Skip to content
Menu

Privacy notice

The Behavioural Insights Team website

This notice is effective from 20 April 2020

1. Introduction

This privacy notice is maintained by the Behavioural Insights Team (BIT). It sets out how and why we use your personal data – both on this website, and offline.  

If you work for BIT, you should refer to your Employee Privacy Notice, and if you have applied for a job, you should refer to your Recruitment Privacy Notice.  

If your personal data is processed by BIT because you are a participant in one of our research projects, you should refer to the privacy notice made available by us or by our client or partner prior to the research being undertaken. If you do not have a copy of the relevant privacy notice in relation to the research project you are involved in, please contact us at dpo@bi.team.  

If your personal data is processed by BIT in the context of using one of our products (including but not limited to Predictiv, Networky, Tig or Promptable), you should refer to the privacy notice made available by us on the relevant product’s app or website. In most cases, this would have been made available to you at the point of signing up to use the product. 

This notice does not create any contractual rights or obligations.  We may change this privacy notice from time to time. If we make any significant changes in the way we treat your personal information we will make this clear on the website or by contacting you directly.

BIT comprises a global group of companies which is headquartered in the United Kingdom.  The main BIT entity – Behavioural Insights Ltd – is the controller of, and responsible for, most personal data collected by BIT, including on this website.  However, if you interact with another BIT entity (see the list in Section 6 (International Transfers) of this privacy notice) that entity will be responsible for your personal data, and local data protection laws in that country will apply. 

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights in relation to your personal data, please contact the DPO:

By post: Behavioural Insights Ltd, 4 Matthew Parker Street, London, SW1H 9NP

By email: dpo@bi.team.

2. When do we collect information from you?

We may collect information about you if you:

  • commission BIT to undertake research or other work for your organisation or company, or communicate with us about prospective or ongoing work;
  • work for one of our partners (or a prospective partner) on a research project (e.g. at a school, college, GP surgery, NHS trust, social care service etc) that is helping us to deliver and/or evaluate a research intervention; 
  • use our website;
  • sign up for events organised by us;
  • subscribe to our newsletter;
  • contact us with any form of complaint or enquiry or in response to a request for feedback or a survey; 
  • consent to take part in an interview or focus group as part of a research project we are undertaking on our own behalf or on behalf of a client or partner; 
  • purchase products from us; 
  • work for or are one of our suppliers, or work for a prospective supplier; or
  • visit our offices.

3. What kind of information do we collect from you?

This will depend on the context in which we interact with you:

a) When you scope working with BIT/commission BIT to undertake research for you/act as a supplier to BIT/work for a partner involved in a BIT research project:

Category  Description 
Client Data 

Partner Data 

Supplier Data 

BIT is primarily engaged by government departments/corporate entities and as such those instructors are not data subjects. 

Also, BIT generally contracts with corporate entities as suppliers to BIT and with partner organisations (rather than with individuals). 

However, as part of such engagements or as part of business development with prospective clients, personal information may be provided to us (e.g. personal information relating to officers of clients, prospective clients, partners or suppliers) which may include the following: 

  • Name and job title
  • Contact information including the company/organisation/institution you work for, telephone numbers and email addresses, where provided
  • Payment information
  • Information that you provide to us as part of us scoping or providing services to you or working with you as partners on a project (or as part of you providing services to us if you are a supplier), which depends on the nature of the work
  • relevant information as required by any applicable Know Your Client and/or Anti-Money Laundering regulations (which may include request for identity information such as passports and information collected from publicly available sources e.g. Companies House) 

b) When you use our website, subscribe to our newsletter or contact us with complaints, enquiries or feedback

Category  Description 
Website User Data 

Subscriber Data 

  • Email address and any other contact details you provide when you sign up to receive newsletters and other communications from us 
  • The date, time and content of any queries, feedback or complaints 
  • Newsletters or other messages sent to you after you have subscribed may contain tracking beacons / tracked clickable links or similar server technologies in order to track subscriber activity within email marketing messages. Where used, such newsletters and messages may record a range of Subscriber Data relating to engagement, geographic, demographics and already stored Subscriber Data.
  • Cookie and browser generated information collected through your use of the website
  • Marketing preferences

Further details about the technical data that is processed by us can be found in our Cookies Policy.

c) Visiting our offices or attending a BIT event

Category  Description 
Visitor Data 

Event Data 

  • Name
  • Contact information
  • Occupation and/or organisation you represent 
  • Information you provide to us for the purposes of attending meetings and events, including dietary requirements which may reveal information about your health or religious beliefs
  • (for paid events) credit or debit card information including credit card number and expiration date
  • CCTV recordings on entering and leaving BIT’s premises / at an event 
  • Information regarding your use of our local area networking facilities (including WiFi) and similar electronic services

Please note that for larger events organised by BIT, such as BIT’s Behavioural Exchange conferences, there may be a separate event website and privacy notice applicable to that event. The privacy notice for that specific event will take precedence over this privacy notice. 

d) Purchasing products from us (such as EAST cards)

Category  Description 
Payment Data 
  • Name
  • Credit or debit card type, expiration date, and certain digits of your card number
  • Delivery and billing address
  • Mobile phone number
  • Details of your transaction history

e) When you are participating in interviews or focus groups in relation to a research project we are undertaking

Category  Description 
Research Participant Data 
  • Name
  • Contact details (e.g. telephone number, email address) 
  • Responses to interview questions/focus group questions which may reveal information about your health, ethnicity or religious beliefs (or other special category data and/or information about criminal convictions or offences). It will never be mandatory to provide any such information as part of your responses. 
  • Records of consent 

Except as identified above in the context of collecting dietary requirements and responses to interviews, we do not collect any special categories of personal data (special category data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data), or information about criminal convictions and offences for any of the activities covered by this privacy notice. 

