Skip to main content

Privacy policy Information is our business – we look after it.

Privacy Policy

Firefish Ltd (Firefish, The Numbers Lab and The Pineapple Lounge) is known for excellence and quality and strives to be a trusted business partner. Integral to this is meeting our data protection responsibilities.

A fundamental part of our business is to gather and analyse data to help deliver research insights and strategic advice to our clients. Within our work this sometimes involves the collection and use of personal data. We are committed to protecting the personal data we collect, have access to, use, store and share, otherwise known as ‘processing’. This privacy policy sets out our approach to data protection in our research activities. In different research activities we may act as a Data Controller, a Joint Data Controller along with our client(s) or supplier(s) or a Data Processor for our client(s).

When we are acting as a Data Controller and Joint Data Controller our key privacy related responsibilities are:

  • Contacting you in connection with the research and administering your consent
  • Securely storing your personal data
  • Analysing the information that you provide during your market research activity
  • Securely sharing recordings and footage with carefully selected partners who assist us with the research
  • Responding to your privacy related requests
  • Deleting your personal data when it is time to.

Each of these processing activities is described further below.

What personal data do we process?

The type of personal data we process will vary with each research project. Along with attitudes and opinions this will typically include:

  • Name and contact details (phone and email) to confirm attendance or for re-contact such as:
    • To discuss activity related to a project
    • To discuss input / answers
    • To discuss the further processing of personal data
  • Age, gender and location to ensure we speak to a demographically representative group of people
  • Address, if any research is to be conducted in a home
  • Bank details for incentives paid via BACS
  • Audio recordings and video footage
    • for the purposes of transcription, research analysis and reporting
    • to demonstrate and bring to life research findings for internal meetings and business uses
    • to update people connected to the research
  • Other types of personal data we may collect will be set out on a project by project basis. This may include sensitive personal data which we will only process with your explicit consent.

How do we collect and use personal data?

There are several ways we may collect or have access to personal data.

  • Directly from research participants
  • From a client’s, or other third party database we have access to
  • From a panel provided by a client or other third party.

We, like other organisations, have to process personal data lawfully.  The way we do this is to ensure we meet at least one of the following:

  • We have consent for research purposes, including parental consent for under 16s. Details of the personal data we will collect and how it will be used are explained before the research
  • We have established legitimate interests for the collection and use of personal data. This would include our internal quality control purposes, consent audits or any activities where it is not practical or possible to get consent
  • We are required by law or public interest to collect or disclose your personal data.

How long do we keep your personal data?

We will only hold your personal data for as long as there is a legitimate business need or legal requirement to retain it.

  • Personal data we collect and use for research purposes will be held by us for 6 months after the project has finished, unless has been otherwise specified
  • Personal data that is included in the final research output will be held by us for a period of 7 years for our internal record keeping and archiving processes
  • Some personal data we have collected (i.e. photos/film clips), may be included in research outputs. These may be held by our clients for longer than 6 months and while there is still a valid purpose for its use in connection with the research. This will be subject to the client’s data privacy policy and security measures
  • Personal data files may exist for up to 6 months in our IT back-up system before being naturally overwritten
  • Name and attendance is recorded and held by us for a 2-year window for our internal quality control purposes. This excludes personal data that has originated from a client/third party database
  • Where we have paid the research incentive, we will hold a record of transaction or signature for 7 years, for tax audit purposes.

How do we look after your personal data?

It is important to us that you know your personal data is safe and we have a number of security policies and procedures to ensure that we protect your information at all times. We employ a specialist IT provider to ensure our systems are regularly monitored and maintained with up to date security software to protect against threats.

  • Only authorised people have access to your personal data and on a needs-only basis
  • Your personal data is stored on secure servers hosted by us or third parties providing hosting services to us
  • We take steps to encrypt your personal data when it is stored and to prevent unauthorised access or loss
  • Secure transfer methods are used so your personal data is safe whenever it is shared
  • Secure destruction methods are used when we dispose of your personal data.

Who do we share your personal data with?

As well as with the commissioning client, we will need to share your personal data with partners, suppliers, agents and subcontractors as these third parties are essential to helping make a research project happen. We work with trusted third parties and ensure these relationships are managed using agreements that set out clear terms and handling instructions.

These third parties will include:

  • Recruiters who find participants for research
  • Partner research agencies
  • Research viewing facilities
  • Web-streaming providers
  • Online platform partners
  • Filming providers
  • Expert and specialist advisors
  • Transcribers

Where else does your personal data go?

In the course of conducting our research activities, it may sometimes be necessary for us to transfer your personal data outside of the U.K. and EEA to carefully selected partner and providers. Some countries have different standards of data protection and may not be as strict as those in the U.K. or in the EU. We ensure that these organisations meet the necessary compliance with data protection and have appropriate and adequate safeguards in place. These transfers will be governed such as; by data processing agreements; standard contractual clause contracts; adequacy measures or other legal mechanisms. In addition, our clients receiving personal data from research outputs may share this data with other parties connected with the research, for research purposes only.

What we won’t do with your personal data

Your personal data will only be used for research purposes. Your personal data will not be broadcast, put in the public domain, used for direct marketing purposes, automated profiling, sold to third parties or used for other purposes unless we have your explicit consent.

Know your rights – we respect them

If you are an EU/UK citizen, you have a number of rights over your personal data and our aim is to fulfil these as best we can. Please contact us using the details below if you;

  • Want to withdraw your consent
  • Want to request that we delete, correct or restrict the use of your personal data
  • Want to know about or see the personal data we hold that belongs to you
  • Want to port your personal data
  • Have any concerns or questions about the ongoing processing of your personal data.

Write to the Data Protection Officer, The Pineapple Lounge, 170-172 Tower Bridge Road, London, SE1 3LS


Regulatory Bodies

If you don’t think we’ve done enough or you want to lodge a complaint then you can contact our data protection supervisory authority. In the U.K., this is the Information Commissioner’s Office (“ICO”). Contact details can be found at

In the U.K., our industry regulatory body is the Market Research Society (MRS) and we are bound by the MRS Code of Conduct and associated guidelines. Details can be found at

About Us

The Pineapple Lounge is an independent market research agency incorporated in England and Wales with a company registration of 03854900 and located at 170-172 Tower Bridge Road, London SE1 3LS.

Updates To Privacy Policy – this policy may be updated from time to time without notice and you should always check that you are referring to the most recent version.

Policy effective date: 25th May, 2018

Policy version: V6_2021


Marketing Privacy Policy

The Pineapple Lounge is serious about the privacy of your data.

We only collect the information needed to deliver and manage our newsletter and marketing communication or to respond to any requests you send to us. If you opt in to receive marketing communication from us, you accept the practices set out in this policy.

What data is collected?

  • Name
  • Email address
  • Company Name
  • Country
  • IP address

What happens to your data?

In order to technically support our marketing communication we use the following third party software providers: Mailchimp – our email marketing platform, and Highrise – our CRM system. Their services are provided from the U.S. and both companies provide the levels of data security and protection required by data protection law including Privacy Shield. Should you wish to find out more you can view their privacy policies on their websites by clicking the links above.

Data security and retention

Any data exchanges between us and our providers are by secure transfer. Any data held by The Pineapple Lounge is stored on our secure server for 1 month and can only be accessed by certain approved members of staff. Data is otherwise held securely by the software providers on their systems. Data is retained in order to record your preferences and to ensure you only get the communication you’ve chosen to receive from us.

What we won’t do with the data

The Pineapple Lounge Limited will not use your personal data for profiling, to send unsolicited emails or to pass it to other third parties without your express consent.

Your data choices

If you no longer wish to receive marketing communication from us, or update your marketing preferences, then you can do so by using the links at the bottom of any email marketing we send you now or in the future. Alternatively, you can send an email to with the subject UNSUBSCRIBE. Please allow 72 hours for your details to be removed from our system.

Want to get in touch?

Write to: Data Protection Officer, 170-172 Tower Bridge Road, London SE1 3LS.


Policy Version: V3.2018

Note: This policy only applies to this website. Other sites may vary.