Privacy Policy
The security and protection of information is fundamental to the effective and efficient working of the company and the maintenance of confidentiality. This Policy provides a framework that allows us to handle information and data in the most secure way, given the demands of the company.
One Minute Silence t/a Flume is committed to respecting and protecting your privacy. Because Flume is committed to protecting your privacy, Flume will not sell, rent or otherwise disclose this information to any third party, except as described in this Privacy Policy. Flume maintains all personal information as private to the best of the company’s ability. However, personal information may be disclosed under the limited circumstances described below, and by submitting your personal information, you agree that Flume may do so.
One Minute Silence t/a Flume is an organisation, with legal entities, business processes, management structures, and technical systems.
What Data We Collect
We may collect the following types of personal data, depending on your interaction with us:
- Identity and Contact Information: Name, email address, phone number.
- Demographic Information: Age, gender, occupation, or other details relevant to research studies.
- Behavioural Data: Preferences, interests, or responses provided during research.
- Financial Information: Payment details for incentives (e.g. cash or vouchers), if applicable.
How We Collect Your Data
We collect data through:
- Direct Interactions: When you register as a participant, complete surveys, or contact us.
- Client Projects: When you participate in research studies we manage for clients.
- External panels for recruitment of research projects.
Why We Use Your Data
We use your personal data for the following purposes:
- Recruiting and managing participants for market research studies.
- Conducting research on behalf of clients.
- Communicating with you about research opportunities or services.
- Managing our participant database and improving our services.
- Processing payments for incentives, where applicable.
- Complying with legal or regulatory obligations.
Legal Basis for Processing
We process your data based on the following lawful bases:
- Consent: When you agree to participate in research or provide data voluntarily.
- Contract: To fulfill agreements with you, such as participation in a study or client services.
- Legitimate Interests: For purposes like improving our services or managing our database, provided your rights are not overridden.
- Legal Obligation: To meet regulatory requirements, such as tax or data protection laws.
For special category data (e.g., health), we rely on your explicit consent or other lawful bases, such as research purposes.
Who We Share Your Data With
We may share your data with:
- Clients: Limited data necessary for research, under strict confidentiality agreements, ensuring anonymity in research outputs.
- Service Providers: Trusted third parties (e.g., IT or payment processors) who support our operations, bound by data protection contracts.
- Regulators: When required by law, such as for audits or investigations.
We do not sell your personal data to third parties for marketing purposes.
How Long We Keep Your Data
We retain personal data only as long as necessary for the purposes outlined or as required by law. For research purposes, data is typically kept for up to 1 year after a project ends, then securely deleted or anonymised. Specific retention periods depend on project requirements or legal obligations.
Your Data Protection Rights
Under UK GDPR, you have the following rights:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your data, where applicable.
- Restriction: Limit how we process your data in certain cases.
- Portability: Receive your data in a machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Revoke consent at any time, without affecting prior lawful processing.
- No Automated Decision-Making: You will not be subject to decisions based solely on automated processing that significantly affect you.
To exercise these rights, contact us at Hello@flume.group. You also have the right to lodge a written complaint to Jayne@flume.group.
Data Security
We use robust technical and organizational measures to protect your data, including:
- Encryption of data in transit and at rest.
- Access controls and authentication protocols.
- Regular security audits and staff training.
- Secure deletion of data no longer needed.
External Security Control
1. General
- Any person not directly a member of the practice team is to be considered ‘external’.
2. Information Exchange
- The exchange of information with, and between, other organisations shall take place within formal arrangements that reflect the legal requirements and the sensitivity of the information. All files containing PII must be encrypted and any file transfer carried out via a secure transfer service.
3. Data Storage and Transfer
- Files containing PII must not be stored on PC hard disks or desktops at any time. All such files must be stored on the server which employees can access remotely via VPN or online portal if they are outside of the office.
- Files containing PII that are stored on the server will be subject to the retention and deletion policy detailed below.
- Transfer of files containing PII must be carried out via a secure file transfer system.
4. Contracts with Clients
- The commissioning client and the research agency act as joint data controllers under GDPR. To ensure anonymity of research participants and protection of their personal data, contracts with clients must specify that they may not request access to participant PII at any stage during or after the research project. PII will be disclosed to the immediate project team only.
- For projects where clients require access to personal data (e.g. consumer connections, recruitment only research), consent for data to be used in this way will be obtained from participants during recruitment.
- The name of the commissioning client must be disclosed to research participants for them to be able to give full informed consent. In the case of blind studies this may be done at the end of the research, and participants must be aware upfront that this will be the case.
In the event of a breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
In the event of a breach which carries high risk or will cause harm to the individuals affected, the below procedure will be implemented:
- Breach identified, risks and impact assessed.
- Debbie Newbould informed.
- Jayne Williams or Debbie Newbould to inform ICO of the breach without undue delay (within 72 hours).
- In the event of a breach concerning IT systems, Jayne Williams to inform Surf Tech IT immediately.
- Jayne Williams to inform the individuals affected via email or telephone where necessary.
- In the event of a breach concerning IT systems, Jayne Williams to continue working with Surf Tech IT to rectify the issue.