Privacy Policy

1. About Us and Purpose

Disinformation Index Ltd (“GDI” “We,” “Us”, “Our”) is a not-for-profit organisation that operates on the three principles of neutrality, independence, and transparency. Our vision is a world free from disinformation and its harms. Our mission is to catalyse industry and government to defund disinformation.

This website is operated by Disinformation Index Ltd, a limited by guarantee without share capital in England (Company number11297397). We act as the Data Controller for any personal data collected through this website. We are also registered as a data controller with the Information Commissioner’s Office (“ICO”) and our registration number is ZA830060.

We are committed to handling personal information responsibly, transparently, and in line with applicable data‑protection requirements. This Notice explains how we may collect and use personal information for our routine website operations and general interactions with you (for example, when you visit our website, submit information to us online, contact us by phone or email, engage with our social media channels, or attend our events). It does not cover situations where we process personal data in connection with services provided under a separate agreement; in those cases, additional information is supplied at the relevant time, as required by law.

We also carry out research and analysis in support of our mission which may involve obtaining and using personal data from publicly accessible sources. Please see the Research Activities section for more information about those activities and the safeguards we apply.

For questions about how we handle personal data gathered for research purposes in support of our mission and any project work, please contact us at privacy@disinformationindex.org.

2. Children’s Data

This website is not intended for children under fourteen (14) and we do not knowingly collect personal data relating to children under 14. If you believe we have collected personal data from a child under 14, please contact us, and we will take appropriate steps to delete it.

3. Controller and contact details

The controller is Disinformation Index Ltd (GDI). Contact: privacy@disinformationindex.org; Postal: 124 City Road, London, England, EC1V 2NX. We have not appointed a Data Protection Officer (DPO) we can be contacted via privacy@disinformationindex.org (DPO if appointed).

4. Categories of personal data and sources

The categories of personal data we may process are described in the “Category / What / Why / Lawful basis” table below.

5. Special category data

We generally do not seek to collect or process special category personal data (as defined by Article 9 UK/EU GDPR). However, in limited circumstances (in connection with specific research activities), we may process special category data where necessary and where a valid Article 9 condition applies, with appropriate safeguards.

6. If we collect data from public sources

In some cases, we may collect personal data from publicly available sources (for example, public websites and publications) where relevant to our activities. We will only use such data for specific, legitimate purposes, will apply appropriate safeguards (such as minimisation and, where appropriate, aggregation or pseudonymisation), and will not collect more than we need; where providing an individual notice would involve disproportionate effort or is not possible, we will rely on the applicable UK/EU GDPR transparency exemptions to the extent permitted by law. Please also see the Research Activities section for more information.

7. Recipients / categories of recipients

We share personal data only as described in the Disclosures section, including with service providers we use to operate and secure the website and our business (for example, website hosting and IT support providers), and with professional advisers and public authorities where required by law.

8. Disclosures

We share your personal data only with third parties as necessary to operate and secure the website and our business (for example, website hosting and IT support providers), and with professional advisers and public authorities where required by law.

9. International transfers and safeguards

Where we transfer personal data outside the UK/EEA, we use appropriate safeguards as described in the International Transfers section (for example, UK IDTA/Addendum and/or EU Standard Contractual Clauses, and adequacy decisions where applicable).

10. Retention

We retain personal data for the periods described in the Retention table below or, where those periods do not apply, for as long as necessary for the relevant purposes and in line with applicable legal requirements.

11. Your rights and how to exercise them

Your rights and how to exercise them are described in the Data Subject Rights section. We may ask for information to verify identity, and rights may be subject to legal limitations/exemptions. You can make your requests by email via privacy@disinformationindex.org.

12. Donations

We are a charitable organisation that relies on donations to fund our services and initiatives. You may donate to us through our website or by reaching out to us separately. When you donate to us, we process your personal data such as name, email address, location, and financial information to accept and process your donation.

We maintain a record of your donations in our internal database for administering donations and maintaining our donor database for our legitimate interests. You may write to us if you wish to have your name removed from our internal database, subject to our legal obligations to retain certain records (for example for tax and accounting). We may retain transaction and related financial records for up to 7 years to comply with legal and accounting obligations. We do not sell information about our donors.

We use Donorbox to process donations made on our website. Donorbox uses your financial information to process your payment. We are joint controllers with this service provider, who simply pass donations through their services to us based on a transaction. These transactions are subject to the provider’s privacy notices/policies available here. Where we rely on legitimate interests, we consider and balance any potential impact on you and your rights before processing. Where we rely on consent, you can withdraw it at any time.

13. Cookies and similar technologies

We aim to minimise the use of cookies and similar technologies. We use only strictly necessary cookies (and similar technologies) for the website to function and to provide security. We do not use cookies for advertising or cross-site tracking; you can set your browser to block or alert you about these cookies, but some parts of the website may not work.

14. Data Subject Rights

Depending on your jurisdiction- see the Complaint section where we named a few-, you may have rights to access, correct, delete, port, restrict, object, and withdraw consent. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (this is a security measure). We respond to requests within the time limits set by applicable law and may extend the response period where permitted (for example, where requests are complex or numerous), in which case we will inform you of the extension and the reasons for it. Please note that these rights are not absolute and may be subject to legal limitations and exemptions under UK GDPR/EU GDPR and other applicable law.

15. Complaints

If you have any questions, concerns, or complaints about how we process personal data or about any of our research outputs, you may contact us using the details provided in this privacy notice. We encourage you to contact us in the first instance so that we can review and address your concerns.

We will consider any representations received and, where appropriate, review, clarify or update our findings.

You have the right to make a complaint at any time to the authority which supervises and enforce the personal data protection law that applies to you in your jurisdiction, for example the Information Commissioner’s Office (ICO) if you are in the UK, or your local EEA supervisory authority if you are in the EEA.

