1. Overview

This Data Protection Policy sets out the principles, procedures, and technical measures adopted by Rais Opportunities Ltd (“the Company”) to ensure the lawful, secure, and responsible processing of personal data.

The Company recognises that the correct handling of personal data is essential to:

  • Maintaining trust with clients and partners

  • Protecting the rights and freedoms of individuals

  • Complying with applicable legal and regulatory requirements

This document combines:

  • Policy requirements (what must be done)

  • Operational procedures (how it is done)

  • Technical and organisational controls (how it is enforced)

This policy applies to all:

  • Employees

  • Contractors

  • Third-party processors

  • Systems and platforms used by the Company

2. Legal and Regulatory Framework

The Company processes personal data in accordance with:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Applicable EU GDPR requirements (where processing relates to EU data subjects)

Where relevant, the Company also considers:

  • Guidance from the Information Commissioner’s Office

  • Industry best practices

  • ISO 27001 information security principles

3. Definitions

For the purposes of this Policy:

Personal Data
Any information relating to an identified or identifiable individual.

Processing
Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

Data Subject
An individual whose personal data is processed.

Data Controller
The entity that determines the purposes and means of processing personal data.
→ The Company acts as a Controller for its own business data. The Company’s Clients act as Data Controllers for their own data.

Data Processor
An entity that processes personal data on behalf of a Controller.
→ The Company also acts as a Processor for its clients.

Special Category Data
Sensitive personal data requiring enhanced protection.

4. Roles and Responsibilities

4.1 Data Protection Lead

Role: Will Young / will@rais.io

The Data Protection Lead is responsible for:

  • Overseeing compliance with this Policy

  • Acting as the primary contact for data protection matters

  • Managing data breaches and regulatory reporting

  • Conducting Data Protection Impact Assessments (DPIAs)

  • Maintaining records of processing activities

4.2 Employees and Contractors

All personnel must:

  • Process personal data only where authorised

  • Follow all procedures set out in this Policy

  • Protect the confidentiality and security of personal data

  • Report any suspected breach immediately

Failure to comply may result in disciplinary action.

4.3 Third Parties

All third-party processors must:

  • Be subject to written Data Processing Agreements (DPAs)

  • Implement appropriate technical and organisational measures

  • Act only on documented instructions

5. Data Protection Principles

The Company adheres to the following principles:

5.1 Lawfulness, Fairness and Transparency

Personal data must be processed lawfully and transparently.

5.2 Purpose Limitation

Data is collected only for specified, legitimate purposes.

5.3 Data Minimisation

Only data necessary for the intended purpose is processed.

5.4 Accuracy

Data must be accurate and kept up to date.

5.5 Storage Limitation

Data is retained only as long as necessary.

5.6 Integrity and Confidentiality

Data must be protected against unauthorised access, loss, or damage.

5.7 Accountability

The Company must be able to demonstrate compliance at all times.

6. Lawful Basis for Processing

The Company processes personal data under the following lawful bases:

Activity Lawful Basis

Client service delivery →. Contract

Employee management → Legal obligation

Business operations → Legitimate interests

Marketing communications → Consent (where required)

A Record of Processing Activities (ROPA) is maintained to document all processing.

7. Data Collection and Processing Activities

The Company processes personal data in the following categories:

7.1 Employee Data

  • Name, contact details

  • Payroll and banking information

  • Emergency contact details

Purpose: Employment administration and legal compliance

7.2 Client Data

  • Name, email, phone number

  • Business contact details

Purpose: Service delivery, communication, billing

7.3 Client Customer Data (Processor Role)

  • Customer contact details

  • Transactional and behavioural data

Purpose: Provision of analytics and business intelligence services

7.4 Data Sources

Data may be obtained:

  • Directly from individuals

  • From client systems

  • From authorised third parties

8. Data Subject Rights

The Company recognises and supports all data subject rights:

  • Right to be informed

  • Right of access

  • Right to rectification

  • Right to erasure

  • Right to restrict processing

  • Right to data portability

  • Right to object

  • Rights related to automated decision-making

See Schedule 1 below for more details on how we support requests relating to these rights.

