RPOST PRIVACY NOTICE
This is the Privacy Notice of RPost UK Limited and its related entities (RPost US Inc, RPost Holdings Inc, RCom Limited, RPost Communications Ltd, RPost do Brasil Ltda, and RPost SA Costa Rica, RPost Switzerland GmbH) providing RPost service operations (“RPost”). The registered office of RPost UK Limited is The Glades, Festival Way, Festival Park, Stoke on Trent ST1 5SQ.
This Privacy Notice is in three sections and describes RPost policies with regards to information privacy as it relates to the use of information for the purposes of providing RPost services (any service provided by RPost or with RPost technology participation) and communications with RPost service users (senders, receivers, customer administrators, offerors, or parties related to them) and prospective users (senders, receivers, customer administrators, offerors, or parties related to them):
A) PERSONAL DATA WE MAY COLLECT FOR CLIENTS WHO USE OUR SERVICES
B) PERSONAL DATA WE MAY COLLECT FOR MARKETING OUR SERVICES
C) ADDITIONAL PRIVACY STATEMENT: RMAIL APP FOR GMAIL
A) PERSONAL DATA WE MAY COLLECT FOR CLIENTS WHO USE OUR SERVICES
Personal data that we may collect
- RPost provides services only to clients who have agreed their terms and conditions, which deal with data protection issues.
- RPost has requested all end users update their service operations since May 2017 to the latest versions. Other than those customers that have not updated their service operations since May 2017, or have requested service processing to be in the United States, all RPost service messages for service operations are processed in secure data centre servers housed in the European Union, with facility operations providing high levels of data security.
- RPost does not collect personal data other than as noted below. The data that RPost systems may store for limited periods of time are related to processing of messages and their content according to the service features requested by the sender or sender organization, and data associated with the customer entity and customer administrator, as well as the email addresses associated with messages the sender opts to have processed with RPost services.
How personal data may be collected
- Provisioning Service. When provisioning service for end users, the customer, RPost staff or reseller administrators may enter information related to the customer in the RPost service provisioning system, which may include data associated with the customer entity and customer administrator, as well as the email addresses associated with messages the sender opts to have processed with RPost services.
- Normal Service Operations: When a sender or sender organization routes a message to be processed by RPost service operations, RPost receives information contained in the message at its secure data processing centre servers. RPost processes the message according to the instructions of the sender, and RPost service operations may record information about the message including message envelope and header data such as sender and recipient email addresses and the subject line content; and message transmission data such as IP addresses and transmission server dialog data. Some of these messages may contain personal data, although not all of them do; if one considers sender and recipient email addresses and IP addresses as personal data, all of the messages would then be considered to contain this type of personal data. RPost does not look at the contents of these messages, although it is aware of the sender’s and receiver’s email addresses; senders may, however, subscribe to services that scan message content and recommend processing or automatically process messages in certain ways based on content or message criteria. RPost may have to access messages to repair service operations. RPost treats all data as if it were personal, even if it is not. RPost does not modify the content of personal data in any way unless specific service features are selected to do so, and much of the content is encrypted.
- When a Customer uses any of RPost’s Services, RPost may collect the following data:
- Name and addresses of the Customer and its administrator
- Name and email address of the Sender;
- Email address of the intended recipient;
- Size of the message content sent;
- Passwords associated with the message content;
- Information listed on the subject field of the messages;
- Server transmission metadata including log files and IP addresses associated with each transmission.
- RPost supplies main services to track electronic message delivery, record content and timestamp sent and received, encrypt messages in transmission, transmit large files, and manage e-signature processes, as described on its websites.
- RPost retains most data only during message processing. The timeframes of retention vary based on the service features requested and other instructions provided by the sender or sender administrator. For example, Registered Email messages and RMail encrypted email messages are not retained by the RPost systems except for short periods of time required for the processing, compiling, and quality assurance verification of the Registered Receipt email record, which has a normal service operation time period of between several minutes and up to 2 hours from the time of sending, with the variance generally depending on transmission status of each recipient and unless storage extensions are requested by the sender organization by agreement with RPost. RMail e-sign services may retain message content until each recipient of the message sent for recipient signoff has completed the signoff process, with a time limit of 30 days. RMail large file transfer services may retain message content until expiration set by the sender or sender organization within a time parameter of 1 to 90 days, with a default of 14 days. RSign e-signature services may retain message content until each recipient of the message sent for recipient signoff has completed the signoff process, with a time limit of 30 days, and may store on behalf of the sender organization copies of signed messages until the sender purges them, with a normal retention period of one year unless extended by the sender organization by agreement with RPost; RPost provides each customer administrator the ability to manage retention of electronic files that they or their users may have sent for e-sign. Upon cancelation of a customer account, RPost intends to schedule for deletion stored files within the customer account. 
RPortal customer administration data (information referenced in #6 above) is retained for the duration of the customer service agreement and may be retained for audit purposes after termination of the agreement, unless the customer opts not to have this information retained, in which case it shall be retained until billing and payment has been completed; and this data may be accessed by sales organizations provisioning service on behalf of the customer, their management entities, and the customer administrator.
- While many messages are received over the internet by a secure channel to the RPost systems, this is not a requirement. It is the responsibility of the sender, their organization, or messaging provider to transmit their messages to the RPost systems through secure channels such as HTTPS or TLS (Transport Layer Security) or using RPost apps that may be configured to transmit messages encrypted to the RPost systems. While many messages are sent from the RPost systems over the internet by a secure channel to recipient systems, this is not a requirement. It is the responsibility of the sender, their organization, or messaging provider to transmit their messages to the RPost systems with instructions to encrypt the message in transport to the recipient or recipient messaging gateway encrypted or password protected. RPost assumes no responsibility for the security, confidentiality or privacy of files sent to its systems or uploaded to its systems when the encryption options are not used. By using RPost services without encryption options, you acknowledge and agree: (i) to assume sole responsibility for the content of any files sent or uploaded, hosted and/or transmitted; and (ii) to assume any liability arising from your transmission of, and/or any third party’s receipt of, your sent or uploaded files.
- RPost has requested all end users update their service operations since May 2017 to the latest versions. Other than those customers that have not updated their service operations since May 2017, or have requested service processing to be in the United States, or are customers based in the United States, or are customers that require fall-back processing in the United States, all RPost service messages for service operations are processed in secure data centre servers housed in the European Union, with facility operations providing high levels of data security operated within a secure cloud hosting data centre including AWS or comparable. Due to the inherent nature of normal Internet messaging protocols, RPost cannot control what geography a sender may be in when they send a message from their systems that is directed for processing at its data centre servers housed in the European Union; RPost cannot control what geography a recipient of a sender’s message may be in when they receive or collect a message from the RPost systems that is processed at its data centre servers housed in the European Union; and RPost can neither control the geographic Internet routing of messages transmitted from senders to RPost data centre servers housed in the European Union nor the geographic Internet routing of messages transmitted from the RPost data centre servers housed in the European Union to the intended message recipients. RPost is not responsible for ensuring Internet message routing remains within the geography of the European Union. Intended recipients of sender’s messages may receive private or personal information that the sender intended to send to the intended recipient, and RPost systems and servers required to process and administer the sender’s message and sender’s account may receive the private or personal information that the sender intended to send to the intended recipient during processing of the message for the timeframes described above.
What we will do with the personal data we may collect
- We carry out the Customer’s instructions, according to which services the sender chooses.
- We use the personal data for billing.
What we will not do with the personal data we may collect
- We will not transfer data received other than for normal service operations according to the services the sender chooses, which includes making billing data available to the sender customer administrator and those parties that make the RPost services available to the sender via service provisioning systems.
B) PERSONAL DATA WE MAY COLLECT FOR MARKETING OUR SERVICES
RPost operates entirely separate infrastructure to (a) host and operate its product marketing website, entirely separate infrastructure to (b) host and operate its support ticketing centre, web support chat and online knowledge base, (c) customer relationship management information, and (d) billing information. Each of these are operated by distinct third-party service and hosting companies.
There is no service message data that is processed by these marketing, support, customer management, and billing systems, other than links that redirect users to log in to user service interfaces (with the service operations systems that are entirely separate from these management systems) and other than user information that a user may submit into a support ticket or forward to RPost for support service investigation. If a user submits a Registered Receipt message to its support centre for support analysis, the user is responsible for removing the HTML appended file before submission to RPost, or for understanding that by not removing the HTML appended file on the Registered Receipt email record they are consenting to RPost support staff having a means of reconstructing message and transmission metadata as part of the support investigation.
Personal data we may collect
- Information that you provide by filling in newsletter, partnership or enquiry forms on our website rpost.com, www.rmail.com, www.rsign.com, and other related service websites and marketing landing pages. This information may include, for example, enquiring party name, email address, phone numbers, job title, organisation name.
- Your name, email address, phone numbers, job title, organisation name which you may share through business cards, direct mail, telephonic or in-person contact.
- Personal data which is publicly available from a third party such as held on LinkedIn, Facebook and Twitter and other social media applications.
- When you access our websites noted above and their associated landing pages and websites, details of your visits (including, but not limited to, traffic data, location data, weblogs and other communication data, and the resources that you access).
We may also ask you for information when you contact us for any enquiries, product demos, partnership information or other business interests. If you contact us, we may keep a record of that correspondence.
Where we store your personal data
The data that we collect from you is stored on our Customer Relationship Management (CRM) system and its associated marketing systems. RPost uses third party systems and cannot control where the data from these systems reside, and RPost staff, consultants and sales partners may access some of this information in their efforts to respond to your enquiries in the most suitable manner. Such staff, consultants and sales partners may be engaged in, among other things, the fulfilment of your order and the provision of support services. By submitting your data, you agree to this transfer, storing and/or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Notice.
We maintain strict security standards and procedures with a view to preventing unauthorised access to your data by anyone, including our staff not authorized to have access. All our staff and third parties, whenever we hire them to provide support services, are required to observe our privacy standards and to allow us to audit them for compliance.
Why we require this data
We collect the personal data about you:
- to provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such direct marketing purposes;
- to carry out our obligations arising from any contracts entered into between you and us or to manage our relationship with you;
- to meet our ongoing regulatory and compliance obligations, including in relation to recording and monitoring communications, disclosures to tax authorities, financial service regulators and other regulatory and governmental bodies, and investigating or preventing crime;
- to undertake transactional and statistical analysis, and related research;
- to ensure that content from our Site is presented in the most effective manner for you and for your computer (or mobile device). We may use your information collected from the website to personalise your repeat visits to our website.
We may also use your data to provide you with information about goods and services of RPost which may be of interest to you and, where you have provided consent, we may contact you about these by post, telephone, email or text message.
Disclosure of your information
We will not share your information with third parties for a purpose that is materially different from original purpose(s) without your consent.
We may disclose personal data for internal and administrative purposes and where you give consent to provide you with information regarding our products, services, future marketing events and job opportunities.
We may disclose personal data to third parties that are specifically engaged by us to provide services to us, in which case we will require those parties to keep that information confidential and secure and use it solely for the purposes of providing the specified services to us.
We may disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
How long we will store your data
Personal data held by us will be kept confidential. How long we hold your personal data for will vary and will be determined by various criteria, including:
- the purpose for which we are using it – we will need to keep the data for as long as is necessary for that purpose; and
- legal obligations – laws or regulations may set a minimum period for which we have to keep your personal data.
- In the event that RPost, in its sole discretion, determines or suspects that any uploaded file(s) constitute(s), or may give rise to, a violation of any law, copyright, trademark, regulation or the RPost service agreement, or you are otherwise in breach of any provision of the service agreement, RPost reserves the right to remove your stored file(s) and/or to deactivate links to stored file(s) without further notice to you.
Your rights in relation to your data
- As a customer of the service, you have a right to view the information RPost holds about you and your users by requesting access to your customer RPortal account administrator access; this information being email addresses of users within the customer domain or account, along with the potential of user names if submitted by the customer administrator, or contact information of a person if provided to RPost. If you are not the customer administrator, it is your responsibility to request such access from your customer administrator.
- We take reasonable steps to ensure that the personal data we collect, use or disclose is accurate, complete and up-to-date and is protected with appropriate security.
- If you wish us to erase any stored documents associated with your use as an originating sender of RPost service, you may cancel your RPost customer account, which will restrict you from originating new messages or accessing your account data and any documents stored. Upon cancelation of a customer account, RPost intends to schedule for deletion stored documents within the customer account. Upon cancelation, you may still have access as a free user, and your use will constitute continued use as a customer and may prevent or defer deletion of any documents stored; however, RPost may continue with deletion procedures for non-paying customers.
- RPost considers usage data about a customer’s use of the RPost services as required to be retained to continue processing your personal data and/or comply with potential regulatory or commercial audit requests.
- RPost considers information that it may use for marketing purposes, which may include your name and email address, to be information restricted from access to the public other than when RPost communicates using this information to you, and you may request to opt out of such communications using technical means provided by RPost in such communications. If you feel these technical means are not restrictive enough, you may request erasure from RPost marketing databases by submitting such a request on this form using the “Other” category and specifying your request in detail; RPost may undertake a process to evaluate the request over a reasonable period of time of no less than 90 days and may require you to provide information to identify yourself prior to taking action. Contact form for such requests: https://www.rpost.com/contact/
- If you have previously provided your consent to our use of your data and you wish to withdraw consent, you may cancel your services account with RPost, remove any RPost software from your systems, and cease using RPost services. Our retention of use logs may continue for lawful purposes.
- RPost considers information you may have submitted as a recipient requesting to sign an agreement sent for e-sign by an RPost service user, or information you may have added to an email in reply to an RPost reply service (i.e. Registered Encrypted Reply, Registered Reply, E-Signoff, RSignoff), to be under the control of the RPost customer, and any requests related to this content should be made to the specific RPost service customer that originated the message to which you replied.
- If you have any complaints in relation to the way we have used your personal data, please contact us in the first instance. You also have the right to lodge a complaint with the information commissioner’s office of your country or the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF (Tel: 0303 123 1113), if you think we have infringed your rights, and under certain conditions, you have the right to invoke binding arbitration.
C) ADDITIONAL PRIVACY STATEMENT: RMAIL APP FOR GMAIL
The RMail app for Gmail routes outbound Gmail SMTP messages to RMail services by modifying the recipient addresses with a domain extension (e.g. .rpost.biz). The messages are routed using a wildcard MX record and the added recipient domain extensions are removed for processing when received by the RMail service. (For example: To: email@example.com is modified to: firstname.lastname@example.org en route from Gmail servers to RMail service servers; the DNS Lookup for *.rpost.biz is MX 10 gate.r1.rpost.net)
In the RMail for Gmail app, the RMail software downloads the draft message to be sent, modifies the recipient addresses in the draft as noted above, sends the modified message to the modified destination as noted above, and deletes the original draft message. Additionally, the RMail software modifies the addresses in the sent item after sending and in the user contacts after sending, to reflect the original correct recipient addresses (without the RMail added domain extension).
Updating the sent item requires listing and downloading the sent item with modified addresses, creating a replacement sent item with the correct original addresses, deleting the sent item with modified addresses. To delete a message (sent item), the only Google provided scope available is https://mail.google.com/ (https://developers.google.com/gmail/api/v1/reference/users/messages/delete). That scope covers all of the RMail software needs apart from the Gmail Contacts API used to update the contacts address to return it to its original unmodified address (without the RMail added extension). For contacts management, the RMail software uses: https://www.google.com/m8/feeds/
Therefore, the RMail app for Gmail applies for the two scopes mentioned above, the minimum that the RMail app for Gmail needs. A summary of the scopes and APIs used follows. Scopes: https://mail.google.com/ and https://www.google.com/m8/feeds/. APIs: (a) https://www.googleapis.com/gmail/v1/users (b) https://www.googleapis.com/gmail/v1/users/userId/drafts (c) https://www.googleapis.com/gmail/v1/users/userId/labels (d) https://www.googleapis.com/gmail/v1/users/userId/messages (e) https://www.googleapis.com/gmail/v1/users/userId/messages/id/modify (f) https://www.googleapis.com/gmail/v1/users/userId/profile (g) https://www.googleapis.com/upload/gmail/v1/users (h) https://www.googleapis.com/upload/gmail/v1/users/userId/messages/send (i) https://accounts.google.com/o/oauth2 (j) https://accounts.google.com/o/oauth2/token and (k) https://www.google.com/m8/feeds/contacts/.
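The recipient-address round trip described in this section can be sketched as follows. This is an added illustration, not RPost code: the function names and sample addresses are constructed, the set of recipient headers is an assumption, and only the `.rpost.biz` extension is taken from the text above. The last function is the check an administrator would run over sent items or contact exports to confirm that no modified address was left behind.

```python
from email.message import EmailMessage
from email.utils import formataddr, getaddresses

ROUTING_SUFFIX = ".rpost.biz"          # domain extension named in this notice
ADDRESS_HEADERS = ("To", "Cc", "Bcc")  # assumption: headers that carry recipients


def add_suffix(addr):
    """Append the routing extension to the domain; applying it twice is a no-op."""
    local, at, domain = addr.rpartition("@")
    if not at or domain.lower().endswith(ROUTING_SUFFIX):
        return addr
    return f"{local}@{domain}{ROUTING_SUFFIX}"


def strip_suffix(addr):
    """Remove the routing extension; other domains are returned unchanged."""
    local, at, domain = addr.rpartition("@")
    if at and domain.lower().endswith(ROUTING_SUFFIX) and len(domain) > len(ROUTING_SUFFIX):
        return f"{local}@{domain[:-len(ROUTING_SUFFIX)]}"
    return addr


def rewrite_recipients(msg, transform):
    """Apply transform to every recipient address, keeping display names."""
    for name in ADDRESS_HEADERS:
        values = msg.get_all(name)
        if not values:
            continue
        pairs = getaddresses([str(v) for v in values])
        del msg[name]
        msg[name] = ", ".join(formataddr((n, transform(a))) for n, a in pairs)
    return msg


def recipients(msg):
    """Return the bare recipient addresses of a message, in header order."""
    values = []
    for name in ADDRESS_HEADERS:
        values.extend(str(v) for v in msg.get_all(name, []))
    return [addr for _, addr in getaddresses(values)]


def residual_rewrites(msg):
    """List recipient addresses that still carry the routing extension."""
    return [a for a in recipients(msg) if a.lower().endswith(ROUTING_SUFFIX)]


def constructed_draft():
    """Constructed sample draft; all addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "Alice Example <alice@example.com>, bob@example.org"
    msg["Cc"] = "carol@example.com.rpost.biz"  # already extended before sending
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    return msg


if __name__ == "__main__":
    draft = rewrite_recipients(constructed_draft(), add_suffix)
    print("routed:  ", recipients(draft))
    sent_item = rewrite_recipients(draft, strip_suffix)
    print("restored:", recipients(sent_item))
    print("residual:", residual_rewrites(sent_item))
```
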
RPOST’S PRIVACY PHILOSOPHY
RPost uses best efforts to abide by each respective country’s privacy rules and principles as service is taken up in the country. RPost abides by practices and procedures to meet the requirements of the European General Data Protection Regulation and Privacy Shield, the National Privacy Principles of Australia, and the U.S. Privacy Act 1988, as well as other privacy laws specific to other countries and territories.
The U.S. based RPost entities are subject to the investigatory and enforcement powers of the Federal Trade Commission, while all RPost entities commit to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC), and comply with the advice given by such authorities with regard to unresolved Privacy Shield complaints concerning data transferred from the EU and Switzerland.
In instances where RPost shares your information with third parties, RPost shall remain liable under the principles of Privacy Shield if such third parties process such personal information in a manner inconsistent with the Principles, to the extent that RPost’s actions were responsible for the event giving rise to the damage.
How to Contact Us
Please contact us if you have any questions about our Privacy Notice or information we hold about you:
- or write to: Privacy Team, RPost UK Ltd, The Glades, Festival Way, Festival Park, Stoke on Trent, ST1 5SQ
Changes to our Privacy Notice
This notice was updated on September 27, 2019. We reserve the right to change this notice at any time.