1. Overview
This Data Protection Policy sets out the principles, procedures, and technical measures adopted by Rais Opportunities Ltd (“the Company”) to ensure the lawful, secure, and responsible processing of personal data.
The Company recognises that the correct handling of personal data is essential to:
Maintaining trust with clients and partners
Protecting the rights and freedoms of individuals
Complying with applicable legal and regulatory requirements
This document combines:
Policy requirements (what must be done)
Operational procedures (how it is done)
Technical and organisational controls (how it is enforced)
This policy applies to all:
Employees
Contractors
Third-party processors
Systems and platforms used by the Company
2. Legal and Regulatory Framework
The Company processes personal data in accordance with:
UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Applicable EU GDPR requirements (where processing relates to EU data subjects)
Where relevant, the Company also considers:
Guidance from the Information Commissioner’s Office
Industry best practices
ISO 27001 information security principles
3. Definitions
For the purposes of this Policy:
Personal Data
Any information relating to an identified or identifiable individual.
Processing
Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Data Subject
An individual whose personal data is processed.
Data Controller
The entity that determines the purposes and means of processing personal data.
→ The Company acts as a Controller for its own business data. The Company’s Clients act as Data Controllers for their own data.
Data Processor
An entity that processes personal data on behalf of a Controller.
→ The Company also acts as a Processor for its clients.
Special Category Data
Sensitive personal data requiring enhanced protection.
4. Roles and Responsibilities
4.1 Data Protection Lead
Role: Will Young / will@rais.io
The Data Protection Lead is responsible for:
Overseeing compliance with this Policy
Acting as the primary contact for data protection matters
Managing data breaches and regulatory reporting
Conducting Data Protection Impact Assessments (DPIAs)
Maintaining records of processing activities
4.2 Employees and Contractors
All personnel must:
Process personal data only where authorised
Follow all procedures set out in this Policy
Protect the confidentiality and security of personal data
Report any suspected breach immediately
Failure to comply may result in disciplinary action.
4.3 Third Parties
All third-party processors must:
Be subject to written Data Processing Agreements (DPAs)
Implement appropriate technical and organisational measures
Act only on documented instructions
5. Data Protection Principles
The Company adheres to the following principles:
5.1 Lawfulness, Fairness and Transparency
Personal data must be processed lawfully and transparently.
5.2 Purpose Limitation
Data is collected only for specified, legitimate purposes.
5.3 Data Minimisation
Only data necessary for the intended purpose is processed.
5.4 Accuracy
Data must be accurate and kept up to date.
5.5 Storage Limitation
Data is retained only as long as necessary.
5.6 Integrity and Confidentiality
Data must be protected against unauthorised access, loss, or damage.
5.7 Accountability
The Company must be able to demonstrate compliance at all times.
6. Lawful Basis for Processing
The Company processes personal data under the following lawful bases:
Activity → Lawful Basis
Client service delivery →. Contract
Employee management → Legal obligation
Business operations → Legitimate interests
Marketing communications → Consent (where required)
A Record of Processing Activities (ROPA) is maintained to document all processing.
7. Data Collection and Processing Activities
The Company processes personal data in the following categories:
7.1 Employee Data
Name, contact details
Payroll and banking information
Emergency contact details
Purpose: Employment administration and legal compliance
7.2 Client Data
Name, email, phone number
Business contact details
Purpose: Service delivery, communication, billing
7.3 Client Customer Data (Processor Role)
Customer contact details
Transactional and behavioural data
Purpose: Provision of analytics and business intelligence services
7.4 Data Sources
Data may be obtained:
Directly from individuals
From client systems
From authorised third parties
8. Data Subject Rights
The Company recognises and supports all data subject rights:
Right to be informed
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object
Rights related to automated decision-making
See Schedule 1 below for more details on how we support requests relating to these rights.
