PRIVACY POLICY

At Data4Science, user privacy is an extremely high priority for us, and we strive to provide a safe and transparent environment for you to receive, manage, and share your personal data.

We want you to know about our practices so that you can make good decisions about how you use Data4Science. This policy explains what information we collect about you, what we do with it, and how you can make choices about sharing it with others. This Privacy Statement applies to all websites and portals owned and operated by Data4Science, and any other websites, pages, features, or content we own or operate.

Data4Science is the Data Controller responsible for your personal data. This Privacy Policy applies to processing activities under both the UK GDPR and EU GDPR, as well as the Data Protection Act 2018, and if applicable, your local jurisdiction. Our data protection officer (“DPO”) is responsible for handling questions that relate to this privacy notice. You can contact the DPO by email at: dpo@Data4Science.com.

Data4Science collects, stores and links many data sources, with the primary aim of providing a resource for behavioural and health researchers to make new discoveries about human behaviour, health and disease. “We, us, our” refers to Data4Science and “You, your” is an individual who has chosen to participate in Data4Science.

This privacy notice explains how we process and protect the personal data of individuals who have chosen, and provided their Informed Consent, to participate in Data4Science. (We note that when we use the term ‘consent’ for research participation, it is different from ‘consent’ under GDPR, in which the latter is a type of lawful basis for data processing.)

What data do we collect and how do we collect your data?

Data4Science generally collects the following information:

1. Information you provide directly to us or through a third party.

   1. Personal Information. Information that can help identify you. Data4Science collects and stores the following types of personal information.

      1. Registration Information. When you create a Data4Science account, we collect Personal Information, which may include your email address, name, username, and password. Data4Science stores this information to help identify you when you log in, make it possible for you to manage and change information in your account, and build the Data4Science community.

      2. Self-Reported Information. You have the option to provide us with additional information about yourself through surveys, questionnaires, forms, features and applications. For example, you may provide us with information about your personal traits (e.g., height, weight), ethnicity, lifestyle (e.g., diet, exercise, vaping), other behavioural and additional questions (e.g., chronotype, personality, education), and family history information (e.g., your family tree). Before you disclose information about a family member, you should make sure you have permission from the family member to do so.

      3. User Provided Content. This is information you provide about you or other individuals, living or deceased, when you voluntarily contribute to our Services. For example, as we expand into different types of data donation, it may be digital data analyses (e.g., social media), wearables (e.g., exercise or sleep history) or genetics and information you voluntarily provide in response to our questionnaires available through the Services. This may include health or medical information.

      4. Profile Information. We gather the information you use to create a user profile. This information cannot be seen by other Data4Science users.

   2. Communications with Customer Service. When you contact our Customer Services or correspond with us about our Service, we collect information to: track and respond to your query, investigate any breach of our policies or regulations, and analyse and improve our Services.

   3. Aggregate Information. Information that has been combined with that of other users and analysed or assessed as a whole, such that no specific individual may be reasonably identified.

   4. Pseudonymous Information. Information that has been stripped from your Account Information and other identifying data, such that you cannot easily be identified as an individual to the public, and is instead only identifiable by a number key or other alphanumeric sequences.

2. Web-Behaviour Information collected through tracking technology (e.g., from cookies and similar technologies).

We and any of our third-party service providers (e.g., web page analytics) use cookies and similar technologies (such as web beacons, tags, scripts and device identifiers) to:

1. help us recognize you when you use our Services;

2. customize and improve your experience;

3. provide security;

4. analyse usage of our Services (such as to analyse your interactions with the results, reports, and other features of the Service);

5. gather demographic information about our user base;

6. offer our Services to you;

7. monitor the success of marketing programs; and

8. serve targeted advertising on our site and on other sites around the Internet.

Non-essential cookies (including analytics or advertising cookies) are used only where you have given explicit consent through our cookie banner. You can withdraw consent at any time.

3. Other Types of Information

We continuously work to enhance our Services with new products, applications and features that may result in the collection of new and different types of information. We will update our Privacy Statement and/or obtain your prior consent to new processing, as needed.

