Privacy
Policy.

1. Who We Are

Continuity AI Ltd ("we", "us", "our") trades under the RightOnQ™ brand. We are registered in England and Wales (Companies House No. 17119848) at Clay Bank Farmhouse, Clay Bank, Hook Norton, Banbury, England, OX15 5PA.

The role we hold under UK GDPR depends on whose personal data is being processed:

For visitors to our website and for our business clients (the people and companies who buy and operate our service), we act as a data controller.

For end recipients of messages — for example, the customers, clients, staff, contractors, agents, residents or service users of our business clients — we act as a data processor, processing their personal data on the documented instructions of the business client (who is the controller). This Privacy Policy describes both roles. Where we act as a processor, the controller is the business client whose dashboard or campaign you have been registered into; data subject requests from end recipients should normally be directed to that controller in the first instance.

Data protection contact: Adam Smith, adam@rightonq.co.uk

2. What Data We Collect

Website visitors (controller): name, company name, email address and message content submitted via our contact form; basic usage data (pages visited, browser type, referring URL) via standard server logs.

Business clients / operators (controller): company name, contact name, email address and billing information; account login credentials (email and hashed password); usage data such as message volumes, delivery and read rates, dashboard activity and audit logs.

End recipients of messages (processor — uploaded by our business clients): mobile phone number; first and/or last name where supplied for personalisation; group, audience or customer tag; message content and replies (including suggested-reply selections on RCS); delivery, read and confirmation receipts; timestamp data.

We do not deliberately collect special category data (such as health, race, religion, sexual life or political opinion). However, the content of messages is determined by our business client and could contain or imply sensitive information. Where this is the case, the business client is responsible for ensuring the data is lawful to send, for identifying any required Article 9 condition, and for giving any required notices to recipients.

3. How We Use Your Data

We use personal data only for the purposes set out below.

To deliver our messaging service. We use mobile phone numbers, names, group or audience tags and message content to deliver scheduled RCS Business Messaging and SMS fallback messages on behalf of our business clients, and to record delivery, read and reply data so the business client can manage responses and follow-up.

To operate our platform. We use business client account, login, billing and usage data to authenticate users, present the dashboard, raise invoices, prevent abuse and maintain audit logs.

To respond to enquiries and contact-list requests. We use contact form data to answer questions submitted via our website and, where requested, to send updates about RightOnQ, RCS Business Messaging and related service information. You can ask us to stop sending updates at any time by contacting adam@rightonq.co.uk.

Lawful basis. For business clients, the lawful basis is contract — processing is necessary to deliver the service you have engaged us for. For website enquirers and contact-list requests, the lawful basis is legitimate interests — namely responding to your enquiry and keeping interested UK businesses informed about our service, unless consent is required for a particular communication. Where we act as processor for end-recipient data, we process it on the business client’s documented instructions under our DPA. The business client is responsible for identifying its Article 6 and, where needed, Article 9 basis, and for PECR compliance before adding recipients to the platform.

We do not sell personal data, do not use end recipient data for advertising or marketing, and do not use automated decision-making that produces legal or similarly significant effects.

4. Messaging Channels and Sub-processors

We deliver messages using carefully selected third-party service providers who help us deliver, secure, monitor and support our service. These include messaging infrastructure, telecoms connectivity and message delivery providers used to route or deliver RCS, SMS and related communications. The provider used for a particular business client may vary by configuration, country, carrier and service requirements.

Where we act as a processor for our business clients, our use of sub-processors is governed by our customer agreements and data processing terms. A current list of material sub-processors is available to customers on request or under the applicable customer agreement. We notify customers of intended additions or replacements where required by those terms.

Where messages are delivered via RCS, branded sender registration, message routing and delivery may also involve Google LLC, mobile carriers and other RCS infrastructure providers.

RCS onboarding and sender registration. Where we help with RCS onboarding, we may process and share business contact details, sender profile information, company descriptions, logos, banner assets, brand colours, example message content, opt-in and opt-out descriptions, use-case information and approval materials with the relevant messaging provider, Google and/or mobile carriers for registration, approval and ongoing sender management.

International transfers. Some providers we use, including messaging providers, RCS infrastructure providers, analytics providers, form processors, payment processors and cloud providers, may process personal data outside the UK. Where personal data is transferred internationally, we use appropriate safeguards such as the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, the EU SCCs with the UK Addendum, adequacy arrangements, or equivalent lawful transfer mechanisms. Copies of relevant safeguards are available from us on request where applicable.

