Contact
Cookies
We use cookies to enhance your browsing experience - Learn more

Privacy Policy

Introduction

This privacy notice sets out your rights and answers any queries you may have about how Crux Product Design Ltd (hereinafter referred to as “Crux”) collects, uses and protects your personal data. If you have any questions or concerns about our notice, or our practices with regards to your personal data, please contact us at privacyteam@cruxproductdesign.com.

Please ensure that you read this notice, and any other notices you may be provided with when we collect or process your personal data. Doing so will help you make informed decisions about sharing your personal data with us.

Crux reviews and updates this privacy notice. We recommend checking periodically to ensure that you are happy with any changes.

This privacy notice applies to all personal data collected through our website, and/or any related services, sales, marketing or events (hereinafter referred to as our “Services”).

Who are we?

We are a product development consultancy registered under company number 04893244. Our services include research, design, engineering and prototyping, human factors testing, advanced analytics digital twin, simulation and on-market lifecycle management.

Crux offers a range of consultancy services to support a diverse array of product development projects. This includes human factors research and usability testing, methodology used to evaluate user interaction with products. To authorise this testing, Crux is registered as a data controller with the Information Commissioner’s Office (ICO) under number ZA558972. A data controller determines the purposes and means of the processing of personal data.

How can you contact us about your data?

Crux Product Design Ltd
Flatiron Building
332-336 Paintworks
Bristol
BS4 3AR
United Kingdom

Tel: 0117 300 9788

Email: privacyteam@cruxproductdesign.com

How do we use your information?

This privacy notice explains what personal data we will collect when you are:

1) Visiting our website or engaging on social platforms
2) Visiting our office
3) Applying for a job
4) Using our services
5) Supplying to us
6) Participating in research

This notice also includes:

7) How we keep your personal data secure
8) Where your personal data is stored
9) What your rights are in relation to your personal data
10) How to find out more information on how Crux handles your personal data

1. Visiting our website or engaging on social platforms

When you visit our website cruxproductdesign.com, and use our services, you trust us with your personal information.

This privacy policy applies to all information collected through our website (such as https://cruxproductdesign.com), and/or any related services, sales, marketing or events (we refer to them collectively in this privacy policy as the “Services”).

1.1 What personal data will we hold?

We collect and process personal data from the following sources:

1.1.1 Personal data you disclose to us

We collect personal data that you voluntarily provide to us when expressing an interest in obtaining information about us or our products and services, when participating in activities with our Services or otherwise contacting us.

The personal data we collect depends on the context of your interactions with us and our Services and can include the following:

  • name;
  • phone number(s);
  • email;
  • phone number(s);
  • business address;
  • social media; and
  • other similar data.

Data is stored on our secure customer relationship management (CRM) platform.

1.1.2 Personal data automatically collected

Some personal data is collected automatically when you visit our Services. This data is required to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

This personal data information does not reveal your specific identity (for example, your name or contact information) but may can include device and usage information such as:

  • IP addresses;
  • language preferences;
  • referring URLs;
  • information about how and when you use our Services;
  • device name;
  • device geolocation; and
  • other similar data.

1.3 Do we use cookies and other tracking technologies?

We use cookies and similar tracking technologies (like web beacons and pixels) to access or store personal data. Where this involves cookies that are not strictly functional for the operation of our website, we will ask you for your consent prior to those cookies being placed on your device.


We use Google Analytics to collect personal data about how people use our website. Google Analytics stores information about behaviour on our website, such as referrals, pages you visit and what you click on. We do not allow Google to share our analytics data. We do this to understand how we can improve our website and make sure we are meeting the needs of our users.

1.4 Where do we get your personal data from?

We obtain personal data directly from you or other members of your organisation. We may also
acquire personal data from your public profiles available online, primarily LinkedIn or company
websites. Where this is the case, we will be transparent about our collection of your personal data
and we only contact people who we believe will have an interest in our products and services.

1.5 How do we use this personal data and what is the legal basis for this use?

We process your personal data collected in section 5.1 for purposes based on legitimate business
interests, the fulfilment of our contract with you, compliance with our legal obligations, and/or your
consent.