8.1 Handling Requests
Requests must be submitted to: will@rais.io
Response time: within one month
Identity verification is required before disclosure
8.2 Subject Access Requests (SARs)
The Company:
Provides data in a structured format
Does not charge a fee unless requests are excessive
Logs all requests for audit purposes
9. Data Handling Procedures (Operational Controls)
9.1 General Handling Rules
Personal data must never be shared informally
Access must be strictly controlled
Data must only be used for authorised purposes
9.2 Email Handling
Personal data should not be transmitted via email where avoidable
Where necessary:
Data must be minimised
Attachments must be encrypted
Personal data must be removed from email bodies and stored securely
Emails containing personal data must be deleted once stored
9.3 Secure Storage
Data must be stored only in approved systems:
AWS infrastructure
Google Workspace
Access must be restricted using permissions
9.4 Data Transfer
Only secure methods may be used:
SFTP
HTTPS
Secure cloud sharing
Unsecured channels are prohibited
9.5 Physical Data
Hard copies must be:
Stored in locked containers
Shredded when no longer required
9.6 Device Use
Devices must be locked when unattended
Personal devices may only be used if:
Approved
Encrypted
Secure
10. Data Retention and Disposal
The Company ensures that personal data is not retained longer than necessary for the purposes for which it is processed.
10.1 Retention Principles
Retention periods must be defined and documented
Data must be reviewed periodically
Data no longer required must be securely deleted or anonymised
10.2 Retention Schedule
Data Type → Retention Period → Rationale
Employee records → 6 years after termination → Legal compliance
Financial records → 10 years → HMRC requirements
Client data → Contract duration → Contractual/legal
Marketing data → 24 months. → Business relevance
10.3 Secure Disposal
When data is no longer required:
Electronic data must be:
Permanently deleted
Removed from backups where feasible
Physical data must be:
Cross-shredded
Securely destroyed
11. Security Measures (Technical & Organisational Controls)
11.1 Core Security Principles
The Company applies:
Defence in depth
Least privilege access
Secure-by-design architecture
11.2 Access Control
Access is granted based on role and necessity only
Each user has:
Unique credentials
Defined access level
Access rights are:
Reviewed regularly
Revoked immediately upon role change or termination
11.3 Authentication & Identity Security
Multi-Factor Authentication (MFA) is mandatory for:
AWS
Google Workspace
Administrative access
Password requirements:
Minimum 12 characters or passphrases
Must not be reused across systems
Credentials must:
Never be shared
Be stored securely (e.g. encrypted vaults)
11.4 Encryption
All data must be protected using:
In transit: TLS 1.2 or higher
At rest: AES-256 or equivalent
Encryption applies to:
Data transfers
Backups
Storage systems
11.5 Infrastructure Security
The Company’s production systems are hosted on cloud servers in the E.U. and secured as follows:
Use of Identity and Access Management (IAM) roles
Restricted access to production environments
Separation of environments:
Production
Staging
Development
Servers:
Isolated within secure network zones
Accessible only via controlled entry points
11.6 Application Security
Code changes are reviewed before deployment
Security testing is performed prior to release
Development tools are:
Standardised
Regularly updated
11.7 Logging and Monitoring
The Company maintains logs to ensure accountability:
Logs capture:
User access
System activity
Administrative actions
Logs are:
Reviewed regularly
Retained for 30 days
11.8 Backup and Recovery
Data is backed up:
Daily
Automatically
Backups are:
Encrypted
Stored separately from production
Backup integrity is:
Tested periodically
11.9 Network and Communication Security
All communication is encrypted
Public access is restricted
DDoS protection is implemented using Cloudflare
11.10 Endpoint Security
All devices must:
Use antivirus / endpoint protection
Be regularly updated
Be protected with strong authentication
11.11 Operational Security Practices (From Your Original Controls)
These are preserved and strengthened:
No personal data stored on unauthorised devices
No sharing of credentials under any circumstances
Use of secure vaults for sensitive information
Regular internal security checks
Separation of duties across systems
12. Sub-Processors and Third Parties
The Company uses third-party service providers, including:
AWS (hosting infrastructure)
Google Workspace (email and document storage)
12.1 Third-Party Requirements
All sub-processors must:
Be subject to Data Processing Agreements (DPAs)
Implement appropriate security measures
Comply with UK GDPR requirements
12.2 Vendor Risk Management
Vendors are reviewed periodically
Security practices are assessed
High-risk vendors require additional controls
13. International Data Transfers
Where personal data is transferred outside the UK:
The Company will ensure appropriate safeguards are in place, including:
UK International Data Transfer Agreements (IDTAs)
Standard Contractual Clauses (SCCs)
Adequacy decisions
14. Data Protection Impact Assessments (DPIAs)
DPIAs are conducted where processing may pose high risk.
