You can withdraw consent at any time (see Section 12).

We never sell your data or use it for marketing purposes.

6) Recordings, observers & venues

Some research sessions may involve audio/video recording, live streaming to remote observers, or one-way mirrors at venues. We will always tell you beforehand and ask for your consent. Some venues use CCTV for safety – this is managed by the venue under their policy.

7) Children & vulnerable participants

Ace Acts is for UK residents only age 16+. We do not knowingly recruit children into Ace Acts. If a project involves minors or vulnerable groups, we operate additional safeguards (e.g. parental/guardian consent, tailored briefings, shorter retention).

8) Incentives & payments

If you are eligible for an incentive, we’ll collect the minimum information needed to pay you (e.g. name, email, bank or voucher details depending on method). We may use approved payment processors (e.g BACS/PayPal/voucher providers). We retain payment records for up to 6–7 years to meet HMRC/legal requirements. We do not store full card details.

9) Who we share data with

We only share personal data when it is necessary to deliver or support the research activity. Depending on the project, this may include:

• Clients commissioning the research – only where required to meet the project objectives, and usually in an anonymised or aggregated format. Identifiable information is shared only when essential (for example, where participants are recontacted or attend a client-run session) and always with consent.
• Approved service providers (processors) – such as community or survey platforms, incentive and payment processors, transcription or video platforms, email/SMS providers, and IT/security providers. These suppliers act under written contracts and only process data on our instructions.

• Client-specified platforms – where a client chooses a third-party platform (e.g., Zoom, Teams, or other virtual meeting software), participant names and email addresses may be used solely to provide access to that platform for the session. In such cases, the platform provider and client are independent controllers of that data.
• Venue hosts (for in-person research) – where research takes place at an external venue, we may share first names and a mobile number with an on-site host purely to manage arrival and safety. Full participant details are not provided to the venue itself.
• Regulators or law enforcement – only where we are legally required to disclose information.

We do not sell, rent, or release your data for marketing purposes.

10. International Data Transfers

We primarily store and process your personal data within the United Kingdom and France. However, in some cases, we may share personal data with trusted clients located outside the UK and the European Economic Area (EEA).

Whenever we transfer personal data outside the UK or EEA, we ensure that appropriate safeguards are in place to protect it.

This may include the use of the UK-approved International Data Transfer Addendum (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), as applicable. These safeguards ensure that your data continues to be protected to UK standards, even when processed overseas.

We will always tell you if your data is being transferred internationally and will only do so when it’s safe and lawful.

11. Cookies and Tracking

We use cookies to improve your experience on our website and to help us understand visitor activity.
Cookies are small text files stored on your device to remember preferences, enable login features, or provide analytics.

You can manage or block cookies through your browser settings, though some site functions may be affected.

12) Your choices: unsubscribe, withdraw consent, erase

• Unsubscribe/stop invitations: email team@aceacts.co.uk (subject: “Unsubscribe”) or use any unsubscribe link provided in our emails.
• Withdraw consent: email team@aceacts.co.uk
• Right to be forgotten (erasure): email team@aceacts.co.uk

We aim to respond within one month.

13) Your rights

Under UK data protection law you have the right to: be informed, access, rectification, erasure, restriction, portability, object, and not be subject to automated decision-making. We do not use automated profiling to decide your eligibility; human review is involved.

To exercise your rights, email team@aceacts.co.uk.

14) Security

We use layered security controls, including:

• Secure UK/EEA hosting encrypted in transit
• ISO/IEC 27001 information security management
• Access controls, MFA, logging, firewalls, regular audits and staff training
• Supplier due diligence and data processing agreements
• If we become aware of a personal data breach that poses a risk to you, we will assess, notify the ICO if required, and inform you where appropriate.

15) How long we keep your data (retention)

We keep your data only as long as necessary for the purposes described:

• Panel profile & contact data: while you remain active; if inactive for 12 months, we may contact you to confirm if you wish to stay; if no response, we may remove or archive your profile
• Survey & project data: typically 12 months after project close (unless we tell you otherwise for a specific study)
• Incentive/payment records: up to 6–7 years to meet legal/tax obligations
• Call/video recordings/transcripts: only as long as needed for analysis/quality assurance (normally up to 12 months, unless stated otherwise)

16) Keeping your details up to date

Please tell us if your contact details change so we can keep your profile accurate: team@aceacts.co.uk

17) Complaints

We’d like the chance to resolve any concerns first. Email team@aceacts.co.uk

You also have the right to complain to the Information Commissioner’s Office (ICO):
ico.org.uk/make-a-complaint or call 0303 123 1113.

18) Changes to this policy

We may update this notice to reflect changes in law or our operations. We’ll post updates here and adjust the Effective date above. For material changes, we’ll notify panel members where feasible.