Data Protection / Privacy Policy

Last updated on: 22/04/2024

Who are Critical research?

Critical Research Limited (company number 06566825) is a private limited company registered in England and Wales, registered address Unit 7 Baden Place, Crosby Row, London, United Kingdom, SE1 1YW (collectively referred to as “Critical”, “we”, “us”, or “our”) that operates as an independent market research agency based in London.

This Data Protection Policy sets out the personal data that we process whilst carrying out our day-to-day activities and operations and whilst using our website. For additional information, please see our Website Terms of Use:

The safety and privacy of your data is very important to us and we take every step possible to ensure the safeguarding of your data. We follow the Code of Conduct of the Market Research Society and comply with UK Data Protection Act 2018, UK GDPR and we are registered with the Information Commissioner’s Office as a data controller (registration number: Z1615219)

Depending on the nature of our engagement, we will be either the processor or the controller of your personal data. If you have any questions or queries about how we handle your personal data, including any requests to exercise your legal rights, please contact us on [email protected].

What is personal data?

Personal data is information about who you are, where you live, what you do and more. It’s any and all information that identifies you as data subject.

If a document, file or image identifies a person, or could be used in combination with other information to identify them, then it’s personal data. This applies even if the information doesn’t include a person’s name.

However, information is only personal data if it relates to someone who’s alive. Data protection laws don’t apply after someone has died.

The types of personal data we collect about you

Personal data means any information about an individual from which that person can be identified.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity data includes your name(s), username or similar identifier, marital status, title, DOB and gender
  • Financial data includes first name, last name, any previous names, username or similar identifier, marital status, title, date of birth, gender.
  • Contact data includes your billing address, email address and telephone numbers
  • Transactional data includes data about payments to and from you and other details of services you’ve purchased from us
  • Technical data includes your IP address
  • Marketing and communications data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

Where possible, we will anonymise personal data. We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity.

How do we collect your personal data?

We use different methods to collect data from and about you including through:

  • Your interactions with us. You may give us your personal data by corresponding with us through our site, by post, phone, email or through any of our market research surveys.
  • Third parties or publicly available sources. We will receive personal data about you from various third parties such as online panel companies and sampling houses.
  • Contact, Financial and Transaction Data is collected from providers of technical, payment and delivery services in the UK.
  • Technical Data is collected from the following parties:
    1. analytics providers such as Google based outside the UK;
    2. advertising networks; and
    3. search information providers.
  • Identity and Contact Data is collected from publicly available sources such as Companies House and the Electoral Register based inside the UK.

If you would like more information concerning where your data was collected please contact:  [email protected]

Legal Basis

The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases to collect your personal data:

  • Where you have given consent for the processing of data for a specific purpose
  • Processing is necessary to meet contractual obligations entered by you
  • Processing is necessary to conduct our business and pursue our legitimate interests
  • Processing is necessary for compliance with our legal obligations

We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you opt in to our marketing and newsletters.

We will not contact children under the age of 18 without the explicit consent of their parent or guardian.

Purposes for which we will use your personal data

The personal data we collect will be used for the following purposes:

Purpose/UseType of dataLegal basis
To register you as a new customer



Performance of a contract with you such as to carry out the agreed services
To make payment to you where we have offered a financial incentive for taking part in a survey



Transactional data

Performance of a contract with you such as to make payment



To verify responses from you in a market research study



Necessary for our legitimate interests
Dealing with enquiries and requests about our services from you including job applications



Necessary for our legitimate interests

To manage our relationship with you which will include:

(a) Notifying you about changes to our terms or privacy policy

(b) Dealing with your requests, complaints and queries

(c) To respond to any requests you make to us

(d) Internal record keeping



Marketing and Communications

Performance of a contract with you

Necessary to comply with a legal obligation

Necessary for our legitimate interests (to keep our records updated and manage our relationship with you

To enable you to partake in a prize draw, competition or complete a survey




Marketing and Communications

Performance of a contract with you

Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

To carry out market research through your voluntary participation in surveys




Necessary for our legitimate interests (to study how customers use our products/services and to help us improve and develop our products and services).


