Privacy statement

This Privacy Statement sets out how UserLab uses and protects any personal data provided to us, whether by engaging us for market research projects or by participating in projects that we are performing for our clients.  This might be done using our website, via email, by mail or telephone, or by visiting us in person. 

UserLab is committed to ensuring that your privacy is protected. Should we ask you to provide certain data by which you can be identified, you can be assured that it will only be used in accordance with this privacy statement and General Data Protection Regulations (GDPR).

We have also put in place procedures to deal with any suspected personal data breach and will notify you and the Information Commissioner (the UK regulator for data protection matters) should a breach occur, where we are legally required to do so. 

This Privacy Statement was last updated on 6 March 2020.  There may be times that UserLab reviews this Privacy Statement and makes changes, particularly in view of our departure from the European Union and the outcome of any Brexit negotiations.  We advise that you review this policy from time to time.  

Children

UserLab does not intend children to view this Privacy Statement and does not knowingly collect data relating to children.

Company Information

UserLab is the data controller and is responsible for your personal data.

  • Company Name: UserLab Limited 

  • Company Number: 09759799

  • Registered Address: Maybrook House, 27 Grainger St, Newcastle upon Tyne NE1 5JE

  • Email: hello@userlab.co.uk

  • Telephone Number: 0191 500 77 44

Our working practice

  • UserLab observes the Code of Practice of the Market Research Society and qualitative recruitment best practice outlined by the Association of Qualitative Research. Copies of both can be found on the web sites www.mrs.org.uk and www.aqr.org.uk. We also work within the boundaries of the Code of Ethics outlined by the Social Research Association www.the-sra.org.uk

  • In providing the services, we will comply with the  General Data Protection Regulation (GDPR), Data Protection Act 2018 and the Privacy, Electronic and Communications Regulations (PECR) and any other relevant secondary legislation. We gain respondents’ permission to use data for research purposes only, not for use in external promotions or in the public domain.

  • The identity of personal records and data pertaining to any persons who take part in projects are confidential information and will not be revealed to clients or any third party.

Data we process

  • Whenever you complete an online form to take part in research, training or join our panel, we store information you give us like your name, email address, and telephone number. We may also store other information if it’s relevant to the project, such as your age group and your nearest town/city.If you have already volunteered to give feedback to one of our clients, they may share your email address with us so that we can contact you on their behalf. If you take part in our research or training sessions, we may ask for your permission to record the session on video or audio. 

If you get selected to take part in research, we may ask you for your bank details so that we can process your research payment.

Lawful Basis for processing personal data

We will only use your personal data when the law permits us to do so.  Most commonly, we will use your personal data in one or more of the following circumstances:

  • Where we are engaged to conduct market research on your behalf we do so to perform the contract we are about to enter into or have entered into with you;

  • Where we provide basic level information to our clients we do if it is necessary for our legitimate interests.  We give careful consideration to the personal data collected and process this in a responsible and ethical manner that does not negatively impact the individuals who provide their personal details to us; 

  • Where we have obtained your explicit and informed consent (particularly where we process more sensitive data such as that relating to your health, religious beliefs, political affiliations, sexual orientation or use video or audio recordings); and/or

  • Where we need to comply with a legal or regulatory obligation;

  • Where we are engaged to deliver training on your behalf we do so to perform the contract we have entered into with you and our funding partners.

Why we process it

  • The clients we work with follow user-centred design practices, which involves seeking regular feedback from people about their products. It’s our job to help them find people to take part.

  • When a client ask us to find participants for their research project, we use our website and newsletter to share the opportunity and invite people to take part by completing a short online survey.

  • During the training courses we offer, there may be instances where learners need to review and catch up on video recordings of previous lessons.

  • The information you give when you answer our survey questions helps us understand whether you’re going to be a suitable candidate for the particular research opportunity you’ve applied for.

  • Having your contact information means we can get in touch to let you know if you have been successful in your recent application, or invite you to take part in another research opportunity.

  • We use information like your age group, nearest town and IT skills to match you with relevant opportunities that we think you may be interested in.

  • By understanding a little about you, we can improve the quality of our clients service by making changes that will benefit user experience with them.

  • We may contact you after you have participated in a research opportunity by  sending you other opportunities that we think you will be interested in. We will only do so where you have indicated a willingness to be involved in other market research projects.

  • If you take part in an interview or a website testing session, we may wish to share some clips of the sessions with our client to show them what worked well and what didn’t so that they can improve the design of their product/service. Any clips we share will always be anonymised to protect your privacy.

  • When delivering training, we may need to provide evidence that training has taken place to our funding partners and assessors.

What we do with it

  • The systems we use for storing data are fully compliant with General Data Protection Regulation (GDPR) rules and use secure encryption, with multiple layers of account verification.

  • We hold information held in survey responses for 30 days, after which time the data will be erased from our systems.

  • We hold attendance records for 2 years for audit purposes. These records contain the names of participants who have taken part in research, the date of the research, the name of the client and the name of the project.

  • Any personal data you share with us (when you signed up to our panel or applied to take part in research) which we then attach to your profile is always encrypted and stored securely on our systems.

  • If you apply for one of our research adverts and you are selected to take part, we may share your basic contact information with the client who is hosting the session, but we will always ask for your permission if there is a requirement to share more sensitive data with clients who ask for it.

  • Any data transfers which conducted over email are always done so securely using full email and file encryption for additional security.

  • Any documents we use to send data to clients are set to expire after 7 days.

  • If we’ve taken your bank details to make your incentive payment, we will delete these from our system 48 hours after the payment has been confirmed.

  • If we ask you to provide a physical signature on paper to confirm your receipt of an incentive payment, we will always digitise the document and shred the original document immediately.

  • We won’t sell your personal data and we’ll never try to sell you anything.

  • Video recordings and photos from training sessions will be stored for up to 2 years for training and audit purposes but we will remove any personal data from the recordings before storing these.

Sharing your personal data

  • We will only share personal data with our funding partners when we are required to do so for the contract. Examples of this are learner registration forms. We are required to do so for funding purposes.

  • When we provide client reports for design and research projects, your feedback will be anonymised and does not contain any personal data.

  • We may provide some video or audio clips of the sessions in which you were involved but these will not contain identifiers such as your name or contact details.  Where we provide this data we will seek your explicit consent beforehand.

  • We may have to share your personal data with third parties who help support our business.  These third parties are set out below:

    • Service providers acting as processors based in the UK who provide website, IT and system administration services.

    • Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors, pension providers and insurers based in the UK who provide consultancy, banking, legal, pension, insurance and accounting services.

    • HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the UK who require reporting of processing activities in certain circumstances.

    • Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice. 

  • We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Cookies

We do not employ cookies on our website.

International Transfers

We do not transfer your personal data outside the European Economic Area (EEA).   We will revise this privacy statement when new legislation takes effect at the end of the transition period.

Your Legal Rights

You have the right to:

  • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.  No fee is usually payable for this request.

  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. 

  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which overrides your rights and freedoms.

  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. 

  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. 

  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, you may also need to make a similar request to our clients in limited cases where we have provided your personal data to them but we will advise you about this at the time you withdraw your consent.

Time limit to respond:

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 

How to contact us

  • If you wish to exercise any of the rights set out above, speak to us about any concerns or want to speak to our data controller, please email us at hello@userlab.co.uk with any queries.

To validate our Data Controller status, view our registration on the Information Commissioner’s Office (ICO) website