How DML uses data

This page was last updated on 21 June 2022. You can see previous versions on GitHub.

Privacy Policy

Who we are:

Dark Matter Labs (DML) is a strategic discovery, design and development lab working to transition society in response to technological revolution and climate breakdown. We run this website ( and its subdomains (

This privacy policy applies to Dark Matter Labs, a company registered at 217 Mare Street London, E8 3QE United Kingdom. We operate in various offices around the world and have partnerships that are representative of these multiple geographies that we operate within.

At Dark Matter Labs, we want every individual to know what personal data we collect, why we are collecting it, and for you to know what we do with it. We firmly believe in the right for every individual as a data subject to know how their personal data is being used by a data controller such as DML, so please get familiar with our Privacy Policy and if you have any questions at all you can reach out to [email protected].

This Privacy Policy is divided into sections based on the way you are interacting with Dark Matter Labs. You are either a Site Visitor, Research Participant, Event Attendee, Partner, or a Prospective Applicant. Please determine what type of user you are and we have explained what information we collect, how we use it, how we store it, and how we may share that information. All of our practices are compliant with the General Data Protection Regulation (GDPR) which is a legal framework that sets guidelines for the collection and processing of personal information for individuals that live in the UK & European Union.  

User Type:

Site Visitor: You are a site visitor when you visit and interact with our web sites, web pages, blogs and content on Jump to Site Visitor.

Research Participant: You are a Research Participant when you have agreed to take part in research that Dark Matter Labs is conducting. Jump to Research Participant.

Partner: You are an existing Partner once you have engaged with Dark Matter Labs in a contract. Jump to Partner.

Prospective Applicant: You are a Prospective Applicant when you apply to a position at Dark Matter Labs that are found here. Jump to Prospective Applicant.

Event Attendee: We occasionally host events at Dark Matter Labs that require your registration, you are an Event Attendee once you have registered for an event that we are hosting. Jump to Event Attendee.


Firstly, we want to make you aware of six principles for which all personal data must be processed according to Article 5 of the GDPR. These principles outline what any company that has a digital presence need to keep accountable towards:

  1. Lawfulness, fairness, and transparency: Obey the law, only process personal data in a way that people would reasonably expect, and always be open about your data protection practices.
  2. Purpose limitation: You must normally only process personal data for the specific reason you collected it and nothing else.
  3. Data minimization: don't process any more data than you need.
  4. Accuracy: Make sure that any personal data you hold is adequate and accurate.
  5. Storage limitation: Don't store personal data for longer than you need to.
  6. Integrity and confidentiality: Always process personal data securely.

These principles build the foundation for why data is being collected and all of the data that DML is collecting has to fall in line with one of these six principles.

Site Visitor:

What data we collect

We use Cloudlfare analytics and it collects the following personal information about visitors to our website

  • IP address (first two bytes)
  • Timestamp of visit
  • Amount of visits
  • Country of visit
  • Page views by source
  • Referrer
  • Operating system
  • Browsers
  • Device type
  • Paths

As we only have access to their free analytics package, we only have access to the following:

  • Country of Visit
  • Amount of Visits

Why we collect website data

Our website analytics allows us to see how people are using our sites and improve their experience. We do not run cookies on our website.

Where website data is processed and stored

We use an analytics software run through Cloudflare, a service that adopts a privacy-first analytics approach. This means that they enable us to analyze traffic to our website, without compromising our users’ privacy. Their approach to customer data is outlined in their privacy policy and the data that we have access to is only visible for 30 days.

Opt-out of collection

You can opt out of our analytics by turning on Do Not Track in your browser. Find out how to do this for Google Chrome, Firefox, Safari, Internet Explorer and Microsoft Edge. If you do not opt-out, clicking any link on our website is taken as implied consent to our analytics run through Cloudflare on your device, unless you have disabled them in your browser as described above.

Third-party services

We also use third-party services to host and deliver website content. You can find out more about each of these services below:


DML’s website is built and hosted by Cargo, their approach to GDPR is highlighted here and also reflected in their Privacy Policy.


We host our blog on Medium, because its infrastructure is better suited to delivering blog content than our own. Find out more about how they use data in their privacy statement. Any reference to an identifiable individual in our blog space has been obtained with their consent, and all of our data is collected in this way.

If you opt-in to receiving our newsletter by email, you will explicility be asked for your consent to keep your email on file and we do not sell our email lists, or use them for anything else that is not expliclitily stated when signing up.

Our social media accounts

We use several social media accounts to share our work and that have been included on our website. We occasionally use the analytics tools provided by these platforms to understand how we can use these services better. Our social media accounts include the following and please check their privacy policies before sharing personal information:

Research participants

As a discovery organisation, research is an important part of our work: it helps us understand people’s needs and build better products and services. We treat all the notes, recordings and other data you collect during our research as personal data.

At the moment, we do not conduct any research with people under the age of 18.

