Privacy & Cookies

Privacy Policy

Marketing Privacy Policy


Privacy Policy

Information is our business – we look after it

Firefish Ltd (Firefish Ltd, The Numbers Lab@Firefish and The Pineapple Lounge Ltd) is known for excellence and quality and strives to be a trusted business partner. Integral to this is meeting our data protection responsibilities.

A fundamental part of our business is to gather and analyse data to help deliver research insights and strategic advice to our clients. Within our work this will involve the collection and use of personal data. We are committed to protecting the personal data we collect, have access to, use, store and share, otherwise known as ‘processing’. This privacy policy sets out our approach to data protection in our research activities. In different research activities we may act as a Data Controller, a Joint Data Controller along with our client(s) or supplier(s) or a Data Processor for our client(s).

 Our key privacy related responsibilities to research participants include

  • Contacting you in connection with the research and administering your consent
  • Securely storing your personal data
  • Analysing the information that you provide during your market research activity
  • Securely sharing recordings and footage with carefully selected partners who assist us with the research
  • Responding to your privacy related requests
  • Deleting your personal data when it is time to
  • Informing you of the identify of Data Controllers at a suitable point in the project

Each of these processing activities is described further below.

What personal data do we process?

The type of personal data we process will vary with each research project. Along with attitudes and opinions this will typically include:

  • Name and contact details (phone and email) to confirm attendance or to re-contact you:
    • To discuss activity related to a project
    • To discuss input / answers
    • To discuss the further processing of personal data
  • Age, gender and location to ensure we speak to a demographically representative group of people
  • Address, if any research is to be conducted in a home
  • Bank details for incentives paid via BACS
  • Audio recordings and video footage
    • for the purposes of transcription, research analysis and reporting
    • to demonstrate and bring to life research findings for internal business uses
    • to update people connected to the research
  • All personal data is collected with your consent, this may include special category data such as your ethnicity, health information, sexual orientation, sex life, political opinions, religious or philosophical beliefs.

How do we collect and use your personal data?

There are several ways we may collect or have access to personal data.

  • Directly from you as a research participant
  • From a client, whom you have already provided your personal data to, or other third party, database we have access to
  • From a panel you have already signed up to. This would be provided by the panel owner

We, like other organisations, have to process personal data lawfully.  The way we do this is to ensure we meet at least one of the following:

  • We have consent for research purposes, including parental consent for under 16s. Details of the personal data we will collect and how it will be used are explained before the research
  • We have established legitimate interests for the collection and use of personal data. This would include our internal quality control purposes, consent audits or any activities where it is not practical or possible to get consent
  • We are required by law or public interest to collect or disclose your personal data

How long do we keep your personal data?

We will only hold your personal data for as long as there is a legitimate business need or legal requirement to retain it.

  • Personal data we collect and use for research purposes will be held by us for 6 months after the project has finished, unless has been otherwise specified
  • Some personal data we have collected (i.e. photos/film clips), may be included in research outputs. These may be held by our clients for longer than 6 months and while there is still a valid purpose for its use in connection with the research. This will be subject to the client’s data privacy policy and security measures

Personal data that is included in the final research output will be held by us for a period of 7 years for archiving processes

  • Where name and attendance are recorded for our internal quality control purposes these are held for a 2 year window. This is held by our research partner, Ayda, ( This excludes personal data that has originated from a client/third party database
  • Where we have paid the research incentive, we will hold a record of transaction or signature for 7 years, for tax audit purposes

How do we look after your personal data?

It is important to us that you know your personal data is safe and we have a number of security policies and procedures to ensure that we protect your information at all times. We have a dedicated IT and Security team to ensure our systems are regularly monitored and maintained with up to date security software to protect against threats.

  • Only authorised people have access to your personal data and on a needs-only basis
  • Your personal data is stored in a secure environment hosted by us or third parties providing hosting services to us
  • We take steps to encrypt your personal data when it is stored and to prevent unauthorised access or loss
  • Secure transfer methods are used so your personal data is safe whenever it is shared
  • Secure destruction methods are used when we dispose of your personal data

 Who do we share your personal data with?

As well as with the commissioning client, we will need to share your personal data with partners, suppliers, agents and subcontractors as these third parties are essential to helping support research projects. We work with trusted third parties and ensure these relationships are managed using agreements that set out clear terms and handling instructions in line with our Data Protection policies.

These third parties will include:

  • Recruiters who find participants for research
  • Partner research agencies
  • Research viewing facilities
  • Web-streaming providers
  • Online research platform partners
  • Filming providers
  • Expert and Professional advisors e.g. IT service providers/lawyers
  • Research analysis tools and services

We recommend you review the third parties’ privacy policies if you use the relevant features.

Where else does your personal data go?

In the course of conducting our research activities, it may sometimes be necessary for us to transfer your personal data outside of the U.K. and EU to carefully selected partner and providers. Some countries have different standards of data protection and may not be as strict as those in the U.K. or in the EU. We ensure that these organisations meet the necessary compliance with data protection and have appropriate and adequate safeguards in place.  These transfers will be governed such as; by data processing agreements; standard contractual clause contracts; adequacy measures or other legal mechanisms. In addition, our clients receiving personal data from research outputs may share this data with other parties connected with the research, for research purposes only.

