Thiscovery Privacy Notice

Last updated: June 2025
Next review: December 2025

At a Glance

Who we are:

Thiscovery is a secure online platform and service thatenables the health and care system to improve and innovate throughcollaboration. We're developed and run by THIS Labs, an independentorganisation formed as a strategic collaboration between THIS Institute (aresearch centre at the University of Cambridge) and The Health Foundation.

What we do with your data:

We use your information to connect you with health and careresearch and engagement opportunities that match your interests, run ourplatform and service securely, and facilitate the design and delivery ofprojects aimed at improving health and care.

Your control:

You decide what information to share and can change yourmind at any time. You have comprehensive rights over your personal data.

Your data security:

We take appropriate technical and organisational measures toensure your information is kept secure, accurate and up to date. We store datain the UK/EU and never sell your information to anyone.

Questions?

Contact our Data Protection Officer: DPO@thiscovery.org

Who We Are & How to Contact Us

About Thiscovery

Thiscovery is developed and run by THIS Labs, an independentorganisation formed as a strategic collaboration between THIS Institute (aresearch centre at the University of Cambridge) and The Health Foundation.

Data Protection Officer

We have an expert Data Protection Officer who oversees allprivacy matters:

Email: DPO@thiscovery.org

Address: THIS Labs, c/o Regus, Chivers Way, Histon,Cambridge, CB24 9AD

Response time: We aim to respond within 2 working days

For urgent data protection concerns: Email DPO@thiscovery.org with "URGENT"in the subject line

Make a complaint: If you're not satisfied with our response,you can contact the Information Commissioner's Office (ICO). However, we'd appreciate the chance to addressyour concerns first.

How We Use Your Information

When You Visit Our Website

What we collect:‍

How you use our website (pages visited, timespent)
Your device and browser information
Cookies (see our Cookie Settings for full control)

Why we collect it:

Keep our website working smoothly
Understand how to improve user experience
Ensure website security

Legal basis:

Legitimate interest (essential cookies) and your consent(all other cookies)

‍

When You Participate in Research and Engagement projects

What information might be collected:

The specific information varies by project and is always clearlyexplained before you participate. Each project has its own detailed informationpage and confidentiality notice. Examples of information that might becollected include:

Basic demographics (age, location, role)
Health-related information
Professional background and experience
Your answers to survey questions
Interview recordings (with your permission)
Photos or other files you choose to upload

What we do with it:

Conduct the research or engagement project as described inthe project-specific information

Provide data and insights to research commissioners(typically NHS organisations, universities, healthcare charities or digitalhealth tech companies)

How your data is protected:

We separate your contact details from yoursurvey responses using pseudonymisation (ID numbers instead of names)
The pseudonymised dataset is used for analysis
Your name and email (if provided) are storedseparately and securely
Information is only shared as described in eachproject's confidentiality notice

Legal basis:

This varies by project type and is always clearly stated inthe project information:

Public task: For NHS organisations, universities, andgovernment bodies conducting research within their statutory functions andpublic health remit

Legitimate interests: For research with clear publicbenefit where public task doesn't apply, or for commercial research withminimal privacy impact that serves broader health and care improvement

Consent: For sensitive research topics, when you havemeaningful choice about participation, or where other legal bases aren'tsuitable for the specific project context

The most appropriate legal basis is determined throughcareful assessment of each project's purpose, participants, and data types.This assessment is always documented and available upon request.

Quick guide to typical legal bases:

NHS/university health research → Usually public task

Low-risk platform improvement research → Usually legitimateinterests

Sensitive topics or children's research → Usually consent

Each project clearlyexplains which basis applies and why

More details will always be available:

Each project provides comprehensive information before youparticipate, including:

Who is running the project and why
What taking part involves
How your information will be used and protected
Who will have access to your data
How long it will be kept
Your rights and how to exercise them

Research exemptions:

Some data subject rights may be limited for research data topreserve scientific integrity. Any limitations are always explained clearlybefore you participate, and you can choose not to take part if you're notcomfortable with these arrangements.

