Gorilla Logo

Privacy Policy

This Privacy Policy applies to the website https://gorilla.sc (also at https://research.sc) (the 'Site') which is run by Cauldron Science Limited ('Cauldron'), a company registered in England and Wales with company number 07071678 with our registered office located at 2 Old Bath Road, Newbury, Berks, RG14 1QL, having our business address at St John's Innovation Centre, Cowley Road, Cambridge CB4 0WS, United Kingdom.

This Privacy Policy ('Policy') explains how Cauldron collects, uses and discloses personal information about you when you visit the Site, our research platform ('Gorilla'), when you create a user account and when you contact Cauldron, whether by e-mail, or telephone using the contact options on the Site. For the personal data we collect about you in these scenarios, including your personal information if you are an account holder using our services, Cauldron is the data controller for the purpose of the General Data Protection Regulation EU 2016/679. This policy does not apply to data that you upload or input in the course of using our web-based tools. That data is governed by our licence terms and conditions.

Cauldron provides users with access to use Gorilla to help account holders (such as scientists) create, design, conduct and analyse psychology research experiments (‘Experiments’) by providing tools to host and conduct tasks in a self-service capacity (collectively, the 'Services') directly and through the Site.

If you want to register an account with us you will need to provide us with some additional personal information so that we can ensure the information provided to you is relevant and to be certain that we are placing any new information you create as a user of the Site in the appropriate category. If you do choose to create and account or otherwise to provide us with your personal information, we will collect that information for our own use and for the purposes described in this Policy.

What type of personal information does Cauldron collect?

The personal information we collect from you, including where you choose to provide personal details to us, and where we obtain information about you, will include the following data which we require in order to provide our Services and to communicate with you:

  • your full name;
  • your e-mail address and Gorilla password;
  • your address and contact details;
  • your mobile phone number if you choose to secure your account with 2-factor authentication;
  • your credit or debit card details if you decide to purchase the Services;

Where you fail to provide this data, or other data requested that we need to collect by law, or under the terms of another contract we have with you, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our Services). In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time. The other personal information we may collect from or about you, includes:

  • Your university and department;
  • information you voluntarily submit to us (including through the Site) from time to time as part of user generated content (or through other means);
  • Details of visits to our website (which enable our website to remember information about you and your preferences) and use of our site. This may include:
    • Usage data, such as the URLs of pages visited and the times and dates of those visits
    • Error data, such as the URLs and contextual information for any errors encountered while using the site
    • Referral data, such as the site that referred you to Gorilla and the site that Gorilla referred you to
    • Technical data, such as the browser you use to access our site, the device and operating system that you use, and your time zone
  • Any information necessary for legal compliance

The information above will be collected primarily from you as information voluntarily provided by you to us, but we may also collect it where lawful to do so from (and combine it with information from) public sources, your university, employer, third party service providers, individuals who you have indicated have agreed for you to provide their personal information, government, tax or law enforcement agencies and other third parties. We may also collect personal information about you from your use of other Cauldron websites or services.

On what basis can we process your information?

The legal grounds for processing your personal data are as follows:

  • It is necessary that we collect your data for the performance of a contract to which you are a party, or to take steps prior to entering into a contract with you, in order for us to provide you with our Services.
  • Where you have provided explicit consent to the processing of your personal data for one or more specific purposes, namely:
    • to receive electronic marketing by us and/or by third parties,
    • to receive information from us as a result of your details being passed to us from your colleague under a referral scheme,
    • to process special category data where relevant.
  • You do not need to provide us with marketing consent in order to receive our Services.
  • It is necessary for the purposes of our legitimate interests, except where our interests are overridden by the interests, rights or freedoms of affected individuals (such as you). To determine this we shall consider a number of factors, such as what you were told at the time you provided your data, what your expectations are about the processing of the data, the nature of the data, and the impact of the processing on you. Our legitimate interests are to improve and to promote our Services and those of others, to better understand our customers’ interests and to administer the Site.
  • Where processing of special category data is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR and UK data protection legislation.
  • Where we need to comply with a legal obligation; or in rare circumstances:
    • Where we need to protect your interests (or someone else's interests); and/or
    • Where it is needed in the public interest or for official purposes

How does Cauldron use information about you?

