Privacy policy

TONIC is committed to protecting privacy and safeguarding personal data. This Privacy Policy explains how TONIC collects, uses, stores, and protects personal data when you visit our website, engage with TONIC research, or when your data is received from public services TONIC works with. It is provided in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

Who we are

Tonic Consultants Ltd is a limited liability company (company number: 06141892), trading as TONIC. 

TONIC is registered with the Information Commissioners Office (ICO) reference number ZA273132.

TONIC is the “data controller” for personal data it collects. This means TONIC determines the purposes and means of processing your personal data and is responsible for handling it lawfully and securely.

TONIC processes your personal data for legitimate business interest in conducting research projects and in accordance with Data Protection laws. TONIC has suitable physical, electronic and managerial procedures in place to safeguard your data. TONIC adheres to strict data processing agreements drawn up between TONIC and its clients in order to safeguard and protect your information.

TONIC’s registered address is: 86-90 Paul Street, London, EC2A 4NE.

TONIC can be contacted by email at engage@tonic.org.uk or by phone on 0800 188 4034 or via the website www.tonic.org.uk

What data we collect

TONIC may collect personal information from you when you visit the website or complete a contact form. The types of personal information TONIC may collect include your name, contact details (e.g. email address or phone number), optional demographic data, and any information you voluntarily provide in correspondence. TONIC will not intentionally collect directly identifying data such as full names or addresses unless necessary.

How we use your data

For website visitors and enquirers, TONIC may use your data to:

  • Send you marketing communications that may be of interest to you

  • Respond to your inquiries or requests

  • Comply with applicable laws and regulations

For research participants, TONIC may use your data to:

  • Recruit and manage participation in research (interviews, surveys, focus groups)

  • Provide participation incentives (e.g. vouchers)

  • Share research summaries or findings where requested.

Research results and any reports produced by TONIC are anonymised and cannot identify individuals.

Legal basis

TONIC process personal data under the following lawful bases under UK GDPR Article 6:

  • Consent – e.g. for participation in research, and where applicable, marketing communications

  • Legitimate interests – e.g. for managing research projects, responding to enquiries, and maintaining business operations, where these interests are not overridden by your rights and freedoms

  • Legal obligation – e.g. where processing is required to comply with a legal duty such as safeguarding disclosures

  • Contract – where applicable.

Where TONIC processes special category data (such as ethnicity, health information, or data relating to criminal justice involvement), TONIC relies on:

  • Explicit consent (UK GDPR Article 9(2)(a)), and/or

  • Processing for research purposes with appropriate safeguards (UK GDPR Article 9(2)(i) and Schedule 1, DPA 2018).

Data sharing, storage and security

TONIC will never sell your personal information with any third-party service providers.

TONIC will only share personal data in the following circumstances:

  • With clients (commissioners of research) – only in anonymised or aggregate form, never in a form that could identify you

  • With data processors who support our operations – these processors are bound by data processing agreements and may only act on TONIC’s instructions

  • With law enforcement or governmental agencies – only where required by law, or where there is a safeguarding concern that requires disclosure

  • All data is stored within the UK (primarily through Microsoft 365 and SmartSurvey) or EEA, and TONIC does not transfer data outside these regions.

TONIC takes the security of your personal data seriously and has implemented a range of technical and organisational measures to protect data, including: encryption, access controls, and secure storage as well as staff training and confidentiality obligations.

In the event of a personal data breach, TONIC has an incident management procedure in place. Where required, TONIC will notify the ICO within 72 hours and inform affected individuals promptly.

Data retention

TONIC retains personal data for no longer than necessary. Personal research participation data is typically retained by TONIC for 3 months after project completion and sign-off by the client. In some cases (e.g. where legally required or specified by the client or contract), data may be retained for up to 5 years where necessary.

Data is then securely and permanently deleted at the end of its retention period using certified erasure methods.

Cookies and similar technologies

The TONIC website use cookies and similar technologies to improve functionality and your experience. Cookies are small text files that are placed on your device when you visit the website.

TONIC uses the following types of cookies:

  • Strictly necessary cookies – essential for the website to function; these do not require your consent.

  • Analytics and performance cookies – help us understand how visitors use the website. These are only placed with your consent.

  • Preference cookies – remember your settings and choices. These are only placed with your consent.

You can disable cookies in your browser settings if you prefer.

Your rights

Under the UK GDPR, you have the following rights in relation to your personal data:

  • Access the personal data TONIC holds about you (Subject Access Request)

  • Request that TONIC corrects or updates your personal data

  • Request that TONIC deletes your personal data

  • Request that TONIC restricts the processing of your personal data

  • Request that TONIC transfers your personal data to another controller.

To exercise these rights, please contact TONIC using the information provided below. TONIC will respond to requests within one calendar month. TONIC may ask you to verify your identity before processing a request.

Changes to this Privacy Policy

TONIC may update this Privacy Policy from time to time to reflect changes in practices or applicable laws. The latest version will always be available on TONIC’s website.

Contact us

If you have any questions or concerns about this Privacy Policy or TONIC’s privacy practices, please contact TONIC at DPO@tonic.org.uk

Last updated: 30/04/2026