Privacy and Data Protection Policy

POS Insights Ltd
Hanham Hall, 7c Whittucks Road
Bristol BS15 3FR
Company Number: 8036439
VAT No. 135 896 671
Email: hello@posinsights.co.uk

We provide shopper insight, research and consultancy services.

This policy explains how we collect, use and protect personal data when you use our website, contact us, or take part in research activities as a client, partner or research participant.

1. Who we are and our role in data protection

POS Insights Ltd acts as either a data controller or a data processor depending on the activity.

We act as the data controller for enquiries, website use and our own business records.

For research projects, our role depends on who determines the purpose and scope of the data being collected:

  • We act as the data controller when we design the research approach, set the data requirements and manage the collection, handling and retention of participant information.

  • A client acts as the data controller when they define the purpose of the research, specify what personal data must be collected or require identifiable outputs such as interview recordings. In these situations, POS Insights Ltd acts as the data processor, following the client’s instructions. This includes situations where POS Insights recruits participants on behalf of a client who defines the data requirements; in these cases, we act as the data processor even though we manage the recruitment process.

2. What data we collect

We only collect information needed to run our business and deliver our services.

Client, enquiry and project-related information

When you contact POS Insights Ltd or work with us on a project, we may collect and store:

  • Contact details such as your name and email address

  • Business and project information shared during enquiries or project delivery

  • Confidential or commercially sensitive information you choose to share

  • Communication records needed to manage the project and maintain an accurate account of our work

Research participants

We collect the following types of information from research participants:

  • Basic contact information to arrange or confirm participation

  • Profiling or screening information to assess eligibility for a study

  • Responses and feedback provided during research activities

Personal data collected for research is securely deleted within three months of a study’s completion, unless you expressly agree to be contacted for future project opportunities.

Automatically collected information

We use tools such as Squarespace Analytics and Google Analytics to understand how visitors use our website. These tools use cookies to collect anonymised information such as device type, pages visited, general location and time on site.

Analytics cookies only run if accepted through our cookie banner.

3. How we use your data

We use personal data to:

  • Respond to enquiries

  • Deliver and manage research and consultancy projects

  • Recruit and manage research participants

  • Administer incentive payments

  • Maintain business and accountancy records

  • Meet legal and regulatory requirements

  • Understand and improve website usage through anonymised analytics

We do not sell personal data or use it for unsolicited marketing.

4. Our lawful bases for processing

Under UK GDPR, we rely on the following lawful bases:

Purpose - Lawful Basis

Responding to enquiries - Legitimate interests

Delivering client projects - Contract

Managing research participants - Consent or Legitimate interests

Accounting, tax and compliance - Legal obligation

Website analytics and performance - Legitimate interests

Storing client records - Legitimate interests

5. Who we share data with

We only share personal data with trusted providers and partners who help us deliver our services.  Depending on the work, this may include:

Service providers

  • Squarespace – website hosting, security, contact form storage, analytics

  • Microsoft 365 – email, document storage, project communication

  • iCloud – secure storage across devices

  • Google Drive – cloud-based document storage

  • Dropbox / WeTransfer – secure file transfers where required

  • Specialist market-research tools, including AI-assisted platforms used for data collection, processing and analysis

  • Cloud-based accounting software – managing bookkeeping and other accountancy requirements

Research partners

  • Recruitment agencies to arrange or confirm participation

  • Research moderators, interviewers or other business partners providing external support

  • Clients receiving identifiable research materials (e.g., recordings) where necessary for project delivery

All providers and partners are required to apply appropriate security measures and comply with UK GDPR.

We do not share data with third-party advertisers and never sell personal information.

6. How we handle client data

Client information is treated as confidential and handled in line with our contractual obligations, the MRS Code of Conduct and UK GDPR.

Client materials may be shared internally or with trusted specialist subcontractors where necessary to deliver the project.

AI and client data

Client information may be exchanged or discussed using professional communication tools that are widely used and suitable for business and research purposes.

For analysis or processing, we may use specialist market-research AI tools selected for their security, privacy controls and suitability for professional research use. We do not use open or consumer-grade AI platforms (such as generative AI tools) to analyse identifiable client information.