Cauldron uses information about you for the following purposes:

  • In order to provide you with our Services;
  • To provide you with information about services we feel may interest you, including by our referral scheme, where one account holder can refer another to us;
  • to respond and/or deal with your request or enquiry;
  • to administer the Site;
  • to administer the Services, including support and consultancy services;
  • for internal record keeping, including:
    • Financial transactions (for tax and accounting purposes)
    • Subscription usage (for billing)
    • Data ownership (to denote which account holder is the owner of which project)
    • Feature usage and server load (to denote which features are popular or need changing, and to ensure adequate server provision)
  • to contact you by e-mail or phone for any of the above reasons;
  • to provide you with information at your request, or as a result of searches undertaken using the Site;
  • where necessary as part of any restructuring of Cauldron or sale of Cauldron’s business or assets; and
  • for compliance with legal, regulatory and other good governance obligations.

This list is not intended to be exhaustive and may be updated from time to time as business needs and legal requirements dictate.

Cauldron may also convert personal information into anonymous data and use it (normally on an aggregated statistical basis) for research and analysis to monitor and improve Site performance and/or for promotional purposes.

How long we keep your data for

We will keep your details on record for so long as you have a registered account with Cauldron. If you would like to close your registered account, you can do so via the Site. When you close your account:

  • Subscription usage and financial records are kept as part of our usage records
  • Identifying information about you (name, email address) is deleted from your account, and your account data is pseudonymised to form part of our aggregated statistics

Does Cauldron share personal information with third parties?

Your personal information will only be made available for the purposes mentioned above (or as otherwise notified to you from time to time including in this Policy) to our staff who properly need to know these details for their functions within Cauldron.

Your personal information may also be made available to third parties (within or outside of Cauldron) providing us with relevant services on our behalf, such as your university, auditors and compliance managers and IT hosting and IT maintenance providers. These companies will only have access to or use your information where necessary to perform their functions on our behalf. A list of these organisations is available here

We may disclose specific information upon lawful request by government authorities, law enforcement and regulatory authorities where required or permitted by law and for tax or other purposes. Your personal information may also be made available to third parties or partners, where necessary, as part of any restructuring of Cauldron or sale of Cauldron’s business or assets. Personal information may also be released to external parties in response to legal process, and when required to comply with laws, or to enforce our agreements, corporate policies, and terms of use, or to protect the rights, property or safety of Cauldron, our employees, agents, Site users and others, as well as to parties to whom you authorise Cauldron to release your personal information.

Will your personal information be transferred abroad?

Whilst we hold your data on secure servers within the UK/European Economic Area ('EEA') certain transfers of personal information to third party recipients take place, as explained above. Please be aware that such recipients of your personal information (as set out in this notice), may not be located within the EEA but instead located in countries which do not have equivalent protection for personal information to that within the EEA. Where we transfer your information outside the EEA we will either undertake an assessment of the level of protection in light of the circumstances surrounding the transfer or:

  • Only transfer it to a non-EEA country with privacy laws that give the same protection as the EEA; or
  • Ensure we have an agreement in place with the recipient under which they are under a duty to protect your data to the same standards as those in place in the EEA; or
  • We will make sure that any transfers are not repetitive and only limited to the minimum amount of information possible. In certain circumstances we may need to seek your consent unless there is an overriding legal need to transfer the information; and
  • In all cases where your information is transferred outside the EEA, you have a right to contact us for information on the measures we have put in place. Those current measures in place are here

What safeguards are in place to protect your paersonal information?

While we take efforts to safeguard your personal information which are consistent with relevant laws, the nature of the internet is such that we cannot guarantee absolutely the security of any personal information you disclose online.

How you can access and update your personal information

You can find out if Cauldron hold any personal information by making a ‘subject access request’, normally free of charge, under data protection legislation. If we do hold information about you we will let you have a copy of that information unless a legal exception applies, in which case we will inform you of this at the time. You also have the right to request that information we hold about you which may be incorrect, incomplete, or which has been changed since you first told us, is updated or removed. To make a request to exercise either of these rights, please email your request to info@gorilla.sc

For California residents, to exercise your CCPA rights, please contact us at info@gorilla.sc. We will respond to verifiable consumer requests within 45 days of receipt. If we require more time, we will inform you of the reason and extension period in writing.

To protect your privacy and maintain security, we will take steps to verify your identity before granting you access to your personal information or complying with your request. If you have an account with us, we will verify your identity through our existing authentication practices for your account. If you do not have an account with us, we will request additional information from you to verify your identity.

How you can request erasure of your data

You can ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

How you can withdraw your consent

You have the right at any time to withdraw any consent you have given us to process your personal data. Please note if you withdraw your consent it will not affect the lawfulness of any processing of your personal data we have carried out before you withdrew your consent. Should you wish to do so you can change your consent preferences at any time on your Account page or by contacting info@gorilla.sc

How you can restrict or object to us using your data

You can ask us to suspend the way in which we are using your information in certain scenarios, or object to our processing your data where we are relying on a legitimate interest ground (or those of a third party) and you feel it impacts on your fundamental rights and freedoms, or where we are processing your personal data for direct marketing purposes or profiling your data. In some cases where you object, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Please note that if you want us to restrict or stop processing your data this may impact on our ability to provide our Services. Depending on the extent of your request we may be unable to continue providing you with our service.

