2.1 Website Visitors

• Website usage data: Pages visited, time spent on pages, links clicked, navigation paths (collected via cookies with your consent - see our Cookie Policy)
• Technical data: IP address (anonymized), browser type and version, device type, operating system, general geographic location (country/city level)
• Communications: Information you provide when you contact us through forms, email, or phone

2.2 Prospective Clients (Inquiries and Quotes)

• Contact information: Name, email address, phone number, postal address
• Service inquiry details: Type of legal service needed, brief description of your legal matter
• Quote-related data: Information you provide when requesting a quote (e.g., property details for conveyancing, transaction values)

2.3 Current and Former Clients

• Identity data: Full name, date of birth, national insurance number, passport/driving license details
• Contact data: Postal address, email address, telephone numbers
• Financial data: Bank account details, payment card information, financial circumstances
• Case-related data: Information relevant to your legal matter, documents you provide, communications, case notes
• Special category data: Where necessary for your legal matter, we may process sensitive personal data such as health information, criminal convictions, or other data revealing racial or ethnic origin, political opinions, religious beliefs, or trade union membership (only with your explicit consent or where legally required)
• Third-party information: Information about other parties involved in your legal matter

3.1 Consent (Article 6(1)(a))

We process your data based on your consent when:

• You opt in to receive marketing communications
• You accept cookies for analytics (see our Cookie Policy)
• We process special category data (where explicit consent is required)

You have the right to withdraw your consent at any time.

3.2 Contract Performance (Article 6(1)(b))

We process your data when it is necessary for the performance of a contract with you or to take steps at your request before entering into a contract. This includes:

• Providing legal services and advice
• Administering your matter and maintaining your client file
• Processing payments
• Responding to your inquiries and providing quotes

3.3 Legal Obligation (Article 6(1)(c))

We process your data to comply with our legal and regulatory obligations, including:

• Solicitors Regulation Authority (SRA) requirements
• Money Laundering Regulations (identity verification and due diligence)
• Legal professional privilege and confidentiality obligations
• Court orders and legal proceedings
• Tax and accounting requirements
• Complaints handling and investigation

3.4 Legitimate Interests (Article 6(1)(f))

We process your data where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. This includes:

• Maintaining and improving our website and services
• Understanding how visitors use our website (analytics)
• Preventing fraud and ensuring the security of our systems
• Internal business administration and record-keeping
• Defending legal claims and protecting our rights
• Assessing suitability for employment (for job applicants)

3.5 Special Category Data (Article 9)

Where we process special category data (such as health information, criminal convictions), we rely on:

• Your explicit consent
• Necessity for legal claims or judicial proceedings
• Substantial public interest (legal advice and representation)

5.1 Third Parties We May Share Data With

• Other solicitors and legal professionals: Barristers, counsel, expert witnesses, other law firms (where required for your matter)
• Courts and tribunals: As required for legal proceedings
• Other parties to your matter: Opposing parties, their legal representatives, witnesses
• Regulators: Solicitors Regulation Authority (SRA), Information Commissioner's Office (ICO), Legal Ombudsman
• Law enforcement: Police, HM Revenue & Customs, National Crime Agency (where legally required)
• Service providers: IT providers, cloud storage providers, case management software providers, document management providers
• Financial institutions: Banks, payment processors
• Search providers: For property searches in conveyancing matters
• Land Registry and government bodies: For property transactions and other matters
• Professional advisors: Accountants, auditors, insurers

5.2 International Transfers

Some of our service providers may be located outside the United Kingdom. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as:

• Transfer to countries with adequacy decisions
• Standard Contractual Clauses approved by the ICO
• Binding Corporate Rules

For example, we use Google Analytics (Google LLC, USA) with appropriate data protection measures in place.

5.3 Legal Disclosure

We may disclose your personal data if required by law, court order, or to protect our legal rights, prevent fraud, or protect public safety.

6.1 Retention Periods

• Client files: We retain client files for a minimum of 7 years after the conclusion of a matter (as required by SRA regulations), or longer where the nature of the matter requires it (e.g., wills, property deeds)
• Financial records: 7 years from the end of the financial year (as required by tax law)
• Identity verification documents: 7 years after the end of the client relationship (money laundering regulations)
• Marketing consents: Until you withdraw consent or we determine the data is no longer relevant
• Website analytics: 26 months (Google Analytics setting)
• Inquiry data (non-clients): 2 years from last contact
• Employment records: 6 years after employment ends

6.2 Secure Disposal

When we no longer need your personal data, we securely delete or destroy it in accordance with our data retention and destruction policy.

7.1 Security Measures

• Encryption of data in transit (HTTPS/TLS) and at rest
• Secure access controls and authentication (multi-factor authentication)
• Regular security assessments and penetration testing
• Staff training on data protection and security
• Secure destruction of physical and electronic records
• Regular backups and disaster recovery procedures
• Firewall and anti-virus protection
• Limited access to personal data on a need-to-know basis
• Confidentiality agreements with all staff and contractors

7.2 Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR.

8.1 Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you. This is known as a "subject access request" (SAR). We will provide this information free of charge within one month of your request, unless the request is complex or manifestly unfounded.

8.2 Right to Rectification (Article 16)

You have the right to have inaccurate or incomplete personal data corrected. We will respond to your request within one month.

8.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data in certain circumstances, such as:

• The data is no longer necessary for the purposes it was collected
• You withdraw consent and there is no other legal basis for processing
• You object to processing and there are no overriding legitimate grounds
• The data was processed unlawfully

Important limitation: As solicitors, we are required by law and professional regulations to retain client files and certain records for specified periods. We cannot delete data where we have a legal obligation to retain it or where it is necessary for the establishment, exercise, or defence of legal claims.

8.4 Right to Restrict Processing (Article 18)

You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

8.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another data controller where:

• The processing is based on consent or contract performance
• The processing is carried out by automated means

8.6 Right to Object (Article 21)

You have the right to object to processing of your personal data where:

• Processing is based on legitimate interests
• Processing is for direct marketing purposes (you can opt out at any time)
• Processing is for scientific/historical research or statistical purposes

8.7 Rights Related to Automated Decision-Making (Article 22)

We do not currently use automated decision-making or profiling that produces legal effects or similarly significantly affects you. If this changes, we will update this policy and inform you.

8.8 Right to Withdraw Consent

Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.