Privacy Policy

Last updated: 13th May 2026

TruStrata Limited (together with our affiliates, “TruStrata“, “we“, “our” or “us“) takes your privacy seriously and is committed to safeguarding any information we collect from or about you. This Privacy Policy sets out our practices in relation to the Personal Information we collect when you visit our website at www.trustrata.com (the “Website“), and when you use, evaluate, or interact with our products and consultancy services – including TruStatMind, TruVerbatim, and TruConsulting (together with the Website, the “Services“).

Use of our products may also be governed by a separate written agreement between TruStrata and your organisation, including a Data Processing Agreement where we act as a processor on your behalf. Where there is a conflict between this Policy and that agreement in respect of product data, the agreement prevails.

This Policy is written in line with our obligations under the UK General Data Protection Regulation (“UK GDPR“), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (“PECR“), and the Data (Use and Access) Act 2025.

1. Personal Information we collect

We collect information that, either by itself or combined with other information we hold, can identify you (“Personal Information“), in the following ways.

Personal Information you provide to us

We may receive Personal Information when you complete a form, create an account to use our products, attend a demonstration, engage our consultancy team, or otherwise interact with us.

Enquiry Information. When you submit the contact form, request a demonstration, or send us a brief through the Website, we collect your name, business email address, telephone number, employer or organisation, job title, country, and any free-text details you include about your research needs (collectively, “Enquiry Information“).

Newsletter Information. If you sign up to receive updates from us, we collect your name and business email address.

Account Information. When an account is created for you to access our products under a trial, pilot, or commercial agreement, we collect details associated with that account – typically your name, work email address, organisation, role, authentication identifiers (issued through Microsoft Entra ID or a comparable identity provider), and information about your activity within the product. We do not store or process payment card details directly; commercial arrangements are invoiced separately by our finance team (collectively, “Account Information“).

Submitted Content. When you use our products you may upload research data, codeframes, transcripts, verbatims, survey outputs, datasets, briefs, or other materials. Where this material contains Personal Information about you or third parties, we refer to it as “Submitted Content“. For most product use, your organisation is the controller of Submitted Content and TruStrata acts as the processor under a Data Processing Agreement; we handle Submitted Content in line with that agreement and use it only for the purposes set out in this Policy and in your contract.

Consultancy Information. When you engage TruConsulting or any of our consultancy services, we collect information about your project, your team, and the data you share with us for the purpose of the engagement, along with correspondence and meeting records (collectively, “Consultancy Information“).

Communication Information. If you correspond with us – by email, through LinkedIn, by phone, or via webinars, scheduled meetings or events – we collect the contents of those communications, your name, contact details, and any other information you choose to share with us (collectively, “Communication Information“).

Event and Social Media Information. We maintain a presence on professional platforms including LinkedIn, and attend industry events run by bodies such as the Market Research Society. When you engage with us through these channels, register for an event, or attend a webinar, we collect the information you choose to make available – such as your name, employer, contact details and the engagement itself. The platforms and event organisers that host our presence may also provide us with aggregated insights about our audience (collectively, “Event and Social Information“).

Personal Information we receive automatically through your use of the Services

When you visit and interact with the Services, we automatically receive the following (collectively, “Technical Information“).

Log Data. Standard information sent by your browser and devices when accessing the Services, including your IP address, browser type and version, language, the date and time of each request, and the page, feature, or resource requested.

Usage Data. Information about how you interact with the Services – which pages and use cases you view, which product features you use, what you click, how long you stay, and the order in which you navigate. This helps us operate the Services, support users, and understand which features and content are most useful.

Device Information. The device, operating system, browser, and screen settings used to access the Services. The specifics depend on your device and its privacy controls.

Cookies and Similar Technologies. We use cookies and comparable storage and access technologies to operate the Services, authenticate users, remember preferences and (with your consent) measure how the Services are used. A “cookie” is a small text file placed on your device by the website you visit. You can configure your browser to accept or reject cookies, and you can manage your preferences for non-essential cookies through the cookie banner displayed on first visit. Further detail is set out in Section 9.