8.1 Handling Requests

  • Requests must be submitted to: will@rais.io

  • Response time: within one month

  • Identity verification is required before disclosure

8.2 Subject Access Requests (SARs)

The Company:

  • Provides data in a structured format

  • Does not charge a fee unless requests are excessive

  • Logs all requests for audit purposes

9. Data Handling Procedures (Operational Controls)

9.1 General Handling Rules

  • Personal data must never be shared informally

  • Access must be strictly controlled

  • Data must only be used for authorised purposes

9.2 Email Handling

  • Personal data should not be transmitted via email where avoidable

  • Where necessary:

    • Data must be minimised

    • Attachments must be encrypted

  • Personal data must be removed from email bodies and stored securely

  • Emails containing personal data must be deleted once stored

9.3 Secure Storage

  • Data must be stored only in approved systems:

    • AWS infrastructure

    • Google Workspace

  • Access must be restricted using permissions

9.4 Data Transfer

  • Only secure methods may be used:

    • SFTP

    • HTTPS

    • Secure cloud sharing

  • Unsecured channels are prohibited

9.5 Physical Data

  • Hard copies must be:

    • Stored in locked containers

    • Shredded when no longer required

9.6 Device Use

  • Devices must be locked when unattended

  • Personal devices may only be used if:

    • Approved

    • Encrypted

    • Secure

10. Data Retention and Disposal

The Company ensures that personal data is not retained longer than necessary for the purposes for which it is processed.

10.1 Retention Principles

  • Retention periods must be defined and documented

  • Data must be reviewed periodically

  • Data no longer required must be securely deleted or anonymised

10.2 Retention Schedule

Data Type Retention Period Rationale

Employee records → 6 years after termination → Legal compliance

Financial records → 10 years → HMRC requirements

Client data → Contract duration → Contractual/legal

Marketing data → 24 months. → Business relevance

10.3 Secure Disposal

When data is no longer required:

  • Electronic data must be:

    • Permanently deleted

    • Removed from backups where feasible

  • Physical data must be:

    • Cross-shredded

    • Securely destroyed

11. Security Measures (Technical & Organisational Controls)

11.1 Core Security Principles

The Company applies:

  • Defence in depth

  • Least privilege access

  • Secure-by-design architecture

11.2 Access Control

  • Access is granted based on role and necessity only

  • Each user has:

    • Unique credentials

    • Defined access level

  • Access rights are:

    • Reviewed regularly

    • Revoked immediately upon role change or termination

11.3 Authentication & Identity Security

  • Multi-Factor Authentication (MFA) is mandatory for:

    • AWS

    • Google Workspace

    • Administrative access

  • Password requirements:

    • Minimum 12 characters or passphrases

    • Must not be reused across systems

  • Credentials must:

    • Never be shared

    • Be stored securely (e.g. encrypted vaults)

11.4 Encryption

All data must be protected using:

  • In transit: TLS 1.2 or higher

  • At rest: AES-256 or equivalent

Encryption applies to:

  • Data transfers

  • Backups

  • Storage systems

11.5 Infrastructure Security

The Company’s production systems are hosted on cloud servers in the E.U. and secured as follows:

  • Use of Identity and Access Management (IAM) roles

  • Restricted access to production environments

  • Separation of environments:

    • Production

    • Staging

    • Development

  • Servers:

    • Isolated within secure network zones

    • Accessible only via controlled entry points

11.6 Application Security

  • Code changes are reviewed before deployment

  • Security testing is performed prior to release

  • Development tools are:

    • Standardised

    • Regularly updated

11.7 Logging and Monitoring

The Company maintains logs to ensure accountability:

  • Logs capture:

    • User access

    • System activity

    • Administrative actions

  • Logs are:

    • Reviewed regularly

    • Retained for 30 days

11.8 Backup and Recovery

  • Data is backed up:

    • Daily

    • Automatically

  • Backups are:

    • Encrypted

    • Stored separately from production

  • Backup integrity is:

    • Tested periodically

11.9 Network and Communication Security

  • All communication is encrypted

  • Public access is restricted

  • DDoS protection is implemented using Cloudflare

11.10 Endpoint Security

  • All devices must:

    • Use antivirus / endpoint protection

    • Be regularly updated

    • Be protected with strong authentication

11.11 Operational Security Practices (From Your Original Controls)

These are preserved and strengthened:

