Privacy
How we look after your information.
Your health information is yours. This policy explains — in plain language — what we collect, why, who can see it, and the rights you have over it.
Last updated: 2 July 2026 · Applies to myresearch.study
1. Who we are
MyResearchStudy ("we", "us") operates myresearch.study, a UK-based registry that matches people to clinical research studies and gives research teams access to a consented, de-identified recruitment pool. For the purposes of the UK GDPR and the Data Protection Act 2018, we are the data controller for the registry.
Contact: privacy@myresearch.study.
2. What we collect
This service is for adults. We do not knowingly collect data from anyone under 18, and we ask that you do not submit information about another person without their agreement.
3. Why we use it, and our legal bases
We do not use your information for automated decisions with legal effects, and we never sell it.
4. Who can see your information
Research teams (sponsors) see only a de-identified pool: an anonymous ID, condition, age band, region, and match status — never your name or contact details. Your identity is shared with a specific study team only after you explicitly agree to be introduced to that named study.
Service providers (processors) host and run the service under data processing agreements: Supabase (database and authentication), Render (site hosting), Resend (sending your sign-in and account emails, processed in the EU), Cloudflare (cookieless web analytics and content delivery), and Google Fonts (typefaces; Google receives your IP address when fonts load). We share data with authorities only where the law requires it.
International transfers. Some providers process data in the United States. Where personal data leaves the UK we rely on safeguards approved under UK law — the International Data Transfer Agreement or UK Addendum, or the provider's certification under the UK–US Data Bridge.
5. How long we keep it
We keep your registry profile while you remain on the registry. If you opt out, your profile is deleted; records of consent may be retained where we need them to demonstrate compliance. You can opt out at any time from your portal.
6. Your rights
Under the UK GDPR you have the right to: access your data; correct it; have it erased; restrict or object to processing; receive a portable copy; and withdraw consent at any time (which stops future matching but doesn't undo past lawful processing). You can also change exactly what you share with research teams — de-identified profile, or contact details for a named study — any time from your account. Withdrawing is as easy as opting out in your portal or emailing us.
To exercise any right, email privacy@myresearch.study. We verify requests (usually by confirming the email on your profile) and respond within one month, extendable where the law allows — we'll tell you if so.
Complaints. We'd welcome the chance to resolve any concern first, but you can complain at any time to the Information Commissioner's Office (ico.org.uk).
7. Security
Data is encrypted in transit, access to identifying information is restricted, and research teams work from de-identified records by default. No system is perfectly secure; if a breach ever put your rights at risk we would notify you and the regulator as the law requires.
8. Changes to this policy
If we make material changes we'll update the date at the top and, where the change affects how your data is used, tell you by email before it takes effect. Continuing to use the registry after a change does not replace consent where consent is required — we'll ask again.