When You Join Our Communities

Additional information we collect:

Your location and member type
Community-specific information relevant to thatcommunity (always optional)
Community interaction data (posts, comments,file shares, event participation)
Communication preferences and notificationsettings

What we do with it:

Enable secure community features and discussions
Facilitate collaborative projects and knowledgesharing
Send community updates and relevant invitations(based on your preferences)
Support community members effectively
Improve community functionality based on usagepatterns (anonymised data only)

Legal basis:

Your consent for joining; then usually legitimate interestfor managing community discussions and platform security

When you create a Thiscovery account

Required information:

Name and email address (essential for your account)

Optional information (you choose what to share):

Phone number
Country of residence and postcode
Year of birth, sex, gender identity
Ethnicity and interests
Employment information

What we do with it:

Manage your Thiscovery account and profile
Match you with health and care researchopportunities that align with your interests and eligibility
Send you information about projects you might beinterested in and eligible for
Provide customer support when you need help
Improve our platform based on user feedback andusage patterns
Keep you updated about Thiscovery developments(if you choose to receive these)

What we don't do:

We conduct no automatic decision making orprofiling
We never sell or share your information formarketing purposes
We don't contact you about research unless it'srelevant to your interests

Legal basis:

Your consent

When You Participate in User Research

We occasionally conduct research about Thiscovery itself tohelp us improve our platform and services.

What we might collect:

Your experience using Thiscovery
Suggestions for improvements
Basic demographics to ensure diverse feedback
Banking information (if we provide compensationfor your time)

Legal basis:

Your consent, which you can withdraw at any time

Client Services

When organisations work with us:

What we collect:

Business contact details
Company information
Banking details (for payments)

Legal basis:

Contract and legal obligation

Your Rights & Choices

Your Data Protection Rights

You have comprehensive rights over your personal data:

Right	What it means	How to use it
Access	Get a copy of your personal data	Email DPO@thiscovery.org with "Access Request"
Rectification	Correct inaccurate information	Contact us at hello@thiscovery.org or amend details directly in your account if you have one
Erasure	Delete your personal data	Contact us at hello@thiscovery.org or amend details directly in your account if you have one
Restrict Processing	Pause processing while issues are resolved	Contact DPO@thiscovery.org
Data Portability	Get your data in a portable format	Contact DPO@thiscovery.org
Object	Object to certain types of processing	Contact DPO@thiscovery.org
Withdraw Consent	Change your mind about data processing	Contact us at hello@thiscovery.org or email the project team directly for an individual project using thedetails on the project information page

Response time:

We respond within 30 days (or explain if we need longer)
‍

No charge:

Exercising your rights is free (unless requests are clearlyunreasonable)

Special Considerations for Research Data

Some rights may be limited for research data to preservescientific integrity and ensure valid results that can benefit health and care. However, we will:

Always explain any limitations clearly in projectinformation before you participate
Only apply limitations when absolutely necessaryfor the research to be valid
Give you the full choice about whether toparticipate if you're not comfortable with any arrangements
Ensure you can still withdraw from futureparticipation even if past data is retained for research integrity

Example limitations might include:

Unable to delete data after analysis has begun(but you can withdraw from future contact)
Unable to change past responses once submitted(but you can provide additional context)
Limited access to raw research datasets (but youcan receive a summary of your contributions)

These limitations help ensure research results are reliableand can genuinely benefit health and care improvement.

Communication Preferences

Control what you hear from us:

Project invitations: Based on your contactpreferences and community memberships (you can opt out)
Community updates: customizable notificationsfor each community you join
Platform updates: Essential service informationonly
Project findings: If you participated and wantto hear outcomes

Update your preferences:

Email us at hello@thiscovery.org for overall communication preferences
Contact individual project teams forproject-specific preferences
Use community platform settings for detailedcommunity notification control
Contact individual community administrators forcommunity-specific preferences

How We Protect Your Data

Security Measures

We take appropriate technical and organisational measures to ensure that we keep your information secure, accurate and up to date, and that we only keep it as long as is reasonable and necessary.

