Privacy policy · RivalStudy
RivalStudy ← Back to site
Legal

Privacy Policy

Last updated: June 2026 · UK GDPR compliant

1. Who we are

Rival Study is a company registered in England and Wales. Our registered office is in London, United Kingdom. We are the data controller for personal data processed in connection with our intelligence services and this website.

ICO registration: in progress. We will publish our registration reference here once confirmed.

Data protection enquiries: privacy@rivalstudy.com

2. Data we collect

Client contact data. When you request a briefing, commission a study, or create a client portal account, we collect your name, work email address, company name, job title, billing details, and correspondence relating to your engagement.

Participant interview data. When we conduct interviews on behalf of clients, we collect responses, audio recordings (with consent), role and company descriptors, and verification data confirming participant eligibility. Direct identifiers are removed before deliverables are shared with clients.

Usage analytics. We collect minimal, functional analytics on website and client portal usage - page views, session duration, and feature interactions - to maintain and improve our services. We do not use advertising or cross-site tracking technologies.

3. Participant data

Interview participants are recruited and interviewed under a separate consent process. Before each interview, participants are informed of the research purpose, how their data will be used, and their rights under UK GDPR.

Anonymisation protocol. Direct identifiers are removed or generalised within 48 hours of interview completion. Company names, individual names, and contact details are never included in client deliverables. Role descriptors and company size bands may be retained where analytically necessary.

Retention. Source interview records (including audio where recorded) are retained for a maximum of 24 months from the date of interview, after which they are securely deleted. Anonymised analytical outputs may be retained indefinitely for quality assurance.

4. How we use client data

We process client personal data for the following purposes and on the following legal bases:

  • Delivering commissioned intelligence services - contract performance
  • Managing client accounts and the client portal - contract performance
  • Issuing invoices and processing payments - contract performance and legal obligation
  • Responding to briefing requests and enquiries - legitimate interests
  • Improving our services through aggregated usage analysis - legitimate interests

We do not sell client data. We do not use client data for automated decision-making or profiling.

5. Third-party processors

We use carefully selected third-party processors to support our operations. All processors are bound by data processing agreements compliant with UK GDPR Article 28.

  • Stripe - payment processing and invoicing
  • Supabase - database, authentication, and secure storage of documents and transcripts
  • LayerSend - transactional email delivery

6. International transfers

Some of our processors are located outside the United Kingdom. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including UK International Data Transfer Agreements and, where applicable, Standard Contractual Clauses approved by the European Commission.

We conduct transfer impact assessments for all processors located in countries without an adequacy decision from the UK Secretary of State.

7. Your rights under UK GDPR

If you are located in the United Kingdom or European Economic Area, you have the following rights in relation to your personal data:

  • Right of access - request a copy of the personal data we hold about you
  • Right to rectification - request correction of inaccurate data
  • Right to erasure - request deletion in certain circumstances
  • Right to restrict processing - request limitation of how we use your data
  • Right to data portability - receive your data in a structured, machine-readable format
  • Right to object - object to processing based on legitimate interests

To exercise any of these rights, contact privacy@rivalstudy.com. We will respond within one calendar month.

8. Data retention schedule

Data type
Retention period
{{ r.type }}
{{ r.period }}

9. Cookies

This website and client portal use functional cookies only. These are necessary for session management, authentication, and basic usage analytics. We do not use advertising cookies, social media tracking pixels, or third-party behavioural profiling technologies.

Functional cookies include: session identifier (duration: session), authentication token (duration: 30 days), and a first-party analytics cookie for aggregate page view counting (duration: 12 months). No consent banner is required for strictly necessary cookies under UK PECR, but you may disable cookies in your browser settings - note that the client portal requires session cookies to function.

10. Contact and ICO complaints

For any data protection enquiry, contact our Data Protection Officer at privacy@rivalstudy.com or write to: Data Protection Officer, Rival Study, London, United Kingdom.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
ico.org.uk · 0303 123 1113