What data we collect

We collect the following information from research participants:

Participant information

  • Full name
  • Telephone number
  • Email address
  • Address

Consent forms

  • Full name
  • Signature

Research material

  • Interview recordings (audio or video)
  • Quotes
  • Notes
  • Photos

Why we collect this data

We collect participant information to identify participants, and arrange sessions and follow-ups.

All research participants are given a consent form that outlines what the research involves, what information will be recorded and how it will be used. If the participant is happy to proceed we ask them to sign the form to confirm this.

We collect research material to reference during project work.

How long we keep research data

Participant information is deleted at the end of the project.

Our consent forms are kept on file for 6 years. All notes and digital files are destroyed or deleted 2 years after the research session. We delete any personal information provided to us from the research recruiter when the project has finished.

Where research data is processed and stored

Research material is separated from any identifiable information, such as consent forms, while we are working with it.

Any notes we gather during research sessions are stored securely. Any digital files (like audio, photos and videos) are stored on Google Drive and are only accessed by DML team members involved in the research. We may send audio of the research session to a transcriber if necessary. We review the privacy notices of the companies we use for this and ask for explicit consent from participants in our consent forms.

We may use research materials like quotes, photos, audio or video clips, in presentations to clients. We will only do this if we have consent from participants. We don’t connect this information to participants’ names.

Sometimes we may publish quotes from research sessions. We only do this if we have specific consent from the participant and any personally identifiable information has been removed. We will only publish audio, photos and video from a research session if a participant has given consent and has signed a model release form.

Opt-out of collection

Participants are able to withdraw their information from a project at any time. To do this, contact [email protected].

Potential and existing partners

What data we collect

We may collect the following information about our potential and existing clients:

  • Name
  • Company
  • Email address

Why we collect this data

We may process your personal data because it is necessary for the performance of a contract, or to take steps at your request prior to entering into a contract (for example, to enter into grant agreements with you).

Testimonials may be used on our website for promotional purposes.

How long we keep this data

We keep information about potential clients for 1 year from last contact, and information about existing clients for 2 years from last contact.

Where data about potential and existing partners is processed

We use the following services to store and process this data:

  • Google Workplace, including Gmail and Drive
    • Our servers for google are in the EU
  • Our workspace on Slack
  • Notion

Attendees of DML’s events

From time to time, we run events to share our insights and to connect with other Responsible Data practitioners.

What data we collect

We collect the following information from event attendees:

Attendee Registration

  • Full name
  • Telephone number
  • Email address
  • Job title and Company

During or after the event

  • Video and audio of the event (audio or video)
  • Quotes
  • Feedback

Why we collect this data

We collect attendee information to send the event invitation, provide help should there be any issues joining the event and to reach out for feedback.

We usually record the events we run so we can share them with people who were unable to attend. We may use comments we receive in the event itself to promote future events. All Attendees are told that the event will be recorded prior to the event starting.

We collect feedback to improve these events for Attendees.

How long we keep Attendee data

Attendee Registration data is deleted after 2 years after the event.

Videos of the events and the feedback we receive is kept indefinitely unless we are asked to remove it.

Where Attendee is processed and stored

All Attendee data is stored on Google Drive and is only accessed by DML team members.

We may use feedback materials like quotes, photos, audio or video clips, in presentations to clients. We will only do this if we have consent from Attendees. We don’t connect this information to Attendees’ names.

Sometimes we may publish quotes from the events we run. We only do this if we have specific consent from the Attendee. We will only publish audio, photos and video from an event if an Attendee has given consent and has signed a model release form.

Third-party services

We also use third-party services to plan, deliver and host event content. You can find out more about each of these services below:

Opt-out of collection

Attendees are able to withdraw their information at any time. To do this, contact [email protected].

Prospective Job applicants

What data we collect

We collect the following information about people who apply to join our team:

  • Full name
  • CV and supporting information
  • Email address
  • Covering letter
  • References
  • Phone number
  • Recruitment platform profile
  • Notes from interviews

If you progress to the final round of interviews, we may ask you explicitly if we can record your interview as we work in a distributed team spread across multiple timezones. This constitutes as special category data, only the recruiting team has access to the recordings, and they are deleted as soon as the job is filled.

We do not ask for background checks, sexual orientation, biometrics, health history, race or ethnicity, or any political memberships as part of the application process.

Why we collect recruitment data

Recruitment data is used to assess suitability for a role and to help us communicate with candidates.

How long we keep recruitment data

Recruitment data is deleted when a candidate leaves the recruitment process, is offered a job, or their application is unsuccessful. In some circumstances, when we believe the candidate could be a good fit for a position in the near future, we ask for their consent to store their CV & Resume on file for up to 1 year. After which it is deleted from our system.

Where recruitment data is processed and stored

We use several services to help us find people to join our team. At the moment, these include:

(If you want to exercise your rights on a particular service, please refer to its privacy policy for more information.)

We store CVs on Google Drive and our servers for google are in the EU. Only team members involved in the recruitment process have access to recruitment platform accounts, CVs and emails.