  • No personal data stored on unauthorised devices

  • No sharing of credentials under any circumstances

  • Use of secure vaults for sensitive information

  • Regular internal security checks

  • Separation of duties across systems

12. Sub-Processors and Third Parties

The Company uses third-party service providers, including:

  • AWS (hosting infrastructure)

  • Google Workspace (email and document storage)

12.1 Third-Party Requirements

All sub-processors must:

  • Be subject to Data Processing Agreements (DPAs)

  • Implement appropriate security measures

  • Comply with UK GDPR requirements

12.2 Vendor Risk Management

  • Vendors are reviewed periodically

  • Security practices are assessed

  • High-risk vendors require additional controls

13. International Data Transfers

Where personal data is transferred outside the UK:

The Company will ensure appropriate safeguards are in place, including:

  • UK International Data Transfer Agreements (IDTAs)

  • Standard Contractual Clauses (SCCs)

  • Adequacy decisions

14. Data Protection Impact Assessments (DPIAs)

DPIAs are conducted where processing may pose high risk.

14.1 When DPIAs are Required

  • New systems or technologies

  • Large-scale data processing

  • Profiling or analytics involving individuals

14.2 DPIA Process

  • Identify risks

  • Assess necessity and proportionality

  • Define mitigation measures

  • Document outcomes

15. Data Breach Management

15.1 Reporting

All data breaches must be reported immediately to:

Will Young: will@rais.io

15.2 Investigation

The Company will:

  • Assess impact and scope

  • Identify root cause

  • Implement remediation

  • Notify the Client within 48 hours if breach affects their data

15.3 Regulatory Notification

Where required:

  • The Information Commissioner’s Office is notified within 72 hours

15.4 Data Subject Notification

Where risk is high:

  • Affected individuals are informed without delay

  • If affected individuals are Customers of the Company’s Client, the Company’s Client, as Data Controller, will notify those affected individuals

16. Training and Awareness

  • All staff receive:

    • Data protection training

    • Security awareness training

  • Training is:

    • Provided at onboarding

    • Refreshed annually

17. Governance, Audit and Continuous Improvement

The Company maintains ongoing compliance through:

  • Annual policy reviews

  • Internal audits

  • Security assessments

  • Continuous improvement of controls

17.1 Record Keeping

The Company maintains:

  • Records of processing activities

  • Incident logs

  • Training records

  • Audit results

 



Schedule 1 - GDPR support from RAIS 

The following section illustrates how We will help You with consumer ‘rights requests’

For the purposes of the information below, any reference to “Processor”, “We”, “Us” or “Ourselves” means, Rais Opportunities Ltd. and any reference to “Controller” or “You” means you, the Client. 



RIGHT OF ACCESS REQUESTS

A data subject may make a subject access request (“SAR”) at any time to find out more about the personal data which the Controller holds about them. We will make it easier for the Controller to fulfil such requests by providing You with access to the data subject’s “customer profile” page which includes details of the data held about them. You are not obliged to actually provide the specific details of the data held unless the data subject makes a right of data portability request (see below). In such cases we will provide You with an export feature that will allow You to export data from our platform and share it with a data subject in an appropriate format e.g. Microsoft Excel spreadsheet or Adobe PDF file. 



RIGHT TO RECTIFICATION OR DATA QUALITY REQUESTS

A data subject may inform the Controller that personal data held by the Controller is inaccurate or incomplete, requesting that it be rectified. In such cases We will provide the Controller the means to update personal data about the data subject within our platform. 

IMPORTANT: any update made on Our platform to an email address, first name or last name, will update the Controller’s email marketing platform accordingly, but not their e-commerce system.

Example 1. A data subject, who has made a previous purchase, states that the email address they are getting emails to is incorrect, then the Controller can use our platform to input a new email address against this data subject and unsubscribe the previous email address for them. This will subsequently update the email marketing platform in order to ensure that email campaigns are sent to the correct email address. It will not update the email address used to make the purchase, on the e-commerce platform. 

Example 2. A data subject, who has made a previous purchase, states that their postal address has changed, because they are no longer paying for their postal redirection service. The Controller finds this customer on their e-commerce platform and updates their billing address (it’s important that the update is made to the billing address as this is the address RAIS uses when it comes to providing address details for Direct Mail). RAIS consequently receives a notification from the e-commerce platform and updates this customer with their new address details. If the Controller chooses to only update the data subject’s address in RAIS, then RAIS will not update the e-commerce platform. Please note that RAIS will always be updated by source data systems like your e-commerce platform. So if a customer repurchases and provides a new or amended billing address then RAIS will be updated again.  