14.1 When DPIAs are Required
New systems or technologies
Large-scale data processing
Profiling or analytics involving individuals
14.2 DPIA Process
Identify risks
Assess necessity and proportionality
Define mitigation measures
Document outcomes
15. Data Breach Management
15.1 Reporting
All data breaches must be reported immediately to:
Will Young: will@rais.io
15.2 Investigation
The Company will:
Assess impact and scope
Identify root cause
Implement remediation
Notify the Client within 48 hours if breach affects their data
15.3 Regulatory Notification
Where required:
The Information Commissioner’s Office is notified within 72 hours
15.4 Data Subject Notification
Where risk is high:
Affected individuals are informed without delay
If affected individuals are Customers of the Company’s Client, the Company’s Client, as Data Controller, will notify those affected individuals
16. Training and Awareness
All staff receive:
Data protection training
Security awareness training
Training is:
Provided at onboarding
Refreshed annually
17. Governance, Audit and Continuous Improvement
The Company maintains ongoing compliance through:
Annual policy reviews
Internal audits
Security assessments
Continuous improvement of controls
17.1 Record Keeping
The Company maintains:
Records of processing activities
Incident logs
Training records
Audit results
Schedule 1 - GDPR support from RAIS
The following section illustrates how We will help You with consumer ‘rights requests’
For the purposes of the information below, any reference to “Processor”, “We”, “Us” or “Ourselves” means, Rais Opportunities Ltd. and any reference to “Controller” or “You” means you, the Client.
RIGHT OF ACCESS REQUESTS
A data subject may make a subject access request (“SAR”) at any time to find out more about the personal data which the Controller holds about them. We will make it easier for the Controller to fulfil such requests by providing You with access to the data subject’s “customer profile” page which includes details of the data held about them. You are not obliged to actually provide the specific details of the data held unless the data subject makes a right of data portability request (see below). In such cases we will provide You with an export feature that will allow You to export data from our platform and share it with a data subject in an appropriate format e.g. Microsoft Excel spreadsheet or Adobe PDF file.
RIGHT TO RECTIFICATION OR DATA QUALITY REQUESTS
A data subject may inform the Controller that personal data held by the Controller is inaccurate or incomplete, requesting that it be rectified. In such cases We will provide the Controller the means to update personal data about the data subject within our platform.
IMPORTANT: any update made on Our platform to an email address, first name or last name, will update the Controller’s email marketing platform accordingly, but not their e-commerce system.
Example 1. A data subject, who has made a previous purchase, states that the email address they are getting emails to is incorrect, then the Controller can use our platform to input a new email address against this data subject and unsubscribe the previous email address for them. This will subsequently update the email marketing platform in order to ensure that email campaigns are sent to the correct email address. It will not update the email address used to make the purchase, on the e-commerce platform.
Example 2. A data subject, who has made a previous purchase, states that their postal address has changed, because they are no longer paying for their postal redirection service. The Controller finds this customer on their e-commerce platform and updates their billing address (it’s important that the update is made to the billing address as this is the address RAIS uses when it comes to providing address details for Direct Mail). RAIS consequently receives a notification from the e-commerce platform and updates this customer with their new address details. If the Controller chooses to only update the data subject’s address in RAIS, then RAIS will not update the e-commerce platform. Please note that RAIS will always be updated by source data systems like your e-commerce platform. So if a customer repurchases and provides a new or amended billing address then RAIS will be updated again.