Any queries or concerns about the way in which your data is being used can be sent to info@gorilla.sc

Moving your information to another organisation

In the event that we process your data by automated means where you have either provided us with consent for us to use your information or where we used the information to perform a contract with you, you have the right to request that we send to you or to another organisation, an electronic copy of the personal data we hold about you, for example when you are dealing with a different service provider. If you would like us to move, copy, or transfer your information please let us know by email to info@gorilla.sc. We will respond to you within one month after assessing whether or not this is possible, taking into account the technical compatibility with the other organisation in question.

Automated decision making and Profiling

We do not use your information for automated decision making or profiling that has legal or similarly significant effects on you.

California Consumer Privacy Act (CCPA) Rights

For California residents, in addition to the rights described in this Privacy Policy, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information held by businesses
  • Right to opt-out of the sale of personal information (Note: We do not sell your personal information)
  • Right to non-discrimination for exercising CCPA rights

Cauldron Science Limited does not sell personal information. We review this policy annually and update it when necessary due to regulatory changes or changes to our application and/or data flow.

You may designate an authorised agent to make a request under the CCPA on your behalf. To do so, we need to receive written permission from you or a copy of a power of attorney. We may also need you to verify your own identity directly with us.

We will not discriminate against you for exercising any of your CCPA rights. We will not:

  • Deny you goods or services
  • Charge you different prices or rates for goods or services
  • Provide you with a different level or quality of goods or services
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services

FERPA Compliance

When educational institutions use our Services for research projects involving student data, we recognize that such data may be subject to the Family Educational Rights and Privacy Act (FERPA). While students do not directly access our Services, we acknowledge our responsibilities regarding any student education records that faculty members may upload as part of their research projects.

For Research Data Including Student Information:

  • We implement appropriate security measures to protect any student data uploaded to our platform

  • We process such data only as instructed by the educational institution

  • We acknowledge that any identifiable student data remains under the direct control of the educational institution

  • We do not use or disclose such data for any purpose other than the research project for which it was provided

For questions about FERPA compliance related to research data processed through our Services, educational institutions should contact our Data Protection Officer at privacy@gorilla.sc

Representation for data subjects in the EU

We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact.

Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter or make use of your data subject rights, please click here

Data Processing Agreement (DPA)

In addition to this Privacy Policy, we offer a Data Processing Agreement (DPA) for our business customers and partners who engage with us as data controllers, where we act as a data processor under the General Data Protection Regulation (GDPR) or other applicable data protection laws.

Our DPA provides detailed information on how we process personal data on behalf of our customers, including:

  • Our obligations as a data processor
  • Security measures we implement to protect personal data
  • Procedures for handling data subject requests
  • Our approach to using sub-processors
  • Data breach notification processes
  • Data retention and deletion policies
  • Compliance with cross-border data transfer requirements

The DPA is designed to meet the requirements of Article 28 of the GDPR and to provide our customers with the assurances they need regarding our data processing activities.

If you are a business customer or partner and wish to review or execute our DPA, please contact our Data Protection Officer at privacy@gorilla.sc or view our DPA at https://app.gorilla.sc/data-processing-agreement

For individuals concerned about their personal data, this Privacy Policy continues to be the primary source of information about our data handling practices. The DPA provides additional technical and organisational details primarily relevant to our business relationships.

Changes to this Policy

We keep this Policy under regular review. We may change this Policy from time to time by updating this page in order to reflect changes in the law and/or our privacy practices. The date at the top of this Policy will be updated accordingly.

We encourage you to check the date of this Policy when you visit the Site for any updates or changes. We will notify you of any modified versions of this Policy that might materially affect the way we use or disclose your personal information.

This Policy only extends to the Site and does not, therefore, extend to your use of, provision of data to and/or collection of data on any website not connected to us to which you may link by using the hypertext links within this website.

Contact/address details

If you have any questions about this Policy, please contact us at info@gorilla.sc or write to us at:

Cauldron Science Ltd
St John's Innovation Centre
Cowley Road
Cambridge
CB4 0WS
United Kingdom

Complaints about the use of your personal data

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the UK data protection regulator, the Information Commissioner’s Office. Further details can be found at www.ico.org.uk or 0303 123 1113.