Privacy & Cookies

Privacy Policy

Marketing Privacy Policy


Privacy Policy

Information is our business – we look after it

Firefish Ltd (Firefish, The Numbers Lab and The Pineapple Lounge) is known for excellence and quality and strives to be a trusted business partner. Integral to this is meeting our data protection responsibilities.

A fundamental part of our business is to gather and analyse data to help deliver research insights and strategic advice to our clients. Within our work this sometimes involves the collection and use of personal data. We are committed to protecting the personal data we collect, have access to, use, store and share, otherwise known as ‘processing’. This privacy policy sets out our approach to data protection in our research activities. In different research activities we may act as a Data Controller, a Joint Data Controller along with our client(s) or supplier(s) or a Data Processor for our client(s).

When we are acting as a Data Controller and Joint Data Controller our key privacy related responsibilities are:

  • Contacting you in connection with the research and administering your consent
  • Securely storing your personal data
  • Analysing the information that you provide during your market research activity
  • Securely sharing recordings and footage with carefully selected partners who assist us with the research
  • Responding to your privacy related requests
  • Deleting your personal data when it is time to

Each of these processing activities is described further below.

What personal data do we process?

The type of personal data we process will vary with each research project. Along with attitudes and opinions this will typically include:

  • Name and contact details (phone and email) to confirm attendance or for re-contact such as:
    • To discuss activity related to a project
    • To discuss input / answers
    • To discuss the further processing of personal data
  • Age, gender and location to ensure we speak to a demographically representative group of people
  • Address, if any research is to be conducted in a home
  • Bank details for incentives paid via BACS
  • Audio recordings and video footage
    • for the purposes of transcription, research analysis and reporting
    • to demonstrate and bring to life research findings for internal business uses
    • to update people connected to the research
  • Other types of personal data we may collect will be set out on a project by project basis. This may include sensitive personal data which we will only process with your explicit consent.

How do we collect and use personal data?

There are several ways we may collect or have access to personal data.

  • Directly from research participants
  • From a client’s, or other third party, database we have access to
  • From a panel provided by a client or other third party

We, like other organisations, have to process personal data lawfully.  The way we do this is to ensure we meet at least one of the following:

  • We have consent for research purposes, including parental consent for under 16s. Details of the personal data we will collect and how it will be used are explained before the research
  • We have established legitimate interests for the collection and use of personal data. This would include our internal quality control purposes, consent audits or any activities where it is not practical or possible to get consent
  • We are required by law or public interest to collect or disclose your personal data

How long do we keep your personal data?

We will only hold your personal data for as long as there is a legitimate business need or legal requirement to retain it.

  • Personal data we collect and use for research purposes will be held by us for 6 months after the project has finished, unless has been otherwise specified
  • Personal data that is included in the final research output will be held by us for a period of 7 years for our internal record keeping and archiving processes
  • Some personal data we have collected (i.e. photos/film clips), may be included in research outputs. These may be held by our clients for longer than 6 months and while there is still a valid purpose for its use in connection with the research. This will be subject to the client’s data privacy policy and security measures
  • Personal data files may exist for up to 6 months in our IT back-up system before being naturally overwritten
  • Name and attendance is recorded and held by us for a 2-year window for our internal quality control purposes. This excludes personal data that has originated from a client/third party database
  • Where we have paid the research incentive, we will hold a record of transaction or signature for 7 years, for tax audit purposes

How do we look after your personal data?

It is important to us that you know your personal data is safe and we have a number of security policies and procedures to ensure that we protect your information at all times. We employ a specialist IT provider to ensure our systems are regularly monitored and maintained with up to date security software to protect against threats.

  • Only authorised people have access to your personal data and on a needs-only basis
  • Your personal data is stored on secure servers hosted by us or third parties providing hosting services to us
  • We take steps to encrypt your personal data when it is stored and to prevent unauthorised access or loss
  • Secure transfer methods are used so your personal data is safe whenever it is shared
  • Secure destruction methods are used when we dispose of your personal data

Who do we share your personal data with?

As well as with the commissioning client, we will need to share your personal data with partners, suppliers, agents and subcontractors as these third parties are essential to helping make a research project happen. We work with trusted third parties and ensure these relationships are managed using agreements that set out clear terms and handling instructions.

These third parties will include:

  • Recruiters who find participants for research
  • Partner research agencies
  • Research viewing facilities
  • Web-streaming providers
  • Online platform partners
  • Filming providers
  • Expert and specialist advisors
  • Transcribers

Where else does your personal data go?

In the course of conducting our research activities, it may sometimes be necessary for us to transfer your personal data outside of the U.K. and EEA to carefully selected partner and providers. Some countries have different standards of data protection and may not be as strict as those in the U.K. or in the EU. We ensure that these organisations meet the necessary compliance with data protection and have appropriate and adequate safeguards in place.  These transfers will be governed such as; by data processing agreements; standard contractual clause contracts; adequacy measures or other legal mechanisms. In addition, our clients receiving personal data from research outputs may share this data with other parties connected with the research, for research purposes only.

