RPOST PRIVACY NOTICE
This is the Privacy Notice of RPost UK Limited and its related entities providing RPost service operations (“RPost”). The registered office of RPost UK Limited is The Glades, Festival Way, Festival Park, Stoke on Trent ST1 5SQ.
This Privacy Notice is in two sections:
A. PERSONAL DATA WE MAY COLLECT FOR CLIENTS WHO USE OUR SERVICES
B. PERSONAL DATA WE MAY COLLECT FOR MARKETING OUR SERVICES
A. PERSONAL DATA WE MAY COLLECT FOR CLIENTS WHO USE OUR SERVICES
Personal data that we may collect
1. RPost provides services only to clients who have agreed their terms and conditions, which deal with data protection issues.
2. RPost has requested all end users update their service operations since May 2017 to the latest versions. Other than those customers that have not updated their service operations since May 2017, or have requested service processing to be in the United States, all RPost service messages for service operations are processed in secure data centre servers housed in the European Union, with facility operations providing high levels of data security.
3. RPost does not collect personal data. The data that RPost systems may store for limited periods of time are related to processing of messages and their content according to the service features requested by the sender or sender organization, and data associated with the customer entity and customer administrator, as well as the email addresses associated with messages the sender opts to have processed with RPost services.
How personal data may be collected
4. Provisioning Service. When provisioning service for end users, the customer, RPost staff or reseller administrators may enter information related to the customer in the RPost service provisioning system, which may include data associated with the customer entity and customer administrator, as well as the email addresses associated with messages the sender opts to have processed with RPost services.
5. Normal Service Operations: When a sender or sender organization routes a message to be processed by RPost service operations, RPost receives information contained in the message at its secure data processing centre servers. RPost processes the message according to the instructions of the sender, and RPost service operations may record information about the message including sender and recipient email addresses and the subject line content. Some of these messages may contain personal data, although not all of them do. RPost does not look at the contents of these messages, although it is aware of the sender’s and receiver’s email addresses. RPost may have to access messages to repair service operations. RPost treats all data as if it was personal, even if it is not. RPost does not modify the content of personal data in any way and much of it is encrypted.
6. When a Customer uses any of RPost’s Services, RPost may collect the following data:
a. Name and addresses of the Customer and its administrator
b. Name and email address of the Sender;
c. Email address of the intended recipient;
d. Size of the message content sent;
e. Passwords associated with the message content;
f. Information listed on the subject field of the messages.
7. RPost supplies main services to track electronic message delivery, record content and timestamp sent and received, encrypt messages in transmission, transmit large files, and manage e-signature processes, as described on its websites seen from its websites:
a. RPost; www.rpost.com
b. RMail; www.rmail.com
c. R-Sign; www.rsign.com
8. RPost retains most data only during message processing. The timeframes of retention vary based on the service features requested and other instructions provided by the sender or sender administrator. For example, Registered Email messages and RMail encrypted email messages are not retained by the RPost systems except for short periods of time required for the processing, compiling, and quality assurance verification of the Registered Receipt email record, which has a normal service operation time period of between several minutes and up to 2 hours from the time of sending, with the variance generally depending on transmission status of each recipient and unless storage extensions are requested by the sender organization by agreement with RPost. RMail e-sign services may retain message content until each recipient of the message sent for recipient signoff has completed the signoff process, with a time limit of 30 days. RMail large file transfer services may retain message content until expiration set by the sender or sender organization within a time parameter of 1 to 90 days, with a default of 14 days. RSign e-signature services may retain message content until each recipient of the message sent for recipient signoff has completed the signoff process, with a time limit of 30 days, and may store on behalf of the sender organization copies of signed messages until the sender purges them, with a normal retention period of one year unless extended by the sender organization by agreement with RPost. RPortal customer administration data (information referenced in #6 above) is retained for the duration of the customer service agreement and may be retained for audit purposes after termination of the agreement, unless the customer opts not to have this information retained, in which case it shall be retained until billing and payment has been completed; and this data may be accessed by sales organizations provisioning service on behalf of the customer, their management entities, and the customer administrator.
9. While many messages are received over the internet by a secure channel to the RPost systems, this is not a requirement. It is the responsibility of the sender, their organization, or messaging provider to transmit their messages to the RPost systems through secure channels such as HTTPS or TLS (Transport Layer Security) or using RPost apps that may be configured to transmit messages encrypted to the RPost systems. While many messages are sent from the RPost systems over the internet by a secure channel to recipient systems, this is not a requirement. It is the responsibility of the sender, their organization, or messaging provider to transmit their messages to the RPost systems with instructions to encrypt the message in transport to the recipient or recipient messaging gateway encrypted or password protected. RPost assumes no responsibility for the security, confidentiality or privacy of files sent to its systems or uploaded to its systems when the encryption options are not used. By using RPost services without encryption options, you acknowledge and agree: (i) to assume sole responsibility for the content of any files sent or uploaded, hosted and/or transmitted; and (ii) to assume any liability arising from your transmission of, and/or any third party’s receipt of, your sent or uploaded files.
10. RPost has requested all end users update their service operations since May 2017 to the latest versions. Other than those customers that have not updated their service operations since May 2017, or have requested service processing to be in the United States, all RPost service messages for service operations are processed in secure data centre servers housed in the European Union, with facility operations providing high levels of data security. Due to the inherent nature of normal Internet messaging protocols, RPost cannot control what geography a sender may be in when they send message from their systems that are directed for processing at its data centre servers housed in the European Union; RPost cannot control what geography a recipient of a sender’s message may be in when they receive or collect a message from the RPost systems that are processed at its data centre servers housed in the European Union; and RPost can neither control the geographic Internet routing of messages transmitted from senders to RPost data centre servers housed in the European Union nor the geographic Internet routing of messages transmitted from the RPost data centre servers housed in the European Union to the intended message recipients. RPost is not responsible for ensuring Internet message routing remains within the geography of the European Union.
What we will do with the personal data we may collect
12. We carry out the Customer’s instructions, according to which services the sender chooses.
13. We use the personal data for billing.
What we will not do with the personal data we may collect
14. We will not transfer data received other than for normal service operations according to the services the sender chooses, which includes making billing data available to the sender customer administrator and those parties that make the RPost services available to the sender via service provisioning systems.
B. PERSONAL DATA WE MAY COLLECT FOR MARKETING OUR SERVICES
Personal data we may collect
• Information that you provide by filling in newsletter, partnership or enquiry forms on our website www.rpost.com, www.rmail,com, www.rsign.com, and other related service websites and marketing landing pages. This information may include, for example, enquiring party name, email address, phone numbers, job title, organisation name.
• Your name, email address, phone numbers, job title, organisation name which you may share through business cards, direct mail, telephonic or in-person contact.
• Personal data which is publicly available from a third party such as held on LinkedIn, Facebook and Twitter.
• When you access our websites noted above and their associated landing pages and websites, details of your visits (including, but not limited to, traffic data, location data, weblogs and other communication data, and the resources that you access).
We may also ask you for information when you contact us for any enquiries, product demos, partnership information or other business interests. If you contact us, we may keep a record of that correspondence.
Where we store your personal data
The data that we collect from you is stored on our Customer Relationship Management (CRM) system and its associated marketing systems. RPost uses third party systems and cannot control where the data from these systems reside, and RPost staff, consultants and sales partners may access some of this information in their efforts to respond to your enquiries in the most suitable manner. Such staff, consultants and sales partners may be engaged in, among other things, the fulfilment of your order and the provision of support services. By submitting your data, you agree to this transfer, storing and/or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Notice.
We maintain strict security standards and procedures with a view to preventing unauthorised access to your data by anyone, including our staff not authorized to have access. All our staff and third parties, whenever we hire them to provide support services, are required to observe our privacy standards and to allow us to audit them for compliance.
Why we require this data
We collect the personal data about you:
• to provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such direct marketing purposes;
• to carry out our obligations arising from any contracts entered into between you and us or to manage our relationship with you;
• to meet our ongoing regulatory and compliance obligations, including in relation to recording and monitoring communications, disclosures to tax authorities, financial service regulators and other regulatory and governmental bodies, and investigating or preventing crime;
• to undertake transactional and statistical analysis, and related research;
• to ensure that content from our Site is presented in the most effective manner for you and for your computer (or mobile device). We may use your information collected from the website to personalise your repeat visits to our website.
We may also use your data to provide you with information about good and services of RPost which may be of interest to you and where you have provided consent we may contact you about these by post, telephone, email or text message.
