At a glance
Who we are
Thiscovery unlocks insights from people who use, deliver and influence health and care services. We help organisations create better products, policies and services.
We combine expert teams, an online platform, and a growing crowd of engaged participants.
THIS Labs runs Thiscovery. THIS Labs is a partnership between THIS Institute (at the University of Cambridge) and The Health Foundation.
What we do with your information
We use your information to:
- Connect you with health and care research that matches your interests
- Run our services safely
- Help deliver projects and communities that improve health and care
Your control
You choose what information to share. You can change your mind at any time. You have full rights over your personal information.
Your information is safe
We keep your information secure and up to date. We store information in the UK or EU. We never sell your information.
Questions?
Contact our Data Protection Officer: DPO@thiscovery.org
Who we are and how to contact us
About Thiscovery
Thiscovery gathers knowledge and experience from patients, NHS staff, and the public.
We combine:
- Our team of experts in research methods and communications
- Our accessible online platform
- Our growing crowd of engaged participants
THIS Labs runs Thiscovery. THIS Labs is a partnership between:
- THIS Institute (a research centre at the University of Cambridge)
- The Health Foundation
Data protection officer
Our data protection officer looks after all privacy matters.
Email: DPO@thiscovery.org
Address: THIS Labs, c/o Regus, Chivers Way, Histon, Cambridge, CB24 9AD
Response time: We aim to respond in 2 working days.
Urgent concerns: Email DPO@thiscovery.org with "URGENT" in the subject line.
Make a complaint: You can contact the Information Commissioner's Office (ICO). But we'd like to help fix your concern first.
How we use your information
When you visit our website
What we collect:
- How you use our website (which pages you visit, how long you spend)
- Your device and browser type
- Cookies (see our Cookie Settings for full control)
Why we collect it:
- Keep our website working
- Make the website better
- Keep the website secure
Legal reason:
We must use necessary cookies. Other cookies need your permission.
When you join research or engagement projects
What information might be collected:
Each project is different. We always explain clearly before you take part. Each project has its own information page and privacy notice.
Examples of information that might be collected:
- Basic information (age, location, role)
- Health information
- Your work background and experience
- Your answers to survey questions
- Interview recordings (if you agree)
- Photos or other files you choose to upload
What we do with it:
- Run the research or engagement project
- Give information and results to the organisation that commissioned the research (usually NHS organisations, universities, healthcare charities or digital health companies)
How your information is protected:
- All information is encrypted (scrambled) and stored safely
- Only authorised Thiscovery research staff can access your information during projects
- How your information is shared varies by project (some share only summary reports with no names, others share data with your name removed)
- Each project's privacy notice explains exactly what is shared, with whom, and how your privacy is protected
Legal reason:
This varies by project. It's always clearly stated in the project information.
- Public task: For NHS organisations, universities, and government doing research as part of their official work
- Legitimate interests: For research with clear benefits and small privacy impact
- Consent (your permission): For sensitive research topics or when other legal reasons don't fit
Each project explains which applies and why.
More details:
Each project gives you full information before you take part:
- Who is running the project and why
- What taking part involves
- How your information will be used and protected
- Who will see your information
- How long it will be kept
- Your rights and how to use them
Research rules:
Some rights may be limited for research to keep results valid. Any limits are explained clearly before you take part. You can choose not to take part if you're not comfortable.
When you join our communities
Extra information we collect:
- Your location and member type
- Community-specific information (always optional)
- What you do in the community (posts, comments, files you share, events you join)
- Your preferences for updates and notifications
What we do with it:
- Make community features work safely
- Help collaborative projects and knowledge sharing
- Send community updates and invitations (based on your preferences)
- Support community members
- Improve the community (using data with no names)
Legal reason:
Your permission to join. Then usually legitimate interest for managing discussions and keeping the platform safe.
When you join our Thiscovery "crowd" to be kept up to date on activities and research opportunities
Required information:
- Name and email address
- If relevant, projects you have taken part in previously (but never any answers you gave in these projects)
What we do with it:
- Keep you updated about Thiscovery
- Send you information about projects you might be interested in
- Improve our platform based on feedback and how people use it
What we don't do:
- We don't make automatic decisions about you
- We never sell your information
- We never share your information for marketing
Legal reason:
Your permission.
When you take part in user research
We sometimes do research about Thiscovery to help us improve our services.
What we might collect:
- Your experience using Thiscovery
- Your suggestions for improvements
- Basic information to make sure we hear from diverse people
- Banking information (if we pay you for your time)
Legal reason:
Your permission. You can change your mind at any time.