16. Which data protection law applies to you

Data protection laws can vary by where you are and how you interact with us. The main laws that may apply to our use of your personal data are:

If you are in the UK: we generally process your personal data under the UK GDPR and the Data Protection Act 2018, and the UK regulator is the Information Commissioner’s Office (ICO).

If you are in the European Economic Area (EEA): we may process your personal data under the EU GDPR, and the regulator is usually the data protection authority in the EEA country where you live, work, or where the issue happened.

If you are outside the UK/EEA: local privacy laws may apply to you in addition to (or instead of) UK GDPR/EU GDPR. If those local laws give you specific rights or require specific notices, we will comply with them where they apply.

As a general guide, the law that applies is often linked to where you are located when you use our website or provide your information, and whether our activities are directed to people in that country/region. This can be complex, and more than one law may apply.

If you are unsure which law applies to you, or which regulator you should contact, please email us at privacy@disinformationindex.org, and we will help you identify the most relevant jurisdiction and complaint route.

We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.

  • Email: privacy@disinformationindex.org
  • Postal: 124 City Road, London, England, EC1V
  • Data Protection Officer (if appointed): privacy@disinformationindex.org

17. Security

We implement technical and organisational measures to protect data. Where required by law, we notify regulators and affected individuals of breaches without undue delay.

18. Automated Decision‑Making

We do not subject your personal data to automated decision‑making or profiling that produces legal or significant effects.

19. Research Activities

We undertake research and related initiatives on issues such as harmful content online. The outputs of our research activities may be displayed in this website dedicated section in the form of reports or other digital tools or formats.

These activities may require us to process personal data, including special category (sensitive) personal data.

For our research activities, we may obtain personal data from a range of sources, including publicly accessible sources (such as public websites and public social media content) and platform tools where permitted by the relevant terms and applicable law.

The types of personal data we may collect include:

  • names and identifiers;
  • social media account information (including handles and publicly available posts);
  • location data;
  • professional or social affiliations; and
  • where necessary for a specific research project, limited special category data such as information relating to race or ethnic origin, political opinions, religious beliefs, health, or sexual orientation.

This data may be used to conduct analysis and produce research outputs and reports. Where we obtain data from online platforms, we aim to focus on information that is publicly accessible.

19.1 How we use and protect personal data

Personal data is collected and processed on a project-by-project basis, subject to strict internal controls. In particular:

  • we ensure that all processing has a valid lawful basis;
  • we minimise the collection of personal data and avoid collecting data that is excessive or irrelevant;
  • any personal data identified as unnecessary or inaccurate is deleted without undue delay; and
  • data is processed using secure systems and only accessed by authorised and trained personnel.

19.2 Publication and sharing

We do not publish research findings in a way that identifies individuals unless it is necessary and lawful to do so. In most cases:

  • data included in reports is aggregated, anonymised, or otherwise de-identified; and
  • personal data is not shared with third parties without appropriate safeguards.

We may share personal data with third parties only where this is necessary:

  • to perform our contractual obligations; or
  • to comply with legal or regulatory requirements.

19.3 Project-specific information notices

For research projects where we act as a data controller, we maintain a dedicated information notice. These notices set out:

  • the categories of personal data processed;
  • the lawful basis for processing;
  • retention periods;
  • security measures; and
  • any data sharing arrangements.

Due to the sensitive and confidential nature of certain projects, these notices are not routinely published on our website. However, you may request further information by contacting us at the details provided in this privacy notice.

In some cases, and particularly for research projects of limited scope or where prior engagement may not be appropriate, we may not notify relevant platforms or stakeholders in advance of publication. In such instances, we seek to ensure transparency by providing a clear route for enquiries or concerns to be raised following publication, and we are committed to reviewing and responding to any such requests promptly and, where appropriate, taking corrective action.

Please see the Complaints section 15 of this notice for details of how to contact us in relation to any enquiries or concerns.

19.4 Use of artificial intelligence

We may use artificial intelligence and automated analytical techniques to analyse data, particularly in relation to social media research.

Where such techniques are used, we ensure that:

  • the purpose of using these methods is clearly defined;
  • the methodology applied is documented and transparent; and
  • the conclusions drawn are presented clearly in our research outputs and supporting documentation.

20. Public notice (information where we obtain personal data indirectly – Article 14 GDPR)

This section applies where we obtain personal data about individuals from sources other than the individual. This may include publicly accessible sources (such as public websites and publicly available online content) and, in some circumstances, service providers acting on our instructions (for example, providers supporting our IT systems).

Categories of personal data and sources. The categories of personal data we may obtain indirectly depend on the context and may include identifiers and professional information (such as name, role, and organisation) and publicly available content and associated metadata.

Purposes and lawful bases. We use indirectly obtained personal data only for the purposes described in this Privacy Notice (including research and analysis consistent with our mission, and operating and protecting our organisation and systems). Our lawful bases are as described in this Privacy Notice (typically legitimate interests, and in some cases legal obligation, depending on the circumstances).

Disclosures. We disclose personal data only to the categories of recipients described in the Disclosures section and to public authorities where required by law.

International transfers, retention, and your rights. Information about international transfers, retention and your rights is set out in the relevant sections of this Privacy Notice.

Where we cannot provide individual notice. In some cases, providing the information required by Article 14 individually may be impossible or would involve disproportionate effort (for example, where we process large volumes of publicly accessible information). Where an applicable exemption applies, we may rely on it on a case-by-case basis and provide information through this notice to the extent permitted by law. If you have questions or wish to exercise your rights (including the right to object, where applicable), please contact us using the details in this Privacy Notice.

___

Last updated 20th April 2026