Data Protection Notice

Data Protection Notice

On May 25, 2018, the General Data Protection Regulation (GDPR) became fully enforceable across the European Union (EU), creating a higher standard for data protection, privacy, and security for the processing of personal data from the EU. The GDPR applies to the processing of personal data (PII) regardless of where that takes place in the world and impacts any company that handles personal data of EU and by extension UK citizens and others within the EU / EEA.

In June 2022, The Data Protection Act 2018 applies in the UK specifying those Data Protection Principles that apply to all UK organisations that process data.

The Data Protection Principles include the following requirements:

  • Personal data collected must be processed in a fair, legal, and transparent way and should only be used in a way that a person would reasonably expect.
  • Personal data should only be collected to fulfil a specific purpose and it should only be used for that purpose. All businesses must specify why they need the personal data when they collect it.
  • Personal data should be held no longer than necessary to fulfil its purpose.
  • People covered by the GDPR have the right to request and access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another business or organisation.

GDPR adds some new requirements regarding how all businesses should protect individuals' personal data that they collect and process. At “RFA” we strongly believe that your data privacy is very important and, we already have solid security and privacy practices in place that go beyond the requirements of the GDPR.

Does “RFA” offer a Data Processing Agreement?

“RFA” is committed to GDPR compliance in full. We offer a data processing addendum (DPA) for our customers and clients who collect data from citizens within the EEA region and by extension the UK. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers, clients and where appropriate third-party vendors.

Our DPA / Data Processing Agreements and applicable addendums provide for our Terms of Service.

Is “RFA” DPA 2018 compliant?

Yes, Our Terms and Conditions and associated agreements and addendums have been updated to reflect strict DPA 2018 requirements & compliance to ensure complete compliance and data safety.

An extensive standardised DPA has been added as an extension of our Terms and Conditions and includes both the relevant information on data processing along with a list of sub-processors.

By reviewing our product, its processes and procedures to make sure we meet the necessary UKGDPR and GDPR standards:

  1. Privacy Policies / Legal

Compliant. Updated policies and contract language and DPAs. RFA’s Data Privacy Policy can be found on our Website

  1. Data Protection / Security

Compliant. Updated guidelines, implemented two-factor authentication where required, audited vendors and IT systems.

  1. Data Subject Access Requests / Rights (SAR)

Compliant. Developed processes for SAR requests.

  1. Data Management / Mapping

Compliant. Completed data mapping and inventory of systems that manage personal data, including implementation of data retention guidelines, data minimisation standards, and de-identification methods.

  1. Awareness / Training

Compliant. Conducted training and implemented additional data controls at the functional level.

  1. Data Breach Notification

Compliant. Updated enterprise Security Incident Response Plans.

  1. Data Protection Officer

Compliant. We have appointed Dan Carter as our Data Protection Officer. They can be contacted at

  1. Which Sub-Processors does “RFA” use? (optional)

We only work with industry standard service providers for Our Service to be able to supply a service that is up to the highest standards of availability, stability, security and privacy. In other words, we are building on the shoulders of giants. We provide a full and up-to-date list of our Sub-Processors.

  1. Are your Sub-Processors also GDPR compliant?

Yes, we have in place written Data Processing Agreements (“DPA”) with all of Our Sub-Processors.

  1. Data Inventory

We have reviewed and identified all the areas of “RFA” where we collect and process Customer data; categorising and recording all data from cookies to help desk and User conversations. We have fully validated our legal basis for collecting and processing personal data and ensured that we are applying appropriate security and privacy safeguards across our entire infrastructure and software ecosystem. 

  1. Risk assessment

We implement data impact assessments (DPIA) where this is a process requirement for GDPR in considering the processing of PII.

Any time we introduce a change to the way we handle personal data, a DPIA is conducted. Where a risk is identified, “RFA” will seek to mitigate the data privacy and security risk to anyone who interacts with the “RFA” platform. We will continue to execute this risk assessment process as we expand the “RFA” offerings.

Breach management

“RFA” has in place a breach management and communication plan. We constantly update our processes to comply with the GDPR regulations concerning the escalation process and requirements for data subject notification.

Your rights under GDPR

Users and customers are free to opt-out and be forgotten as per the DPA 2018 Right-To-Be-Forgotten principles. Where you seek to exercise your rights all relevant member data will be permanently deleted in our user database, and any peripheral data such as ideas will be transferred to an anonymous placeholder. 

You’re always welcome to contact us in case you’d like to access, correct, amend or delete information that we hold about you.

Clear and concise legal terms

At “RFA” we practice transparency internally and we believe that transparency extends to our Customers. With our updated Privacy Policy, we openly describe which personal data we are collecting, processing, why, how we use it, who we share it with and how long we store it. We have always made an effort to keep the language in our Privacy Policy as clear as possible and we have updated these notices to describe how we are respecting and protecting your personal data. We hope you find it concise, transparent, intelligible and easily accessible.


We continually review and where required update our cookie policy and other relevant and applicable policies to provide you with complete transparency into what is being set when you visit our site and how it's being used. Please refer to our cookie policy for further guidance and steps you can take in order to control how your browser handles cookies.

Individual Data Subject's Rights

We are committed to helping our customers meet the data subject rights requirements of GDPR. “RFA” processes or stores all personal data in fully vetted, DPA compliant vendors. We do store all conversation and personal data for up to 7 years in line with Statute of Limitations unless your account is deleted. In which case, we dispose of all data in accordance with our Terms of Service and Privacy Policy, within 60 days. Information regarding legal transactions between Customers and “RFA” will be stored for up to 10 years. We are aware that if you are working with EU customers, you need to be able to provide them with the ability to access, update, retrieve and remove personal data and will assist you with any such GDPR related requests free of charge.