Version: CRX_LEGA_PRVN_UK_V03
This privacy notice sets out your rights and answers any queries you may have about how Crux Product Design Ltd (hereinafter referred to as “Crux”) collects, uses and protects your personal information. If you have any questions or concerns about our notice, or our practices with regards to your personal information, please contact us at privacy@cruxproductdesign.com.
Please ensure that you read this notice, and any other notices you may be provided with when we collect or process your personal information. Doing so will help you make informed decisions about sharing your personal information with us.
Crux reviews and updates this privacy notice. We recommend checking periodically to ensure that you are happy with any changes.
This privacy notice applies to all personal information collected through our website, and/or any related services, sales, marketing or events (hereinafter referred to as our “Services”).
Crux offers a range of consultancy services to support a diverse array of product development projects. This includes human factors research and usability testing, a methodology used to evaluate user interaction with products. To authorise this testing, Crux is registered as a data controller with the Information Commissioner’s Office (ICO) under number ZA558972. A data controller determines the purposes and means of the processing of personal information.
This Notice at Collection describes how we collect, use and disclose personal information.
This privacy notice explains what personal information we will collect when you are:
This notice also includes:
We collect personal information you provide directly to us. For example, we collect personal information directly from you when you visit our website or engage with us on social platforms; visit our office; use our Services; supply to us; participate in research studies; express an interest in obtaining information about us or our Services; participate in activities related to our Services; contact us or conduct business dealings with us. The types of personal information that we may collect directly from you include the following:
Data is stored on our secure customer relationship management (CRM) platform (see Section 2.3).
Some personal information is collected automatically when you visit our Services. This data is required to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.
This personal information does not reveal your specific identity (for example, your name or contact information) but may include device and usage information such as:
Information collected by Cookies and similar tracking technologies: We use cookies and similar tracking technologies (like web beacons and pixels) to access or store personal information. Where this involves cookies that are not strictly functional for the operation of our website, we will ask you for your consent prior to those cookies being placed on your device.
We use Google Analytics to collect personal information about how people use our website. Google Analytics stores information about behaviour on our website, such as referrals, pages you visit and what you click on. We do not allow Google to share our analytics data. We do this to understand how we can improve our website and make sure we are meeting the needs of our users.
We obtain personal information directly from you or other members of your organisation. We may also acquire personal information from your public profiles available online, primarily LinkedIn or company websites. Where this is the case, we will be transparent about our collection of your personal data, and we only contact people who we believe will have an interest in our products and services.
We process your personal information for purposes based on legitimate business interests, the fulfilment of our contract with you, compliance with our legal obligations, and/or your consent.
We use the personal information we collect or receive:
We use other companies to provide us with telephony, email and other IT services. We have put agreements in place with these companies to ensure that they will only process your personal information as requested by us and in accordance with data protection law.
We only share and disclose your personal information with the following third parties. If we have processed your data based on your consent and you wish to revoke your consent, please contact us (refer to Section 11).
Crux will retain your personal information for as long as it is required to fulfil the purposes for which the personal information was collected (including for the purpose of meeting any legal or other reporting requirements or obligations).
We will retain your personal information for no longer than 2 years after our relationship with you has ended. If you do use our Services, we will need to retain certain personal information for a longer period to meet our legal obligations (for example for financial records).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
For security purposes and emergency preparedness we may request personal information if you visit our office. This could include your name, business and vehicle details (if required). We use CCTV at our offices for security and the personal safety of our staff and visitors. Signage is in place to inform all visitors that we have CCTV. Any captured data is only accessible to limited members of staff within Crux and is stored for 30 days before being automatically deleted.
When you apply for a job with us, Crux will collect and process personal information about you.
The personal information we process, where provided, includes:
Crux does not collect personal information relating to your ethnicity, gender, disability, religion, sexual orientation and other diversity-related information as part of our recruitment process.
We obtain personal information directly from you, as well as from third parties such as recruitment agencies, background checking companies or former employers where seeking a reference. We may also check any publicly available social media profiles (primarily LinkedIn), where this is relevant, as part of our recruitment process e.g. for checking employment history.
We process the personal information listed in Section 4.1 above for the following purposes only in accordance with our legitimate business interests and legal obligations as an employer:
Your personal information will only be shared with Crux employees involved in the recruitment process.
This includes the People team, interviewers involved in the recruitment process and managers in the business area, including Operations and IT staff (including contractors), if access to the data is necessary for the performance of their roles.
We use other companies to provide us with telephony, email and other IT services. We have put agreements in place with these companies to ensure that they will only process your personal information as requested by us and in accordance with data protection law.
Crux will not share your data with third parties unless your application is successful and Crux makes you an offer of employment. Crux may then share data with former employers to obtain references.
We will not keep your personal information for longer than is necessary. We will keep the personal information connected to your job application (including any interview records) for 6 months from the end of the recruitment process.
In some instances, we may ask for your consent to retain your data for a longer period if a suitable position is not immediately available. If your application is successful and you become a member of staff, we will provide you with a copy of the Employee Privacy Notice. The retention periods referred to therein will apply to your personal information during your employment.
When using Crux for your project, we need to collect and process personal information about you to fulfil our contractual obligations to you as a client.
The personal information we process includes:
We obtain this personal information directly from you or other members of your organisation. We may also acquire this personal information from your public profiles available online, primarily LinkedIn. Where this is the case, we will be transparent about our collection of your personal information.
