Behavioural Exchange™

This notice is effective from 24 November 2024

1. Introduction

This privacy notice is maintained by the Behavioural Insights Team (BIT). It sets out how and why we use your personal data – both on this website, and offline.

BIT’s hallmark conference focuses on the intersection of behavioural science and public policy – the only event to do so on a global scale. BX2025 is hosted in collaboration with BIT’s partners the Behavioral Science Group at the Office of Development Affairs in Abu Dhabi. BX2025 will focus on New Frontiers in Behavioral Science – bringing to life the latest developments in the field and hearing from the people behind them. Together with policy makers, academics and practitioners we’ll be discussing topics spanning the applied behavioural sciences.

Your personal data is processed by BIT because you are attending one of our events.

This notice does not create any contractual rights or obligations. We may change this privacy notice from time to time, of which some changes may be required by applicable law.

If we make any significant changes in the way we treat your personal information we will make this clear on the website or by contacting you directly.

BIT comprises a global group of companies which is headquartered in the United Kingdom. The main BIT entity – Behavioural Insights Ltd – is the controller of, and responsible for, most personal data collected by BIT, including on this website. However, if you interact with another BIT entity (see the list in Section 6 (International Transfers) of this privacy notice) that entity will be responsible for your personal data, and local data protection laws in that country will apply.

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights in relation to your personal data, please contact the DPO:

By post: Behavioural Insights Ltd, 58 Victoria Embankment, London, EC4Y 0DS

By email: dpo@bi.team.

2. When do we collect information from you?

We may collect information about you if you:

communicate with us about prospective or ongoing work;
use our website;
sign up for events organised by us and may take photographs at events;
subscribe to our newsletter;
contact us with any form of complaint or enquiry or in response to a request for feedback or a survey;
consent to take part in an interview or focus group as part of a research project we are undertaking on our own behalf or on behalf of a client or partner;
visit our offices.

3. What kind of information do we collect from you?

This will depend on the context in which we interact with you:

When you use our website, subscribe to our newsletter, sign up to join our alumni network, or contact us with complaints, enquiries or feedback.
Category	Description
Website User Data Subscriber Data	Email address and any other contact details you provide when you sign up to receive newsletters and other communications from us Name, email address, country of residence, job title, organisation and organisation sector and other information you choose to provide when you sign up to join our alumni network The date, time and content of any queries, feedback or complaints Newsletters or other messages sent to you after you have subscribed may contain tracking beacons / tracked clickable links or similar server technologies in order to track subscriber activity within email marketing messages. Where used, such newsletters and messages may record a range of Subscriber. Data relating to engagement, geographic, demographics and already stored Subscriber Data. Cookie and browser generated information collected through your use of the website. Marketing preferences.
Visiting our offices or attending a BIT event (either in person or online, e.g. a webinar)
Visitor Data Event Data	Name Contact information Occupation and/or organisation you represent Information you provide to us for the purposes of attending meetings and events, including dietary requirements which may reveal information about your health or religious beliefs (for paid events) credit or debit card information including credit card number and expiration date CCTV recordings on entering and leaving BIT’s premises / at an event Information regarding your use of our local area networking facilities (including WiFi) and similar electronic services Photographs of you taken at event venues
When you are participating in interviews or focus groups in relation to a research project we are undertaking
Research Participant Data	Name Contact details (e.g. telephone number, email address) Responses to interview questions/focus group questions which may reveal information about your health, ethnicity or religious beliefs (or other special category data and/or information about criminal convictions or offences). It will never be mandatory to provide any such information as part of your responses. Records of consent

We do not collect any special categories of personal data (special category data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data), or information about criminal convictions and offences for any of the activities covered by this privacy notice, and/or data defined as ‘sensitive personal information’ in the CCPA (please see section 10 below) (non-public information such as government identification numbers, consumer or financial account logins, precise geolocation information, racial or ethnic origin, religious or philosophical beliefs, or union membership, genetic data, contents of mail or electronic communications, biometric data, health data, or data concerning sex life or sexual orientation).