Analytics. Where you have given consent, we use analytics tools to understand which content is useful, which features attract research professionals, and where we can improve the Services. These tools rely on cookies and similar technologies and are described in Section 9.

2. How we use Personal Information

We use Personal Information for the following purposes:

  • To respond to your enquiry, arrange and deliver demonstrations, prepare proposals, and follow up on conversations you initiate with us;
  • To provide, operate, secure, support, and improve the Services – including authenticating users, managing accounts, delivering product features, and providing customer support;
  • To deliver consultancy engagements, including onboarding, workflow design, advanced analytics, reporting and dashboarding, and other services described to you in a statement of work or proposal;
  • To send you newsletters and marketing communications about TruStrata, our products, and our consultancy services, where you have opted in or where the soft opt-in under PECR Regulation 22(3) applies (existing customers receiving similar communications, with an easy way to opt out);
  • To carry out research and analysis that helps us improve the Services – for example, understanding which features researchers find most useful, or where users encounter friction;
  • To develop new features, products, and consultancy offerings;
  • To protect the Services and our users against fraud, misuse, security incidents, scraping, and unauthorised automated access; and
  • To comply with our legal, regulatory, and accounting obligations, and to establish, exercise or defend legal claims.

Aggregated and Anonymised Information. We may aggregate or anonymise Personal Information so that it can no longer be linked to you, and use the resulting information to measure and improve the Services. Once information is properly anonymised it falls outside the UK GDPR, and we may retain and use it without further notice.

AI and model training. We do not use Submitted Content uploaded by our customers to train general-purpose AI models or models offered to other customers, except where you (or your organisation) have given explicit consent or instructions to do so under a separate agreement.

Under UK GDPR we must have a lawful basis for each use of your Personal Information. We rely on the following:

  • Steps prior to entering, and performance of, a contract – to handle your enquiry, arrange demonstrations, prepare proposals, deliver consultancy engagements, and provide the products under a trial, pilot, or commercial agreement.
  • Legitimate interests – to operate, secure, and improve the Services, manage business relationships in a B2B context, prevent misuse, support users, and (where lawful) measure the effectiveness of our content and features. Where we rely on legitimate interests, we have considered the impact on you and concluded our interests are not overridden by your rights. You can request more detail using the contact details in Section 11.
  • Consent – for non-essential cookies, optional marketing, and any other processing where consent is the appropriate basis. You can withdraw your consent at any time without affecting the lawfulness of prior processing.
  • Compliance with legal obligations – to meet our obligations under UK law.

Where we act as a processor of Submitted Content on behalf of your organisation, the relevant lawful basis is determined by your organisation as controller, and we process that information in line with the instructions set out in your contract.

3. Disclosure of Personal Information

We share Personal Information only where it is appropriate to do so. In particular, we may share Personal Information with the following categories of recipients without further notice to you, except where notice is required by law.

Service providers and sub-processors. We rely on trusted third parties to help us run the Services and our business – including providers of cloud hosting, identity and authentication, business email, customer relationship management, email marketing, scheduling, analytics, support tooling, AI and machine learning infrastructure, and professional advice. These providers may access Personal Information only on our instructions and only for the purposes set out in their agreements with us. Our principal hosting and identity provider is Microsoft (Azure and Entra ID), with infrastructure located in the United Kingdom. A current list of sub-processors used to deliver our products can be requested at privacy@trustrata.com.

Affiliates. Where TruStrata has affiliated entities (entities that control, are controlled by, or are under common control with TruStrata), we may share Personal Information with them where it is necessary for the purposes set out in this Policy. Affiliates will handle Personal Information in line with this Policy.

Business transactions. If TruStrata is involved in a merger, acquisition, financing, restructuring, sale of assets, insolvency, or transition of services to another provider (a “Transaction“), Personal Information may be disclosed under appropriate confidentiality protections to counterparties, professional advisers, and successor entities as part of the Transaction.

Legal and regulatory. We may disclose Personal Information where we believe in good faith that disclosure is necessary to (i) comply with a legal obligation or valid request from a regulator, court, or law enforcement body; (ii) protect or enforce our rights or property; (iii) prevent or investigate fraud, abuse, or security incidents; (iv) protect the safety of users of the Services or the public; or (v) defend against legal claims.