If you are unsure about the process to go through when fulfilling right to rectification requests, then please contact support@rais.io for help!



RIGHT TO ERASURE REQUEST

A data subject may request that the Controller erases the personal data it holds about them if it is no longer necessary for the Company to hold that personal data with respect to the purpose for which it was originally collected or processed or if they wish to withdraw their consent to the Controller holding and processing their personal data. In such cases We will provide You with the means to erase the personal data held about this data subject on our platform effectively anonymising them. This will consequently unsubscribe any email addresses we hold on the data subject within your email marketing platform. 

IMPORTANT: RAIS syncs with a single email list. If you use multiple email lists through programmes like Mailchimp, you dramatically increase the risk of not fulfiling right to erasure requests. This is because unsubscribe actions within Mailchimp are associated with individual lists. If a data subject exists on multiple lists then You must ensure that they are unsubscribed from all lists they are a member of. RAIS will only unsubscribe them from the list we sync with (usually your main marketing list). 

WHY UNSUBSCRIBE AND NOT DELETE:  deleting an email address actually carries a greater risk of re-subscribing that email address at a later date, especially when switching email marketing platforms. We therefore strongly recommend that you maintain a suppression list of unsubscribed email address, which you take with you if you switch email marketing platforms. That way any email address which was earlier deleted is less likely to be added to the new platform as subscribed. 

If you are unsure about the process to go through when fulfilling right to erasure requests, then please contact support@rais.io for help! 



RIGHT TO RESTRICT PROCESSING REQUESTS

A data subject may request that the Controller ceases processing the personal data it holds about them.  In such cases We will enable the Controller to retain only the amount of personal data pertaining to that data subject that is necessary to ensure that no further processing of their personal data takes place. 

Simply put this means that we provide You with the ability to unsubscribe the data subject from all marketing activities. This will continue to allow Us to process any future transactions that the data subject may make in order for you to carry out business performance analysis. 



RIGHT OF DATA PORTABILITY REQUESTS

A data subject may request that the Controller provides them with a copy of the personal data held on them in order to transfer it to another Data Controller. In such cases our export feature, mentioned above in the Right of Access section, will enable this to happen, as You will be able to export data from RAIS and provide it to the data subject. 



RIGHT TO OBJECT REQUESTS

A data subject has the right to object to the Controller processing their personal data based on a) legitimate interests (including profiling), b) direct marketing (including profiling), and c) processing for scientific and/or historical research and statistics purposes. 

In the case of legitimate interest, unless you can prove otherwise, You will have to stop processing by using Our delete feature that will anonymise the data subject and their data. 

In the case of direct marketing, You will have to stop processing by using Our delete feature that will anonymise the data subject and their data. 

In the case of processing for scientific and/or historical research and statistics purposes, the data subject must, ‘demonstrate grounds relating to his or her particular situation’. This is a harder one to manage. Depending on the grounds the data subject provides, You can either choose to use the delete feature to anonymise them or the unsubscribe feature to maintain processing for analysis purposes but stop processing for marketing purposes. 



RIGHTS RELATING TO AUTOMATED DECISION-MAKING

This is an important one. The GDPR states that:

In the event that the Controller uses personal data for the purposes of automated decision-making and those decisions have a legal (or similarly significant effect) on data subjects, data subjects have the right to challenge to such decisions under the Regulation, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from the Company.

Firstly, the automated decision making we provide you with includes our automated analysis of data subjects and subsequent assignment of data subjects to segments (e.g. lifecycle segments, email marketing segments etc.), which creates metadata tags about the data subject. 

But importantly, you decide how to use this metadata. It is not automatically used in an autonomous manner. We therefore do not believe that any processes You deploy which use these automatically generated metadata have a legal (or similarly significant effect) on data subjects. 

A legal effect might include whether or not to grant a data subject a loan, mortgage etc, based on the data subject inputting data into an online form and an algorithm automatically processing that data and deciding whether to grant the loan or not. You can see in such cases how such automated processing can have a legal effect or similar on a data subject and how there is no human interaction involved at all.