Data Protection Policy

V4.0 Updated 02/10/25

This is the data protection policy (“Data Protection Policy​") for information collected by MuirCorp Ltd, known as Muir Wood & Co (together “Muircorp”), and https://www.muirwood.co.uk ("Site​"). The Site is operated by or on behalf of Muircorp.

At Muircorp, we want to be clear and transparent about the information we collect, how we use the information, where we store the data and how it is protected.

Our Data Protection Policy explains:

– Who we are and what we do

– What information we collect and why we collect it.

– How we use that information.

– The choices we offer, including how to access and update information.

We’ve tried to keep this Data Protection Policy as simple as possible but if you have any questions, please feel free to contact us.

Who are we?

We are MuirCorp Ltd, trading as Muir Wood & Co. We do research for technology clients and help startups build their customer-centric capabilities.

Our registered address is Muircorp Ltd 13 Hilbre Road, West Kirby, Wirral, CH48 3HA.

What information do we collect?

We may collect personal information you provide directly (for example, when taking part in research projects, interviews, or surveys) as well as information you share with us via our website or communications.

This may include:

• Contact details (name, email, phone)
• Research participation details (e.g. demographic info, screening questions)
• Project-related information (interview recordings, transcripts, feedback, survey responses)
• Technical data (IP address, browser type, device info)

For research projects, the types of information we capture vary but may include audio or video recordings, transcripts, notes or photographs. Before taking part, all participants are asked to sign a consent form that explains what we are collecting, how it will be used and how it may be shared.

We also agree with our clients how customer data will be handled during and after the project. Our work is guided by the Market Research Society’s best practices for the ethical treatment of participants and their data.

How do we use your information?

We use your personal data to:

• Carry out research projects for our clients
• Communicate with you during a project
• Analyse and report anonymised findings
• Arrange and pay incentives (where applicable)
• Comply with legal and regulatory obligations
• Manage and operate our business (e.g. developing contacts, recruiting staff, protecting our interests in the event of a legal claim)
• Maintain and improve our website and services

We may also occasionally use client and colleague (not participant) email addresses to share updates about our work or let them know about events. You can opt out of these communications at any time.

Our legal basis for processing your personal information

We rely on one or more of the following legal bases:

• Consent – for example, when you agree to take part in a research project. You may withdraw consent at any time.
• Contract – where processing is necessary to deliver services we have agreed with a client or with you.
• Legal obligation – where we must process data to comply with law.
• Legitimate interests – such as managing our business, ensuring information security, and improving our services, provided these interests are not overridden by your rights and freedoms.

Will we transfer personal information?

We sometimes use trusted third parties to help us process data, such as:

• Google Workspace (with EU-only data residency settings where available)
• Zoom (for conducting and recording online research sessions)
• Descript (for transcription and video editing)
• Claude (Anthropic) (for qualitative analysis and support)

These providers process data under contract with us, apply confidentiality and security measures, and may transfer data outside the UK or EEA (for example, to the United States).

When this occurs, we rely on approved safeguards under UK data protection law, including:

• The UK Addendum to the EU Standard Contractual Clauses (SCCs)
• The UK Extension to the EU–US Data Privacy Framework (DPF), where providers are certified
• Equivalent legally recognised mechanisms where applicable

These safeguards ensure your data continues to be protected to UK legal standards.

Retention and deletion

We keep personal data only for as long as necessary to fulfil the purpose for which it was collected.

For research projects: typically the duration of the project plus up to 6–12 months for archiving and legal defence. After this period, we will securely delete or anonymise the data.

Anonymised or aggregated data (which no longer identifies individuals) may be retained indefinitely.

Security

We apply appropriate technical and organisational measures including encryption, access controls, pseudonymisation, and secure servers. Access to data is restricted to people who need it. We require third-party providers to meet equivalent security standards and notify us of any breaches.

Your rights

If you are resident in the UK, the EEA or elsewhere and your personal information is processed under UK or EU law, you have the following rights (subject to conditions and legal limits):

• Access to your personal data
• Correction of inaccurate data
• Erasure (“the right to be forgotten”)
• Restriction of processing
• Objection to processing based on legitimate interests
• Data portability
• Withdrawal of consent (where relied upon)

To exercise these rights, contact us at data@muirwood.co.uk. We will respond within one month.

Controller or processor

Depending on the context, Muircorp may act as:

Controller – for example, when designing and conducting research projects and deciding what data to collect.

Processor – when handling data solely on a client’s instructions.

We make sure that in both cases, personal data is managed in accordance with this policy and applicable law.

Contact us

If you have questions about this policy or your rights, please contact our Data Protection Officer (DPO) at data@muirwood.co.uk

If you are unsatisfied with how we handle your personal data, you have the right to complain to the Information Commissioner’s Office (ICO) in the UK, or your local supervisory authority if you are based in the EEA.