Research Participant Privacy Notice

Who we are and what we do

Lightning Health is a market access consultancy providing market research services to the life sciences sector.


Our Head Office is 8 Devonshire Square, London, EC2M 4PL.

Our UK Companies House Company Registration number is: 11063972.

Our ICO Registration Number is: ZA373665.

Our website is:

Our email address is:

Our contact number is: +44(0) 203 488 9438.


This privacy notice is set out to ensure that we meet our transparency obligations under the General Data Protection Regulation (GDPR) across the EEA, the UK GDPR and US Privacy law in the states of California (Californian Privacy Rights Act), Colorado (The Colorado Privacy Act), Virginia (Consumer Data Protection Act), Connecticut (Act Concerning Personal Data Privacy and Online Marketing), Utah (Consumer Privacy Act) and Iowa (Act Relating to Consumer Data Protection).

Lightning Health is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with Data Protection Legislation.

This privacy notice applies to individuals we have reached out to, to take part in research for the life sciences sector, and individuals who have agreed to take part in research. We use the term Research Participants to refer to these individuals.


Types of personal information we collect and our Lawful Basis for processing the Recruitment of Individuals to take part in research

We collect information from a variety of sources on the internet; these are known as open data sources. We use the following open data sources: LinkedIn, Hospital websites, Clinical Membership Associations e.g., Royal College of Surgeons or the American Association of Paediatrics, Life sciences trade and membership organisations and websites, Research Journals, National and State Regulatory Authority Websites. We collect data such as your name, email address, professional qualification, skills and experience from such sources. Lawful Basis: Legitimate Interest.

We also buy data from subscriptions like and ZoomInfo and LinkedIn Sales Navigator. Lawful Basis: Legitimate Interest.

We collect and buy data such as your Name, Email address, Professional qualifications, Skills and experience. Lawful Basis: Legitimate Interest.


Management of Research Participants

Once you have agreed to take part in research for Lightning Health, we will need to process personal information about you so we can match your skills, experience, specialisms and locations to the requirements of each research project, remunerate you for taking part in the research projects, manage this contractual relationship, and comply with legal obligations to which we are subject. This includes:

  • Your basic contact information, including your name, telephone numbers (home, mobile, work), email address. Lawful Basis: Contract & Legal Obligation
  • Your CV, Professional qualifications, skills, experience and current clinical or advisory role. Lawful Basis: Contract & Legal Obligation
  • If you are a practicing medical professional / Health care practitioner in France, your French professional membership or medical ID number (RPPS), name, medical practice address, name of the medical establishment you work in and your speciality. Lawful Basis: Legal Obligation
  • Your government issued identifiers, such as your national ID details, national insurance number, tax code where you issue an invoice to us. Lawful Basis: Contract & Legal Obligation
  • Your bank, telephone number, address, date of birth and financial details for remuneration purposes following participation in research projects or advisory boards, such as your bank account number, bank name and details, your preferred currency. Lawful Basis: Contract & Legal Obligation
  • Information collected for travel and expense purposes, such as credit card, bank details, driving licence and insurance details, passport number so we can book flights, booking and itinerary details and travel preferences, if you take part in a face-to-face Advisory Panel. Lawful Basis: Contract


It is important that the personal information we hold about you is accurate and current.  Please keep us informed if your personal information changes during your research participation with us.


Your rights

EEA and UK Rights

You have the following rights over your data:

  • Request access to your personal information (commonly known as a “data subject access request”).  This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request rectification of the personal information that we hold about you.  This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information.  This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.  You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
  • Object to processing of your personal information where we are relying on a legitimate interest and there is something about your situation which makes you want to object to processing on this ground.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you.


If you would like to exercise any of these rights:

UK Residents please contact our Data Protection Officer at

EEA Residents please contact our EU Representative at, The DPO Centre, Alexandra House, 3 Ballsbridge Park, Dublin, D04C 7H2.


US Privacy Rights

If you live in California, Colorado, Connecticut, Iowa, Utah, or Virginia you have the following rights over your consumer data (please note the definition of consumer data varies from state to state and while the personal data of Research Participants resident in California would be considered consumer data other states will be considered on a case-by-case basis).