​

​

What is the legal basis we rely on for our data processing?​

​

Data4Science relies on the legal ground of legitimate interests under GDPR Article 6(1)(f) for ordinary personal data and the scientific research condition under Article 9(2)(j) GDPR for special category data. We have performed a documented Legitimate Interests Assessment which concluded that our research purpose is sufficiently in the legitimate interests of both Data4Science and participants, and that data subjects’ rights are not overridden. When processing special category data under Article 9(2)(j), we implement the safeguards described in Article 89(1), including pseudonymisation, access limitation, and technical and organisational measures. Data4Science only processes personal data where it has a legal basis to do so. Where special category data is involved (e.g., health, ethnicity, sex life), the relevant legal condition will be scientific research in the public interest.

We have balanced our legitimate interests in conducting health and behavioural research against the potential impact on your rights and freedoms, and concluded that our interests are not overridden. This will allow us to process data if the processing of data is of mutual benefit to both us and you, has minimal impact on your privacy, and uses data in a way that you would expect.

​

​

​

​

​​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​​

*The GDPR defines “special categories data” as information that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; and the processing of genetic data or biometric data for the purpose of uniquely identifying a person; data concerning health or data concerning sex life or sexual orientation. This sensitive data is subject to enhanced protections.

​​​

To use the legal basis of legitimate interest to process your data we must show that:

1. We have a legitimate interest to process your data. Since we are developing a larger resource for health and behavioural research, our legitimate interest is preserving and bettering wellbeing, equality and health. This will benefit the wider public in relation to more effective approaches and interventions and prevention.

2. The data processing is necessary to meet that legitimate interest. Without the data that you provide for analysis, we would be unable to establish the resource, and researchers would not have the data they need to do the research. We remove identifying information from the data that researchers can use, and we store only that which we need for as little time as necessary (known as data minimisation). Re-identification may be a risk, but we have safeguards in place including data minimisation, aggregation and suppression and researchers must sign a commitment not to re-identify individuals.

3. The interests of participants to process the data is balanced. We are required to conduct an assessment to ensure that our legitimate interests or need to process your data to conduct the research study, is balanced and proportionate and does not present any risks to you. This means that we only collect data that is deemed necessary for the research study and that you would reasonably expect us to collect. We must also ensure that it is robustly protected and secure.

When you provide your Informed Consent to join Data4Science and you allow us to collect, store and make available information about you for behavioural and health-related research for public good. You can review the Informed Consent you gave within your account.

Data4Science links various datasets you donate to enable additional research, for example as we expand your search history with mobility activity. These linkages have the scientific rationale for extending data collection beyond conventional data, however, it is entirely your choice as to whether you agree to participate.

How will we use the data?

1. Personal Information (Generally)

We use your Personal Information to provide, personalize, improve, update and expand our Services. This includes:

a. Authenticating your access to the Services and improving information security;

b. Building new and improving existing Services;

c. Helping you create, and providing insights about, knowledge based on data in Data4Science databases;

d. Issuing surveys and questionnaires for use in the Services, as well as facilitating product development and research initiatives;

e. Conducting scientific, statistical, and historical research;

f. Detecting and protecting against error, fraud, or other criminal or malicious activity; and;

g. Enforcing our ethics and governance principles

​

2. Communications

We use your Personal Information to communicate with you about the Services, such as when we:

a. Respond to your inquiries to Member Services;

b. Inform you of changes to Services or new Services;

c. Alert you about incidental findings if you have not opted out;

d. Ask you to participate in Data4Science media productions, advertisements, or testimonials; and,

e. Provide you with information or request action in response to technical, security, and other operational issues.

3. Self-reported information and User Provided Content

Data4Science uses your data (e.g., from questionnaires, genetic data, digital data) for the following primary purposes:

a. Conducting scientific, statistical and historical research

b. Sharing aggregated data with bona fide researchers for approved and time-limited research projects

c. Providing you with insights into what your data reveals about traits

d. Improving customer experience

4. Sharing your data with our research partners

A key component of Data4Science is to eventually share your data with our approved research partners when the resource is large and/or adequate enough for research. Access to data will only be granted for scientifically and ethically approved research consistent with our core values and purpose. Access to your data will only be given to bona fide researchers, with strict processes in place to check this. Although we follow the general principles of open access, Data4Science retains full control of access to and uses of the data. All proposals are reviewed by our Scientific Committee, overseen by our Advisory Board, which you can read about on our website as our company develops (https://www.data4science.com/).

Data4Science enables external researchers to access the de-identified data. When the resource is large and/or adequate for external researchers to access the data we will follow access similar to the OpenSAFELY (https://www.opensafely.org/) secure analytics platform, created by Ben Goldacre, University of Oxford. It lets researchers study millions of NHS patient records without anyone ever seeing personal data. Instead of downloading information, researchers write and test their analysis code on dummy data, then submit that code to run securely inside the OpenSAFELY system, where the real health records stay safely in place. Only anonymised, checked summaries ever leave the secure servers. Every project must be approved, and all the analysis code is made public so the process is transparent and reproducible. This is a “bring-the-code-to-the-data” model that enables large-scale research while keeping patients’ privacy intact.

We undertake annual audits across all environments. Researchers sign a contract which includes an agreement not to attempt to re-identify participants at any time. Where researchers are based outside the UK or EEA, we ensure that equivalent data protection safeguards are in place, such as the EU Standard Contractual Clauses or UK International Data Transfer Agreement, before access is granted.

All bona fide researchers who gain access to the data, whether employed by universities, research institutes, government, charities or commercial companies, will be held to the same scientific and ethical standards. There may be cases where a commercial entity is able to meet our strict scientific review and values and use the data to increase well-being, health or drug development. We are also committed to publishing who uses our data for which research purpose, to allow transparency. Find out more on our website: https://www.data4science.com/

Access to the data resource by the police or other law enforcement agencies will be agreed to only under court order. We do not share personal data with any other third parties without your explicit prior consent. Sometimes we ask third parties (for data storage, App building), including suppliers and partners, to carry out business functions on our behalf. Where we are required to share personal data with these third parties, we conduct robust due diligence assessments to ensure that they have appropriate security standards in place that protects your personal data, and we enter into a written contract imposing appropriate security and usage standards on them.

As we evolve we include a list of third-party processors, and details of the processing they do for Data4Science on our website https://www.data4science.com/. Global Initiative (https://www.global-initiative.com/) are helping us build and test our App. They are a trusted partner who meets high international standards for quality and security, including ISO 9001 (Quality Management) and ISO 27001 (Information Security Management) certification. These standards mean that our systems are regularly checked by independent experts to make sure your data is safe.

How do we keep your data secure?

Your data is transferred and stored in a highly secure data environment. During data transfer and at rest all participant data is encrypted to secure identity and preserve privacy. Once stored in our main database, the identifying information is removed, and your information is transferred to a secure storage environment in a form which does not allow anyone to identify you.

Data4Science stores all your data securely and to the highest industry and professional standards. Some of the steps we take to maintain secure and robust platforms:

• Undertake routine security testing of all platforms

• Commission external experts to regularly test the security of our systems

• Undertake an annual DPIA (Data Protection Impact Assessment)

Only a small number of approved (and security-checked) staff members at Data4Science have access to identifiable data. This allows us to add more information to your record as it becomes available, and to manage your account. Bona fide approved researchers may also analyse the data using a secure analytics platform outlined earlier.

How long do we keep your data?

The Data Protection Act 2018 and GDPR legislation sets out additional rights for data controllers for scientific research, for example data can be stored for research for longer periods of time. We aim to balance your rights with the needs of researchers, to allow for maximum value to be extracted from the datasets, for behavioural and health research in the public interest. Data4Science is a long-term resource. In line with other large national data resources and biobanks, following Article 5(1)e and Recital (39) of GDPR, we fall under the exception that personal data may be kept for a longer period for archiving purposes in the public interest or for reasons of scientific or historical research, provided that the technical and organisational measures are put in place. It may be that during the duration of this project or in the event of substantial scientific or legal changes, renewal of your consent is required. Identifiable personal data will be reviewed every five years to assess continued necessity. De-identified research data may be retained indefinitely for scientific purposes under Article 89(1) safeguards.

International Data transfers

Data will be stored securely in the UK, even if it is stored within the Cloud. Data in the form of aggregated results may be transferred to third countries, but this will only happen after vetting by the Scientific Committee, using our secure data analytics system and only with GDPR safeguards in place.

​

The privacy and data protection laws and rules on data access may differ from those in the country where you live. All data transfers to a third country will comply with the GDPR and will only take place with adequate safeguards in place, including the EU Standard Contractual Clauses. All international transfers comply with Chapter V of the UK and EU GDPR. Where no adequacy decision exists, transfers are governed by the relevant Standard Contractual Clauses and technical measures such as encryption and access limitation.

​

Data transfer will only take place following the approval of the third party by the Scientific Committee, overseen by the Advisory Board, following strict protocols.

How do I withdraw from Data4Science?

You can decide to withdraw your data from Data4Science at any time without providing any reason. But if you withdraw, it will not be possible for us to remove your data from research that already taken place, since that is part of the published literature. The options are:

• No further contact: We will no longer contact you again, but we can continue to use information you provided previously before you withdrew.  

• No further use: This means we will not contact you again and we will destroy all the personal data and samples we collected from you. However, it won’t be possible to remove your data from any research that took place before your exit.

We have the option for you to withdraw from the study within our App. Alternatively, if you would like to withdraw, you can contact us at: contact@data4science.com. Once data has been de-identified and incorporated into aggregate research results, it can no longer be linked to you and therefore cannot be deleted. Identifiable data will, however, be destroyed upon withdrawal.

Marketing

Data4Science would like to send you information by email about products and services of ours that we think you might like or invite you to participate in a new research study. We will only send this information if you have previously given consent for this type of contact.

If you have agreed to receive marketing, you may always opt out later. You have the right at any time to stop Data4Science from contacting you for marketing purposes. Marketing consent is separate from consent to participate in research. Declining marketing will not affect your participation.

If you no longer wish to be contacted for marketing purposes, please contact us at contact@Data4Science.com

What are your data protection rights?

You have rights under data protection laws that relate to the personal data which we hold. In this section, we explain what your rights are, as they relate to Data4Science.

Under GDPR certain rights may be available to individuals include the right to access, right to erasure, right to data portability, right to rectification and right to restrict processing.

Different rights are available depending on the circumstances of the request.

The right to erasure is available on request, where data that identifies you personally can be deleted, but there are instances where de-identified data will be retained. This is because erasing data when a dataset has been locked for analysis would seriously impair the purposes of the research activity. In those circumstances, we will retain de-identified data where erasing it would render impossible or seriously impair researcher’s ability to complete their research.

To ensure data governance and security, all data is retained in archival back-ups on a rolling 3-month basis. Therefore, deletion requests will not be fully completed until the archived back-up is replaced.

Data4Science is legally required to retain details of all participants informed consent, along with the active time period and withdrawal, therefore, this data set cannot be deleted. Where data is processed solely for scientific research, certain rights (such as erasure or objection) may be limited under Article 89(2) GDPR and section 19 Data Protection Act 2018, but only where exercising those rights would seriously impair research results.

How to contact us

If you have any questions about Data4Science’s Privacy Policy, the data we hold, or you would like to exercise one of your data protection rights, please do not hesitate to contact us. Email us at: contact@Data4Science.com

How to contact the appropriate authorities

Our DPO would be delighted to answer any questions or concerns you have and can be contacted by email at: dpo@Data4Science.com

​

If you have any questions about your rights as a research subject or complaints regarding this research study, or you are unable to reach the research staff, you may contact a person independent of the research team at contact@Data4Science.com.

​

If you have questions about your rights, or if you wish to make a complaint about how your data has been handled, you can also contact someone independent of the research team.

In the United Kingdom, this is the Information Commissioner’s Office (ICO) — the national authority that makes sure data protection laws such as the UK GDPR are being followed.

​

You can contact the ICO by visiting www.ico.org.uk or by calling 0303 123 1113.

If you are based outside the UK, you can contact your local data-protection authority for advice about your rights under your country’s privacy laws. We comply with local data protection laws in the jurisdictions where participants are based, where applicable.

Changes to our privacy policy

Data4Science keeps its privacy policy under regular review and places any updates on this web page.

This privacy policy was last updated on 09 November 2025.