Privacy Policy

Information is our business – we look after it

Firefish Ltd (Firefish Ltd, Firefish Data Ltd and The Pineapple Lounge Ltd) is known for excellence and quality and strives to be a trusted business partner. Integral to this is meeting our data protection responsibilities.

A fundamental part of our business is to gather and analyse data to help deliver research insights and strategic advice to our clients. Within our work this will involve the collection and use of personal data. We are committed to protecting the personal data we collect, have access to, use, store and share, otherwise known as ‘processing’. This privacy policy sets out our approach to data protection in our research activities. In different research activities we may act as a Data Controller, a Joint Data Controller along with our client(s) or supplier(s) or a Data Processor for our client(s).

 Our key privacy related responsibilities to research participants include

  • Contacting you in connection with the research and administering your consent
  • Securely storing your personal data
  • Analysing the information that you provide during your market research activity
  • Securely sharing recordings and footage with carefully selected partners who assist us with the research
  • Responding to your privacy related requests
  • Deleting your personal data when it is time to
  • Informing you of the identify of Data Controllers at a suitable point in the project

Each of these processing activities is described further below.

What personal data do we process?

The type of personal data we process will vary with each research project. Along with attitudes and opinions this will typically include:

  • Name and contact details (phone and email) to confirm attendance or to re-contact you:
    • To discuss activity related to a project
    • To discuss input / answers
    • To discuss the further processing of personal data
  • Age, gender and location to ensure we speak to a demographically representative group of people
  • Address, if any research is to be conducted in a home
  • Bank details for incentives paid via BACS
  • Audio recordings and video footage
    • for the purposes of transcription, research analysis and reporting
    • to demonstrate and bring to life research findings for internal business uses
    • to update people connected to the research
  • All personal data is collected with your consent, this may include special category data such as your ethnicity, health information, sexual orientation, sex life, political opinions, religious or philosophical beliefs.

How do we collect and use your personal data?

There are several ways we may collect or have access to personal data.

  • Directly from you as a research participant
  • From a client, whom you have already provided your personal data to, or other third party, database we have access to
  • From a panel you have already signed up to. This would be provided by the panel owner

We, like other organisations, have to process personal data lawfully.  The way we do this is to ensure we meet at least one of the following:

  • We have consent for research purposes, including parental consent for under 16s. Details of the personal data we will collect and how it will be used are explained before the research
  • We have established legitimate interests for the collection and use of personal data. This would include our internal quality control purposes, consent audits or any activities where it is not practical or possible to get consent
  • We are required by law or public interest to collect or disclose your personal data

How long do we keep your personal data?

We will only hold your personal data for as long as there is a legitimate business need or legal requirement to retain it.

  • Personal data we collect and use for research purposes will be held by us for 6 months after the project has finished, unless has been otherwise specified
  • Some personal data we have collected (i.e. photos/film clips), may be included in research outputs. These may be held by our clients for longer than 6 months and while there is still a valid purpose for its use in connection with the research. This will be subject to the client’s data privacy policy and security measures

Personal data that is included in the final research output will be held by us for a period of 7 years for archiving processes

  • Where name and attendance are recorded for our internal quality control purposes these are held for a 2 year window. This is held by our research partner, Ayda, ( This excludes personal data that has originated from a client/third party database
  • Where we have paid the research incentive, we will hold a record of transaction or signature for 7 years, for tax audit purposes

How do we look after your personal data?

It is important to us that you know your personal data is safe and we have a number of security policies and procedures to ensure that we protect your information at all times. We have a dedicated IT and Security team to ensure our systems are regularly monitored and maintained with up to date security software to protect against threats.

  • Only authorised people have access to your personal data and on a needs-only basis
  • Your personal data is stored in a secure environment hosted by us or third parties providing hosting services to us
  • We take steps to encrypt your personal data when it is stored and to prevent unauthorised access or loss
  • Secure transfer methods are used so your personal data is safe whenever it is shared
  • Secure destruction methods are used when we dispose of your personal data

 Who do we share your personal data with?

As well as with the commissioning client, we will need to share your personal data with partners, suppliers, agents and subcontractors as these third parties are essential to helping support research projects. We work with trusted third parties and ensure these relationships are managed using agreements that set out clear terms and handling instructions in line with our Data Protection policies.

These third parties will include:

  • Recruiters who find participants for research
  • Partner research agencies
  • Research viewing facilities
  • Web-streaming providers
  • Online research platform partners
  • Filming providers
  • Expert and Professional advisors e.g. IT service providers/lawyers
  • Research analysis tools and services

We recommend you review the third parties’ privacy policies if you use the relevant features.

Where else does your personal data go?

In the course of conducting our research activities, it may sometimes be necessary for us to transfer your personal data outside of the U.K. and EU to carefully selected partner and providers. Some countries have different standards of data protection and may not be as strict as those in the U.K. or in the EU. We ensure that these organisations meet the necessary compliance with data protection and have appropriate and adequate safeguards in place.  These transfers will be governed such as; by data processing agreements; standard contractual clause contracts; adequacy measures or other legal mechanisms. In addition, our clients receiving personal data from research outputs may share this data with other parties connected with the research, for research purposes only.

What we won’t do with your personal data

Your personal data will not be broadcast, put in the public domain, used for direct marketing purposes, automated profiling, sold to third parties or used for other purposes unless we have your explicit consent.

Know your rights – we respect them

You have a number of rights over your personal data and our aim is to fulfil these as best we can. Please contact us using the details below if you;

  • Want to withdraw your consent
  • Want to request that we delete, correct or restrict the use of your personal data
  • Want to know about or see the personal data we hold that belongs to you
  • Want to port or transfer your personal data
  • Have any concerns or questions about the ongoing processing of your personal data

Write to the Data Protection Officer, Firefish Ltd, 170-172 Tower Bridge Road, London, SE1 3LS or email

Regulatory Bodies

If you don’t think we’ve done enough or you want to lodge a complaint then you can contact our data protection supervisory authority. In the U.K., this is the Information Commissioner’s Office (“ICO”). Contact details can be found at and our registration reference is Z1512613.

In the U.K., our industry regulatory body is the Market Research Society (MRS) and we are bound by the MRS Code of Conduct and associated guidelines. Details can be found at

About Us

Firefish Ltd is an independent market research agency incorporated in England and Wales with a company registration of 03854900 and located at 170-172 Tower Bridge Road, London, SE1 3LS, U.K.

Updates To Privacy Policy – this policy may be updated from time to time without notice and you should always check that you are referring to the most recent version.

Policy effective date: 25th May, 2018

Policy version: V10_January_2024







© 2024 Firefish.