Privacy notice: customers and employees of clients


We are solicitors, and we provide our clients with legal advice on a range of topics, including trying to resolve disputes and complaints before they turn into litigation, as well as helping them handle requests made under the data protection framework (such as requests for access to personal data, or for erasure). This notice applies to the data we process about customers or employees of clients (or someone else whose data we are processing to advise our client).

This page was last updated on 14th October 2019

📄 What data we hold

The information we hold inevitably depends on the advice we are being asked to give. It commonly includes:

  • Name and contact information
  • Details of the complaint or question, and correspondence history
  • Background information (such as account notes / product holding and usage information / billing and payment information if you are a customer, or employment / performance records if you are an employee)

Using your information

References to the basis of processing (e.g. "(Basis: Art. 6(f).)") are a reference to the article of the General Data Protection Regulation under which we undertake the processing in question.

Advise our client

We use the information we hold about you to give our client the best legal advice and service we can. This often includes reading through all the materials, working out what has happened and what needs to be done, and often writing a response for them to send on to you.

(Basis: Art. 6(f): this is necessary for our client's legitimate interests.)

Keep records of our advice

We keep records of our advice, to help us deal with follow-up questions, and also so we can demonstrate to our clients that we have given them the correct advice if they ask in the future.

(Basis: Art. 6(f): this is necessary for our own legitimate interests.)

Fulfil our legal and regulatory obligations

As solicitors in a regulated law firm, we have a whole host of professional regulatory obligations. If we have to process personal data to fulfil them — for example, if our regulator, the Solicitors Regulation Authority, demanded information — we will do so.

(Basis: Art. 6(c): we have to do this processing to comply with legal and regulatory obligations.)

Your data and the EEA

We do not transfer or process data outside the European Economic Area.

Occasionally, to provide a high quality of service, we may work on our clients' matters when we are outside the EEA (for example, when on business or even if we are on holiday). If we do this, your data will be stored securely on our devices (which all have full disk encryption), and any access back to our servers in the UK will be encrypted.

Your rights

The data protection framework gives you lots of rights in respect of processing of your personal data, but then it takes some away again where the processing relatins to the giving of legal advice. The relevant remaining rights are:

  • you can object to our processing for the purpose of giving our clients' legal advice, and we would balance your interests against our interests and the relevant client's interests, but this does not apply where the processing is necessary "for the establishment, exercise, or defence or legal claims.
  • you can ask us to correct inaccurate data we are processing about you. But you probably will not know what this is, or even that we are processing your data, since this processing falls outside the scope of the rights of transparency and access.
  • in some situations, the right to require us to erasure your personal data or to restrict our processing of it, but this does not apply where the processing is necessary "for the establishment, exercise, or defence or legal claims".

If you want to exercise any of these rights, please just contact us.

You also have the right to lodge a complaint about our processing with a supervisory authority — you probably want the UK's Information Commissioner's Office.

Third parties

As a general principle, we will not transfer your personal data without your permission to anyone other than the client to which the processing relates.

There are two exceptions to this:

  • It is possible, though unlikely, that we might be forced to disclose your information in response to a court order or other binding mandate.
  • As solicitors, we have professional duties, including to to co-operate with our regulator, the Solicitors Regulation Authority. We will still try to minimise any sharing of your personal data.

Technical security

All our computers are full-disk encrypted, as are our phones and tablets.

Our preference is to use PGP/GPG-encrypted email, but not all of our clients use this. We still offer opportunistic TLS encryption on our mail servers, so even if your data are not end-to-end encrypted, they are still likely to be encrypted in transmission between us and our client.

We have a secure document transfer portal, which we use to transfer data which is either too sensitive or too large for email.

"Normal" phone calls are not encrypted.

Retention periods

Data about clients' matters (e.g. records of advice): duration of the client's relationship with us, then seven years

Get in touch

email  Email

Please contact us via email:

Please encrypt it, if you can. Here is our PGP/GPG key. You can also find our keys on, and via Web Key Directory.

phone Voice & video

Please email and arrange a time to speak.

We offer "normal" phone calls, unencrypted SIP, and encrypted audio/video calls (matrix or jitsi).

We record calls.

We'll never spam you or sell your information. Ever. More info here.

Authorised Law Firm badge

View our Authorised Law Firm digital badge here. The badge is hosted by a third party (which purports to act as a processor of the Solicitors Regulation Authority). They used to load Google Analytics automatically, but the SRA has said that it is not going to do so "at the moment". As we cannot be sure when they might start to use it again, we suggest that you only view our badge if you are willing to send your IP address to the third party, and Google (to load a jQuery resource), and potentially for them to run Google Analytics JavaScript on your device. Here is the third party's privacy notice.

Other bits is:

  • authorised and regulated by the Solicitors Regulation Authority (626329)
  • subject to the SRA's code of conduct
  • a company registered in England and Wales (9856909) with a registered office address of 48A Dene Way, Donnington, Newbury, Berkshire, RG14 2JW
  • registered as a data controller with the Information Commissioner's Office (ZA152364)
  • registered for VAT in England and Wales (229 6427 86)