We do not sell your Personal Information.

4. Your rights

Depending on where you are located, you may have certain statutory rights in respect of your Personal Information. Under UK GDPR, individuals in the United Kingdom have the right to:

  • request access to the Personal Information we hold about you;
  • ask us to correct Personal Information that is inaccurate or incomplete;
  • ask us to delete your Personal Information in certain circumstances;
  • ask us to restrict or object to our processing, particularly where we rely on legitimate interests;
  • ask us to transfer Personal Information you have provided to us to another controller, where technically feasible;
  • withdraw consent at any time, where we rely on consent;
  • object to direct marketing at any time; and
  • lodge a complaint with the supervisory authority (in the UK, the Information Commissioner’s Office – ico.org.uk).

You can exercise any of these rights by emailing privacy@trustrata.com. We will respond within one month. We may need to verify your identity before acting on a request.

Where we hold your Personal Information as a processor on behalf of your organisation (for example, as part of Submitted Content), we will direct your request to your organisation as the controller and assist them in responding, in line with our Data Processing Agreement.

We do not carry out solely automated decision-making, including profiling, that produces legal or similarly significant effects on you through the Services.

5. Children

The Services are intended for use by business professionals, in particular researchers and insight teams. The Services are not directed to children, and we do not knowingly collect Personal Information from anyone under the age of 18. If you believe a child has provided Personal Information to us, please contact privacy@trustrata.com and we will investigate and, where appropriate, delete the information from our systems.

The Services may contain links to third-party websites and platforms that are not operated or controlled by TruStrata – including LinkedIn, partner organisations, content hosted by industry bodies such as the Market Research Society, and authentication providers such as Microsoft. Any information you share with these third parties is governed by their own privacy notices and terms, not by this Privacy Policy. We provide these links for convenience and do not imply endorsement. Please review the relevant third party’s policies before sharing Personal Information.

7. Security and retention

We use technical, administrative, and organisational measures designed to protect Personal Information from loss, misuse, and unauthorised access, alteration, disclosure, or destruction. These include encryption of traffic in transit (TLS) and of data at rest where appropriate, authentication of restricted areas through Microsoft Entra ID, role-based access controls, least-privilege principles, separation of customer environments where applicable, staff training, and confidentiality obligations on all personnel and contractors.

No system or transmission method is entirely secure. In particular, email is not a secure channel by default – please consider what information you send to us by email. We are not responsible for the circumvention of privacy or security measures contained on third-party services.

We retain Personal Information for as long as we need it to provide the Services and pursue the purposes set out in this Policy, or for longer where required to comply with our legal obligations, defend legal claims, or maintain accurate business records. When deciding how long to keep Personal Information, we consider the volume, nature, and sensitivity of the information; the potential risk of harm from unauthorised use or disclosure; the purposes for which we process the information; and applicable legal requirements (including the six-year limitation period under the Limitation Act 1980 for contractual records). Submitted Content is retained for the period set out in your product agreement and Data Processing Agreement.

Where we no longer have a lawful basis to keep your Personal Information, we will delete or anonymise it. Where we anonymise Personal Information so it can no longer be linked to you, we may retain and use the resulting information indefinitely.

8. Where we host and process your Personal Information

UK hosting: All Personal Information collected through the Services – including Account Information, Submitted Content, Consultancy Information, Enquiry Information, and Technical Information – is hosted on infrastructure located in the United Kingdom. Our principal hosting and identity provider for the Services is Microsoft (Azure and Entra ID), with infrastructure in the UK West and UK South Azure regions. We do not host Personal Information on infrastructure located outside the United Kingdom. 

Inference within the UK and EU: The AI and machine-learning models that power our products perform inference on infrastructure located within the United Kingdom or the European Economic Area (EEA). Where inference takes place in an EEA country, the destination is covered by UK adequacy regulations, so no separate transfer safeguard is required. We do not use AI or inference providers that process Personal Information in the United States or in any other country outside the UK and EEA.