We use the personal data we collect or receive:

  • To send you focused marketing communications. We will send you select material we believe will be of interest. You can opt-out of our marketing emails at any time (see section 9 below).
  • To send administrative information to you. We will use your personal data to send you product, service and new feature information and/or information about changes to our terms, conditions, and policies.
  • To protect our Services. We will use your personal data as part of our efforts to keep our Services safe and secure (for example, for fraud monitoring and prevention); and
  • For analysis and improvement. We will use your personal data for data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our products, Services and your experience. We will use and store personal data in aggregated and anonymised form so that it is not associated with individual end users. We will not use identifiable personal data without a specific lawful basis in place.
1.6 Who will we share your personal data with?

We use other companies to provide us with telephony, email and other IT services. We have put agreements in place with these companies to ensure that they will only process your personal data as requested by us and in accordance with data protection law.

We only share and disclose your personal data with the following third parties. If we have processed your data based on your consent and you wish to revoke your consent, please contact us.

  • SAP – an enterprise resource planning (ERP)system;
  • HubSpot – a CRM platform;
  • Retargeting Platforms – LinkedIn website retargeting; and
  • Office365 – for email correspondence and communication.
1.7 How long will you keep my personal data?

Crux will retain your personal data for as long as it is required to fulfil the purposes for which the personal data was collected (including for the purpose of meeting any legal or other reporting requirements or obligations).

We will retain your personal data for no longer than 2 years after our relationship with you has ended. If you do use our Services, we will need to retain certain personal data for a longer period to meet our legal obligations (for example for financial records).

When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymise it, or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

2. Visiting our Office

For security purposes and emergency preparedness we may request personal data if you visit our office. This could include your name, business and vehicle details (if required). We use CCTV at our offices for security and the personal safety of our staff and visitors. Signage is in place to inform all visitors that we have CCTV. Any captured data is only accessible to limited members of staff within Crux and is stored for 30 days before being automatically deleted.

3. Applying for a job

When you apply for a job with us, Crux will collect and process personal data about you.

3.1 What personal data will we hold?

The personal data we process, where provided, includes:

  • your name, home address, email address and/or phone numbers;
  • your date of birth, marital status, nationality and National Insurance number;
  • your educational and employment history;
  • further information contained within your CV or other documents you submit to us;
  • information from the selection process;
  • references and assessments relating to your work for previous employers;
  • information to confirm your identity and right to work, such as a copy of your passport;
  • any access or support requirements you may have in attending an interview;
  • details of any unspent criminal convictions; and
  • information relating to your feedback on our organisation.

Crux does not collect personal data relating to your ethnicity, gender, disability, religion, sexual orientation and other diversity-related information as part of our recruitment process.

3.2 Where do we get your personal data from?

We obtain personal data directly from you, as well as from third parties such as recruitment agencies, background checking companies or former employers where seeking a reference. We may also check any publicly available social media profiles (primarily LinkedIn), where this is relevant, as part of our recruitment process e.g. for checking employment history.

3.3 How do we use this personal data and what is the legal basis for this use?

We process the personal data listed in section 7.1 above for the following purposes only in accordance with our legitimate business interests and legal obligations as an employer:

  • to make recruitment decisions;
  • to meet our accessibility and support requirements; and
  • to prevent and detect fraud and other wrongdoing.
3.4 Who will we share your personal data with?

Your personal data will only be shared with Crux employees involved in the recruitment process.

This includes the People team, interviewers involved in the recruitment process and managers in the business area, including Operations and IT staff (including contractors), if access to the data is necessary for the performance of their roles.

We use other companies to provide us with telephony, email and other IT services. We have put agreements in place with these companies to ensure that they will only process your personal data as requested by us and in accordance with data protection law.

Crux will not share your data with third parties unless your application is successful, and it makes you an offer of employment. Crux may then share data with former employers to obtain references.

3.5 How long will you keep my personal data?

We will not keep your personal data for longer than is necessary. We will keep the personal data connected to your job application (including any interview records) for 6 months from the end of the recruitment process.

In some instances, we may ask for your consent to retain your data for a longer period if a suitable position is not immediately available. If your application is successful and you become a member of staff, we will provide you with a copy of the Employee Privacy Notice. The retention periods referred to therein will apply to your personal data during your employment.

4. Using our services

When using Crux for your project, we need to collect and process personal data about you to fulfil our contractual obligations to you as a client.

