Privacy Center


The following describes how we at Really Social protect your data in relation to GDPR

What is the GDPR?

The General Data Protection Regulation (GDPR)  is a new regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the exportation of personal data of an EU citizen outside of the EU. This replaces the previous Data Protection Act (DPA).

This is overseen by the Information Commissioner Office (ico) and comes into force in the 25th May 2018.

Your Rights

GDPR defines your rights as the following;

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data processing
  • Right to data portability
  • Right to object
  • Right related to automated decision making

Key Principles of personal Data

  • Processed lawfully, fairly and in a transparent manner.
  • Personal data to be collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Kept in a form which permits identification for no longer that is necessary for the purpose of which the personal data that are inaccurate.
  • Processed in a manner that ensures appropriate security.

What have we done to prepare for GDPR

We are always improving technology, organisational and security measures across the company.

We have and are implementing changes

Company training: We have a commitment to be compliant with GDPR, everyone working at Really Social understands GDPR and their responsibility.

Audit: We have done a company wide data audit, to document what data we hold, where it comes from and how it’s processed. Allowing us to keep track of the data in regards to where it is stored and how it is used. This is an ongoing document that allows us to make sure data is protected.

Updated our privacy policy: We have updated our privacy policy so you can see how we handle your data and how long we hold it for, and how you can contact us.

Basis and consent: By signing up to the service Really Social Media provides, you are entering into an agreement which gives us legitimate basis to process your data, in line with GDPR requirements. However to allow us to news and offers we will make sure it’s obvious you will be entering into this and you can unsubscribe from these updates at any time.

Your Rights: GDPR allows you the right to see a full copy of the data we hold about you, and the right to request it is fully deleted from our system (although we might have to keep some record to ensure that you are not contacted in the future, or to comply with any legal obligations)

How can you manage access to your information (DSR requests)

If you have an account with us, you may access, correct, or request a correction/deletion of your personal data by contact us at We will aim to respond to this request within 20 days or less, which is well within the GDPR requirement of 30 days.


Who are your sub-processors?

Version 1.0

Date: 15 May 2018


We share certain information with companies that may be considered our "sub-processors" under GDPR to provide our service.

What is a subprocessor

A subprocessor is a third party data processor, who in agreement with Really Social Media has or potentially will have access to or process data (which may contain personal data). Really Social engages different types of Sub Processors to perform various functions as explained below. Really Social uses careful consideration and a reasonable selection process to look into the sub processors security, privacy and confidentiality practices.


Service: Digital Ocean

Use: Cloud Service Provider

Country: UK (London data center)


SOC 1 Type II, SOC 2 Type III, ISO/IEC 27001:2013, PCI-DSS, Privacy Shield, DPA

See more

Service: AWS (Amazon Web Services)

Use: Cloud Service Provider

Country: UK (London data center)


GDPR Link, ISO 27001, Privacy Shield, DPA with SCC




Service Name Use Country Regulations
Freshworks (Freshchat, FreshDesk & FreshSales) Customer Support: to communicate with our customers. Sometimes these communications includes the personal information. GDPR
Whats App Business GDPR

Privacy Shield

Facebook Messenger
Google Apps For Business United States GDPR
Campaign Monitor United States
Postmark To process our transaction emails emails, such as welcome email, invoices etc United States GDPR

Error Monitoring and Analytics

Service Name Use Country Regulations
Bugsnag Error Reporting United States GDPR

Type II: SOC 1, SOC 2, SOC 3, SSAE 16 / ISAE 3402

ISO 27001, ISO 27017, ISO 27018

Baremetrics Payment analytics United States GDPR

Payment and Card information

Really Social Does not store any payment card information all processing is handled by the below sub processors according to their terms of service and privacy policies.


Service Name Use Country Regulations
Stripe Outsourced payment management United States Privacy Policy
Moonclerk Outsourced payment management United States Privacy Policy

Responsible Disclosure Policy

We take the security of our systems seriously, and we value the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users. if you’ve discovered a security issue, please do not share it publicly. Instead report it to the Head of Technology instead details below; 


We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Really Social Media until we’ve had 90 days to resolve the issue.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research;
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.


  • and
  • Our mobile applications.

Out of scope

Any services hosted by 3rd party providers and services are excluded from scope. These services include:

  • List them?

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘Scope’ section
  • UI and UX bugs and spelling mistakes
  • Network level Denial of Service (DoS/DDoS) vulnerabilities

Things we do not want to receive:

  • Personally identifiable information (PII)
  • Credit card holder data

How to report a security vulnerability?

If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
  • Your name/handle and a link for recognition in our Hall of Fame.

Contact Details

Really Social

17 Cross Street Court,
Cross Street