Client Feedback Privacy Notice
- Wavehill
- Feb 23
- 4 min read
Wavehill Ltd is committed to protecting your personal data and being transparent about how we use it. This Privacy Notice explains what information we collect through this form, why we collect it, how we use it, and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018).
1. Who we are
Wavehill Ltd is the data controller for the personal data collected through this form.
If you have any questions about how your data is used, please contact us:
Email: louise.petrie@wavehill.com
2. What data we collect
The client feedback forms asks for organisation name, name of person completing the survey, project name and then a series of questions asking about the standard of the work undertaken by Wavehill.
Questions included, but not limited to:
How likely is it that you would recommend Wavehill to a friend or colleague? Where 0 is not at all likely and 10 is extremely likely
What, if anything, has been / do you anticipate will be the impact of the evaluation research conducted by Wavehill?
Would you allow us to feature your response to the question above as a testimonial to help others understand the impact of our services?
On occasion, prospective clients ask us for a reference. Are you happy for us to retain your contact details [name and contact email/telephone] and supply these to prospective clients for them to contact you directly for this purpose?
We sometimes conduct research with previous clients to understand the impact of our work. This can include how our research has been used, and any outcomes it may have led to. We may wish to contact you by email or telephone, once within 6 to 12 months of the project completing, are you happy for us to keep your contact details on file for this purpose?
We do not collect any special category (sensitive) data through this form.
3. Why we collect your data and our legal basis
Purpose | Data Used | Legal Basis |
To understand client satisfaction and improve our services | Feedback responses, organisation name, project name | Legitimate interests (to evaluate and improve our work) |
To feature your response as a testimonial | Feedback + your name/organisation (if provided and consent given) | Consent |
To provide your contact details to prospective clients as a reference | Name + contact email/telephone | Consent |
Where we rely on consent, you may withdraw it at any time by contacting us.
4. How we use your data
We analyse feedback and project-level insights to help us review and improve our services. If you consent, we may publish your testimonial (including your organisation name, unless you prefer it to be anonymised). If you agree to act as a reference, we may share your name and contact details with prospective clients. If you consent to follow‑up contact, we may contact you once within 6–12 months of project completion to understand longer-term impact.
We will not use your personal data for any unrelated purpose.
5. Who we share your data with
Your identifiable data is kept within Wavehill unless:
You have consented to act as a reference, in which case we may share your name and contact email/telephone with prospective clients.
We do not sell or share your data for marketing.
The data collected is stored securely on our Google
Drive and our internal CRM [customer relationship management] system where we can access and action any agreed purposes i.e. use for references etc.
6. Data Retention
Data Type | Retention Period |
Feedback responses | Up to 5 years |
Testimonials (if consent given) | Until no longer in use or consent withdrawn |
Reference contact details | Up to 5 years or until consent withdrawn |
Follow‑up research contact details | Up to 12 months after project completion |
All personal data is securely deleted when no longer needed.
6.2 Justification for 5‑year retention
Wavehill’s evaluation work often involves long-term impact cycles, where outcomes may only become visible several years after project completion. UK GDPR does not impose fixed retention limits but requires organisations to justify their chosen periods based on purpose, and the ICO confirms that retention must be assessed and documented rather than follow universal timescales. [gov.uk]
Retaining client feedback for five years allows Wavehill to:
Assess long-term evaluation impact, which may evolve over multiple years
Maintain continuity of evidence for repeat commissioning cycles, bids, and tenders
Support operational needs where clients re‑engage Wavehill for additional work
Meet GDPR’s requirement to set justified, purpose-driven retention periods, as reinforced by data protection guidance stating that organisations must determine retention lengths based on their specific business needs. [sprintlaw.co.uk]
This period represents a proportionate balance between Wavehill’s operational needs and individuals’ data protection rights, aligning with good practice guidance that retention periods should be justified against purpose and reviewed regularly. [gdprlocal.com]
At the end of 5 years, all personal data will be securely deleted or anonymised unless continued retention is legally required or consent is renewed.
Your Rights
Under the data protection legislation, you have the right:
To access your personal data held by Wavehill.
To require Wavehill to correct any mistakes in that data.
Withdraw consent at any time
To (in certain circumstances) object to or restrict processing
For (in certain circumstances) your data to be ‘erased’.
Please contact Louise Petrie if you wish to do any of these things.
If you have any concerns about how your data has been handled, you can lodge a complaint with the Information Commissioner’s Office who is the independent regulator for data protection. You can contact the Information Commissioner’s Office on 01625 545 745 or 0303 123 1113, via the website www.ico.org.uk or write to: Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
If you have any questions at all, please contact Louise Petrie by email louise.petrie@wavehill.com.