Things we don’t do

DML doesn’t participate in the following data processing activities:

  • Buying or selling marketing lists
  • Entering into data sharing agreements with other organisations
  • Postal marketing
  • CCTV surveillance

We don’t use “soft opt-in”, meaning you won’t receive any marketing communications from us unless you’ve specifically agreed to it.

Keeping data secure

We carefully choose our services and tools at Dark Matter Labs. It’s important that they follow good security practices, like HTTPS, two-factor authentication and the ability to set a strong password. We’ve reviewed the privacy policies and security practices of everything we use.

When a new team member joins DML, we explain best practices for keeping their devices secure, maintaining the security of their online accounts and working outside our offices.

Data breaches

In the event of an unlawful data breach of this website’s database or the database(s) of any of our third-party data processors, it will be assessed and if appropriate reported to any and all affected persons and relevant authorities without undue delay, and if feasible, within 72 hours of the discovery of the breach. In the event of a data breach, we are also required to notify the Information Commissioner’s Office. We will do so following their guidance.

Data transfer outside the EEA

We have reviewed the privacy policies of third party services we use. They provide adequate protections when information is shared outside of the European Economic Area. We have team members in South Korea and Canada, which are both countries that have been approved as adequate for their data policies by the European Commission.


There are exemptions to data protection regulations that may require us to share data about you, including requests by law enforcement. A full list of exemptions are listed on the ICO website – this also applies to data held about you by third party services we use.

Reviewing how we use data and changes to the Privacy Policy

Every quarter, we review our documentation of the data we handle and third party services we use. This helps us continuously improve our processes and hold ourselves to account. This process will help us to make sure our Privacy Policy is up to date with our latest discoveries!

This Privacy Policy is subject to change and may be updated by Dark Matter Labs, at its sole discretion, from time to time. We will notify you of any changes by posting the new policy on the Website and/or by any other method of notice we see fit, including by email. Please do review this Privacy Policy periodically for any changes.

Your rights and getting in touch

The General Data Protection Regulation gives EU & UK citizens the following rights, please familiarise yourself with them and we have provided links to understand each right in more detail.

  • Right to be informed
    • You have the right to be informed about how Dark Matter Labs is using your personal information and this privacy policy is an attempt to make that process very transparent.
  • Right of access
    • You have the right to request Dark Matter Labs for copies of your personal data. We may charge you a small fee for this service to cover the admin time that is required to deliver on this request.
  • Right to rectification
    • You have the right to request that Dark Matter LabsOur Company correct any information you believe is inaccurate or incomplete.
  • Right to erasure
    • You have the right to request that Dark Matter LabsOur Company erase your personal data, under certain conditions.
  • Right to restrict processing
    • You have the right to request that Dark Matter Labs restrict the processing of your personal data, under certain conditions. The right to object to processing - You have the right to object to Dark Matter Labs processing of your personal data, under certain conditions.
  • Right to data portability
    • You have the right to request that Dark Matter Labs transfer the data that we have collected to another organisation, or directly to you, under certain conditions.
  • Right to object - You have the right to object to your data processing, including profiling, when it is on relevant grounds. We do not perform direct marketing, but if we did, if you unsubscribe from marketing emails, Dark Matter Labs is not allowed to send you any more emails unless we get your consent.
  • Rights related to automated decision-making, including profiling - At Dark Matter Labs, we do not use any automated decision making tools and avoid profiling any of our data subjects. However, it is important to know that as one of your data rights under the GDPR you have the right to avoid automated decision making and ask for.

To exercise any of these rights, please contact us at [email protected]. You can find information specific to the services we use or our activities in the relevant sections of this document. We will respond to all requests within 28 days of receiving them.

If you aren’t satisfied by our response, you can contact the Information Commissioner’s Office.


Thanks to IF for publishing their Privacy Policy which we were able to fork and add to.

We’re a distributed team with presence around the world.

Dark Matter Laboratories B.V.
Pakhuis de Zwijger
Piet Heinkade 181K
1019 HC Amsterdam

KvK number: 75174405

United Kingdom
Dark Matter Laboratories Limited
217 Mare Street
London, E8 3QE

Company number: 13294211

Laboratoires de Matière sombre / Dark Matter LabsOrganisation à but non-lucratif canadien / Canadian not-for-profit 
6107 Av. de Monkland
Montréal, Québec
H4A 1H5

Numéro de l'organisation / Corporation number: 1196376-7

South Korea
주식회사 다크매터랩스코리아 / Dark Matter Labs Korea Co., Ltd 
#301, Pyeongtaek 5-ro 20beon-gil 8,
Pyeongtaek-si, Gyeonggi-do, 17902

경기도 평택시 평택5로 20번길 8, 301호, 우편번호 17902
사업자등록증: 808-88-01717

Mörk Materia Laboratoriet AB / Dark Matter Labs Sweden
Amiralsgatan 76 
21437, Malmö

Registration number: 559305-1047