Privacy Notice
Last updated: 27/02/2026
Folk Research Ltd (“Folk Research”, “we”, “us”, “our”) is an independent market research agency. We carry out qualitative and quantitative research on behalf of organisations to understand people’s experiences, opinions, and behaviours.
This notice explains how we collect, use, and protect your personal data when you take part in our research, receive a survey invitation, or interact with us in connection with a research project.
Folk Research processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where we conduct research involving participants in the European Economic Area (EEA), we also comply with the EU General Data Protection Regulation (EU GDPR).
1. Who we are
Data Controller: Folk Research Ltd (company number 11267127)
Address: Cookham House, 29 The Green, Winchmore Hill, London N21 1HS
Data protection contact: dataprotection@folkresearch.com
We are registered with the UK Information Commissioner’s Office (ICO). ICO registration number: ZA354791
We are responsible for deciding how your personal data is used in our research projects. In some projects, we act as joint controller alongside the organisation that commissioned the research — see Section 11 for more detail.
2. Why we collect your information
We collect and use personal data so we can:
Invite suitable people to take part in research studies
Screen and recruit participants against agreed criteria
Organise and run interviews, focus groups, surveys, or online communities
Collect your responses and feedback as part of the research
Arrange incentive payments for participation
Deliver anonymised research findings and reports to our clients
Meet our legal and regulatory obligations, including quality and audit requirements
We only collect information that is relevant and necessary for the research.
3. What information we may collect
Depending on the project, we may collect:
Invitation and recruitment data
Name, email address, phone number
General location (e.g. city or region)
Background information (such as age range, job role, professional specialism, or household details) to assess suitability and ensure a good mix of participants
Survey and research data
Your responses to questionnaire or screener questions
Your opinions, experiences, and feedback shared in interviews, focus groups, diaries, or online communities
Audio or video recordings (where you have been informed in advance and consented)
Written responses, chat messages, or community posts
Research notes and transcripts
Special category data (health and other sensitive information)
Where a project requires it, we may ask questions about your health, medical conditions, disability status, or other special category data. We will always make this clear before asking, explain why it is needed, and ask for your explicit consent before collecting it. You can decline to answer any such questions without affecting your ability to take part in the rest of the research. See Section 5 for more detail.
Incentive information
If we pay you for taking part, limited information needed to arrange payment may be processed via our incentive payment provider (typically Ayda). We do not collect or store bank or card details directly.
We try to minimise the personal data we collect. Where possible, we separate your contact details from your research responses and use participant reference numbers rather than names.
Age restriction: Our research is intended for adults aged 18 and over unless a project is specifically designed to include younger participants, in which case appropriate safeguards and parental or guardian consent will be obtained.
4. Lawful basis for using your data
Under UK and EU data protection law, we rely on the following lawful bases. References are to the UK GDPR; equivalent provisions apply under the EU GDPR where EEA participants are involved.
| Processing activity | Lawful basis |
|---|---|
| Taking part in research (surveys, interviews, groups) | Consent (Article 6(1)(a)) |
| Audio/video recordings | Consent (Article 6(1)(a)) |
| Special category data (e.g. health information) | Explicit consent (Article 9(2)(a)) |
| Arranging recruitment, scheduling, and project management | Legitimate interests (Article 6(1)(f)) |
| Fraud prevention and quality assurance | Legitimate interests (Article 6(1)(f)) |
| Financial records and incentive payment reconciliation | Legal obligation (Article 6(1)(c)) |
Where we rely on legitimate interests, we have assessed that our interests do not override your rights and freedoms as a research participant.
5. Special category data
Some of our research involves questions about health conditions, disability status, clinical experience, or other sensitive topics. This type of data is given additional protection under data protection law.
Where a project involves special category data:
We will always tell you clearly before any such questions are asked
We will ask for your explicit consent before collecting any health-related information
The consent request will identify the specific categories of data collected and explain why they are needed
You can withdraw consent for health-related questions at any time without affecting your broader participation
Health-related data is deleted more quickly than general research data — see Section 8 for retention periods
Health-related data is never shared with our clients in identifiable form
6. How your data is used in research outputs
Your personal identity is not shared with our clients. Research reports, presentations, and other outputs are designed so that:
Participants are not named
Quotes are anonymised or use pseudonyms
Information that could directly identify you is removed wherever possible
In cases where a client needs to observe a session or review recordings (for example, via a viewing facility or video link), we will make this clear in advance and obtain your consent.
Our clients receive anonymised research findings only.
7. Who we share your data with
We share personal data only where necessary to deliver the research, with the following categories of trusted supplier:
| Supplier type | Purpose | Examples |
|---|---|---|
| Panel and recruitment providers | Sourcing and screening research participants | M3 Global Research |
| Survey hosting platforms | Scripting and hosting online surveys | Included within panel provider services |
| Qualitative research partners — international | Conducting or supporting qualitative research in markets outside the UK, including moderating interviews or focus groups, recruiting participants, and handling local logistics | Local research agencies and partners engaged per project |
| Qualitative research partners — UK freelancers | Conducting or supporting qualitative research in the UK where Folk engages an independent moderator or researcher, including moderating interviews or focus groups and handling participant data for scheduling and logistics | Independent moderators and qualitative researchers contracted by Folk |
| Transcription services | Transcribing recorded interviews and focus groups | Third-party transcription suppliers |
| Research platforms | Online communities, diary tools, video interview platforms, and other qual-specific tools | Qual-specific platforms as applicable per project |
| Incentive payment providers | Processing participation payments | Ayda |
| Secure business systems | Storing and managing project data | Microsoft 365 (SharePoint / OneDrive / Teams) |
Where Folk engages a local research partner or independent moderator to conduct qualitative interviews or focus groups — for example in international markets or where a specialist moderator is required — that partner will have access to the personal data necessary to conduct and record the session, such as your name, scheduling details, and research responses. All such partners are contractually bound by data protection obligations equivalent to those applied by Folk and may only use your data to deliver the research.
