How we handle participant data
Written by: Phil Hesketh
At Consent Kit, we believe that how companies handle and process the information we provide them is fast becoming a key factor in deciding which services to use.
In the case of user research, personally identifiable information and the things people tell us are at the front of these concerns.
Often the tools that we use to fulfil the task of obtaining and managing informed consent are not sensitive to these needs. We created Consent Kit in response to this.
How we handle and process data is first and foremost when making decisions about how we build the product, but we must balance these concerns against the practicalities of creating a service that meets our users expectations.
We believe Consent Kit is the current best in class solution to this problem. As part of that I wanted to be transparent about how we actually do this.
Where we store the data you give us
By default, all of the servers we utilise are based within the EU or the US (certified by Privacy Shield).
Our server provider is independently audited and certified against the following standards for data privacy and security:
- ISO 27001, 27017, and 27018 Certification
- SOC2 Type I Attestation Report
If you specifically need your data to be stored on a server in another location, please contact us for more information.
Third parties that we use
We use third parties to deliver certain functionality within Consent Kit, such as email delivery and product metrics. All third party companies we engage with are compliant with the GDPR and have Privacy Shield certification (if outside the EU).
Here is a list of the third party services we use:
- Hosting and databases: Heroku
- Email delivery: Postmark
- Analytics: Google Analytics, MixPanel
With the exception of email delivery; no personally identifiable information belonging to your participants is shared with any third parties.
How long we keep your data for
You are in control of how long information is kept on our servers. We will send you an email to remind you to delete participant information within the time frame agreed in the consent document signed by the participant.
We remove all of your information from our system at the point of deletion.
In the case of email delivery; our third party service provider automatically deletes all email message activity and metadata within 45 days (or 7 days in the case of an FOI request).
What happens to my data if I decide to leave?
If at any point you decide to leave Consent Kit we will provide you with a download of all of the information we hold for each of your projects created; including individual activity logs for each participant.
We will delete all of your account and project information after downloading and sending you the information.
Feedback is a gift
It’s important to us that we not only get this right, but set a standard for how this should be done when designing services which handle potentially sensitive data. We’re actively taking steps to improve this all the time. If there is something you think we could be doing better, I’d love to hear from you!