Client services
When organisations work with us
What we collect:
- Business contact details
- Company information
- Banking details (for payments)
Legal reason:
Contract and legal requirement.
Your rights and choices
Your rights
You have full rights over your personal information:
Response time: We respond within 30 days (or explain if we need longer)
No charge: Using your rights is free (unless requests are clearly unreasonable)
Special rules for research data
Research sometimes needs special rules to keep results valid and reliable.
When we might limit your rights:
Deletion: We can't delete your answers after analysis starts. This would affect research reliability and make findings incomplete. You can still withdraw from future contact.
Correction: You can't change past survey answers once submitted. This protects research integrity. But you can add extra information or context.
Access: We can't provide raw research datasets as these contain other participants' information. You can get a summary of your contributions.
Why these limits exist:
- To maintain scientific validity of research findings
- To ensure research conclusions remain reliable
- To prevent research results being accidentally influenced
- To protect other participants' information
Your protection:
- We only limit rights when absolutely necessary
- We always explain any limits before you take part
- You can choose not to participate if you're not comfortable
- You can always withdraw from future contact
- These limits are reviewed regularly and must be justified
If you have concerns about how your rights have been limited, contact DPO@thiscovery.org
What you hear from us
Control what we send you:
Project invitations: You can opt out at any time by emailing hello@thiscovery.org
Community updates: You can customise notifications for each community you join
Platform updates: Essential service information only
Project results: If you took part and want to hear outcomes
Update your preferences:
- Email hello@thiscovery.org for overall preferences
- Contact project teams for project-specific preferences
- Use community platform settings for community notifications
- Contact community administrators for community-specific preferences
How we protect your information
Keeping your information safe
We keep your information secure, accurate and up to date. We only keep it as long as needed.
Technical protection:
- Encryption (scrambling) for information in transit and stored
- Secure data centres with regular monitoring
- Multi-factor authentication for staff access
- Regular security testing
- Firewall protection and secure networks
Organisational protection:
- Staff background checks and security training
- Strict access controls (staff only see what they need)
- Clear data protection policies and procedures
- Regular security audits and checks
- Clear plans for responding to incidents
Standards we follow:
- Regular independent security checks
- UK government Cyber Essentials Plus framework
- Market Research Society and other relevant research data security standards
Important note:
We use strong security measures once we have your information. But sending information over the internet is never 100% safe. We do our best to protect information. But we can't guarantee security of information you send to our website. You send it at your own risk.
How long we keep your information
We keep your information only as long as needed:
Want us to delete your information? Email us and we'll do it quickly.
Note that:
- You can unsubscribe from Thiscovery at any time using the link in any email
- Some research information may need to be kept for scientific validity (this is always explained in project information before you take part)
- We may need to keep basic records of your participation for audit purposes even after deletion
When these periods end, we securely delete or make your information anonymous.
If something goes wrong
If there's a data breach:
- We'll tell you within 72 hours if a breach might affect you
- We'll explain what happened and what we're doing about it
- We'll advise what you can do to protect yourself
Who we work with
Technology partners
We work with trusted technology providers to deliver our services:
All partners have full data protection agreements and security measures.
Research organisations
When you take part in Thiscovery projects, we may share information with:
- NHS trusts and health boards
- Universities and research institutions
- Healthcare charities and foundations
- Digital health companies and developers
- Government health departments and agencies
- Professional healthcare bodies
Each project clearly identifies the specific organisations involved before you take part.
How information is shared:
With ID numbers (most common):
- Your answers with unique ID numbers instead of your name
- Research teams can see patterns but cannot identify you personally
- May include basic information you've provided (like age group)
Contact details (separate and only with your permission):
- If you agree to be contacted about results or future related research
- Your name and email may be shared with research teams
- Exactly what is shared and how is always clearly explained in each project's information
With no names (anonymous):
- All identifying information removed completely
- Used for reports, publications, and sharing with other researchers
- Includes removing indirect identifiers (like specific workplace names)
Important safeguards:
- Each project clearly explains what will be shared and with whom
- You always have the choice whether to take part
- Contact details are never shared without your specific permission
- Research teams have strict data protection agreements
Sending information outside the UK
Our approach
Main storage: All your information is stored in the UK, Germany or other European countries. This keeps your information in regions with strong data protection standards.
When we send information outside UK/EU:
- Only when necessary for essential services
- Always with appropriate safeguards:
  - Countries with UK approval: These include EU countries, Switzerland, New Zealand, Canada, Japan, and South Korea. The UK government has confirmed these countries provide strong data protection.
  - Standard contracts: For other countries, we use UK government-approved contracts that require strong protection standards.