4. How do we use the information we collect?

Your personal information will be used for the purposes listed in the table below. We will only use your personal data where we have a lawful basis for doing so. The basis we rely upon will impact which rights you have in relation to your personal information (see section below for more details):

Purpose	Lawful Basis	Category of personal data
Send our newsletter and promote our products and services via direct marketing	Consent	Subscriber Data
Request feedback and conduct surveys and other research/analytics	Consent Legitimate interests in understanding how to improve our products and services	Website User Data Subscriber Data Client Data Partner Data Supplier Data Visitor Data Event Data
Arrange events and interact with clients and contacts at events	Legitimate interest in generating interest in our services and products	Subscriber Data Event Data Client Data
Resolve queries and complaints	Legitimate interest in resolving a query or complaint raised by or involving a data subject Compliance with a legal obligation	Subscriber Data Website User Data Client Data Partner Data Supplier Data Visitor Data Event Data
Provide you with access to all parts of our site, personalise your experience on our website, and ultimately improve the functionality of the website for the benefit of all users	Legitimate interest in providing an enhanced, user friendly website by understanding how our website is used	Website User Data
Protect the security of our website and detect and prevent dangerous or unlawful use	Legitimate interest in safeguarding BIT’s intellectual property and assets, and in protecting the security of users and their information	Website User Data
Protect the security of our offices, staff and guests by identifying visitors	Legitimate interest in safeguarding BIT’s assets and employees Compliance with a legal obligation (health and safety)	Visitor Data Event Data
To process your order for a product, including taking your payment and arranging delivery	To perform our obligations in accordance with a contract	Payment Data Website User Data
Establish, defend or enforce legal claims or regulatory investigations	Legitimate interest in protecting the commercial and legal interests of BIT	Client Data Partner Data Supplier Data Website User Data Payment Data Subscriber Data Visitor Data Event Data
Conducting interviews and/or focus groups to collect qualitative data in connection with research projects and build a body of evidence of what works in behavioural science and public policy	Consent Legitimate interests in undertaking robust research with social impact Where we collect special category as part of research participants’ responses to interviews and we have relied on consent as the lawful basis, we will also seek explicit consent as a condition of processing. Where we have relied on legitimate interests as the lawful basis, our condition for processing special category data will be that it is necessary for scientific research purposes.	Research Participant Data

Where we rely upon a “legitimate interest” as our legal basis, we will ensure that our interest is not outweighed by any impact on your rights and freedoms as a data subject in the United Kingdom or the European Economic Area, by using your information in a way which is proportionate and respects your privacy.

Please make sure that any personal data you provide is accurate and up to date, and let us know about any changes in the information which you have provided as soon as possible.

Marketing choices
If you have previously signed up to receive our newsletter or other promotional communications from us but you don’t want to receive any more communications, please click the unsubscribe link on any email from us. Alternatively, you can also email us at info@bi.team at any time.

5. Who else may have access to your information?

We may disclose your information with third parties for the purposes described below:

with other companies in our group, in order to utilise personnel or shared IT services based in other BIT offices, for any of the purposes described in this notice;
with third party service providers. These third parties have agreed to confidentiality restrictions and use any personal information we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us. These include our marketing automation platform (MailChimp, whose privacy policy can be found here), our IT service providers (including Google, whose privacy policies can be found here), our online store provider (Shopify, whose privacy notice can be found here), our Customer Relationship Management system (Hubspot, whose privacy policy can be found here) and other third parties who help manage our IT and back office systems;
with our regulators, which may include the Information Commissioner’s Office, and with courts and law enforcement to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies;
with a potential or actual third party purchaser of our business or assets if, in the future, we sell or transfer some or all of our business or assets to a third party, or invite investment in our company.