4.1 What personal data will we hold?

The personal data we process includes:

  • your name;
  • your job title;
  • your company and department;
  • your business address;
  • your business email address; and
  • the phone numbers provided to us.
4.2 Where do we get your personal data from?

We obtain this personal data directly from you or other members of your organisation. We may also acquire this personal data from your public profiles available online, primarily LinkedIn. Where this is the case, we will be transparent about our collection of your personal data.

4.3 How do we use this personal data and what is the legal basis for this use?

We process the personal data listed in section 8.1 above to fulfil our contractual obligations to you as a client in accordance with our legitimate business interests. This data is used by Crux to:

  • provide you with quotations;
  • send and agree contractual information;
  • enable project communication;
  • send project deliverables; and
  • provide service updates.
4.4 Who will we share your personal data with?

Your personal data will only be shared within Crux, including Crux Directors, Heads of Function, project and senior team members, and Finance team members, if relevant, for invoicing purposes.

We use other companies to provide us with telephony, email and other IT services. We have put agreements in place with these companies to ensure that they will only process your personal data as requested by us and in accordance with data protection law.

4.5 How long will you keep my personal data?

Crux will retain your personal data for as long as is necessary to provide our services to you and for
our own purpose in meeting legal and business obligations after completion of a project (including for
the purpose of meeting any legal, accounting or other reporting requirements or obligations).

This means Crux may retain your personal data after the project ends for a minimum of 7 subsequent tax years.

5. Supplying to us

We collect and process personal data about you when you are a Crux Product Design supplier.

5.1 What personal data will we hold?

The personal data we process includes:

  • contact names and job titles;
  • your business address;
  • your business email addresses and phone numbers;
  • your organisations bank details; and
  • data to allow us to qualify you as an approved supplier.
5.2 Where do we get your personal data from?

We obtain this personal data directly from you or other members of your organisation. We may also acquire personal data from your public profiles available online, for example on your company’s website or Companies House.

5.3 How do we use this personal data and what is the legal basis for this use?

We process the personal data listed in section 9.1 above to fulfil our contractual obligations to you as a supplier in accordance with our legitimate business interests.

This data is used by Crux to:

  • discuss requirements;
  • send and agree contractual information;
  • enable project communication;
  • process payments;
  • send you requests for quotation; and
  • receive project and business deliverables.
5.4 Who will we share your personal data with?

Your personal data will only be available to the relevant teams within Crux, for example Finance and Operations teams.

We use other companies to provide us with telephony, email and other IT services. We have put agreements in place with these companies to ensure that they will only process your personal data as requested by us and in accordance with data protection law.

5.5 How long will you keep my personal data?

Crux will retain your personal data for as long as our business relationship is active and for our own purpose in meeting legal and business obligations after completion of a project (including for the purpose of meeting any legal, accounting or other reporting requirements or obligations).

This means Crux may retain your personal data after the project ends for a minimum of 7 subsequent tax years.

6. Participating in research

As part of our service offering Crux undertakes User Research. In order to recruit people to take part in studies we collect personal data to allow us to assess suitability of participants.

If you are selected to participate in a user study, you will be provided with a specific Privacy Notice relating to that study prior to taking part.

If you would like another copy of any Privacy Notices, or any other documentation provided, please request this via the contact details above.

6.1 What personal data will we hold?

The personal data we process includes:

  • your name, age, identity and contact details;
  • your answers to any questions that you have been asked to assess whether you meet the eligibility criteria to take part in a study;
  • depending on the nature of the product, you may be asked to provide sensitive personal data about health and medical conditions; and
  • if you have responded to one of our own campaigns, through our website or any other online form, our servers will collect the IP address assigned to you or the person that provides you with internet access.
6.2 Where do we get your personal data from?

We obtain personal data directly from you or from one of our recruitment partners in response to a recruitment campaign. Those recruitment campaigns may take place through social media platforms, such as Facebook. We do not use Facebook to collect personal data about potential participants in our research – an email link is provided within our adverts to register your interest.

6.3 How do we use this personal data and what is the legal basis for this use?

We will only use your personal data:

  • to assess whether you are eligible to take part in a study;
  • to contact you in relation with other studies that may be applicable;
  • to make arrangements with you to take part in a study; and
  • if necessary, to defend any legal claims brought against us or our client in relation to the recruitment of participants to take part in a study.