If you are unsure about the process to go through when fulfilling right to rectification requests, then please contact support@rais.io for help!
RIGHT TO ERASURE REQUEST
A data subject may request that the Controller erases the personal data it holds about them if it is no longer necessary for the Company to hold that personal data with respect to the purpose for which it was originally collected or processed or if they wish to withdraw their consent to the Controller holding and processing their personal data. In such cases We will provide You with the means to erase the personal data held about this data subject on our platform effectively anonymising them. This will consequently unsubscribe any email addresses we hold on the data subject within your email marketing platform.
IMPORTANT: RAIS syncs with a single email list. If you use multiple email lists through programmes like Mailchimp, you dramatically increase the risk of not fulfiling right to erasure requests. This is because unsubscribe actions within Mailchimp are associated with individual lists. If a data subject exists on multiple lists then You must ensure that they are unsubscribed from all lists they are a member of. RAIS will only unsubscribe them from the list we sync with (usually your main marketing list).
WHY UNSUBSCRIBE AND NOT DELETE: deleting an email address actually carries a greater risk of re-subscribing that email address at a later date, especially when switching email marketing platforms. We therefore strongly recommend that you maintain a suppression list of unsubscribed email address, which you take with you if you switch email marketing platforms. That way any email address which was earlier deleted is less likely to be added to the new platform as subscribed.
If you are unsure about the process to go through when fulfilling right to erasure requests, then please contact support@rais.io for help!
RIGHT TO RESTRICT PROCESSING REQUESTS
A data subject may request that the Controller ceases processing the personal data it holds about them. In such cases We will enable the Controller to retain only the amount of personal data pertaining to that data subject that is necessary to ensure that no further processing of their personal data takes place.
Simply put this means that we provide You with the ability to unsubscribe the data subject from all marketing activities. This will continue to allow Us to process any future transactions that the data subject may make in order for you to carry out business performance analysis.
RIGHT OF DATA PORTABILITY REQUESTS
A data subject may request that the Controller provides them with a copy of the personal data held on them in order to transfer it to another Data Controller. In such cases our export feature, mentioned above in the Right of Access section, will enable this to happen, as You will be able to export data from RAIS and provide it to the data subject.
RIGHT TO OBJECT REQUESTS
A data subject has the right to object to the Controller processing their personal data based on a) legitimate interests (including profiling), b) direct marketing (including profiling), and c) processing for scientific and/or historical research and statistics purposes.
In the case of legitimate interest, unless you can prove otherwise, You will have to stop processing by using Our delete feature that will anonymise the data subject and their data.
In the case of direct marketing, You will have to stop processing by using Our delete feature that will anonymise the data subject and their data.
In the case of processing for scientific and/or historical research and statistics purposes, the data subject must, ‘demonstrate grounds relating to his or her particular situation’. This is a harder one to manage. Depending on the grounds the data subject provides, You can either choose to use the delete feature to anonymise them or the unsubscribe feature to maintain processing for analysis purposes but stop processing for marketing purposes.
RIGHTS RELATING TO AUTOMATED DECISION-MAKING
This is an important one. The GDPR states that:
In the event that the Controller uses personal data for the purposes of automated decision-making and those decisions have a legal (or similarly significant effect) on data subjects, data subjects have the right to challenge to such decisions under the Regulation, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from the Company.
Firstly, the automated decision making we provide you with includes our automated analysis of data subjects and subsequent assignment of data subjects to segments (e.g. lifecycle segments, email marketing segments etc.), which creates metadata tags about the data subject.
But importantly, you decide how to use this metadata. It is not automatically used in an autonomous manner. We therefore do not believe that any processes You deploy which use these automatically generated metadata have a legal (or similarly significant effect) on data subjects.
A legal effect might include whether or not to grant a data subject a loan, mortgage etc, based on the data subject inputting data into an online form and an algorithm automatically processing that data and deciding whether to grant the loan or not. You can see in such cases how such automated processing can have a legal effect or similar on a data subject and how there is no human interaction involved at all.