All suppliers are contractually required to process your data only on our instructions, to keep it secure, and to delete it when it is no longer needed. We do not sell your personal data.
8. How long we keep your data
We keep personal data only for as long as is necessary for the purposes for which it was collected.
| Data type | Retention period |
|---|---|
| Health-related screener responses | Deleted within 30 days of fieldwork closing |
| Professional or occupational data collected for research eligibility purposes (e.g. clinical specialism, job role) where the research context is sensitive | Deleted within 30 days of fieldwork closing |
| Survey response data (where hosted by a third-party supplier) | Transferred to Folk on completion; supplier copy deleted within 7 days of confirmed receipt |
| Recruitment contact details and screener data | Deleted within 90 days of fieldwork closing |
| Participant scheduling and logistics data | Deleted within 90 days of fieldwork closing |
| Audio/video recordings | Deleted within 6 months of the final research deliverable |
| Transcripts and research notes (pseudonymised) | Deleted within 12 months of the final research deliverable |
| Incentive payment records | Deleted as soon as practical after payment reconciliation (subject to HMRC record-keeping requirements — up to 6 years) |
| Final anonymised research reports | Retained for our records; these do not identify individual participants |
Where applicable law requires us to retain certain data for longer — for example in connection with pharmacovigilance or adverse event reporting obligations in medical research — we will retain only the minimum data necessary and document the legal basis for doing so.
9. International data transfers
Folk Research is based in the United Kingdom. Some of our research projects are conducted across multiple countries, and some of the tools and suppliers we use may store or process data outside the UK or European Economic Area (EEA).
Where personal data is transferred outside the UK or EEA to a country without an adequacy decision, we ensure appropriate safeguards are in place:
UK-originating data: UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses
EEA-originating data: EU Standard Contractual Clauses (Commission Decision 2021/914)
We will not transfer your data to any country without appropriate protections in place. If you would like more detail about the specific safeguards applicable to your data, please contact us using the details in Section 15.
Where Folk Research processes personal data of EEA residents and the EU GDPR applies, EEA-based participants may also have the right to lodge a complaint with the supervisory authority in their country of residence.
10. How we keep your data secure
We use a combination of technical and organisational security measures, including:
Restricted access to project data on a need-to-know basis
Multi-factor authentication on all systems used to access personal data
Full disk encryption on devices
Secure cloud storage and file sharing
TLS-encrypted channels for data transmission
No unencrypted transmission of personal data by email
Procedures for reporting, investigating, and resolving data security incidents
If we become aware of a personal data breach that is likely to affect your rights or freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours and, where required, notify you directly.
11. Joint controller arrangements
In some research projects, Folk Research acts as joint controller alongside the organisation that commissioned the research. This means both parties have a role in determining the purpose and parameters of the research.
Where this applies:
The commissioning organisation determines the research objectives, target populations, and markets
Folk Research determines the detailed means of conducting the research: instrument design, consent language, data security, and retention
The commissioning organisation receives only anonymised research outputs and does not process your personal data directly
Folk Research is the operational controller responsible for all data protection obligations in connection with the research, and is your primary point of contact for any data protection queries or rights requests
Where a joint controller arrangement is in place, we will identify this in the survey consent language and make the essence of the arrangement available to you on request.
12. Adverse event reporting
In research involving medical devices or pharmaceutical products, participants sometimes share information that may constitute a reportable adverse event (AE) under applicable pharmacovigilance regulations.
Where this applies, Folk Research has procedures in place to ensure that potential AEs are identified and reported promptly to the commissioning organisation, which holds the relevant regulatory reporting obligations as the manufacturer or authorisation holder. Only the minimum information necessary for reporting purposes will be shared. Folk Research will retain a record that the report was made.
If you disclose information during research participation that may constitute an adverse event, our research team will handle it sensitively and in accordance with our AE reporting procedure.
13. Your rights
Under applicable data protection law (UK GDPR and, where relevant, EU GDPR), you have the right to:
Access the personal data we hold about you
Correct inaccurate or incomplete information
Delete your data (in certain circumstances)
Restrict how we use your data (in certain circumstances)
Object to processing based on legitimate interests
Withdraw consent at any time — this will not affect the lawfulness of processing already carried out, but we will stop using your data for that purpose going forward
Data portability — where processing is based on your consent and carried out automatically, you may request a copy of your data in a structured, commonly used, machine-readable format
Not be subject to solely automated decisions that produce significant legal or similar effects — Folk Research does not use automated decision-making of this kind in its research activities
Complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have handled your data
Withdrawing from research: If you withdraw your consent to take part in research, we will stop processing your data for research purposes. Where your responses have already been included in anonymised analysis, it may not be possible to remove them from existing outputs — but your identifiable data will be deleted.
How to exercise your rights: Contact us at dataprotection@folkresearch.com. We will respond within one calendar month.
14. Changes to this notice
We may update this notice from time to time. The date at the top of this page shows when it was last updated. We will notify you of any material changes where we have your contact details.
15. Contact us
Folk Research Ltd
Cookham House, 29 The Green, Winchmore Hill, London N21 1HS
Email: dataprotection@folkresearch.com
Website: www.folkresearch.com
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):
Website: https://www.ico.org.uk
Telephone: 0303 123 1113