Privacy Policy

KERF ("KERF," "we," "us," or "our") operates the website at kerf.co and provides customer evidence sprint services to product teams in regulated industries. This Privacy Policy explains how we collect, use, and protect information when you visit our website or engage with our services.

If you have questions about this policy, contact us at privacy@kerf.co.

Information you provide directly. When you submit an application, enquiry form, or contact us, we collect your name, email address, company name, job title, and any information you voluntarily share in your message.

Usage data. We collect standard web log data including your IP address, browser type, pages visited, time on site, and referral source. This data is used solely to understand how visitors use our website and to improve it.

Research participant data. When we conduct research interviews on behalf of clients, we collect data from participants under a separate informed consent process. That data is governed by the specific consent agreement provided at the time of recruitment.

We use the information we collect to:

• Respond to enquiries and evaluate applications for our sprint program
• Deliver and improve our research services
• Send service-related communications (e.g. sprint scheduling, deliverable handoff)
• Comply with legal obligations

We do not sell your personal information. We do not use your data for advertising targeting or share it with third-party marketing platforms.

For visitors in the European Economic Area or United Kingdom, we process personal data on the following bases: your consent (where you have provided it), the performance of a contract (when you engage our services), and our legitimate interests in operating and improving a professional services business.

You have the right to access, correct, or delete your personal data, to object to processing, and to data portability where applicable. To exercise any of these rights, contact us at privacy@kerf.co.

We retain contact and application data for up to 24 months from last interaction. Research deliverables and transcripts produced during a sprint engagement are retained for 12 months post-engagement, after which they are securely deleted unless a client requests extended retention in writing.

We use a limited set of third-party tools to operate our business, including cloud storage, email delivery, and analytics. Each vendor is selected for their data handling standards and is subject to data processing agreements where required by law.

We do not embed third-party advertising trackers, social media pixels, or behavioural profiling tools on our website.

Our website uses essential cookies required for basic functionality (e.g. session state). We do not use analytics cookies without your consent. Where a cookie consent banner is presented, your selection governs which non-essential cookies are set.

We implement industry-standard technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. All data in transit is encrypted via TLS. Access to personal data is restricted to personnel who require it to perform their role.

No method of internet transmission is 100% secure. If you believe your data has been compromised, contact us immediately at privacy@kerf.co.

We may update this Privacy Policy from time to time. Material changes will be noted with a revised "Last updated" date at the top of this page. Continued use of our website or services after a change constitutes acceptance of the revised policy.

For any privacy-related questions or requests, write to us at privacy@kerf.co.