Data Privacy and Research Use Notice
Last updated: 18 January 2026
1) What this is
This site runs a survey and related research programme focused on organisation level generative AI adoption. We are primarily interested in company level insights, but we collect limited business contact details to administer participation, prevent duplicate submissions, and support longitudinal analysis.
2) Who we are
Data controller: [Your legal entity name]
Registered address: [Your registered address]
Contact: privacy@thebenchmark.site
If you have any privacy questions or concerns, please contact us first and we will do our best to resolve them promptly. You also have the right to contact the UK Information Commissioner’s Office (ICO).
3) What we collect
We collect three categories of data:
A) Survey responses (mostly organisation level)
Examples: organisation characteristics (sector, size band, coarse geography); adoption status, use cases, spend bands, governance practices, tooling, outcomes; optional free text responses (if enabled).
We design questions to target organisation level information. However, free text fields can accidentally include personal data. If we include free text, we ask respondents not to include personal identifiers and we may redact obvious personal identifiers before analysis.
B) Business contact details (limited personal data)
Examples: name; work email address; job title or role category; organisation name (if requested). This is personal data under UK GDPR even in a work context.
C) Technical and usage data
Examples: IP address and coarse location inference (e.g., country/region); device and browser metadata; timestamps, pages viewed, form completion events; basic security logs. We use this to secure the service, diagnose issues, and understand completion patterns.
4) How we use the data and our lawful bases
We only use personal data where we have a lawful basis under UK GDPR. The main bases we rely on are Legitimate Interests, Contract, and Consent (where appropriate).
| Purpose | Data used | Lawful basis |
|---|---|---|
| Run the survey and provide access to any account or dashboard | Business contact details; technical data | Contract (where an account is created), Legitimate Interests (admin and security) |
| Prevent duplicate responses and maintain dataset quality | Business contact details; technical data; survey responses | Legitimate Interests |
| Longitudinal research and statistical analysis | Survey responses; pseudonymous identifiers; limited technical metadata | Legitimate Interests and research safeguards |
| Produce benchmarks and research outputs | Aggregated survey responses | Legitimate Interests |
| Respond to enquiries and exercise rights requests | Business contact details | Legal obligation (where applicable) and Legitimate Interests |
| Optional communications (eg updates, invitations, follow ups) | Business contact details | Consent (where used) or Legitimate Interests (strictly limited, non-promotional research admin) |
Legitimate interests (summary): We have a legitimate interest in running the research programme, improving data quality, and producing aggregated insights. We minimise personal data, restrict access, and apply safeguards to reduce risk to individuals.
5) Pseudonymisation and separation of identifiers
For analysis, we pseudonymise survey responses by replacing direct identifiers with a random code. The mapping between codes and business contact details is stored separately and access is restricted. Pseudonymised data is still personal data under UK GDPR, but it reduces the risk of identification in analysis workflows.
6) Publication and disclosure control
We publish or share results in aggregated form, using disclosure controls designed to reduce re-identification risk. These controls may include minimum group sizes (cell suppression), banding or coarsening of sensitive attributes, and manual review of outputs where segmentation increases re-identification risk. We do not publish named organisations or named individuals without explicit permission.
7) Data retention
A) Account data and direct identifiers
Kept while the account is active or while needed for research administration. If an account is inactive for an extended period (e.g., 24 months), we will delete direct identifiers or permanently de-link them from survey responses unless we need to keep limited records for legal, security, or compliance reasons.
B) Pseudonymised longitudinal dataset (survey responses with codes)
Kept indefinitely for longitudinal research and statistical analysis, subject to safeguards, access controls, and periodic review of whether identifiers are still needed for the research purpose.
C) Aggregated outputs
Kept indefinitely.
D) Security and operational logs
Retained for a limited period appropriate for security and troubleshooting (typically days to months), then deleted or aggregated.
8) Sharing and processors
We use service providers (processors) to operate the site and research systems. Categories may include: hosting and databases; authentication and email delivery; analytics and monitoring; security and incident detection; customer support tooling. We require processors to protect data and to process it only on our instructions. We maintain a list of key processors and can provide it on request.
9) International transfers
We aim to choose providers that keep data within the UK where feasible. Some providers may process data outside the UK. Where international transfers occur, we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, plus vendor due diligence.
10) Security measures
We use a combination of organisational and technical controls appropriate to the nature of the data, such as encryption in transit and at rest where supported by the platform, access controls and least privilege, separation of identifiers from analysis datasets, logging of administrative access and periodic review, and backups and recovery procedures. No system is risk free, but we design the programme to minimise collection and limit exposure.
11) Your rights
Depending on the circumstances, you may have rights to access, correct, delete, restrict or object to processing, data portability (where applicable), and withdraw consent (where we rely on consent). Research and statistical processing can affect how some rights apply in specific cases under UK law. Where a request would seriously impair the research purpose and lawful exemptions apply, we may be unable to fully comply, but we will explain our reasoning and apply alternatives where feasible (e.g., restricting use, de-linking identifiers, excluding future analysis).
12) Cookies and analytics
If we use cookies or similar technologies, we will describe them here and, where required, provide choices. If analytics are enabled, we prefer privacy minimising configurations (e.g., IP truncation where available) and avoid collecting unnecessary identifiers.
13) How to contact us
Email: privacy@thebenchmark.site. We may ask for verification before fulfilling a rights request, to avoid unauthorised disclosure.
14) Changes to this notice
We may update this notice as the programme evolves. We will post the latest version on this page and update the “Last updated” date above. If changes materially affect how we use personal data, we will take reasonable steps to notify active account holders.