving the EU does not alter the need for UK-based organisations to ensure full compliance with GDPR. GDPR is relevant to any organisation, whether based inside or outside the EU that processes personal data from EU-based individuals. Personal data, also known as personal information or personally identifiable information in other parts of the world, is any information relating to an individual that enables them to be directly or indirectly identified, for example by reference to identifiers such as names, identification numbers, location data, online identifiers (including pseudonymous identifiers) or to one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity. With new and strengthened rights for individuals, accountability requirements for companies, and increased scrutiny by regulators, organisations collecting and handling personal data in the EU, both offline and online, will need to consider and manage their data handling practices and use cases more carefully than before.
- The GDPR imposes restrictions on the storage and transfer of personal data outside the European Union, to third party countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined. Details are available on the ICO website here https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/. All the data captured via the Rightgun UK platform is stored and processed within the UK. We do not move data outside of the UK. All the customer data is housed and processed in two data centres in separate London locations: a primary data centre and failover data centre. The legal ownership of the data resides with the customer.
- GDPR gives individuals the right to rectify personal data that is inaccurate or to have incomplete personal data completed. Article 16 of GDPR states: “The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.” In addition to the ability to rectify or update personal data, Article 17 gives data subjects the right to erase personal data on request in specific situations. This right is also commonly referred to as “the right to be forgotten”. Rightgun UK enables data subjects who are registered users of the platform to request erasure or full deregistration of their data. An anonymised record of technical transaction information is retained for the purposes of accurate historical and security management.
- Existing data protection legislation requires organisations to ensure that they only collect the personal data they need for the purposes they have specified. Organisations are also required to ensure that the personal data they collect is sufficient for the purpose for which it was collected. Data that has been collected for one purpose cannot be repurposed without further consent. GDPR further strengthens this principle, stating that data should be “adequate, relevant and limited to what is necessary for the purpose it was collected.”