May 24, 2019
At Consent Kit, we believe that how companies handle and process the information we provide them is fast becoming a key factor in deciding which services to use.
In the case of user research, personally identifiable information and the things people tell us are at the front of these concerns.
Often the tools that we use to fulfil the task of obtaining and managing informed consent are not sensitive to these needs. We created Consent Kit in response to this.
How we handle and process data is first and foremost when making decisions about how we build the product, but we must balance these concerns against the practicalities of creating a service that meets our users' expectations.
We believe Consent Kit is the current best-in-class solution to this problem. As part of that, I wanted to be transparent about how we actually do this.
By default, all of the servers we utilise are based within the EU or the US (certified by Privacy Shield).
Our server provider is independently audited and certified against the following standards for data privacy and security:
If you specifically need your data to be stored on a server in another location, please contact us for more information.
We use third parties to deliver certain functionality within Consent Kit, such as email delivery and product metrics. All third-party companies we engage with are compliant with the GDPR and have Privacy Shield certification (if outside the EU).
Here is a list of the third-party services we use:
With the exception of email delivery, no personally identifiable information belonging to your participants is shared with any third parties.
You are in control of how long information is kept on our servers. We will send you an email to remind you to delete participant information within the timeframe agreed in the consent document signed by the participant.
We remove all of your information from our system at the point of deletion.
In the case of email delivery, our third-party service provider automatically deletes all email message activity and metadata within 45 days (or 7 days in the case of an FOI request).
If at any point you decide to leave Consent Kit, we will provide you with a download of all of the information we hold for each of the projects you created, including individual activity logs for each participant.
We will delete all of your account and project information after downloading and sending you the information.
It’s important to us that we not only get this right, but set a standard for how this should be done when designing services which handle potentially sensitive data. We’re actively taking steps to improve this all the time. If there is something you think we could be doing better, I’d love to hear from you!