We process the personal information listed in Section 5.1 above to fulfil our contractual obligations to you as a client in accordance with our legitimate business interests. This data is used by Crux to:
Your personal information will only be shared within Crux, including Crux Directors, Heads of Function, project and senior team members, and Finance team members, if relevant, for invoicing purposes.
We use other companies to provide us with telephony, email and other IT services. We have put agreements in place with these companies to ensure that they will only process your personal information as requested by us and in accordance with data protection law.
Crux will retain your personal information for as long as is necessary to provide our services to you and for our own purpose in meeting legal and business obligations after completion of a project (including for the purpose of meeting any legal, accounting or other reporting requirements or obligations).
This means Crux may retain your personal information after the project ends for a minimum of 7 subsequent tax years.
We collect and process personal information about you when you are a Crux Product Design supplier.
The personal information we process includes:
We obtain this personal information directly from you or other members of your organisation. We may also acquire personal information from your public profiles available online, for example on your company’s website or Companies House.
We process the personal information listed in Section 6.1 above to fulfil our contractual obligations to you as a supplier in accordance with our legitimate business interests.
This data is used by Crux to:
Your personal information will only be available to the relevant teams within Crux, for example Finance and Operations teams.
We use other companies to provide us with telephony, email and other IT services. We have put agreements in place with these companies to ensure that they will only process your personal information as requested by us and in accordance with data protection law.
Crux will retain your personal information for as long as our business relationship is active and for our own purpose in meeting legal and business obligations after completion of a project (including for the purpose of meeting any legal, accounting or other reporting requirements or obligations).
This means Crux may retain your personal information after the project ends for a minimum of 7 subsequent tax years.
As part of our service offering Crux undertakes User Research. In order to recruit people to take part in studies we collect personal information to allow us to assess suitability of participants.
If you are selected to participate in a user study, you will be provided with a specific Privacy Notice relating to that study prior to taking part.
If you would like another copy of any Privacy Notices, or any other documentation provided, please request this via the contact details above.
The personal information we process includes:
We obtain personal information directly from you or from one of our recruitment partners in response to a recruitment campaign. Those recruitment campaigns may take place through social media platforms, such as Facebook. We do not use Facebook to collect personal information about potential participants in our research – an email link is provided within our adverts to register your interest.
We will only use your personal information:
There are six lawful grounds for using your personal information and we need to satisfy one for each separate purpose we intend to use your personal information for.
For all of the purposes described above, we will rely on our legitimate interests. We have undertaken an assessment of our legitimate interests and how we balance those with your rights and freedoms.
Where we collect any sensitive personal information, such as information about health or medical conditions, we also have to satisfy one additional condition. The conditions that we will rely on will be:
We will keep your personal information separate from the information we hold about our general business activities. Access to your personal information will be limited to those who need access to it for the purposes described above, i.e., Crux employees who are either recruiting for or running the study you are participating in.
We use other companies to provide us with telephony, email and other IT services. We have put agreements in place with these companies to ensure that they will only process your personal information as requested by us and in accordance with data protection law.
In very rare circumstances, we may have to share your personal information with a court or other regulatory authority in response to an order or other legal request. Where we are allowed to do so, we will notify you of this.
If you have taken part in a research study your personal information and our results will be retained for 7 years from the date that we deliver our report to the client, unless stated otherwise in the study terms you agree to.
If you do not meet the eligibility criteria for a study, then we will delete your personal information unless you agree that we may keep your details on record for any future studies, which you may be eligible for. If such opportunities do not arise within 2 years, we will delete your personal information. For some potential participants with specific medical or health conditions, we may retain your personal information for a longer period as studies in certain areas occur less frequently and it is important that we have enough participants for a study to be viable. Where this is the case, we will seek your consent prior to retaining your personal information for a longer period, in line with the above purpose.
Crux have put in place a number of measures to protect your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures include:
The personal information that we collect from you is stored within the United Kingdom or European Economic Area (“EEA”). In some cases, we may transfer your personal information to countries outside the United Kingdom and European Economic Area. Where we do so we will ensure that you are made aware that such transfers are compliant with the Data Protection Act 2018 or UK General Data Protection Regulation and that appropriate measures are put in place to keep your personal information secure. The only exception to this is HubSpot (a CRM Platform).
Customer data is processed and secured in the EU before being transmitted and stored in the US to provide additional redundancy for critical components of our system. HubSpot act as our data processor for this purpose and are compliant with the EU-US Privacy Shield. We also have a written agreement in place with HubSpot in relation to the service they provide and how they must handle the data.
You have several rights in relation to the personal information we hold about you, including the right to request a copy of your personal information (commonly known as a “subject access request”) and the right to have any inaccurate or incomplete personal information about you corrected. In certain circumstances, you have the right to request deletion of the personal information we hold about you, ask us to restrict how we use it or object to us holding it.
Please note that there are some limited circumstances and exemptions where these rights may not apply. For further information about your rights, visit the ICO’s website.
You also have the right to make a complaint to the ICO through their website about how we have used your personal information.
Should you have any queries regarding this privacy notice, Crux’s processing of your personal information or wish to exercise your rights you can contact Crux’s Privacy Team using this email address: privacy@cruxproductdesign.com.