What we won’t do with your personal data

Your personal data will only be used for research purposes. Your personal data will not be broadcast, put in the public domain, used for direct marketing purposes, automated profiling, sold to third parties or used for other purposes unless we have your explicit consent.

Know your rights – we respect them

If you are an EU/UK citizen, you have a number of rights over your personal data and our aim is to fulfil these as best we can. Please contact us using the details below if you;

  • Want to withdraw your consent
  • Want to request that we delete, correct or restrict the use of your personal data
  • Want to know about or see the personal data we hold that belongs to you
  • Want to port your personal data
  • Have any concerns or questions about the ongoing processing of your personal data

Write to the Data Protection Officer, Firefish Ltd, 170-172 Tower Bridge Road, London, SE1 3LS or email

Regulatory Bodies

If you don’t think we’ve done enough or you want to lodge a complaint then you can contact our data protection supervisory authority. In the U.K., this is the Information Commissioner’s Office (“ICO”). Contact details can be found at

In the U.K., our industry regulatory body is the Market Research Society (MRS) and we are bound by the MRS Code of Conduct and associated guidelines. Details can be found at

About Us

Firefish Ltd is an independent market research agency incorporated in England and Wales with a company registration of 03854900 and located at 170-172 Tower Bridge Road, London, SE1 3LS, U.K.

Updates To Privacy Policy – this policy may be updated from time to time without notice and you should always check that you are referring to the most recent version.

Policy effective date: 25th May, 2018

Policy version: V6_2021

Marketing Privacy Policy

Firefish Ltd is serious about the privacy of your data.

We only collect the information needed to deliver and manage our newsletter and marketing communication or to respond to any requests you send to us. If you opt in to receive marketing communication from us, you accept the practices set out in this policy.

What data is collected?

  • Name
  • Email address
  • Company Name
  • Country
  • IP address

What happens to your data?

In order to technically support our marketing communication we use the following third party software providers: Moosend – our email marketing platform, and; Highrise – our CRM system.

Moosend have partnered with a global infrastructure provider and host all of our customer data within the EU. They are ISO27001 certified and GDPR compliant.

Highrise’s services are provided from the U.S. and provide the levels of data security and protection required by data protection law specified in an EU Standard Contractual Clause agreement. Should you wish to find out more you can view their privacy policies on their websites by clicking the links above.

Data security and retention

Any data exchanges between us and our providers are by secure transfer. Any data held by Firefish is stored on our secure server for 1 month and can only be accessed by certain approved members of staff. Data is otherwise held securely by the software providers on their systems. Data is retained in order to record your preferences and to ensure you only get the communication you’ve chosen to receive from us.

What we won’t do with the data

Firefish Ltd will not use your personal data for profiling, to send unsolicited emails or to pass it to other third parties without your express consent.

Your data choices  

If you no longer wish to receive marketing communication from us, or update your marketing preferences, then you can do so by using the links at the bottom of any email marketing we send you now or in the future. Alternatively, you can send an email to with the subject UNSUBSCRIBE. Please allow 72 hours for your details to be removed from our system.

Want to get in touch?

Write to: Data Protection Officer, 170-172 Tower Bridge Rd, London, SE1 3LS


Policy Version: V5.2021

Note: This policy only applies to this website. Other sites may vary.

We May Use Cookies

What are cookies?

Cookies are files containing small amounts of information which are downloaded to your computer when you visit a website. Cookies are then sent back to this website on each subsequent visit (1st party cookies) or to another website that recognises that cookie (3rd party cookies).

Why are cookies used?

Cookies do lots of different and useful jobs, such as remembering your preferences and generally improving your online experience. Some cookies collect anonymous data about your computer and browsing history for statistical purposes.

There are different types of cookie:

Session cookies enhance the experience of your visit and are deleted when you close your browser.

Persistent cookies last after you have closed your browser and allow the website to remember your actions and preferences.

Strictly necessary cookies are essential in order to enable you to move around the website and use its features.

Performance cookies collect information about how you use the website.

Functionality cookies allow the website to remember choices you make.

Why do Firefish use cookies?

We use _utm cookies to support the video on our website via our 3rd party video host, Vimeo. We use exp_ cookies for Google Analytics tracking, to help us analyse how our website is used and to provide the maps and to show our locations in relation to where you are. This information will be subject to Google’s privacy policy  We also use a cookie for site administration, to make sure only those authorised are logging in.

Your choice about cookies

Cookies are used to enhance your user experience now and in future visits and they may collect anonymous data as a result. If you want to restrict or block the cookies, you need to do this through the settings for each browser you use and on each device you use to access the internet. If you visit this will give you more information and instructions about blocking cookies on different browsers. Please note this is a 3rd party website and is subject to change. Firefish are not responsible for anything that happens to your computer or device in visiting 3rd party websites.

If you do not block cookies to this website, we will take this as agreement to their use as described. We may make changes to this policy from time to time, which will be binding under the same agreement. Alternatively, you can accept or reject cookies, even if you have previously selected a different option, using one of the buttons below: