Privacy Policy
1. Who We Are
Paidia Consulting Ltd ("we", "us", "our") is a company registered in England and Wales.
Company Name: Paidia Consulting Ltd
Company Number: 13226541
ICO Registration: ZB407470
Registered Address: 64 Southwark Bridge Road, London, SE1 0AS
Email: david@paidiaconsulting.com
We are committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Data We Collect
2.1 Website Visitors
Our main website (paidiaconsulting.com) does not use cookies, analytics, or tracking technologies. We do not collect any personal data from casual website visitors.
2.2 Business Enquiries
When you contact us via email, we collect:
- Your name and email address
- Your organisation (if provided)
- The content of your message
This information is used solely to respond to your enquiry and, where appropriate, to discuss potential work together.
2.3 Clients and Suppliers
When we work with you as a client or supplier, we collect:
- Contact details (name, email, phone number)
- Company information (name, address, VAT number)
- Payment and invoicing details
- Project-related communications and documents
2.4 Research Projects and Games
Paidia Consulting develops interactive games and digital platforms, sometimes as part of research projects conducted in collaboration with academic institutions or research organisations.
When acting as a data processor on behalf of a research institution (the data controller), we operate under a per-project Data Processing Agreement (DPA) with that institution. Each project also has a project-specific data handling addendum that sets out exactly what is collected, where it is stored, who has access, retention period, and how data is transferred to the research team. Both documents are reviewed and approved by the institution's ethics committee before data collection begins.
We follow data minimisation as a default. In practice this means:
- We do not collect names, email addresses, or any other direct identifiers on participant-facing research platforms
- We do not log IP addresses or device fingerprints to study databases
- We do not run third-party analytics, advertising, or tracking on participant-facing research pages
- Where a session identifier is used to link records within a single attempt (e.g., to join a participant's demographics to their performance data), it is a random per-session value, scoped to that browser session, with no link to participant identity
Typical data collected in research contexts may include:
- Demographic information held under a separate consent platform operated by the research institution (e.g., age, sex at birth, partial postcode, ethnicity)
- Game performance, response times, and other study-specific measurements
- Timestamps and per-session identifiers as described above
For any research project you participate in, please refer to the participant information sheet provided by the lead research institution for full details about data handling specific to that study, and to the project-specific data handling addendum referenced there.
3. Legal Basis for Processing
We process personal data under the following legal bases:
- Contract: To fulfil our contractual obligations with clients and suppliers
- Legitimate interests: To respond to business enquiries and manage our business operations
- Consent: Where you have given explicit consent (e.g., for research participation)
- Legal obligation: To comply with legal and regulatory requirements (e.g., tax records)
4. How We Use Your Data
We use your personal data to:
- Respond to your enquiries and provide information about our services
- Deliver contracted services and manage our client relationships
- Process payments and maintain financial records
- Comply with legal and regulatory obligations
- Process research data on behalf of research institutions (as a data processor)
We do not sell your personal data to third parties, nor do we use it for automated decision-making or profiling.
5. Data Sharing
We may share your personal data with:
- Service providers: Cloud infrastructure (Google Cloud Platform, with research data hosted in the UK europe-west2 region), email services, and accounting software, all under data processing terms with appropriate safeguards
- Research partners: When acting as a data processor, data is shared with the lead research institution as specified in the per-project Data Processing Agreement and data handling addendum, typically by encrypted, password-protected file transfer over HTTPS
- Professional advisers: Accountants and legal advisers as required
- Regulatory authorities: Where required by law (e.g., HMRC)
We require all third parties to respect the security of your personal data and treat it in accordance with the law.
6. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (HTTPS/TLS) and at rest
- Research data hosted in the UK Google Cloud europe-west2 (London) region by default
- Access controls and authentication on all data stores; access credentials held only by Paidia's research team
- Transfer of research data to research partners via encrypted, password-protected files over HTTPS
- Removal of third-party trackers (analytics, advertising, error reporting) from participant-facing research pages
- Regular security reviews
7. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected:
- Business enquiries: 2 years from last contact (unless a business relationship develops)
- Client and supplier records: 7 years after the end of the business relationship (for legal and tax purposes)
- Research data: As specified by the research institution's ethics approval and data management plan
8. Your Rights
Under UK GDPR, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data (subject to legal obligations)
- Right to restrict processing: Request that we limit how we use your data
- Right to data portability: Request a copy of your data in a machine-readable format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, please contact us at david@paidiaconsulting.com.
For research projects where we act as a data processor, please contact the lead research institution (the data controller) to exercise your rights.
9. International Transfers
Research data is hosted in the UK by default (Google Cloud europe-west2, London region) and does not leave UK soil during the study. For other categories of data, we primarily store and process within the UK and European Economic Area. Where data is transferred outside the UK/EEA (for example to cloud service providers headquartered overseas), we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement, Standard Contractual Clauses, or adequacy decisions.
10. Complaints
If you have concerns about how we handle your personal data, please contact us first at david@paidiaconsulting.com.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
11. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date.
12. Contact Us
For any questions about this privacy policy or our data practices, please contact:
Data Controller: Paidia Consulting Ltd
Contact: Dr David Gérouville-Farrell
Email: david@paidiaconsulting.com
Address: 64 Southwark Bridge Road, London, SE1 0AS