Comments and other information which you post on the website or our social media pages will be displayed publicly and to other users. Please be careful when disclosing personal information which may identify you or anyone else. We are not responsible for the protection or security of information which you disclose in public areas.

6. International Transfers

The global presence of BIT means that your personal data may be transferred outside of the UK and the European Economic Area (“EEA”) – where data protection laws may not be equivalent – for any of the purposes described in this notice. Whenever we make restricted international transfers of personal data, we take steps to ensure that your personal data receives an adequate level of protection (by putting in place appropriate safeguards, such as contractual clauses), or to ensure that we are able to rely on an appropriate derogation under data protection laws. You have a right to request access to any safeguard which we use to transfer your personal information outside of the UK and the EEA (although we may need to redact data transfer agreements for reasons of commercial confidentiality).

As noted above, we may share your data with one of our group companies. As of the date of last review of this notice, the group of companies comprise:

Behavioural Insights Ltd – (UK)
Behavioural Insights US (Inc) – (United States of America)
Behavioural Insights (Australia) Pty Ltd – (Australia)
Behavioural Insights (New Zealand) Ltd – (New Zealand)
Behavioural Insights (Singapore) Pte Ltd – (Singapore)
Behavioural Insights (Canada) Ltd (Canada)
Behavioural Insights Trustee Company Limited

There is an adequacy decision from the European Commission in respect of transfers of personal data to New Zealand. This means that New Zealand is deemed to provide an adequate level of protection for your personal information if we transfer personal data to Behavioural Insights (New Zealand) Ltd. There is also an adequacy decision from the European Commission in respect of transfers of certain types of personal data to Canada, namely data that is subject to protection under Canada’s Personal Information Protection and Electronic Documents Act.
In relation to other group companies outside of the UK and EEA, we have put in place standard contractual clauses (as first set forth laid down in the European Commission Decision 2010/87/EU of 5 February 2010 and as updated from time to time) to ensure an adequate level of protection for your personal data.

Some of our data processors may transfer personal data outside of the UK or EEA and, as stated above, we will always ensure there are appropriate safeguards in place so that such transfers are lawful. For example, MailChimp’s and Hubspot’s servers are located in the United States so personal data will be transferred to the United States. If you are concerned about us sharing your personal data with MailChimp, please do not sign up to receive information from us.

7. Security

We take appropriate steps to protect your personal information and follow procedures designed to minimise unauthorised access, alteration, loss or disclosure of your information. Measures we take include placing confidentiality requirements on our staff members and service providers; limiting access to personal information and destroying personal information which is no longer required.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Any downloadable documents, files or media made available on this website are provided to users at their own risk. While appropriate precautions have been undertaken to ensure only genuine downloads are available, users are advised to verify their authenticity using third party anti-virus software or similar applications. You should also exercise caution when sharing personal data or confidential information on any website, and should use up-to-date web browsers and anti-virus software.

8. Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. When it is no longer necessary to retain your personal data, it will be deleted.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

9. Your legal rights

Subject to certain exemptions, and in some cases dependent upon our lawful basis (see “How do we use the information we collect?” above), you have certain rights in relation to your personal data:

Request access to your personal data: this enables you to find out how and why we are using your personal data, and to receive a copy of the personal data we hold about you to check we are lawfully processing it.
Request correction of your personal data: this enables you to have any incomplete or inaccurate data we hold about you corrected.
Request erasure of your personal data: this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
Object to processing of your personal data: you can object where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
Request restriction of processing your personal data: this enables you to ask us to suspend the processing of your personal data if you contest its accuracy; our processing is unlawful (but you do not want your data erased); your personal data is no longer needed for the original purposes but is needed for legal claims; or you have objected to processing which is based on legitimate interest grounds.
Data portability: Where the processing takes place on the basis of your consent or contract, and is carried out by automated means, you have the right to request that we provide your personal data to you or to another controller (where technically feasible) in a machine-readable format. Based on our use or personal data and the lawful bases relied on, this right is unlikely to be relevant.
Right to withdraw consent to the processing of your personal data: This applies where we have relied on consent to process personal data. Please note that withdrawal of consent will not affect the lawfulness of any processing carried out before withdrawing your consent.

