Something Exciting Ltd is committed to protecting your personal information. Our Privacy Policy gives you detailed information on when and why we collect your personal information, how we use it and how we keep it secure.

This Policy also sets out your right to request that we delete, update, transfer or provide you with access to your personal information.

This Privacy Policy sets out how Something Exciting Ltd uses and protects any information that you give when you use this website.

Something Exciting Ltd (“we”, “our”, “us” or “the Company”) values and respects the privacy of everyone who visits somethingexciting.co.uk (“our site”). Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

Use of this website indicates your acceptance of this Privacy Policy.

What does this Policy cover

This Privacy Policy applies only to your use of our site. Our site may contain links to other websites. We do not have any control over those other websites and therefore cannot be responsible for the protection and privacy of any information which you provide whilst visiting them. We advise you to check the privacy policies of any such websites before providing any data to them.

What information we collect from you

Depending on your use of our site, we may collect some or all of the following personal data (please also see “Use of cookies”):

Information you give us. This is information about you that you give us by filling in forms on our site, or by corresponding with us by phone, email, or otherwise. It includes, but is not limited to, information you provide when you complete the ‘Contact form’, contact us with regards to a job application, participate in social media functions on our site, and/or when you report a problem with our site. The information you give us may include your name, job title contact information (e.g. email address or telephone number), demographic information such as postcode, your preferences and interests, and other information relevant to customer surveys and/or offers.

Information we collect about you. With regards to each of your visits to our site, we will automatically collect the following:

Technical information, including the internet protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating systems and platform

Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed or searched for, page interaction information (such as scrolling, clicks and mouse-overs), and both identifiable and unidentifiable data via digital methodology.

We collect information as a result of you giving your feedback, subscribing to our newsletters and any other information that you choose to send us.

Use of cookies

Cookies are small text files that are placed on your computer or mobile device when you visit almost all websites. Cookies do not recognise you personally and are not harmful to your computer or mobile device. Cookies help analyse web traffic and allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

How we use your information

Our use of your personal data will always have a lawful basis, and we will never sell, share or rent your personal data without prior consent. We collect personal data to understand your needs and provide you with a better service. Specifically, we may use your data for the following purposes:

Improving our products and services;

Personalising and tailoring your experience on our site, according to your interests;

Supplying our products and services to you (please note that we require your personal data in order to enter into a contract with you);

Replying to emails from you;

Supplying you with emails about new products, special offers or other information which we think you may find interesting that you have opted in to using the email address which you have provided (you may unsubscribe or opt-out at any time by contacting us.

Market research purposes;

Analysing your use of our site to enable us to continually improve our site and your user experience.

You have the right to withdraw your consent to us using your personal data at any time, and to request that we delete it. If you would like to do this, please contact us.

How long we store your personal data for

We only keep your personal data for as long as we need, in order to use it for the reason(s) it was first collected (“How we use your information”). If you would like us to delete it sooner, please contact us. Please see our Data Retention Policy for more information.

Where we store your personal data

Your data will only be stored within the European Economic Area (“the EEA”, which consists of all EU member states plus Norway, Iceland, and Lichtenstein).

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

Please see our Data Protection Policy for more information.

Sharing your information

Subject to the exceptions below, we will not share any of your data with any third parties.

In certain circumstances, we may be legally required to share certain data held by us, which may include your personal data, for example, where we are involved in legal proceedings, where we are complying with legal obligations, a court order, or a governmental authority.

Your rights

As a data subject, under the Data Protection Act 2018 you have the right to:

be informed about our collection and use of personal data;

request a copy of all personal data which we hold about you;

require inaccurate data which we hold about you to be corrected and rectified;

require us to erase any personal data we hold about you where:

the original purpose for which we obtained your personal data has expired;

you have withdrawn your consent to us holding your personal data;

you consider us to be unlawfully processing your personal data;

you object to us processing your data on the basis of our legitimate interests;

have your personal data transferred to us to another data controller or to us from another data controllers; and

restrict us from processing your personal data whilst any dispute that may arise between us is being resolved.

You can:

Exercise your right to prevent processing of personal data for marketing purposes by checking certain boxes on the forms we use to collect your data.

Restrict our use of cookies (“Use of cookies”).

Exercise any of your rights, including the right to withdraw your consent, at any time by contacting us.

How can you access your data?

You have the right to ask for a copy of any of your personal data held by us. Please contact us for more details.

Contacting us

If you have any questions or complaints regarding our Privacy Policy or associated practices, please contact us by email at Hello@SomethingExciting.co.uk

Should you have an unresolved privacy or data use concern that we have not addressed satisfactorily, you have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioners Office.

Changes to Our Privacy Policy

We may change this Privacy Policy from time to time. Any changes will be immediately posted on our site and you will be deemed to have accepted the terms of the Privacy Policy on your first use of our site following the alterations. We recommend that you check this page regularly to keep up-to-date.

This Policy sets out the obligations of Something Exciting Ltd (“we”, “us”, “our”, “the Company”) regarding data protection and the rights of consumers, customers and business contacts (“data subjects”) in respect of their personal data under the Data Protection Act 2018.

The procedures set out in this Policy must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.

The Data Protection Officer is responsible for ensuring implementation and compliance with the requirements of the Data Protection Act 2018 and this Policy. That role is held by Darren Hanley (Email: Darren@SomethngExciting.co.uk). Any questions or concerns about this Policy should be referred in the first instance to the Data Protection Officer.

Our commitment to data protection

Something Exciting Ltd takes the issues of data protection and information security very seriously. We are committed not only to the letter of the law, but also to the spirit of the law. We place high importance on the correct, lawful and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals we work with.

We abide by the requirements of the Data Protection Act 2018 and by professional codes of conduct established by the Market Research Society (MRS) and by the Association of Qualitative Researchers (AQR).

DEFINITIONS

Data is information which is stored electronically on a computer, telephone, voice recorder or other device, or in the cloud, or in paper-based filing systems.

Data subjects for the purposes of this policy include all living individuals about whom we hold personal data. All data subjects have legal rights in relation to their personal data.

Personal data is data which relates to a living individual who can be identified from that data (or from that data and other information in our possession, or which is likely to come into our possession). Personal data can be factual (such as a name, address, or date of birth) or it can be an opinion (such as a performance appraisal).

Special category data (or sensitive personal data) includes information about the data subject’s racial or ethnic origin; their political opinions; their religious or similar beliefs; trade union membership; their physical or mental health condition; their sexual life; their genetics; their biometrics (if used for ID purposes); the commission or alleged commission by them of any offence; or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, usually with the express consent of the data subject.

Data controllers are the people or the organisation which determine the purposes for which, and the manner in which, any personal data is processed.

Data users include employees whose work involved using personal data. Data users have a duty to protect the information they handle by following our data protection and security policies at all times.

Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.

The information we collect

Something Exciting Ltd is a market research agency. We conduct qualitative and quantitative research on behalf of our clients. As part of our business activities, we will collect, store and process personal information about consumers and customers of our clients. This data can be collected directly from data subjects or obtained from third parties.

Research data

We conduct qualitative research to explore consumer opinions in detail, in both face-to-face sessions (group and individual) and in online communities and forums. As part of this, we collect personal data during the screening and interviewing processes. Our quantitative survey work involves the sizing and validation of personal level data in large scale surveys, where we collect responses from the general public. This data is aggregated and anonymised, and not attributable to an individual respondent; this type of data therefore does not count as personal data.

Client supplied customer data

We are occasionally required to use client supplied customer data to identify and reach eligible research sample for both qualitative and quantitative research projects. This typically includes customer name and contact details, and occasionally previous purchase behaviours/identified relationship with the client. We use third party recruitment agencies to process this personal data for screening and recruitment. In these cases, an agreement on data processing is concluded with each agency.

Information about our clients

We collect, store and process personal information about our clients, typically in the form of name, job title, email addresses, telephone numbers.

Information about our employees

For our staff, the types of information that we may be required to handle include details of current, past and prospective employees, address and telephone number, and bank account details for payment of salary. This information, which may be held on paper or on computer, is subject to certain safeguards specified in the Data Protection Act 1998 (“the Act”). The Act imposes restrictions on how we may use that information.

Regardless of the source and type of personal data, we will:

only use and process personal data for purposes that we have informed individuals about and obtained consent for;

always be transparent about the personal data we collect and how we use it; and

always store and transfer personal data securely.

Data protection principles

When processing personal data, we comply with the principles set out in the Data Protection Act 2018. According to the Data Protection Act 2018, all personal data must be:

Processed lawfully, fairly, and in a transparent manner. Data subjects should be kept informed at all times of the purpose(s) for which their personal data will be used.

Collected for specified, explicit, and legitimate purposes only. In limited circumstances, personal data may also be further processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Adequate, relevant, and limited to what is necessary for the purposes for which data is processed.

Accurate and, where necessary, up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay.

Kept only for as long as is necessary for the purpose(s) for which that personal data was originally collected, held and processed. All such retention is fully compliant with the requirements of the Data Protection Act 2018.

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

Your rights

The Data Protection Act 2018 sets out the following rights applicable to data subjects:

The right to be informed;

The right of access;

The right to rectification;

The right to erasure (also known as the ‘right to be forgotten’);

The right to restrict processing;

The right to data portability;

The right to object; and

Rights with respect to automated decision-making and profiling.

Keeping you informed

Whenever we collect personal information directly from data subjects, we inform them of its purpose at the time of collection through our Notices and Privacy Policy. Where personal data is obtained from a third party, the data subject will be informed of the purpose when communication is first made, before the data is transferred to us, or as soon as reasonably possible after the personal data is obtained (whichever is most relevant to the purpose).

This Data Protection Policy provides full information about your rights and our responsibilities under the Data Protection Act 2018.

Subject access requests

Any individual whose data is held by Something Exciting Ltd may make a subject access request (“SAR”) at any time to find out more about the personal data we hold about them, what we are doing with that personal data, and why. All requests must be made in writing to the Data Protection Officer at the following email address: Hello@SomethingExciting.co.uk). Any member of staff who receives a written request should forward it to the Data Protection Officer immediately.

Responses to SARs will normally be made within one month of receipt, however this may be extended is the SAR is complex and/or numerous requests are made. We will inform the data subject if we need more time to respond to the request.

We do not charge a fee for the handling of SARs. We reserve the right to charge reasonable fees for additional copies of information that have already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

Rectification of your personal data

Data subjects have the right to require us to rectify any of their personal data that is accurate or incomplete. In such instances, we will rectify the data in question, and inform the data subject of the rectification, within one month of the data subject informing us of the issue. This may be extended in the case of complex requests. We will inform the data subject if we need more time to respond.

If any affected personal data has been disclosed to third parties, they shall be informed of any rectification that must be made.

Erasure of your personal data

Data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) when:

Personal data is no longer required for the purpose for which it was originally collected and processed;

They withdraw their consent;

They object to the processing of their personal data, and we have no overriding legitimate interest;

Personal data is processed unlawfully (i.e. in breach of the Data Protection Act 2018;

Personal data has to be erased to comply with a legal obligation.

Unless we have reasonable grounds to refuse the request, all requests for erasure will be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. This may be extended in the case of complex requests. We will inform the data subject if we need more time to respond.

If any personal data that is requested to be erased has been disclosed to third parties, they shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

Restriction of personal data processing

Data subjects may request that we cease processing the personal data it holds about them. If a data subject makes such a request, we will retain only the amount of personal data concerning that data subject that is necessary to ensure that the personal data in question is not processed further.

If any affected personal data has been disclosed to third parties, they shall be informed of the applicable restrictions (unless it is impossible or would require disproportionate effort to do so).

Objections to personal data processing

Data subjects have the right to object to us processing their personal data based on legitimate interests, direct marketing (including profile), and processing for scientific and/or historical research and statistics purposes.

If a data subject objects to our processing their personal data based on its legitimate interests, we shall cease such processing immediately, unless it can be demonstrated that our legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.

Where a data subject objects to our processing of their personal data for direct marketing purposes, we shall cease such processing immediately.

Data retention

When personal data is no longer required (either upon the expiry of stated data retention periods, or when a data subject exercises their right to have their personal data erased), all reasonable steps will be taken to erase or otherwise dispose of it without delay.

For full details of our approach to data retention, including retention periods for specific types of personal data, please refer to our Data Retention Policy.

Data security

We will ensure that all personal data collected, held and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

Data security — transferring and handling personal data

We will ensure that all personal data collected, held and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

We ensure the following measures are taken with respect to all communications and other transfers involving personal data:

All emails containing personal data are password protected and marked ‘confidential’;

Personal data is transmitted over secure networks only;

Personal data contained in the body of an email, whether sent or received, is copied from the body of the email and stored securely. The email and associated temporary files are deleted;

Where personal data is to be transferred in hardcopy form it is passed directly to the recipient, or sent via a reputable delivery firm using a tracked and signed-for delivery service;

All personal data is handled with care at all times. It is never left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time, whether in physical hardcopy (i.e. on paper) or viewed electronically) i.e. on a computer screen.

Data security — storage

We ensure that the following measures are taken with respect to the storage of personal data:

All electronic copies of personal data are stored securely using password protection.

All hardcopies of personal data, along with any electronic copies stored on physical, removable media is stored securely in a locked box, drawer, cabinet, or similar;

All personal data stored electronically is backed up three times day with backups stored securely off-site. All backups should be encrypted [using 256 bits encryption and re-encrypted at rest].

No personal data is stored on any mobile device (including, but not limited to laptops, tablets, and smartphones). When it is unavoidable, storage is strictly in accordance with all instructions and limitations above, and for no longer than is absolutely necessary; and

No personal data is transferred to any device personally belonging to an employee. Personal data may only be transferred to devices belonging to agents, contractors, or other parties working on our behalf when the party in question is fully compliant with the letter and spirit of this Policy and of the Data Protection Act 2018 (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).