5. Who Else We Share Data With

In addition to the messaging, telecoms connectivity and delivery providers described in section 4, we share data only as necessary to operate our service:

• Cloud hosting and platform providers — for secure data storage, application hosting and operational logging.
• Payment processors — Stripe and GoCardless — for billing of business clients only.
• Form and email processors — including Formspree or any replacement form processor — for website enquiries and contact-list requests.
• Analytics providers — Google Analytics, where analytics consent has been given, to understand how the website is used.
• HMRC, regulators and law enforcement — where we are required to do so by law or where it is necessary to protect our rights or those of others.

We put written processing terms and appropriate safeguards in place with processors where required. A current list of material sub-processors is available to customers on request or under the applicable customer agreement. Material additions or replacements will be notified in advance to business clients in accordance with our Terms & Conditions.

6. Recipient Opt-Out

Recipients can opt out of further messages at any time by replying STOP (or an equivalent localised keyword) to any message, or by using opt-out controls offered within RCS where available. Opt-out requests are processed promptly on the messaging platform and the relevant business client is notified so that they can update their internal records. The business client is responsible for ensuring opted-out recipients are not re-registered without fresh documented permission or another valid lawful basis.

7. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, in line with the following schedule:

• Message content, replies and delivery/read receipts — retained for 12 months from the date of sending and then deleted from our systems. Note that our messaging sub-processors may apply their own minimum retention periods to certain message metadata for billing reconciliation, regulatory and abuse-prevention purposes; deleted data may also persist in their backups for a short period before final removal.
• Business client account, billing and tax records — retained for the duration of the contract plus 6 years (HMRC requirements).
• End recipient records (name, mobile number, group tag) — retained while the business client maintains the recipient on the platform, and deleted within 30 days of the recipient being removed from the platform or the client’s contract ending, subject to any sub-processor minimum retention periods.
• Website enquiries — retained for 12 months from receipt.
• Contact-list requests — retained until you ask us to remove you, or until we no longer need the contact record for service updates.
• RCS onboarding and sender-registration materials — retained for the duration of the client relationship and for up to 6 years afterwards where needed for contract, audit, regulatory, carrier or dispute purposes.
• Analytics and cookie-consent records — retained according to the settings of the relevant analytics and consent tools, and reviewed periodically.
• Audit logs and security records — retained for up to 24 months for fraud, abuse and security investigations.

8. Your Rights

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — request correction of inaccurate data
• Erasure — request deletion of your data, subject to our legal retention obligations
• Restriction — request we limit processing of your data
• Portability — receive your data in a structured, machine-readable format
• Object — object to processing based on legitimate interests
• Opt out of messages — reply STOP to any message at any time

To exercise any right, contact adam@rightonq.co.uk. We will respond within one calendar month. Where you are an end recipient and the business client controls your data, we may need to refer you to that controller; we will tell you who to contact.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

9. Data Security

We implement appropriate technical and organisational measures to protect personal data, including HTTPS encryption for all data in transit, encryption at rest for stored data, role-based access controls, multi-factor authentication for administrative access, audit logging and regular security reviews. Our messaging sub-processors are independently assessed against recognised security standards.

In the event of a personal data breach, we will notify the ICO where required and, where feasible, within 72 hours of becoming aware of the breach. We will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms. Where we act as a processor, we will notify the relevant business client (the controller) without undue delay so that they can meet their own notification obligations.

10. Cookies and Embedded Content

Our website uses essential cookies necessary for the site to function. Where you give consent through our cookie banner, we may also use Google Analytics cookies to understand how the site is used. We do not use advertising cookies and we do not sell or share personal data for advertising. Some pages may embed video content (for example, hosted on YouTube or Vimeo) for product demonstration purposes; if you play that content, the relevant video provider may set cookies on your device under their own terms.

11. Changes to This Policy and Contact

We may update this Privacy Policy from time to time. Material changes will be communicated to business clients by email at least 30 days before they take effect. The current version is always available at www.rightonq.co.uk/privacy/.

Continuity AI Ltd (trading as RightOnQ™), Clay Bank Farmhouse, Clay Bank, Hook Norton, Banbury, England, OX15 5PA. Contact: adam@rightonq.co.uk