  • Right to Know/Access. You have the right to request information on the personal information we collected about you in the last 12 months, including the categories of personal information, the categories of sources from which your personal information was collected, the business or commercial purpose for collecting, selling, or sharing your personal information, the categories of third parties to whom we disclosed your personal information, and the specific pieces of personal information we have collected about you.
  • Right to Delete. (Excluding Utah) You have the right to request that we delete Personal Data that we have collected from you, subject to certain exceptions.
  • Right to Correct. (Excluding Iowa and Utah) You have a right to request that we correct inaccurate Personal Data that we maintain on you.
  • Right to Opt Out. (Excluding Iowa) You have the right to opt out of the sale of your Personal Data. However, please note that we do not sell your Personal Data.
  • Right to No Discrimination. You have the right not to receive discriminatory treatment by us for the exercise of your privacy rights. This includes employee, applicant, or independent contractor rights not to be retaliated against for the exercise of your privacy rights. We will not discriminate against you, in any manner prohibited by applicable law, for exercising these rights.

If you would like to exercise any of these rights, please contact our Data Protection Officer by email:, by writing to us at Lightning Health, 8 Devonshire Square, London, EC2M 4PL or by calling +44(0) 203 488 9438.


Who we share your personal information with

For the most part, when you participate in research for Lightning Health it will be in online surveys and one-to-one interviews. To ensure that the research is blinded and to avoid bias, our client will get basic details on research participants' areas of expertise and experience only. This is not directly identifiable data.

If you agree to take part in an advisory board or face-to-face or virtual meetings, your CV will be shared with our client commissioning the particular advisory board or meeting.

Lightning Health relies on third-party service providers and vendors that provide products and services. These include accountants, law firms and legal service providers, financial professionals, IT providers, payment processors such as Microsoft Azure, Browser, AWS, Wise (International money transfers) and Scoro.

Our third-party service providers may have access to your personal information to perform certain functions or may host your personal information as part of a “cloud based” solution used by employees. Lightning Health only uses third-party service providers that ensure sufficient guarantees for the protection of your Personal Data. All suppliers are to undergo a supplier risk assessment. Lightning Health requires third-party service providers by contract to implement appropriate data security and confidentiality obligations, in accordance with applicable law.

Our third-party providers may change over time, but we will notify you in the event of any change. If you would like further details, or to object to us sharing your data for these purposes, please notify us at dpo@lightning.helath and we will provide you with detailed information and respond to your request.

We may also share your personal information with any organisation in the event of the sale, merger, reorganisation, dissolution, or disposal of our business. We will inform you of any such transfer or disclosure as required by law.

We do not sell Research Participants’ data.


Transferring Information outside the UK & EEA

Data Protection Laws prohibit the transfer of Personal Data belonging to European Union (EU) residents outside of the European Economic Area (EEA), unless there are appropriate safeguards in place to guarantee the security of that data.

Where we use third-party service providers outside of the EEA or Switzerland, we will ensure that these organisations provide sufficient guarantees to implement appropriate technical and organisational measures for the protection of Personal Data. Where necessary, we require that any such third-party service providers execute the relevant Standard Contractual Clauses or adhere to any certification procedures issued by the Commissioner for transfer of personal data to a third country and undertake a transfer impact assessment to identify any supplementary measures required to safeguard your personal data.

If you require further information about these protective measures, you can request it from our DPO at


Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Details of retention periods for different aspects of your personal information are available from our DPO at


Complaints or queries

Lightning Health always tries to meet the highest standards when collecting and using personal information and we welcome feedback about this privacy notice or any other data protection issues or concerns. Please in the first instance contact our Data Protection Officer Melissa Ashdown with any feedback, comments, concerns, or complaints.


UK Residents:

If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office in their capacity as the statutory body which oversees data protection law in the UK


EEA Residents:

If you want to make a complaint about the way we have processed your personal information, you can contact the Irish Data Protection Commission.



Version 1.0. June 2023