  - Extra security: Including encryption, access logging, and regular checks of overseas partners.
  - Research-specific safeguards: Extra protections for health information including reducing information, using ID numbers, and restrictions on further use.
Brexit arrangements: We have specific safeguards for UK-EU research collaborations.
Transparency: We always tell you if your information will be processed outside the UK/EU.
Extra protection
Children and young people
We take extra care with information from anyone under 18:
Who needs to agree:
- Under 13: Parent/guardian permission required + child's understanding
- 13-15: Parent/guardian permission required + young person's agreement
- 16-17: Young person can usually agree (we assess each situation)
Ongoing safeguards for young participants:
- Regular checks that participation is still appropriate during longer studies
- Extra monitoring for signs of distress, discomfort, or wanting to withdraw
- Simplified, age-appropriate ways to withdraw with multiple contact options
- Extra staff training on recognising and responding to young people's needs
- Automatic reviews if participation patterns suggest concern
- Priority response times for any concerns raised by young participants or their families
Sensitive information
Health information, ethnicity, and other sensitive information gets extra protection:
- Stronger security measures
- Clear consent requirements
- Limited access on strict need-to-know basis
- Extra staff training
About THIS Labs - who makes decisions
Key terms explained:
- Data controller: The organisation that decides why and how personal information is used
- Data processor: An organisation that handles information on behalf of a controller following their instructions
When we are the data controller (we make decisions about your information):
- Website management and how people use it
- Your contact details (name and email address), if you agree for us to contact you about a project you took part in or future relevant projects
- Community management and communications
- User research about our platform
- Client services and business relationships
- Certain specific research projects where we lead all or most aspects of the work
When we are a data processor (we handle information for other organisations):
- Individual research or engagement projects for NHS organisations, universities, and some other clients
- Individual communities hosted for NHS organisations, universities or other clients
- Information analysis done on behalf of project commissioners
Why this matters to you:
- When we make decisions, you use your rights directly with us
- When we process information for another organisation, that organisation is responsible for key decisions about your information
- Each project clearly states who is responsible and gives their contact details
- You always have the right to know who is responsible for your information and how to contact them
Our privacy leadership
Privacy by design
We build privacy protection into every part of our platform from the start:
- Technical innovation: We use advanced techniques to protect identity while maximising research value
- Ethical leadership: Our approach exceeds legal requirements, guided by fairness, transparency, and respect for people's choices
- Continuous improvement: We regularly review new privacy technologies and best practices
- Knowledge sharing: We aim to contribute to privacy best practice guidance for the research sector and share our learnings
Transparency and accountability
- Open about our practices: Technical details of our privacy measures are available to researchers and participants who want deeper understanding
- Your feedback matters: Your suggestions and concerns directly influence how we improve our privacy practices
- Independent checks: Our practices are regularly reviewed by independent privacy experts and research ethics advisors
Better transparency
Beyond legal requirements
We go well beyond minimum legal requirements through our Enhanced Transparency Framework:
- Harm checks: We check whether our communications could cause anxiety or confusion, and adjust accordingly
- Community involvement: We work with diverse community representatives to test and improve our transparency materials
- Multiple formats: We provide information in various ways to meet different accessibility needs
- Continuous improvement: We regularly gather feedback and improve our transparency approaches
Real impact
This enhanced approach means:
- Information designed to inform, not overwhelm
- Materials tested with real participants before use
- Clear help if something isn't clear
- Ongoing conversation rather than one-way communication
Keeping this policy current
Regular reviews: We review this policy every 6 months and when we make significant changes.
Important changes: We'll tell you about important updates and explain what they mean for you.
Your feedback: Tell us how we can make this policy clearer or more helpful.
Contact us
For general questions: hello@thiscovery.org
For project-specific questions: Use the project team email provided in project information
For data protection concerns: DPO@thiscovery.org
For urgent data protection issues: DPO@thiscovery.org (mark subject "URGENT")
To make a complaint: DPO@thiscovery.org or Information Commissioner's Office (ico.org.uk)
Response times:
- General questions: 2 working days
- Rights requests: 30 days (we'll let you know if we need longer)
- Urgent issues: Same working day response
More information
Cookie settings: Manage your cookie preferences. You can also access cookie settings through the cookie preference centre that appears when you first visit our site, or by clicking the cookie settings link in our footer.
Terms of service: Read our Terms and Conditions
This privacy policy complies with UK GDPR and the Data Protection Act 2018. We are committed to transparency, fairness, and putting you in control of your personal information.
Last updated: December 2025
Next review: June 2026