Technical protections:

Encryption for data in transit and at rest
Secure data centers with regular monitoring
Multi-factor authentication for staff access
Regular security testing and vulnerability assessments
Firewall protection and secure network architecture

Organisational protections:

Staff background checks and security training
Strict access controls based on need-to-know principles
Comprehensive data protection policies and procedures
Regular security audits and compliance reviews
Clear incident response procedures

Compliance and certifications:

We follow NHS Digital security standards and guidance when required for specific for health data processing
Our security practices align with ISO 27001 information security management principles
Regular independent security assessments and penetration testing
Compliance with UK government's Cyber Essentials framework
Adherence to research data security standards from UK Research Councils and health research bodies

Important note:

Although we use appropriate security measures once we have received your personal information, the transmission of information when you submit it over the internet is never completely secure. We do our best to protect personal information, but we cannot guarantee the security of information transmitted to our website, so any transmission is at your own risk.

Data Retention

We keep your data only as long as necessary:

Data Type	How Long	Why
Account information and contact details	Contact details are kept for 24 months after your last interaction with us, unless you’ve specifically consented to longer retention for follow-up studies	Account management, consent records, follow-up studies
Website usage data	13 months	Analytics and improvement
Research data	Specific periods are detailed in each project’s information pages	Analysis, verification, follow-up studies
Communication records	24 months from last contact	Service continuity
Support requests	13 months from resolution	Pattern identification

When retention periods expire, we securely delete or anonymise your data.

If Something Goes Wrong

Data breach notification:

We'll tell you within 72 hours if a breach might affect you
We'll explain what happened and what we're doing about it
We'll advise what you can do to protect yourself

Who We Work With

Technology Partners

We work with trusted technology providers to deliver our services:

Service	What they do	Data shared
Qualtrics	Survey platform	Survey responses, IP addresses
Voxco	Survey platform	Survey responses, IP addresses
Amazon Web Services	Data hosting	Account and project data
Microsoft Azure	Data hosting	Account and project data
HumHub GmbH & Co	Community platform hosting	Community member information, posts, files and interactions
HumHub Technologies	Community platform software	Technical platform functionality (no personal data access)
Hivebrite	Community platform	Community member information, posts, files and interactions
Zoom	Video calls and webinars	Meeting participation data
Twilio/SendGrid	Email delivery	Email addresses for communications
Voxco	Email delivery	Email addresses for communications
Acuity	Interview scheduling	Contact details for appointments
Trint	Audio transcription	Interview recordings
Ascribe	Data analysis services	Survey responses for analysis

All partners have comprehensive data protection agreements and security measures.

Research Clients

When you participate in Thiscovery projects, we may share your data with:

Research projects data sharing:

When you participate in research projects, we may share your data with research commissioners in specific ways:

Pseudonymised sharing (most common):

Your responses with unique ID numbers instead of your name
Research teams can analyse patterns but cannot identify you personally
May include demographic information you've provided

Contact details (separate and only with your permission):

If you agree to be contacted about results or future related research
Your name and email are shared separately from your survey responses
Research teams cannot link your identity to your specific answers

Anonymised sharing:

All identifying information removed completely
Used for reports, publications, and sharing with other researchers
Includes removing indirect identifiers (like specific workplace names)

Important safeguards:

Each project clearly explains what will be shared and with whom
You always have the choice whether to participate
Contact details are never shared without your specific consent
Research teams have strict data protection agreements

International Data Transfers

Our Commitment

Primary storage: All your data is stored in the UK, Germany or other European Economic Area countries. This ensures your data remains within regions with equivalent data protection standards.

When we transfer data outside UK/EU:

Only when necessary for essential services
Always with appropriate safeguards:
- Countries with UK adequacy decisions: These include EU member states, Switzerland, New Zealand, Canada, Japan, and South Korea, which the UK government has determined provide equivalent data protection standards
- Standard contractual clauses: For other countries, we use UK government-approved contract templates that require equivalent protection standards
- Additional security measures: Including encryption, access logging, and regular compliance audits of overseas partners
- Research-specific safeguards: Extra protections for health data including data minimisation, pseudonymisation, and restrictions on further use

Brexit arrangements: We have specific safeguards for UK-EU research collaborations

Transparency: We always tell you if your data will be processed outside the UK/EU

Special Protections

Children and Young People

We take extra care with data from anyone under 18:

Enhanced consent:

