Privacy Policy

How we collect, use and protect personal data

We are committed to handling personal data responsibly, securely, and in line with UK data protection law.

This Privacy Policy explains what personal data we collect, how and why we use it, who we share it with, how long we keep it, and the rights you have in relation to it.

It applies whether you interact with us as a client, prospective client, supplier, business contact, or website visitor. It should be read together with our Cookies Policy and, where relevant, our Data Processing Addendum.

This section explains who we are, when this Privacy Policy applies, and the different roles we may have when handling personal data.

This Privacy Policy applies to personal data we process about prospective clients, clients, website visitors, suppliers, business partners, and other individuals who contact us or whose details are provided to us in connection with our services.

We act as a data controller where we decide what personal data to collect and how to use it. We act as a data processor, handling personal data strictly on behalf of a client and in line with their instructions, for example, when information is processed through the Client Hub as part of the services we provide.

This Privacy Policy does not apply where we process personal data strictly on behalf of a client as a processor. In those cases, the client is responsible for that personal data, and their own privacy information will apply. Our role in those situations is governed by our Data Processing Addendum.

We are registered with the UK Information Commissioner’s Office under registration number CSN3427257. We are also Cyber Essentials certified, reflecting recognised UK cyber security standards in the way we manage and protect information.

This section explains the types of personal data we may collect, depending on how you interact with us.

We may collect and use the following categories of personal data:

  • Identity data, such as your name, title, and date of birth.
  • Contact data, such as your email address, telephone number, and postal address.
  • Financial data, such as billing details and payment information.
  • Technical data, such as IP address, browser type, operating system, device information, login data, cookies, and analytics data.
  • Usage data, such as information about how you use our website, Client Hub, and services.
  • Profile data, such as usernames, passwords, preferences, communication history, and matter history.
  • Marketing data, such as your communication preferences and whether you want to receive updates from us.
  • Content you choose to share, such as documents, images, audio, or video provided as part of a matter or enquiry.

In limited cases, we may also process special category data, such as information about health, racial or ethnic origin, or trade union membership, and criminal offence data, such as information relating to criminal convictions or allegations, where this is necessary and permitted by law.

This section explains why we use personal data and the legal grounds we rely on.

We only use personal data where we have a valid legal basis to do so under UK data protection law. Depending on the circumstances, we may use personal data to:

  • respond to enquiries and assess whether we can assist;
  • onboard clients and administer accounts;
  • provide legal and related services;
  • verify identity and carry out compliance, AML, or KYC checks;
  • process payments and manage billing;
  • communicate about services, matters, updates, and support;
  • maintain records and comply with legal, regulatory, tax, and accounting obligations;
  • protect our systems, prevent fraud, and manage business risk;
  • improve our website, services, and user experience; and
  • send marketing communications where we are permitted to do so.

The lawful bases we rely on may include:

  • contract, where processing is necessary to take steps before entering into an agreement or to perform our contract with you;
  • legal obligation, where processing is necessary for compliance with a legal or regulatory duty;
  • legitimate interests, where processing is necessary for our legitimate business interests, provided those interests are not overridden by your rights and interests; and
  • consent, where you have given clear permission, including for certain marketing communications or where explicit consent is required.

Where we process special category data or criminal offence data, we only do so where an additional legal condition applies, such as where processing is necessary for the establishment, exercise, or defence of legal claims, where required by employment or social security law, where explicit consent has been given, or where another lawful condition applies.

Where we act as a processor, we process personal data only on the client’s instructions and in accordance with the applicable contractual and data protection arrangements.

This section explains how we handle marketing communications, cookies, and similar technologies.

We may send you information about our services where you are an existing client and the law allows us to do so, or where you have consented to receive marketing from us.

You can opt out of marketing communications at any time by using the unsubscribe link in our emails or by contacting support@lawyerlink.co.

We do not sell personal data, and we do not allow third parties to use your personal data for their own direct marketing without your consent.

Our website also uses cookies and similar technologies. For more information about how we use them, please see our Cookies Policy.

This section explains who we may share personal data with and what happens if it is transferred outside the UK.

We may share personal data with:

  • our employees, consultants, and contractors who need access to it for legitimate business purposes and who are subject to confidentiality obligations;
  • service providers and processors who support our systems and operations, such as technology, cloud, hosting, payment, communications, and support providers;
  • professional advisers, such as accountants, auditors, insurers, and external legal advisers;
  • regulators, law enforcement bodies, courts, tribunals, or public authorities where disclosure is required or appropriate; and
  • carefully selected service partners who support the delivery, administration, promotion, or security of our services, acting on our behalf under appropriate contractual controls.

We require third parties who process personal data for us to handle it securely, confidentially, and only for authorised purposes.

Most personal data is stored and processed in the UK or in jurisdictions with appropriate protections. Where personal data is transferred outside the UK, we will ensure that appropriate safeguards are in place. These may include an adequacy decision, the UK International Data Transfer Agreement, or other approved transfer mechanisms.

You may contact us if you would like more information about the safeguards we use for international data transfers.

This section explains the security measures we use and how long personal data is retained.

We use appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, misuse, alteration, or disclosure.

These measures may include encryption, access controls, authentication measures, monitoring, secure hosting environments, staff training, and procedures for managing incidents and restoring systems if needed.

No system can ever be completely secure, but we take information security seriously and continually review our safeguards. Security is also a shared responsibility. If you use our Client Hub or other account-based services, you are responsible for keeping login details confidential and managing account access appropriately.

We only keep personal data for as long as reasonably necessary for the purposes for which it was collected, including for legal, regulatory, tax, accounting, insurance, and record-keeping reasons.

Retention periods may vary depending on the nature of the data and the relationship involved. By way of example:

  • client matter files may be kept for up to 7 years after the end of the client relationship;
  • AML and KYC records may be kept for 5 years where required by law;
  • marketing data may be kept until you opt out or withdraw consent;
  • website analytics may be kept for up to 2 years; and
  • supplier and contractual records may be kept for up to 7 years after the relevant relationship ends.

Where data is no longer needed, we will securely delete it or anonymise it.

This section explains the rights you may have under UK data protection law and what to do if you have concerns.

Depending on the circumstances, you may have the right to:

  • request access to the personal data we hold about you;
  • request correction of inaccurate or incomplete data;
  • request deletion of personal data where there is no lawful reason for us to keep it;
  • request restriction of processing;
  • object to our processing, including direct marketing;
  • request portability of certain personal data; and
  • withdraw consent where we rely on consent.

We do not use personal data for automated decision-making or profiling that produces legal effects or similarly significant effects.

These rights are not absolute, and there may be situations where we are entitled or required to refuse a request, or where an exemption applies. If that happens, we will explain our position.

We may ask for proof of identity before responding to a request. We will usually respond within one month, although that period may be extended where permitted by law.

If you have any concerns about how we collect, use, or protect personal data, please contact us first so that we can try to resolve the issue. You also have the right to complain to the Information Commissioner’s Office.

This section explains how to contact us about privacy matters and how changes to this Privacy Policy will be handled.

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact:

Data Protection Officer: Willie van der Merwe
Email: dpo@lawyerlink.co

We may update this Privacy Policy from time to time to reflect changes in our services, systems, legal obligations, or the way we process personal data.

The latest version will always be available on our website and, where relevant, through the Client Hub.