Limited operational transfers within the UK and EEA: A small number of supporting business systems – such as email, customer relationship management, scheduling, and email marketing tools – may process limited Personal Information (typically name, work email, and the content of business correspondence) within the UK or EEA. Where these transfers fall outside the UK, they are limited to EEA countries covered by UK adequacy regulations.

No transfers to the United States or other countries: We do not transfer Personal Information to the United States or to any other country that is not covered by UK adequacy regulations. If this position changes in the future – for example, because we adopt a new service provider – we will update this Policy and put in place an appropriate transfer mechanism under UK GDPR (such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses) before any such transfer takes place.

Legal basis for processing (UK and EEA users). When you are located in the UK or the EEA, the legal bases we rely on are set out in Section 2.

Data controller. For the purposes of the UK GDPR and the Data Protection Act 2018, the data controller of the Personal Information described in this Policy is:

TruStrata Limited

Cn House, Brooks Drive, Cheadle Royal Business Park, Cheadle, Cheshire, England, SK8 3TD

Company number: 16898008

ICO registration number: ZC146421

Where we process Submitted Content on behalf of your organisation, your organisation is the data controller and TruStrata acts as the data processor under a Data Processing Agreement.

Complaints. If you feel we have not adequately addressed a concern, you have the right to lodge a complaint with the Information Commissioner’s Office (ico.org.uk; helpline 0303 123 1113). We would, however, appreciate the opportunity to address your concerns directly first.

This Section explains how TruStrata uses cookies and similar storage and access technologies on the Services, why we use them, and how you can control them. It forms part of this Privacy Policy.

We use first-party cookies (set by TruStrata) and third-party cookies (set by service providers acting on our behalf) for several reasons. Some cookies are required to make the Services work or to keep them secure (“strictly necessary”). Others help us understand and improve how the Services are used, or remember your preferences. The categories of cookies we use are set out below.

Strictly necessary cookies: These cookies are essential for the Services to function. They include authentication tokens used by Microsoft Entra ID where you access restricted areas, load-balancing cookies, security cookies (such as anti-CSRF tokens), and the cookie that records your cookie preferences. These cookies are set without consent because the Services cannot operate without them.

Performance and analytics cookies: Where you have given consent, we use cookies to measure how visitors find and use our content and features – which pages are viewed, which use cases are explored, and how researchers move through the Services. We use this information to improve the relevance and clarity of the Services. The analytics tools we currently use include Google Analytics.

Functional cookies: Where you have given consent, we may use cookies to remember preferences (for example, language or layout choices) so that the Services behave consistently between visits.

Marketing cookies: Where you have given consent, we may use cookies provided by advertising and professional networking platforms to measure the effectiveness of our campaigns and to deliver content to researchers who have shown interest in our services.

Your choices: When you first visit our website you will see a cookie banner offering equally prominent “Accept all” and “Reject all” options, in line with the Information Commissioner’s Office guidance finalised in April 2026. You can change your preferences at any time through the “Cookie settings” icon in the website footer, or by clearing cookies and adjusting controls in your browser. Rejecting non-essential cookies will not prevent you from using the Services, although some convenience features may be limited.

A current list of the specific cookies used on the Services – including provider, purpose, and duration – is available within the cookie banner / “Cookie settings” panel.

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make changes, we will post the updated version on this page and update the “Last updated” date at the top. Where the changes are material, we will provide more prominent notice (for example, by email to registered users or through a banner on the Services). Your continued use of the Services after we post an updated Privacy Policy, or after we notify you of changes through another channel, constitutes your acceptance of the revised Policy to the extent permitted by law.

11. How to contact us

If you have any questions or concerns about this Privacy Policy, or wish to exercise any of your rights under it, please contact us:

  • Email (privacy queries): privacy@trustrata.com
  • Email (general): contact@trustrata.com
  • Post: TruStrata Limited, 167-169 Great Portland Street, 5th Floor, London, W1W 5PF

If we have not been able to resolve your concern, you have the right to lodge a complaint with the Information Commissioner’s Office at ico.org.uk (helpline 0303 123 1113; Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF).

Scroll to Top