Where AI-assisted tools are used, we ensure that:

  • data is minimised (only information needed for the task is used)

  • personal identifiers are removed wherever possible

  • AI tools are selected for their security, privacy controls and suitability for professional research use

  • access is limited to authorised personnel involved in the project

  • AI outputs are reviewed by a human researcher before any conclusions or recommendations are produced

Any client material temporarily processed by AI-assisted tools is removed from those systems once the relevant stage of the project is complete.

7. How we handle research participant data

When you take part in research conducted by POS Insights Ltd, we ensure your data is handled responsibly and in line with the MRS Code of Conduct and UK GDPR.

You will always be informed about what data will be collected, how it will be used and the purpose of the study.  You may withdraw at any point before your data is anonymised or deleted.

Participant data is stored securely using reputable, GDPR-compliant tools, with access limited to those who need it for the project. Personal data collected for research is retained for no longer than three months after a study is completed, unless you expressly agree to be contacted for future work.  Incentive information is kept only for the time needed to issue payments and handle related queries.

We only share identifiable research materials (such as recordings or videos) with clients where necessary for the project. Once shared, clients act as independent data controllers and are responsible for their own privacy obligations.

AI and respondent data

Respondent interviews, transcripts, survey responses and other research materials may be collected using professional communication tools and processed using specialist market-research AI tools. These AI tools are selected for their security, privacy controls and suitability for professional research use.

Before any AI-assisted processing takes place, respondent data is anonymised and personal identifiers are removed, ensuring individuals cannot be identified.

AI tools may support a range of research activities, including thematic analysis, summarisation, pattern recognition, data organisation or the collection of certain types of research data. These tools are used only to support and accelerate human analysis, not to replace it.

All outputs generated by AI-assisted tools are reviewed, interpreted and validated by a human researcher before any findings or recommendations are produced.

Any respondent material temporarily processed by AI-assisted tools is removed from those systems once the relevant stage of the project is complete.

8. Your rights under UK GDPR

You have the right to:

  • Access your data

  • Correct inaccurate data

  • Request deletion

  • Withdraw consent (for research participation)

  • Restrict or object to processing

  • Request data portability

  • Complain to the ICO

To exercise these rights, please contact: hello@posinsights.co.uk. We aim to respond within five working days.

9. How long we keep information

We retain personal data only for as long as it is needed for the purposes for which it was collected, or to meet legal and regulatory obligations.

  • Client, project and financial records are kept for a minimum of 7 years to meet business, tax and accountancy requirements. We may retain certain materials for longer where this supports ongoing work, provides useful reference or meets legitimate business needs, unless you ask us to delete them and we are not legally required to retain them.

  • Contact form enquiries are kept for a minimum of 12 months if no further action is taken and deleted when no longer required.

  • Research participant data is retained for no longer than 3 months after a study is completed, unless you have agreed to future contact.

We periodically review stored information and securely delete anything no longer required.

10. Where your data is stored

We store information securely using reputable cloud-based services, including:

  • Microsoft 365: email, documents and project files

  • iCloud: secure storage across devices

  • Google Drive: cloud-based document storage (where required)

  • Dropbox, WeTransfer or similar: secure file transfers when necessary

  • Squarespace: website hosting, contact form submissions and analytics data

These providers use encrypted connections and maintain GDPR-compliant security standards.

Some data may be stored on servers outside the UK or EU. Where this occurs, providers apply approved international data-transfer safeguards to protect your information.

11. Cookies

Our website uses cookies to improve site performance and help us understand how visitors use the site.

Cookies may be used for:

  • Essential website functionality (such as security, page loading and navigation)

  • Website analytics, including Squarespace Analytics and Google Analytics, to gather anonymised information such as device type, pages viewed and general usage patterns

Analytics cookies only run if you accept them through our cookie banner. You can manage or disable cookies at any time through your browser settings, and you can withdraw your consent for analytics cookies at any time by revisiting the cookie banner or adjusting your browser settings.

A separate Cookie Policy provides more detail about the types of cookies used and how to control them.

12. Contact for data requests

If you have any questions or wish to exercise your GDPR rights, please contact: hello@posinsights.co.uk. We aim to respond within five working days.

Updates to this policy

We may update this policy occasionally. The latest version will always be available on this website.

Last updated: November 2025