To respond to duly authorised information requests of governmental authorities or where required by law





Necessary to comply with a legal obligation

On occasion, we may handle sensitive personal data, this would include data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

We sometimes collect this information to carry out our research obligations on behalf of our clients, and in these instances, our grounds for processing such sensitive data is based on explicit consent.

Third-party Marketing

We will get your express consent before we share your personal data with any third party for their own direct marketing purposes.


We will never pass your personal data on to other organisations for them to use for their own marketing purposes except where you have given us explicit permission to do so.

However, we may disclose your personal data where necessary with the third parties who provide a service to us such as market research fieldwork agencies, email services providers or data processors. We require these third parties to comply strictly with our instructions and Data Protection laws and we make sure that appropriate controls are in place.

We enter into contracts with all our third parties and regularly monitor their activities to ensure they are complying with our policies and procedures.

Where personal data is required by law such as judicial reviews, court orders, or legal process we may also disclose your personal data to such third parties as and when requested.

Sharing personal data

We only share personal data with third parties where certain safeguards and contractual arrangements are in place. We only share personal; data with third parties if:

  • our service providers have a need to know the information for the purposes of providing the contracted services;
  • if required, we have received the necessary consent from a data subject;
  • the third party has agreed to comply with the required data security requirements and has adequate measures in place;
  • the transfer complies with any applicable cross-border restrictions; and
  • a fully executed written contract that contains UK GDPR-approved third party clauses has been obtained.

Some of the service providers we use are:

  • Cint;
  • Purespectrum; and

International Transfers

We will sometimes need to transfer your data outside of the UK, to make sure we can deliver on our services or because our clients are based outside of the UK.

We will always ensure safeguards are put in place by completing one of these measures:

  • Checking that the UK has an adequacy agreement in place with the country that your data is being transferred to (The transfer will be with a country that has Data Protection laws recognised by the UK Data Protection Act)
  • A contractual agreement is in place with the receiver of the data that requires them to protect your data to the same standards on the UK Data Protection Act 2018

How do we ensure your personal data is secure?

We take our responsibilities very seriously in ensuring your personal data is secure.

As such, we take every reasonable precaution to safeguard your information so that it is protected from loss, theft, or misuse. These precautions include secure servers, controlled access to our computer systems, anti-virus systems, encryption of any personal data, and physical security of our offices.

We have policies and procedures in place to ensure the confidentiality and security of data. We inform and train our staff based on these policies and procedures.

For research purposes only, we may have to transfer your data to a 3rd party that provides us with support and services, we require them to safeguard all personal data and maintain security measures as prescribed by our company.

Retention Period

Generally, personal data will be anonymised or deleted within six months of a project being finished unless prior permission has been received (you consented for us to contact you for periodic research on an ongoing basis).

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.


For certain market research studies, we offer an incentive for participation. Our staff will administer all incentive payments. In order to administer these, we may collect details such as your name and email address (e.g. to send an Amazon voucher). Unless you have previously consented, your personal data will only be used for the purpose of sending an incentive and will be deleted as per our retention period.


We will not contact children under the age of 18 without the explicit consent of their parent or guardian.

What are my rights?

Under the UK’s data protection laws, you have the following rights:

  • Right of erasure: Your right to have your personal details deleted
  • Right to be informed
  • Right to access data: Your right to access the personal data we hold
  • Right of rectification: Your right to change the personal data we hold for you
  • Right to restrict processing: to request that we limit the way that your personal data is used
  • Right to object: your right to stop or prevent us from processing their personal data
  • Right to Data Portability: the right to receive personal data you have provided to a controller and the right to request that a controller transmits this data directly to another controller.


If you have any further queries concerning how we handle your data, please e-mail us via [email protected]

If you are unhappy with the way that your data is being handled by Critical Research, you have the right to make a complaint to the Information Commissioner’s Office (ICO).

Changes to our policy

We regularly review our data protection and privacy policy and we will place any updates on this page.