Disclosure of your information
We may disclose personal data for internal and administrative purposes and where you give consent to provide you with information regarding our products, services, future marketing events and job opportunities.
We may disclose personal data to third parties that are specifically engaged by us to provide services to us, in which case we will require those parties to keep that information confidential and secure and use it solely for the purposes of providing the specified services to us
How long we will store your data
Personal data held by us will be kept confidential. How long we hold your personal data for will vary and will be determined by various criteria, including:
• the purpose for which we are using it – we will need to keep the data for as long as is necessary for that purpose; and
• legal obligations – laws or regulations may set a minimum period for which we have to keep your personal data.
• In the event that RPost, in its sole discretion, determines or suspects that any uploaded file(s) constitute(s), or may give rise to, a violation of any law, copyright, trademark, regulation or the RPost service agreement, or you are otherwise in breach of any provision of the service agreement, RPost reserves the right to remove your stored file(s) and/or to deactivate links to stored file(s) without further notice to you.
Your rights in relation to your data
• You have a right to request a record of the information which we hold about you. If you wish to make an application to obtain this information, please contact us.
• We take reasonable steps to ensure that the personal data we collect, use or disclose is accurate, complete and up-to-date. • If you wish us to erase or restrict using your data, please contact us. We may need to discuss with you the basis of your request, as there may be circumstances where we are legally entitled to continue processing your personal data and/or to refuse your request.
• If you have previously provided your consent to our use of your data and you wish to withdraw consent, please contact us. We may need to discuss with you whether our use of your data needs to continue for lawful purposes.
• The law gives us 30 days to action your request for personal data held by us.
• If you have any complaints in relation to the way we have used your personal data, please contact us in the first instance. You also have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (Tel: 0303 123 1113), if you think we have infringed your rights.
C. ADDITIONAL PRIVACY STATEMENT: RMAIL APP FOR GMAIL
The RMail app for Gmail routes outbound Gmail SMTP messages to RMail services by modifying the recipient addresses with a domain extension (e.g. .rpost.biz). The messages are routed using a wildcard MX record and the added recipient domain extensions are removed for processing when received by the RMail service. (For example: To: firstname.lastname@example.org is modified to: email@example.com en route from Gmail servers to RMail service servers; the DNS Lookup for *.rpost.biz is MX 10 gate.r1.rpost.net)
In the RMail for Gmail app, the RMail software downloads the draft message to be sent, modifies the recipient addresses in the draft as noted above, sends the modified message to the modified destination as noted above, and deletes the original draft message. Additionally, the RMail software modifies the addresses in the sent item after sending and in the user contacts after sending, to reflect the original correct recipient addresses (without the RMail added domain extension).
Updating the sent item requires listing and downloading the sent item with modified addresses, creating a replacement sent item with the correct original addresses, deleting the sent item with modified addresses. To delete a message (sent item), the only Google provided scope available is https://mail.google.com/ (https://developers.google.com/gmail/api/v1/reference/users/messages/delete). That scope covers all of the RMail software needs apart from the Gmail Contacts API used to update the contacts address to return it to its original unmodified address (without the RMail added extension). For contacts management, the RMail software uses: https://www.google.com/m8/feeds/
Therefore, the RMail app for Gmail applies for the above mentioned two scopes, the minimum that the RMail app for Gmail needs. A summary of Scopes and APIs used follow. Scopes:
https://mail.google.com/ and https://www.google.com/m8/feeds/. APIs: (a)
https://www.googleapis.com/gmail/v1/users/userId/messages (e) https://www.googleapis.com/gmail/v1/users/userId/messages/id/modify (f)
https://accounts.google.com/o/oauth2/token and (k)
D. RPOST’S PRIVACY PHILOSOPHY
RPost uses best efforts to abides by each respective country’s privacy rules and principles as service is taken up in the country. RPost abides by practices and procedures to meet the requirements of the European General Data Protection Regulation, the National Privacy Principles of Australia, and the U.S. Privacy Act 1988, as well as other privacy laws specific to other countries and territories.
How to contact us
Please contact us if you have any questions about our Privacy Notice or information we hold about you:
• By electronic transmission: https://www.rpost.com/contact/
• or write to: Privacy Team, RPost UK Ltd, The Glades, Festival Way, Festival Park, Stoke on Trent, ST1 5SQ
Changes to our Privacy Notice
This notice was updated on 11 March 2019. We reserve the right to change this notice at any time.