At Dragonfish, we are deeply committed to safeguarding the privacy of all individuals who interact with our Lumin platform. Our privacy practices are built upon a foundation of transparency, rigorous compliance with data protection laws, and a profound respect for the rights of survey participants and our valued clients. While our platform is intentionally designed to avoid the collection of direct personal identifiers, Dragonfish maintains the highest standards of data protection, fully adhering to applicable legislation, including the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
Lumin is designed to maintain the anonymity of survey respondents by default. Dragonfish does not collect any direct personal identifiers, such as names, email addresses, IP addresses, or other information that could directly identify an individual. Our data collection is strictly limited to segmentation-level data (e.g., department, grade, location, tenure), which is inherently anonymised and cannot be traced back to specific individuals. Access to surveys is secured through a universal URL and password provided and managed at the organisational level. To further reinforce anonymity, Dragonfish employs the following robust techniques:
The data collected through Lumin is exclusively used for the purposes of providing organisational insights, supporting improvement planning initiatives, and facilitating anonymised benchmarking. Dragonfish does not sell or share the data, profile individuals, or use the data for any purposes beyond those explicitly stated in this policy and agreed upon with our clients. With explicit client consent, Dragonfish may aggregate and further anonymise collected data to contribute to broader industry or sector benchmarking reports, ensuring that no individual or specific organisation can be identified in these aggregated analyses.
Survey response data is retained for a standard period of six (6) years from the completion of the survey, unless a different retention period is explicitly agreed upon with the client at the outset of a project. This default retention period is essential to facilitate:
Following the agreed-upon retention period, all row-level (individual response) data is securely and permanently purged from our systems. Only high-level, aggregated insights and reports, from which individual responses cannot be reconstructed, may be retained for long-term reference and internal analytics purposes.
All survey data collected through Lumin is securely hosted on Amazon Web Services (AWS) infrastructure managed by Lawton Communications Group. These data centres comply with applicable data residency and sovereignty regulations, ensuring adherence to GDPR and other relevant legal frameworks. The platform utilises AWS EC2 for the application server and AWS RDS for the database, with Lawton Communications Group employing robust security measures and being contractually obligated to maintain the confidentiality and integrity of the data in accordance with our stringent standards. Data is consistently stored and processed in a manner aligned with the principles of GDPR and other pertinent data protection legislation.
Currently, the core Lumin platform does not employ Artificial Intelligence (AI) for any decision-making processes that could impact individuals. While Power BI, a tool utilised for data visualisation and exploration, may offer basic AI-driven query suggestions or features, these do not involve the processing of any personal identifiers or individual survey responses. Looking towards future enhancements, Dragonfish may explore the integration of AI-powered features, such as automated report generation. Dragonfish is firmly committed to ensuring that all such implementations are guided by strong ethical considerations and principles of transparency. Dragonfish will provide clear and concise information about any future AI integrations and their implications for data privacy.
Dragonfish is committed to full compliance with the following data protection and privacy legislation:
Dragonfish regularly reviews and updates its policies and procedures to ensure ongoing compliance with these and any other relevant legal requirements.
As Lumin collects and processes only anonymised data, the rights associated with personal data, such as the right to access, rectify, or erase your data, do not apply.
For more detailed information about the technical and organisational measures Dragonfish employs to ensure the security of your data, please refer to our comprehensive Data Security & Safety Policy.
Should you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices related to Lumin, please do not hesitate to contact us at dpo@dragonfishuk.com.
This Privacy Policy will be reviewed and updated periodically to reflect any changes in our practices, technologies, or legal requirements. The date of the last review is 25th April 2025. Dragonfish will communicate any significant changes to this policy through appropriate channels.