What we won’t do with your personal data

Your personal data will not be broadcast, put in the public domain, used for direct marketing purposes, automated profiling, sold to third parties or used for other purposes unless we have your explicit consent.

Know your rights – we respect them

You have a number of rights over your personal data and our aim is to fulfil these as best we can. Please contact us using the details below if you;

  • Want to withdraw your consent
  • Want to request that we delete, correct or restrict the use of your personal data
  • Want to know about or see the personal data we hold that belongs to you
  • Want to port or transfer your personal data
  • Have any concerns or questions about the ongoing processing of your personal data

Write to the Data Protection Officer, Firefish Ltd, 170-172 Tower Bridge Road, London, SE1 3LS or email

Regulatory Bodies

If you don’t think we’ve done enough or you want to lodge a complaint then you can contact our data protection supervisory authority. In the U.K., this is the Information Commissioner’s Office (“ICO”). Contact details can be found at and our registration reference is Z1512613.

In the U.K., our industry regulatory body is the Market Research Society (MRS) and we are bound by the MRS Code of Conduct and associated guidelines. Details can be found at

About Us

Firefish Ltd is an independent market research agency incorporated in England and Wales with a company registration of 03854900 and located at 170-172 Tower Bridge Road, London, SE1 3LS, U.K.

Updates To Privacy Policy – this policy may be updated from time to time without notice and you should always check that you are referring to the most recent version.

Policy effective date: 25th May, 2018

Policy version: V9_June_2023

Marketing Privacy Policy

Firefish Ltd is serious about the privacy of your data.

We only collect the information needed to deliver and manage our newsletter and marketing communication or to respond to any requests you send to us. If you opt in to receive marketing communication from us, you accept the practices set out in this policy.

What data is collected?

  • Name
  • Email address
  • Company Name
  • Country
  • IP address

What happens to your data?

In order to technically support our marketing communication we use the following third party software providers: Moosend – our email marketing platform, and; Highrise – our CRM system.

Moosend have partnered with a global infrastructure provider and host all of our customer data within the EU. They are ISO27001 certified and GDPR compliant.

Highrise’s services are provided from the U.S. and provide the levels of data security and protection required by data protection law specified in an EU Standard Contractual Clause agreement. Should you wish to find out more you can view their privacy policies on their websites by clicking the links above.

Data security and retention

Any data exchanges between us and our providers are by secure transfer. Any data held by Firefish is stored on our secure server for 1 month and can only be accessed by certain approved members of staff. Data is otherwise held securely by the software providers on their systems. Data is retained in order to record your preferences and to ensure you only get the communication you’ve chosen to receive from us.

What we won’t do with the data

Firefish Ltd will not use your personal data for profiling, to send unsolicited emails or to pass it to other third parties without your express consent.

Your data choices  

If you no longer wish to receive marketing communication from us, or update your marketing preferences, then you can do so by using the links at the bottom of any email marketing we send you now or in the future. Alternatively, you can send an email to with the subject UNSUBSCRIBE. Please allow 72 hours for your details to be removed from our system.

Want to get in touch?

Write to: Data Protection Officer, 170-172 Tower Bridge Rd, London, SE1 3LS


Policy Version: V5.2021

Note: This policy only applies to this website. Other sites may vary.

We May Use Cookies

What are cookies?

Cookies are files containing small amounts of information which are downloaded to your computer when you visit a website. Cookies are then sent back to this website on each subsequent visit (1st party cookies) or to another website that recognises that cookie (3rd party cookies).

Why are cookies used?

Cookies do lots of different and useful jobs, such as remembering your preferences and generally improving your online experience. Some cookies collect anonymous data about your computer and browsing history for statistical purposes.

There are different types of cookie:

Session cookies enhance the experience of your visit and are deleted when you close your browser.

Persistent cookies last after you have closed your browser and allow the website to remember your actions and preferences.

Strictly necessary cookies are essential in order to enable you to move around the website and use its features.

Performance cookies collect information about how you use the website.

Functionality cookies allow the website to remember choices you make.

Why do Firefish use cookies?

We use _utm cookies to support the video on our website via our 3rd party video host, Vimeo. We use exp_ cookies for Google Analytics tracking, to help us analyse how our website is used and to provide the maps and to show our locations in relation to where you are. This information will be subject to Google’s privacy policy  We also use a cookie for site administration, to make sure only those authorised are logging in.

Your choice about cookies

Cookies are used to enhance your user experience now and in future visits and they may collect anonymous data as a result. If you want to restrict or block the cookies, you need to do this through the settings for each browser you use and on each device you use to access the internet. If you visit this will give you more information and instructions about blocking cookies on different browsers. Please note this is a 3rd party website and is subject to change. Firefish are not responsible for anything that happens to your computer or device in visiting 3rd party websites.

If you do not block cookies to this website, we will take this as agreement to their use as described. We may make changes to this policy from time to time, which will be binding under the same agreement. Alternatively, you can accept or reject cookies, even if you have previously selected a different option, using one of the buttons below: