Last updated 14 January 2026.
1.
Introduction
1.1
We are UserNova Ltd, a company registered in England and Wales under company number 16936679 with its registered office at 5 Toynbee Road, Bristol, England, BS4 1DD (we, us or our). We operate a participant recruitment and research support business, connecting individuals who take part in research studies with organisations commissioning research. We are the controller responsible for your personal data and we are responsible for this website.
1.2
We comply with our obligations under the Data Protection Act 2018 and the EU law retained version of the General Data Protection Regulation ((EU) (2016/679) (UK GDPR) (data protection laws). If any of these laws are replaced or superseded, we will also comply with those.
1.3
We are registered with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (ico.org.uk), and our registration number is ZC075655. If you have any concerns about data protection, we would appreciate if you contacted us first so we can discuss these with you before you approach the ICO. You also have the right to make a complaint at any time to the ICO. For data protection matters, please email us at info@usernova.co.uk
(a)
We respect your privacy and are committed to protecting your personal data. This policy explains the terms on which we collect and process your personal data, and how we protect your personal data, such as when you:
(b)
visit our website at https://www.usernova.co.uk,
(c)
register your interest as a research participant or sign up to our participant panel via our website or other channels,
(d)
contact us with an enquiry, including via forms on our website,
(e)
engage us as a client commissioning research or participant recruitment services,
(f)
take part in research activities facilitated by us, or
(g)
when you otherwise engage with us.
2.
The data we may collect about you
2.1
Personal data/information means any information about an individual from which that person can be identified. It does not include anonymous data. We may collect, use, store and transfer different kinds of personal data about you, depending on whether you are a research participant, a prospective participant, a client, or a contact at a client organisation, which we have grouped together as follows:
(a)
Identity Data includes your full name, date of birth, age, gender, nationality, employer and job title (where you are a client or a contact at a client organisation).
(b)
Contact Data includes email address, telephone number, and home location (such as city or region), together with work contact details where you are referred by or contact us through a third party. We collect telephone numbers as part of participant sign-up and registration.
(c)
Financial Data includes bank account details or payment information where we make payments to you for participating in research activities, or where you pay us for our services.
(d)
Transaction Data includes details about payments to and from you and other details of the services you have purchased from us or research activities in which you have participated.
(e)
Technical Data includes internet protocol (IP) address, device identifiers, your login data, time of access, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
(f)
Profile Data includes information you provide when registering as a participant or completing forms, which may include demographic information, professional background, interests, lifestyle information, availability for research, survey responses and feedback, and any username and password (if applicable).
(g)
Usage Data includes information about how you use our website, forms, and services.
(h)
Marketing and Communications Data includes your preferences in receiving marketing or research-related communications from us and your communication preferences.
(i)
Aggregated Data such as statistical or demographic data for any purpose, is not considered personal data in law as this data will not directly or indirectly reveal your identity to us. We may aggregate your data to analyse trends in participant demographics, research engagement or website usage.
(j)
Special Category Data means special categories of personal data and includes information about your health, mental health, disability, race or ethnicity, criminal convictions, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, genetic and biometric data. In the context of research recruitment, we may collect Special Category Data where this is necessary to identify suitable participants for specific research studies, for example where research requires participants with particular health conditions, disabilities, or other protected characteristics.
3.
Do we collect special categories of personal data?
3.1
Under UK GDPR, there are certain types of personal data that are likely to be more sensitive and so these are given additional protections. These are referred to as ‘Special Category Data’ and include the following:
(a)
personal data revealing racial or ethnic origin;
(b)
personal data revealing political opinions;
(c)
personal data revealing religious or philosophical beliefs;
(d)
personal data revealing trade union membership;
(e)
genetic data;
(f)
biometric data (where used for identification purposes);
(g)
data concerning health (including physical or mental health conditions or disabilities);
(h)
data concerning a person’s sex life; and
(i)
data concerning a person’s sexual orientation.
3.2
Due to the nature of research participant recruitment, we may collect and process Special Category Data about you. This may occur where such information is necessary to assess your suitability for particular research studies, for example where research requires participants with specific demographic characteristics, health conditions, disabilities, lived experiences, or other protected characteristics.
3.3
We will only collect Special Category Data where it is necessary for a specific research purpose, and where we have a valid lawful basis to do so. In most cases, we will rely on your explicit consent, which will be obtained at the point you provide the information, for example when you register as a participant, complete a form, or agree to take part in a specific research activity.
3.4
Where you are recruited outside our website or participant panel, including via social media, third-party recruitment platforms, or direct outreach, we will obtain your consent before collecting or processing any Special Category Data in connection with a research study.
3.5
We treat Special Category Data with a high level of care and apply appropriate technical and organisational measures to protect it. Access to such data is limited to authorised personnel and, where shared with clients, this will be done only where necessary for the research and in accordance with the terms explained to you at the time.
3.6
We will only use Special Category Data for the purposes for which it was collected, namely to facilitate research participant recruitment and participation, and we will not use it for unrelated purposes.
3.7
You have specific rights in relation to your personal data, including Special Category Data. Further information about these rights can be found in section 15.
4.
How is your personal data collected?
We may use different methods to collect data from and about you including through:
4.1
Direct interactions. You may give us your Identity Data, Contact Data, Profile Data and, where relevant, Special Category Data by filling in forms on our website (including participant registration forms and enquiry forms), by corresponding or engaging with us by post, phone, email, social media or otherwise, by registering as a research participant, expressing interest in taking part in research, or engaging with us as a client commissioning research or participant recruitment services.
4.2
Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies implemented through our website platform and analytics tools. We may also receive Technical Data about you if you visit other websites employing our cookies. Further information about our use of cookies is set out in our cookies policy.
4.3
Third party sources. We may receive personal data about you from third parties, including:
(a)
third party participant recruitment platforms;
(b)
social media platforms or social media groups where individuals express an interest in participating in research; and
(c)
service providers involved in automating or managing our recruitment workflows,
in each case where you have indicated an interest in participating in research or have consented to your data being shared with us.
4.4
Public sources. We may collect personal data about you from publicly available sources, such as professional networking platforms, company websites or public registers, where this is relevant to contacting you in a professional capacity or assessing suitability for a research project.
4.5
Clients and employers. Where you are a contact at a client organisation, or where participation in research is arranged through an employer or organisation, we may receive your Identity Data and Contact Data from that organisation. We do not routinely collect Special Category Data from employers.
5.
How we use your personal data
We will only use your personal data when we can rely on a legitimate (lawful) basis, such as:
5.1
Contract: Where we need to perform a contract we are about to enter into or have entered into with you, including where you engage us as a client commissioning research or participant recruitment services, or where we have entered into a contract with your employer or organisation.
5.2
Legitimate Interests: Where it is necessary for our legitimate interests (or those of a third party), such as operating and developing our business, managing our participant panel, communicating with participants and clients, and facilitating research activities, and your interests and fundamental rights do not override those interests. Where required, we carry out a legitimate interests assessment to ensure this balance is met.
5.3
Legal Obligation: Where we need to comply with a legal or regulatory obligation, including record-keeping, tax, or responding to lawful requests from authorities.
5.4
Consent: We rely on consent where we have obtained your active agreement to use your personal data for a specified purpose, in particular where you register as a research participant, provide information through our website forms, or agree to take part in specific research activities.
Where we process Special Category Data, we will obtain your explicit consent unless another lawful basis applies. You have the right to withdraw your consent at any time, although this may affect our ability to include you in certain research activities.
6.
Purposes for which we will use your personal data
We have set out below, in a table format, a description of all the ways we plan to use the various categories of your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Purpose/activity
Type of data
Lawful basis for processing including basis of legitimate interest
To enable you to submit an enquiry to us, whether via our website, email or social media.
Identity
Contact
Legitimate interests - to respond to enquiries, manage our business communications and keep records of correspondence.
Contract - where your enquiry relates to services you wish us to provide.
To register you as a research participant or prospective participant, including creating and maintaining a participant profile or panel record.
Identity
Contact
Profile
Special Category
Consent - you actively opt in when registering or providing information. This may include contacting you by email, telephone or SMS for research purposes only, for example to invite you to participate in research, to confirm your participation, or to send reminders.
Explicit consent - where Special Category Data is processed to assess suitability for research activities.
To assess your suitability for, and invite you to take part in, specific research projects.
Identity
Contact
Profile
Usage
Special Category
Consent - to contact you about research opportunities.
Explicit consent - where Special Category Data is required for a particular research project.
Legitimate interests - to match participants with relevant research opportunities, subject to appropriate safeguards.
To share participant information with clients commissioning research, where necessary for the research activity.
Identity
Contact
Profile
Special Category
Consent - you will be informed of, and consent to, the sharing of your data as part of participation in a specific research activity.
Explicit consent - where Special Category Data is shared.
To manage our relationship with you as a client, including onboarding, communications, quotes and contracts.
Identity
Contact
Transaction
Contract - necessary to provide our services to you.
Legitimate interests - to manage client relationships and business operations.
To administer payments to research participants or receive payments from clients.
Identity
Contact
Financial
Transaction
Contract - to make and receive payments in connection with research activities and services.
To manage our relationship with you, including notifying you about changes to our terms, this privacy policy or our cookies policy, and dealing with requests, complaints or queries.
Identity
Contact
Profile
Marketing and Communications
Legal obligation - to comply with data protection and consumer protection laws.
Legitimate interests - to keep records accurate and respond to issues raised.
To administer and protect our business and our website (including troubleshooting, testing, system maintenance, support, reporting and hosting of data).
Identity
Contact
Technical
Legitimate interests - to operate our business securely and efficiently, prevent fraud and ensure IT security.
Legal obligation - to comply with statutory data security obligations.
To use data analytics to improve our website, services, participant recruitment processes and business operations.
Technical
Usage
Legitimate interests - to improve our services, understand how our website is used and develop our business.
To send marketing communications to clients or prospective clients, where permitted.
Identity
Contact
Marketing and Communication
Consent - where required by law.
Legitimate interests - to promote our services to business contacts, subject to your right to opt out at any time.
To comply with legal or regulatory obligations.
Identity
Contact
Transaction
Legal obligation - to comply with applicable laws, regulations and lawful requests from authorities.
7.
Direct marketing
7.1
We will only send you marketing communications where permitted by law. You will receive marketing communications from us if you have opted in to receive them, or, where you are a business contact and applicable law allows, where you have previously engaged with us and have not opted out.
7.2
Where permitted, we may use your Identity Data, Contact Data, Technical Data, Usage Data and Profile Data to understand which of our services may be relevant to you, so that we can send you relevant and proportionate marketing communications. This profiling will be limited to business development and service-related communications and will not involve automated decision-making that produces legal or similarly significant effects.
7.3
You can opt out of marketing communications at any time by following the unsubscribe links in our communications or by contacting us using the details set out in this policy.
8.
Third party marketing
We do not sell your personal data to third parties for marketing purposes. We will only share your personal data with a third party for their own direct marketing purposes where we have obtained your express consent to do so.
Any sharing of personal data with clients for research purposes is not carried out for marketing and is addressed elsewhere in this policy.
9.
Opting out of marketing
9.1
You can ask to stop sending you marketing communications at any time by following the opt-out links within any marketing communication sent to you or by contacting us at info@usernova.co.uk.
9.2
If you opt out of receiving marketing communications, you will still receive non-marketing communications where these are necessary, including service-related or research-related communications, for example:
(a)
communications about research projects you have agreed to take part in;
(b)
administrative messages relating to your participation or our services;
(c)
updates to our terms and conditions or this privacy and cookies policy; and
(d)
checking that your contact details are correct.
10.
Cookies
10.1
Our website uses cookies and similar technologies to distinguish you from other users of our website, to help it function properly, and to improve how it operates. We do not use cookies for behavioural advertising or targeted advertising purposes.
10.2
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you consent to us doing so. Cookies contain information that is transferred to your computer’s hard drive. Some pages may also include similar technologies, such as web beacons or pixels, which work in conjunction with cookies to help us understand how our website is used.
10.3
We display a cookie banner the first time you visit our website, which allows you to accept or reject non-essential cookies, or to customise your preferences.
10.4
We use the following cookies:
(a)
Strictly necessary cookies. These cookies are required for the operation of our website and cannot be switched off in our systems. They include, for example, cookies that enable basic website functionality and security.
(b)
Analytical or performance cookies. These cookies allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us understand how our website is used and improve its performance and functionality. We do not use these cookies to track users across other websites.
(c)
Functionality cookies. These cookies are used to remember choices you make and preferences you select, such as form settings or region preferences, in order to provide a more consistent experience.
10.5
When you first visit our website, a cookie banner lets you accept, reject or customise non-essential cookies. You can change your cookie preferences at any time by using the cookie settings tool available on our website. Most browsers also allow you to block or delete cookies through their settings. Further information about managing cookies can be found at www.allaboutcookies.org.
11.
Disclosures of your personal data
11.1
We may disclose your information in the following circumstances:
(a)
to our employees, workers and contractors who need access to your personal data to operate our business and provide our services, including participant recruitment and research support;
(b)
where we are under a legal obligation to do so, or where disclosure is necessary to protect our rights, property or safety, or those of others; and
(c)
where necessary to prevent fraud or other unlawful activity.
11.2
Where you are a research participant, we may share your personal data with clients who commission research, where this is necessary for the relevant research activity. This may include sharing identifiable information such as your name and contact details where the client needs to contact you directly, or where the nature of the research requires this.
We will inform you of the information to be shared and obtain your consent, including explicit consent where Special Category Data is involved.
11.3
We may share your personal data with third party participant recruitment platforms, research partners or intermediaries where you have indicated an interest in participating in research through those platforms, or where you have consented to such sharing.
11.4
We use a number of third party service providers (sub-processors) to support our business operations. This means that personal data may be shared with these third parties where necessary. The categories of sub-processors we use include:
(a)
website hosting and management providers;
(b)
form and data collection providers;
(c)
database and participant panel management providers;
(d)
automation and integration service providers;
(e)
analytics and performance monitoring providers;
(f)
payment processing providers; and
(g)
professional advisers, including lawyers, accountants, auditors and insurers.
11.5
In particular, we currently use the following key service providers:
(a)
Webflow, which we use to host and manage our website. Webflow is GDPR compliant and uses appropriate international data transfer mechanisms where personal data is processed outside the UK or European Economic Area (EEA).
(b)
Tally, which we use to collect information through online forms for participants and clients. Tally is based in Belgium and stores data on servers located in the EEA.
(c)
Airtable, which we use as a database and participant panel management tool. Airtable may process personal data outside the UK or EEA. Where this occurs, Airtable relies on appropriate safeguards for international data transfers, such as standard contractual clauses or other lawful transfer mechanisms, in accordance with applicable data protection laws.
(d)
Zapier, which we use to automate workflows between systems. Zapier is a US-based service provider and may process personal data in the United States and other jurisdictions. Zapier implements appropriate technical and organisational measures to protect personal data and uses lawful safeguards for international data transfers, including standard contractual clauses and other approved transfer mechanisms, in accordance with applicable data protection laws.
11.6
We require all third parties to respect the security of your personal data and to treat it in accordance with data protection laws. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process it for specified purposes and in accordance with our documented instructions.
12.
Data security
12.1
Data security is of great importance to us. To protect your personal data, we have put in place appropriate physical, electronic and organisational measures to safeguard and secure the personal data we collect. These measures include, but are not limited to:
(a)
storing personal data on secure, reputable third-party platforms that implement appropriate security controls;
(b)
using password-protected systems and accounts; and
(c)
restricting access to systems and data through role-based access controls and authentication measures.
(d)
storing data on secure platforms
(e)
password protected accounts.
12.2
We limit access to your personal data to those employees, agents, contractors and service providers who have a business need to know. They will only process your personal data on our instructions and are subject to duties of confidentiality. We have procedures in place to detect, report and investigate suspected personal data breaches and will notify you and the ICO where we are legally required to do so.
12.3
If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and take all necessary steps to limit the effects of the breach and prevent a recurrence.
12.4
Where we have given you, or where you have chosen, a password which enables you to access certain parts of our website or services, you are responsible for keeping that password confidential. We ask you not to share your password with anyone.
12.5
Unfortunately, the transmission of information via the internet is not completely secure. Although we take appropriate steps to protect your personal data, we cannot guarantee the security of personal data transmitted to our website or systems, and any transmission is at your own risk.
13.
International transfers
13.1
Some of our third-party service providers are based outside the UK or the EEA, or process personal data outside those locations. As a result, your personal data may be transferred outside the UK or EEA.
13.2
Whenever we transfer your personal data outside the UK or EEA, we ensure that appropriate safeguards are in place to protect it, in accordance with data protection laws. These safeguards may include:
(a)
transfers to countries which have been recognised as providing an adequate level of protection for personal data; or
(b)
the use of approved contractual safeguards, such as standard contractual clauses or the UK International Data Transfer Addendum, or other lawful transfer mechanisms.
13.3
We work with service providers that are required to implement appropriate technical and organisational measures to protect personal data and to comply with applicable data protection laws when processing personal data internationally.
13.4
You can contact us using the details set out in this policy if you would like further information about the safeguards we use when transferring personal data outside the UK or EEA.
14.
Data retention
14.1
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes for which it was collected, including for the purposes of providing our services, facilitating research activities, and satisfying any legal, regulatory, tax, accounting or reporting requirements. Retention periods will vary depending on whether you are a research participant, a prospective participant, or a client contact, and on the nature of the data collected.
14.2
Where you are a research participant or prospective participant, we will retain your personal data for as long as you remain registered with us or engaged in research activities, unless you request deletion or withdraw your consent earlier. We may retain certain information for longer where necessary to deal with queries, complaints, disputes, or potential legal claims.
14.3
Where you are recruited into a specific research project but do not proceed to participate, we will delete your personal data within a reasonable period following the conclusion of the recruitment process, unless we are required or permitted to retain it for another lawful purpose.
14.4
We will retain personal data relating to clients, including Identity, Contact, Financial and Transaction Data, for a period of up to six years after the end of the relevant client relationship, where required for tax, accounting or legal purposes.
14.5
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
14.6
You may request the deletion of your personal data at any time, as explained in section 15. Where we are unable to delete personal data immediately due to legal or contractual obligations, we will explain the reason and, where appropriate, restrict further processing of the data.
14.7
Once the relevant retention periods have expired, we will securely delete or anonymise personal data. We may retain anonymised data for research, reporting or statistical purposes, as anonymised data does not constitute personal data and may be used indefinitely.
15.
Your legal rights
15.1
You have several rights under data protection laws in relation to your personal data. These rights are not absolute and may be limited in certain circumstances, including where we are required to retain personal data to comply with legal, regulatory or contractual obligations. Your rights include the following:
(a)
Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
(b)
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
(c)
Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
(d)
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third-party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
(e)
You also have the absolute right to object any time to the processing of your personal data for direct marketing purposes (see ‘Opting out of marketing’ in section 9 for details of how to object to receiving direct marketing communications).
(f)
Request the transfer of your personal data to you or to a third-party. We will provide to you, or a third-party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
(g)
Withdraw consent at any time where we are relying on consent to process your personal data (see the table in section 6 for details of when we rely on your consent as the legal basis for using your data). However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
(h)
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:
i.
If you want us to establish the data's accuracy;
ii.
Where our use of the data is unlawful but you do not want us to erase it;
iii.
Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
iv.
You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
15.2
If you wish to exercise any of the rights set out above, please contact us at info@usernova.co.uk.
15.3
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
15.4
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
15.5
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
16.
Third party links
This website may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
17.
Changes to this privacy and cookie policy and your duty to inform us of changes.
17.1
We keep our privacy and cookie policy under regular review. This version was last updated on the date at the header of this policy.
17.2
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.