There are six lawful grounds for using your personal data and we need to satisfy one for each separate purpose we intend to use your personal data for.

For all of the purposes described above, we will rely on our legitimate interests. We have undertaken an assessment of our legitimate interests and how we balance those with your rights and freedoms.

Where we collect any sensitive personal data , such as information about health or medical conditions, we also have to satisfy one additional condition. The conditions that we will rely on will be:

  • if the product is a regulated medical device or the purpose of the study is to support a client’s application for regulatory approval for a medical device, ensuring high standards of quality and safety in relation to the use of such product; or
  • if the product is not a medical device, for scientific research purposes.
6.4 Who will we share your personal data with?

We will keep your personal data separate from the information we hold about our general business activities. Access to your personal data will be limited to those who need access to it for the purposes described above, i.e., Crux employees who are either recruiting for or running the study you are participating in.

We use other companies to provide us with telephony, email and other IT services. We have put in place agreements with these companies to ensure that they will only process your information as requested by us and in accordance with data protection law.

In very rare circumstances, we may have to share your information with a court or other regulatory authority in response to an order or other legal request. Where we are allowed to do so, we will notify you of this.

6.5 How long will you keep my personal data?

If you have taken part in a research study your personal data and our results will be retained for 7 years from the date that we deliver our report to the client, unless stated otherwise in the study terms you agree to.

If you do not meet the eligibility criteria for a study, then we will delete your personal data unless you agree that we may keep your details on record for any future studies, which you may be eligible for. If such opportunities do not arise within 2 years, we will delete your personal data. For some potential participants with specific medical or heath conditions, we may retain your personal data for a longer period as studies in certain areas occur less frequently and it is important that we have enough participants for a study to be viable. Where this is the case, we will seek your consent prior to retaining your personal data for a longer period, in line with the above purpose.

7. How we keep your personal data secure

Crux have put in place a number of measures to protect your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures include:

  • cyber security protocols;
  • requiring everyone who works with us to agree to legally binding confidentiality obligations;
  • using strong passwords and encryption for our users, servers and communications channels;
  • access to personal data is limited by specific roles;
  • ensuring that all staff are properly trained on how to handle your personal data as required by law;
  • adherence to policies and procedures to ensure we can deal with any security breaches involving your personal data quickly and effectively and respond to any requests by you to exercise your rights; and
  • contractual arrangements with third party service providers.

8. Where your personal data is stored

The personal data that we collect from you is stored within the United Kingdom or European Economic Area (“EEA”). In some cases, we may transfer your personal data to countries outside the United Kingdom and European Economic Area. Where we do so we will ensure that you are made aware that such transfers are compliant with the Data Protection Act 2018 or UK General Data Protection Regulation and that appropriate measures are put in place to keep your personal data secure. The only exception to this is as follows:

  • HubSpot – CRM Platform

Customer data is processed and secured in the EU before being transmitted and stored in the US in order to provide additional redundancy for critical components of our system. HubSpot act as our data processor for this purpose and are compliant with the EU-US Privacy Shield. We also have a written agreement in place with HubSpot in relation to the service they provide and how they must handle the data.

9. What are your rights are in relation to your personal data

You have several rights in relation to the personal data we hold about you, including the right to request a copy of your personal data (commonly known as a “subject access request”) and the right to have any inaccurate or incomplete personal data about you corrected. In certain circumstances, you have the right to request deletion of the personal data we hold about you, ask us to restrict how we use it or object to us holding it.

Please note that there are some limited circumstances and exemptions where these rights may not apply.

You also have the right to make a complaint to the ICO about how we have used your personal data. https://ico.org.uk/make-a-complaint/ 

For further information about your rights, visit the ICO’s website, https://ico.org.uk/your-data-matters/.

If you want to exercise any of your rights or you have any questions regarding this notice, you can contact on the details in the sections below.

10. How you can find more information about how Crux handles your data?

Should you have any queries regarding this privacy notice, Crux’s processing of your personal data or wish to exercise your rights you can contact Crux’s Privacy Team using this email address: privacyteam@cruxproductdesign.com

If you are not happy with our response, you can contact the Information Commissioner’s Office: https://ico.org.uk/make-a-complaint/