You also have the right to make a complaint at any time to the applicable data authority or government agency in your jurisdiction; in the UK that is the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach a data authority or government agency, so please contact us in the first instance.

If you wish to exercise any of the rights set out above, please contact the Data Protection Officer with your specific request by email to: dpo@bi.team.

Our representative in the EEA is BIT France, 26 Rue Henri Monnier, 75009 Paris, France. If you are located in the EEA, you can contact them by post or by sending an email to dpo@bi.team.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

10. California residents

If you reside in California, in addition to the foregoing legal rights, you have the following additional rights:

Right to Know request: Under California law, you have a right to request information about our collection, use, and disclosure of your personal information over the prior 12 months, and ask that we provide you with the following information without charge:
- Categories or specific pieces of personal information we have collected about you.
- Categories of sources from which we collect personal information.
- Purposes for collecting personal information.
- Categories of third parties with which we share personal information.
- Categories of personal information disclosed about you for a business purpose
Household Requests: We currently do not collect household data. If all the members of a household makes a Right to Know or deletion request, we will respond as if the requests are individual requests.

How to Exercise Your California Rights
You can exercise your rights, or raise privacy questions or concerns, by emailing dpo@bi.team.
We may need to request specific information from you to help us confirm your identity, which may include, but is not limited to, verifying your name and email address. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. You may make a request related to your personal information twice per 12-month period.
We aim to confirm receipt of requests within 10 business days (if we have not already granted or denied the request by then), and aim to respond substantively within 45 calendar days of the date you made your request. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.
No Discrimination
We will not discriminate against you for exercising any of your rights under applicable California privacy laws.
No Sale of Personal Information
We do not ‘sell’ personal information of California consumers (as defined in the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA), as applicable), have not done so in the past 12 months, and we will not do so without offering you the right to opt out of any ‘sale’.
No Use By Minors
We do not knowingly permit children (under the age of 13 in the US or 16 in the EEA) to use our services or participate in our surveys. If we discover someone who is underage has engaged our services, we will take reasonable steps to promptly remove that person’s personal information from our records.
Shine the Light Disclosure
The California “Shine the Light” law gives residents of California the right under certain circumstances to request information from us regarding the manner in which we share certain categories of personal information (as defined in the Shine the Light law) with third parties for their direct marketing purposes. We do not share your personal information with third parties for their own direct marketing purposes.
Notice Concerning Tracking Signals
Do Not Track is a privacy preference that users can set in certain web browsers. We do not currently respond to Do-Not-Track signals. You can learn more about Do Not Track here.

11. US residents. The laws of your state of residence may provide you with certain rights, which may include the following:

You may have the right to confirm whether we process personal information about you and you may have the right to access the personal information we process about you.
You may have to right to obtain a copy of the personal information we process about you. This information will be provided in a portable, accessible format, to the extent that is practical.
You may have the right to request that we delete the personal information we process about you.
You may have the right to request that we correct inaccuracies in the personal information we process about you.
You may have the right to opt-out of certain types of processing of personal information, including:
- Opt outing of the “sale” of personal information as defined by your applicable state law;
- Opting out of targeted advertising by us;
- Opting out of automated profiling for the purposes of making decisions that produce legal or similarly significant effects.
Please note, as discussed elsewhere in this policy, we do not “sell” personal information as that word is traditionally defined in applicable state laws. However, we may share personal information with third parties to provide you with services. You may opt-out from any disclosures of your personal information to third parties by emailing us at info@bi.team.

Behavioural Insights Ltd is a limited company registered in England and Wales. Registration number: 08567792

Registered office: 58 Victoria Embankment, London, EC4Y 0DS