Under 13: Parent/guardian consent required + child's understanding
13-15: Parent/guardian consent required + young person's consent
16-17: Young person can typically consent (with context assessment)

Ongoing safeguards for young participants:

Regular review of participation appropriateness throughout longer-term studies
Enhanced monitoring for signs of distress, discomfort, or desire to withdraw
Simplified, age-appropriate withdrawal processes with multiple contact options
Additional staff training on recognising and responding to young people's needs
Automatic review triggers if participation patterns suggest concern
Priority response times for any concerns raised by young participants or their families

Sensitive Information

Health data, ethnicity, and other sensitive information gets extra protection:

Enhanced security measures
Explicit consent requirements
Limited access on strict need-to-know basis
Additional staff training

About THIS Labs - Data Controller and Processor Roles

When we're the Data Controller (we make decisions about your data):

Website management and analytics
Your Thiscovery account registration and management, if you choose to create an account
Your contact details (name and email) address, if you consent for us to contact you about a project you have taken part in or future relevant projects
Community management and communications
User research about our platform
Client services and business relationships
Certain specific research projects where we are leading on all aspects of the work

When we're a Data Processor (we process data on behalf of commissioning and collaborating organisations):

Individual research or engagement projects for NHS organisations, universities, or other clients
Individual communities hosted for NHS organisations, universities or other clients
Data analysis conducted on behalf of project commissioners

Why this matters to you:

When we're a Controller, you exercise your data rights directly with us
When we're a Processor, the research organisation commissioning the project is the Controller and responsible for key decisions about your data
Each project clearly states who the Controller is and provides their contact details
You always have the right to know who is responsible for your data and how to contact them

Our Privacy Leadership Commitment

Privacy by Design Innovation

We build privacy protection into every aspect of our platform from the ground up:

Technical innovation: We use advanced pseudonymisation techniques and privacy-preserving analytics to maximise research value while minimising privacy risks
Ethical leadership: Our approach exceeds legal requirements, guided by principles of fairness, transparency, and respect for participant autonomy
Continuous improvement: We regularly review emerging privacy technologies and best practices to enhance our protections
Knowledge sharing: We aim to contribute to privacy best practice guidance for the research and engagement sector and share our learnings with the wider community

Transparency and Accountability

Open about our practices: Technical details of our privacy measures are available to researchers and participants who want deeper understanding
Feedback integration: Your suggestions and concerns directly influence our privacy practice improvements
Independent oversight: Our practices are regularly reviewed by independent privacy experts and research ethics advisors

Enhanced Transparency Innovation

Beyond Legal Requirements

We go well beyond minimum legal compliance through our Enhanced Transparency Framework, which includes:

Transparency harm assessments: We systematically evaluate whether our communications could cause anxiety or confusion, and adjust accordingly
Community involvement: We work with diverse community representatives to test and improve our transparency materials
Layered communication approaches: We provide information in various ways to meet different accessibility needs
Continuous improvement: We regularly gather feedback and improve our transparency approaches

Real-World Impact

This enhanced approach means:

Information designed to inform, not overwhelm
Materials tested with real participants before use
Clear escalation if something isn't clear
Ongoing dialogue rather than one-way communication

Keeping This Policy Current

Regular reviews:

We review this policy every 6 months and when we make significant changes

Material changes:

We'll notify you of important updates and explain what they mean for you

Your feedback:

Tell us how we can make this policy clearer or more helpful

Contact Us

Got questions? We're here to help:

General privacy questions: DPO@thiscovery.org
Urgent concerns: DPO@thiscovery.org (subject: URGENT)
Exercise your rights: Email hello@thiscovery.org

Response times:

General queries: 2 working days
Rights requests: 30 days (we'll let you know if we need longer)
Urgent issues: Same day response

Further Information

Cookie Settings: Cookies Settings. You can also access cookie settings through the cookie preference centre that appears when you first visit our site, or by clicking the cookie settings link in our footer.
Terms of Service: Our terms and conditions

This privacy policy complies with UK GDPR and the Data Protection Act 2018. We are committed to transparency, fairness, and putting you in control of your personal data.

Last updated: June 2025
Next review: November 2025