4. How do we use the information we collect?

Your personal information will be used for the purposes listed in the table below.  We will only use your personal data where we have a lawful basis for doing so. The basis we rely upon will impact which rights you have in relation to your personal information (see section below for more details):

Purpose Lawful Basis Category of personal data
Do business with our prospective clients, clients, suppliers and partners (as well as prospective clients, suppliers and partners)  Legitimate interest in contacting our clients, prospective clients, partners and suppliers, and retaining records of our contacts

Compliance with a legal obligation 

To perform our obligations in accordance with any contract that we may have a client, partner or supplier 

Client Data 

Supplier Data 

Partner Data 

Send our newsletter and promote our products and services via direct marketing Consent Subscriber Data 
To recruit partners such as schools, colleges, businesses, GPs and NHS Trusts (not an exhaustive list) to work with us on research projects  Consent 

Legitimate interest in contacting potential partners to meet recruitment requirements for research projects (provided the partners are likely to have a mutual interest in the potential outcomes of the research project) 

Partner Data 
Request feedback and conduct surveys and other research/analytics  Consent 

Legitimate interests in understanding how to improve our products and services 

Website User Data 

Subscriber Data 

Client Data 

Partner Data 

Supplier Data

Visitor Data 

Event Data 

Arrange events and interact with clients and contacts at events Legitimate interest in generating interest in our services and products  Subscriber Data 

Event Data 

Client Data 

Resolve queries and complaints Legitimate interest in resolving a query or complaint raised by or involving a data subject 

Compliance with a legal obligation

Subscriber Data 

Website User Data 

Client Data 

Partner Data 

Supplier Data 

Visitor Data 

Event Data 

Provide you with access to all parts of our site, personalise your experience on our website, and ultimately improve the functionality of the website for the benefit of all users Legitimate interest in providing an enhanced, user friendly website by understanding how our website is used Website User Data 
Protect the security of our website and detect and prevent dangerous or unlawful use Legitimate interest in safeguarding BIT’s intellectual property and assets, and in protecting the security of users and their information Website User Data 
Protect the security of our offices, staff and guests by identifying visitors Legitimate interest in safeguarding BIT’s assets and employees

Compliance with a legal obligation (health and safety)

Visitor Data 

Event Data 

To process your order for a product, including taking your payment and arranging delivery To perform our obligations in accordance with a contract Payment Data

Website User Data

To prevent or detect fraud and money laundering including fraudulent payments and fraudulent use of our services Compliance with a legal obligation (fraud and anti-money laundering compliance) 

Legitimate interest in safeguarding BIT’s assets and employees 

Payment Data 

Client Data 

Partner Data 

Supplier Data

Website User Data 

Establish, defend or enforce legal claims or regulatory investigations  Legitimate interest in protecting the commercial and legal interests of BIT Client Data 

Partner Data 

Supplier Data 

Website User Data 

Payment Data 

Subscriber Data 

Visitor Data 

Event Data 

Conducting interviews and/or focus groups to collect qualitative data in connection with research projects and build a body of evidence of what works in behavioural science and public policy  Consent 

Legitimate interests in undertaking robust research with social impact 

Where we collect special category as part of research participants’ responses to interviews and we have relied on consent as the lawful basis, we will also seek explicit consent as a condition of processing. Where we have relied on legitimate interests as the lawful basis, our condition for processing special category data will be that it is necessary for scientific research purposes. 

Research Participant Data 

Where we rely upon a “legitimate interest” as our legal basis, we will ensure that our interest is not outweighed by any impact on your rights and freedoms, by using your information in a way which is proportionate and respects your privacy.

Please make sure that any personal data you provide is accurate and up to date, and let us know about any changes in the information which you have provided as soon as possible.

Marketing choices

If you have previously signed up to receive our newsletter or other promotional communications from us but you don’t want to receive any more communications, please click the unsubscribe link on any email from us. Alternatively, you can also email us at info@bi.team at any time.

5. Who else may have access to your information?

We may disclose your information with third parties for the purposes described below:

  • with other companies in our group, in order to utilise personnel or shared IT services based in other BIT offices, for any of the purposes described in this notice;
  • with third party service providers. These third parties have agreed to confidentiality restrictions and use any personal information we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us. These include our marketing automation platform (MailChimp, whose privacy policy can be found here), our IT service providers (including Google), our online store provider (Shopify, whose privacy notice can be found here), our Customer Relationship Management system (Hubspot, whose privacy policy can be found here) and other third parties who help manage our IT and back office systems;
  • with our regulators, which may include the Information Commissioner’s Office, and with courts and law enforcement to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies;
  • with a potential or actual third party purchaser of our business or assets if, in the future, we sell or transfer some or all of our business or assets to a third party, or invite investment in our company.

Comments and other information which you post on the website or our social media pages will be displayed publicly and to other users. Please be careful when disclosing personal information which may identify you or anyone else. We are not responsible for the protection or security of information which you disclose in public areas.

6. International Transfers

The global presence of BIT means that your personal data may be transferred outside of the UK and the European Economic Area (“EEA”) – where data protection laws may not be equivalent – for any of the purposes described in this notice.  Whenever we make restricted international transfers of personal data, we take steps to ensure that your personal data receives an adequate level of protection (by putting in place appropriate safeguards, such as contractual clauses), or to ensure that we are able to rely on an appropriate derogation under data protection laws.  You have a right to request access to any safeguard which we use to transfer your personal information outside of the UK and the EEA (although we may need to redact data transfer agreements for reasons of commercial confidentiality). 

As noted above, we may share your data with one of our group companies.  As of the date of last review of this notice, the group of companies comprise:

  • Behavioural Insights Ltd – (UK)
  • Behavioural Insights US (Inc) – (United States of America)
  • Behavioural Insights (Australia) Pty Ltd – (Australia)
  • Behavioural Insights (New Zealand) Ltd – (New Zealand)
  • Behavioural Insights (Singapore) Pte Ltd – (Singapore)
  • Behavioural Insights (Canada) Ltd (Canada)

There is an adequacy decision from the European Commission in respect of transfers of personal data to New Zealand. This means that New Zealand is deemed to provide an adequate level of protection for your personal information if we transfer personal data to Behavioural Insights (New Zealand) Ltd. There is also an adequacy decision from the European Commission in respect of transfers of certain types of personal data to Canada, namely data that is subject to protection under Canada’s Personal Information Protection and Electronic Documents Act. 

In relation to other group companies outside of the UK and EEA, we have put in place standard contractual clauses (as laid down in the European Commission Decision 2010/87/EU of 5 February 2010 or as updated from time to time) to ensure an adequate level of protection for your personal data.

Some of our data processors may transfer personal data outside of the UK or EEA and, as stated above, we will always ensure there are appropriate safeguards in place so that such transfers are lawful. For example, MailChimp’s and Hubspot’s servers are located in the United States so personal data will be transferred to the United States. MailChimp and Hubspot have both certified to the EU-U.S. Privacy Shield Framework.

If you are concerned about us sharing your personal data with MailChimp, please do not sign up to receive information from us. 

7. Security

We take appropriate steps to protect your personal information and follow procedures designed to minimise unauthorised access, alteration, loss or disclosure of your information.  Measures we take include placing confidentiality requirements on our staff members and service providers; limiting access to personal information and destroying personal information which is no longer required.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Any downloadable documents, files or media made available on this website are provided to users at their own risk. While all precautions have been undertaken to ensure only genuine downloads are available, users are advised to verify their authenticity using third party anti-virus software or similar applications.  You should also exercise caution when sharing personal data or confidential information on any website, and should use up-to-date web browsers and anti-virus software.

8. Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. When it is no longer necessary to retain your personal data, it will be deleted.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

9. Your legal rights

Subject to certain exemptions, and in some cases dependent upon our lawful basis (see “How do we use the information we collect?” above), you have certain rights in relation to your personal data:

  • Request access to your personal data: this enables you to find out how and why we are using your personal data, and to receive a copy of the personal data we hold about you to check we are lawfully processing it.
  • Request correction of your personal data: this enables you to have any incomplete or inaccurate data we hold about you corrected.
  • Request erasure of your personal data: this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
  • Object to processing of your personal data: you can object where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Request restriction of processing your personal data: this enables you to ask us to suspend the processing of your personal data if you contest its accuracy; our processing is unlawful (but you do not want your data erased); your personal data is no longer needed for the original purposes but is needed for legal claims; or you have objected to processing which is based on legitimate interest grounds.
  • Data portability: Where the processing takes place on the basis of your consent or contract, and is carried out by automated means, you have the right to request that we provide your personal data to you or to another controller (where technically feasible) in a machine-readable format.  Based on our use or personal data and the lawful bases relied on, this right is unlikely to be relevant.
  • Right to withdraw consent to the processing of your personal data: This applies where we have relied on consent to process personal data. Please note that withdrawal of consent will not affect the lawfulness of any processing carried out before withdrawing your consent.

You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

If you wish to exercise any of the rights set out above, please contact the Data Protection Officer with your specific request by email to: dpo@bi.team

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded  or excessive (which may include repetitive requests). Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

10. Company details

Behavioural Insights Ltd is a limited company registered in England and Wales. Registration number: 08567792

Registered office: 4 Matthew Parker Street, London SW1H 9NP