Data security — IT security

We ensure that the following measures are taken with respect to IT and information security:

All passwords used to protect personal data are changed regularly and do not use words or phrases that can be easily guessed or otherwise compromised;

Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on our behalf.

All software (including, but not limited to, applications and operating systems) is kept up-to-date. Any and all security-related updates are installed as soon as reasonably and practically possible after the updates are made available by the publisher or manufacturer.

Data security — disposal

When any personal data is to be erased for any reason, it is securely deleted and disposed of. For further information on the deletion and disposal of personal data, please refer to our .

Organisational measures

All employees are fully trained and supervised to ensure their compliance with the Policy (i.e. via spot checks). They are reminded to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise. Employees will only have access to, and use of, personal data when required to carry out their assigned duties.

All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the Data Protection Act 2018 and this Policy. Where any agent, contractor or other party working on behalf of Something Exciting handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.

Transferring personal data to a country outside the EEA

From time to time we may transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA. If we do transfer data outside the EEA, we will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the UK under the Data Protection Act 2018. This could include (but is not restricted to) asking for your informed consent or determining that the transfer is to a country (or international organisation), or that the European Commission has determined ensures an adequate level of protection for personal data).

Data protection impact assessments

We will carry out data protection impact assessments for new projects or new uses of personal data that involve the use of new approaches, technologies and/or third-party suppliers, and the processing involved is likely high risk in terms of the rights and freedoms of data subjects under the Data Protection Act 2018. Data protection impact assessments will be overseen by the Data Protection Officer.

Data breach notification

All personal data breaches must be reported immediately to the Data Protection Officer.

If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer will ensure that the Information Commissioner’s Office is informed of the breach within 72 hours after having become aware of it.

In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described above) to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.

Implementation of policy

This policy is effect as of July 2022. No part of this Policy shall have a retroactive effect and shall thus apply only to matters occurring on or after this date.

We shall not keep personal data for any longer than is necessary for the purposes which that personal data was originally collected, held and processed.

When establishing and reviewing retention periods, we take into account the type of personal data and the purpose(s) for which it is collected, held and processed. Different types of personal data, used for different purposes, will be retained for different periods, as set out below:

Types of personal data: Client-provided customer records (typically including name, contact information and transaction details)

Purpose: Provided by clients with the purpose of contacting relevant customers to take part in market research

Retention period: 4 weeks after completion of project

Types of personal data: Respondent profile details (typically including name, contact information, demographics such as age and gender)

Purpose: To ensure respondent profile fits purpose of the research, and to allow tailoring of questions to respondent

Retention period: 3 months after completion of project

Types of personal data: Static, video and audio recordings that include personally identifiable information

Purpose: To support analysis of the research

Retention period: 12 months after completion of project

Types of personal data: Static, video and audio recordings that include personally identifiable information

Purpose: Use as part of a presentation, report or edited video (e.g. to bring the findings to life, or share with client)

Retention period: 12 months after completion of project – unless otherwise agreed

Types of personal data: Consumer-provided photos, videos and audio files that include personally identifiable information

Purpose: To support analysis of the research

Retention period: 12 months after completion of project

Types of personal data: Consumer provided photos, videos and audio files (anonymized)

Purpose: Use as part of a presentation, report or edited video (e.g. to bring the findings to life, or share with client)

Retention period: Indefinitely held by client

Any changes to the above will be clearly stated in our Notices, and are strictly opt-in. Data subjects will not be notified if data is deleted before the retention period ends.

In limited circumstances, it may also be necessary to retain personal data for longer periods, including for archiving purposes that are in the public interest, for scientific or historical research purposes, or for statistical purposes. All such retention is fully Data Protection Act 2018 compliant.

Your rights

Under the right to erasure (or “right to be forgotten”), data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) when:

Personal data is no longer required for the purpose for which it was originally collected and processed;

They withdraw their consent;

They object to the processing of their personal data, and we have no overriding legitimate interest;

Personal data is processed unlawfully (i.e. in breach of the Data Protection Act 2018);

Personal data must be erased to comply with a legal obligation.

Data disposal

Upon the expiry of the data retention periods set out below, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed or otherwise disposed of as follows:

Personal data stored electronically shall be deleted, including all backups (both physical and held in the Cloud).

Personal data stored in hard copy form shall be shredded and recycled.

All third-party data processors (such as fieldwork agencies), who process personal data on our behalf, or third-party data users (such as our end clients) will be prompted to delete all personal data and special category personal data as above. We will request written confirmation in all cases.