Projects by IF is a limited company based in London, England. We run this website ( and its subdomains.

We use third party services to publish work, keep in touch with people and understand how we can do both of these things better. Here you can find out what these services are and how we handle data for user research, job applications and people that work at IF.

This page was last updated on 18 April 2019. You can see previous versions on GitHub.

Our websites

We use the following services to run our websites and understand how people are using them.


We track visitors to IF’s websites using analytics software called Matomo, which collects information about how people are using our sites to allow us to improve their experience. Data is stored indefinitely, so we can see how use of our website changes over time. We run our own copy of Matomo, so no third parties have access to this data.

You can opt out of our analytics by turning on Do Not Track in your browser. Find out how to do this for Google Chrome, Firefox, Safari, Internet Explorer and Microsoft Edge.


Many of IF’s sites are hosted on Netlify, a managed website hosting service for static web pages. Netlify describes the data they collect about visitors to sites hosted on their platform in their GDPR statement. Further information about their approach to customer data is included in their privacy policy.

Digital Ocean

IF’s blog and Matomo analytics service run on servers in London that are owned by Digital Ocean. They give us full control over the software we use and how data is stored. Digital Ocean’s approach to customer data is outlined in their privacy policy.


We use GitHub to host code, which allows people outside of IF to contribute to our open source projects. Find out more about how they use data in their privacy statement.


We host videos using Vimeo, because its infrastructure is better suited to delivering video content than our own. Find out more about how they use data in their privacy statement.

Amazon Web Services

We host images using Amazon Web Services (AWS) Simple Storage Service (S3). We use AWS S3 because it’s reliable and integrates easily with our CMS, Craft.

We don’t use logging for S3 files, but Amazon may log IP addresses to protect the security of their systems. We have signed a Data Protection Addendum with Amazon to ensure data protections approved by the European Commission are in place.

You can read more about privacy on Amazon AWS in their Data Privacy FAQ.

Our social media accounts

We use several social media accounts to share our work. We occasionally use the analytics tools provided by these platforms to understand how we can use these services better. Our social media accounts include:

We may feature public messages, comments or replies on

If you’d like content about you removed from this site or any of our social media profiles, please contact

Research participants

Research is an important part of our work: it helps us understand people’s needs and build better products and services.

All research participants are given a consent form that outlines what the research involves, what information will be recorded and how it will be used. If the participant is happy to proceed we ask them to sign the form to confirm this. We scan signed consent forms and shred paper copies, then store consent forms on Google Drive and keep these for 6 years.

At the moment, we do not conduct any research with people under the age of 18.

You can view an example of our informed consent form on GitHub.

Using information from research

Research material is separated from any identifiable information, such as consent forms, while we are working with it.

Any notes we gather during research sessions are stored securely. Any digital files (like audio, photos and videos) are stored on Google Drive and are only accessed by IF team members involved in the research. We may send audio of the research session to a transcriber if necessary. We review the privacy notices of the companies we use for this and ask for explicit consent from participants in our consent forms.

All notes and digital files are destroyed or deleted 2 years after the research session. We delete any personal information provided by us from the research recruiter when the project has finished.

Sometimes we may publish quotes from research sessions. We only do this if we have specific consent from the participant and any personally identifiable information has been removed. We will only publish audio, photos and video from a research session if a participant has given consent and has signed a model release form.

Participants are able to withdraw their information from a project at any time. To do this, contact

Job applicants

We use several services to help us find people to join our team. At the moment, these include:

Only team members involved in the recruitment process have access to these accounts, CVs and emails. We don’t collect any special category data or ask for any background checks as part of the application process.

If you want to exercise your rights on a particular service, please refer to its privacy policy for more information.

People who work at IF

When people join IF, we request information about them needed for tax and to confirm their right to work in the UK. We hold information about their role and their professional development at IF. Access to this information is controlled – more information about what’s stored is available in our handbook.

Things we don’t do

IF doesn’t participate in the following data processing activities:

  • Buying or selling marketing lists
  • Entering into data sharing agreements with other organisations
  • Telephone marketing
  • Postal marketing
  • CCTV surveillance (apart from CCTV systems run by the buildings in which we work)

We don’t use “soft opt-in”, meaning you won’t receive any marketing communication from us unless you’ve specifically agreed to it.

Keeping data secure

We carefully choose our services and tools at IF. It’s important that they follow good security practices, like HTTPS, two-factor authentication and the ability to set a strong password. We’ve reviewed the privacy policies and security practices of everything we use.

When a new team member joins IF, we explain best practices for keeping their devices secure, maintaining the security of their online accounts and working outside our offices.

Infrastructure we maintain ourselves, like our Digital Ocean servers, are secured using these best practices. Only specific members of the team can access these servers.

Data breaches

In the event of a data breach, we are required to notify the Information Commissioner’s Office. We will do so following their guidance.

Data transfer outside the EEA

We have reviewed the privacy policies of third party services we use. They provide adequate protections when information is shared outside of the European Economic Area.


There are exemptions to data protection regulations that may require us to share data about you, including requests by law enforcement. A full list of exemptions are listed on the ICO website – this also applies to data held about you by third party services we use.

Reviewing how we use data

Every quarter, we review our documentation of the data we handle and third party services we use. This helps us continuously improve our processes and hold ourselves to account. We will update this document as necessary.

Your rights and getting in touch

The General Data Protection Regulation gives EU citizens the following rights:

To exercise any of these rights, please contact us at You can find information specific to the services we use or our activities in the relevant sections of this document.

Our postal address is Projects By IF, New Wing, Somerset House, London, WC2R 1LA.

If you aren’t satisfied by our response, you can contact the Information Commissioner’s Office.