Customer GDPR guide
Your obligations as a data controller and how Meaningful assists you
Your role as Data Controller
When you use Meaningful to conduct research, you are the data controller under GDPR. This means:
- You determine what data to collect (questions, demographics)
- You determine why you're collecting it (research purpose)
- You determine how long to keep it (retention period)
- You are responsible for the lawful basis (usually consent or legitimate interest)
- You must respond to data subject rights requests (access, deletion, etc.)
Meaningful's role: We are your data processor. We process data on your behalf according to your instructions, as set out in our Data Processing Agreement.
Before starting research
1. Establish a lawful basis (Article 6)
Choose one:
- Consent (most common): Participants explicitly agree to take part. Use Meaningful's consent checkbox feature.
- Legitimate interest: Applies if the research serves a legitimate purpose and is not overly intrusive.
- Public interest: For academic or public-interest research (e.g., universities)
2. Provide a privacy notice (Article 13)
You must inform participants about how their data will be used. Your privacy notice should include:
- Your identity and contact details
- Purpose of the research
- Legal basis for processing
- What data you will collect
- How long you will keep it
- Their rights (access, deletion, etc.)
- That Meaningful is your processor
See the privacy notice template below.
3. Special category data (Article 9)
If your research collects data about racial or ethnic origin, political opinions, religious beliefs, health, sexual orientation, or biometric data, you need explicit consent or another Article 9 exception (e.g., scientific research with safeguards).
Recommendation: Avoid collecting special category data unless absolutely necessary for your research.
During research
4. Data minimisation (Article 5.1c)
Only collect data you actually need:
- Don't ask for names if you only need anonymous responses
- Make demographic questions optional
- Avoid collecting contact info unless necessary for follow-up
Meaningful provides: optional demographic fields and anonymous response mode (no email collection). All AI processing runs within our own EU cloud infrastructure — data does not leave our cloud boundary.
5. Security (Article 32)
Meaningful provides:
- TLS 1.3 encryption in transit, AES-256 at rest
- Access controls, audit logging, and regular testing
- EU-only data storage (Frankfurt, Sweden)
Your responsibility:
- Use strong passwords and enable MFA on your account
- Don't share login credentials
- Review and remove collaborator access when staff leave
After research: handling data subject requests
As the data controller, you are responsible for handling data subject requests. You must respond within 30 days. Meaningful can assist upon request.
6. Right of access (Article 15)
If participants came through an external panel: They are pseudonymised before they enter Meaningful. Meaningful retains only non-identifying quality-assurance data (country, region, city, ISP, timezone, and a one-way hashed IP) which cannot be linked back to an individual. Direct the participant to the panel provider who holds their identity.
If you recruited participants directly and collected identifying information: Verify their identity, export the relevant project data from the platform, and provide it to them within 30 days. Contact contact@meaningful.app if you need assistance.
7. Right to erasure (Article 17)
If participants came through an external panel: Meaningful holds only non-identifying quality-assurance data (country, region, city, ISP, timezone, and a one-way hashed IP) which cannot be attributed to an individual — there is nothing to erase on Meaningful's side. Direct the participant to the panel provider.
If you collected identifiable participant data directly: Delete the relevant data source or workspace from the platform. Contact contact@meaningful.app if you need assistance ensuring data is removed from all systems including backups. Confirm deletion to the participant within 30 days.
Exceptions: You can refuse deletion if required by law, necessary for legal claims, or if your research purpose outweighs the individual's rights (with safeguards).
8. Right to rectification (Article 16)
If a participant requests correction of inaccurate data, contact contact@meaningful.app and we will assist with updating the data.
9. Right to data portability (Article 20)
Export the participant's data from the platform and provide it in a machine-readable format (e.g., JSON or CSV).
10. Right to object (Article 21)
If processing is based on legitimate interest (not consent), the participant can object. Delete their data from your workspace to stop processing.
What Meaningful provides
| Feature | Description |
|---|---|
| EU data storage | All data stored in EU (Frankfurt, Sweden). No data leaves the EU for core features. |
| Encryption | TLS 1.3 in transit, AES-256 at rest for all Customer Data |
| Data isolation | Multi-tenant architecture with logical separation by organisation and workspace |
| AI no-training commitment | Customer Data is never used to train AI models by any provider |
| Consent checkbox | Configurable consent collection for AI-moderated interviews and surveys |
| Project and data deletion | Delete workspaces, projects, or data sources at any time. Contact us for assistance with participant-level deletion. |
| Assistance with DSARs | Contact contact@meaningful.app for help with data subject access requests, exports, or deletion |
Privacy notice template for participants
Copy and customise this template for your research participants:
Privacy Notice — [Your Organisation Name]
Who we are: [Organisation name] is conducting research on [topic]. We are the data controller for this research. Contact: [your email].
What data we collect: Your responses to interview or survey questions. Optional: [list demographic info]. Technical data: device type, timestamp (collected by our platform provider).
Purpose: [Describe research purpose, e.g., "Understand customer preferences for product development"].
Legal basis: Consent — by participating, you consent to this processing.
How we use it: Analyse responses to identify themes and insights. Generate aggregated reports (no individual identification). AI analysis using AWS and Azure services (EU-based, not used for model training).
Who we share it with: Meaningful (our platform provider) processes data on our behalf under strict contract. Our research team: [list who has access]. We do not sell your data.
How long we keep it: [X] years from collection. You can request earlier deletion.
Your rights: Access, rectification, erasure, portability, and withdrawal of consent at any time without penalty. Email [your email] with your request. We will respond within 30 days.
Security: Data is encrypted, stored securely on EU servers, and accessed only by authorised personnel.
Frequently asked questions
Can I use Meaningful for research with EU residents?
Yes. Meaningful is GDPR-compliant and all data is stored in the EU.
Do I need a Data Processing Agreement with Meaningful?
Yes, and you already have one. It is included in your Terms and Conditions. You can review it at meaningful.app/data-policy.
What if a participant asks me to delete their data?
If the participant came through an external panel, Meaningful holds only non-identifying quality-assurance data (country, region, city, ISP, timezone, and a one-way hashed IP) which cannot be attributed to an individual — direct them to the panel provider who holds their identity. If you recruited them directly and collected identifying information, delete the relevant data source or workspace from the platform. Contact contact@meaningful.app if you need assistance.
What if I cannot find a participant's data?
Contact contact@meaningful.app with whatever information you have (name, date, topic). We will help locate the data.
Do I need consent from participants?
Usually yes, unless you have another lawful basis (legitimate interest, legal obligation). Consent is the safest approach for market research.
Can I use Meaningful for health research?
Yes, but health data is "special category" under GDPR. You need explicit consent or another Article 9 exception. Contact your legal team.
What if I get a GDPR request from a supervisory authority?
Contact contact@meaningful.app immediately. We will cooperate fully and provide all necessary information.
What AI models process my data?
Standard features use AWS Bedrock (Claude) and Azure OpenAI (GPT), both in the EU. Optional features like AI Perception may also use Google Gemini and Perplexity AI. Your data is never used for model training. See our sub-processor list for details.
Need help?
- GDPR questions: contact@meaningful.app
- Technical support: contact@meaningful.app
- Urgent data breach: contact@meaningful.app
Last updated: April 2026