Privacy notice

If you have any questions about this policy or our data processing practices, please contact our Data Protection Compliance Officer at the email address above.

We may collect and process the following categories of personal data:

• Identity data: name, title, date of birth, nationality, identification documents;
• Contact data: email address, telephone number, postal address;
• Case data: details about your fraud case, dispute, or legal matter;
• Financial data: bank account details, transaction records, financial information related to your claim;
• Communications data: correspondence, emails, records of telephone calls, messages sent through the Website;
• Technical data: IP address, browser type and version, time zone setting, browser plug-in types, operating system, cookie identifiers;
• Usage data: information about how you use our Website, including pages visited, time spent, and navigation patterns;
• Identity verification data: information collected for anti-money laundering and know-your-client procedures;
• Third-party data: information obtained from publicly available sources, credit reference agencies, other professional advisers, or opposing parties relevant to your matter.

Under Article 6 of the UK GDPR, we process your personal data on one or more of the following lawful bases:

• Consent: where you have given clear consent for us to process your personal data for a specific purpose;
• Contract: where processing is necessary for the performance of a contract with you, or to take steps at your request prior to entering into a contract;
• Legal obligation: where processing is necessary to comply with a legal obligation to which we are subject (including anti-money laundering regulations, Solicitors Regulation Authority requirements, and HMRC obligations);
• Legitimate interests: where processing is necessary for our legitimate interests or those of a third party, provided your rights do not override those interests. Our legitimate interests include providing legal services, managing our business, preventing fraud, and ensuring network and information security;
• Vital interests: where processing is necessary to protect someone’s life;
• Administration of justice: where processing is necessary for the establishment, exercise, or defence of legal claims.

We use your personal data for the following purposes:

• to provide legal consultancy, representation, and related services;
• to communicate with you about your case, enquiry, or our services;
• to comply with our legal, regulatory, and professional obligations (including SRA requirements);
• to fulfil anti-money laundering and identity verification obligations;
• to investigate and/or defend potential complaints, disciplinary proceedings, and legal proceedings;
• to invoice you for services and address any billing disputes;
• to improve our Website and services;
• to send you information about other services we provide which may be of interest, where you have consented;
• to maintain internal records and administer our business;
• to obtain professional indemnity insurance and respond to regulatory enquiries;
• to consult with credit reference agencies for creditworthiness or identity verification, with your consent where required.

In the course of providing legal services, we may process special category data, which includes information relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, sexual orientation, or criminal convictions and offences.

Where we process such data, we do so on the basis that it is necessary for the establishment, exercise, or defence of legal claims, or with your explicit consent, or as otherwise permitted under Article 9 of the UK GDPR and Schedule 1 of the Data Protection Act 2018.

We may share your personal data with:

• other professional advisers, barristers, experts, or counsel instructed in connection with your matter;
• courts, tribunals, regulatory bodies (including the SRA and the Legal Ombudsman);
• opposing parties or their legal representatives, where necessary for the conduct of your matter;
• our professional indemnity insurers;
• HM Revenue & Customs, the National Crime Agency, or other law enforcement agencies where required by law;
• credit reference agencies;
• external service providers who support our operations (e.g., IT support, cloud storage providers, transcription services), all of whom are bound by confidentiality obligations;
• cost specialists and auditors;
• any third party where you have given your consent or where required by law.

We will not sell, rent, or trade your personal data to any third party for marketing purposes.

Given the cross-border nature of many matters we handle, your personal data may be transferred to, stored in, or processed in countries outside the United Kingdom.

Where we transfer personal data outside the UK, we will ensure that appropriate safeguards are in place in accordance with the UK GDPR, including adequacy decisions, standard contractual clauses, or other approved transfer mechanisms, to ensure your data is protected to a standard consistent with UK data protection law.

We will retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements.

In general, client files and related data are retained for a period of six years from the date of our final invoice on a matter, after which they may be securely destroyed or deleted, unless:

• a longer retention period is required by law or regulation;
• the data is required for ongoing or anticipated legal proceedings;
• you have requested that specific documents be held in safe custody.

We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These measures include:

• encryption of data in transit and at rest where appropriate;
• access controls restricting data access to authorised personnel;
• regular security assessments and audits;
• staff training on data protection and information security;
• secure cloud storage with reputable providers bound by data processing agreements.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security.

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

• Right of access: to obtain confirmation of whether we process your personal data and to request a copy of that data;
• Right to rectification: to request correction of inaccurate or incomplete personal data;
• Right to erasure: to request deletion of your personal data where there is no compelling reason for continued processing;
• Right to restrict processing: to request the restriction of processing in certain circumstances;
• Right to data portability: to receive your personal data in a structured, commonly used, and machine-readable format;
• Right to object: to object to processing based on legitimate interests or for direct marketing purposes;
• Right to withdraw consent: where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal;
• Rights relating to automated decision-making: to not be subject to a decision based solely on automated processing which produces legal effects concerning you.

To exercise any of these rights, please contact our Data Protection Compliance Officer at compliance@ay-legal.co.uk. We will respond to your request within one month. There is no fee for making a request, although we may charge a reasonable fee if your request is manifestly unfounded or excessive.

Where we rely on your consent as the lawful basis for processing, you have the right to withdraw consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, please contact us at compliance@ay-legal.co.uk. Please note that withdrawal of consent may affect our ability to provide certain services to you.

We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you without human intervention.

We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you without human intervention.

Our Website may use cookies and similar technologies. Cookies may collect personal data such as your IP address or cookie identifiers. For full details about the cookies we use, how they work, and how to manage them, please see our Cookies Policy.

Our Website and services are not directed at children under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us so that we can take appropriate steps.

We are subject to obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and related legislation. This requires us to collect and verify identity information, establish the source of funds, and conduct ongoing monitoring.

In certain circumstances, we may be required to make disclosures to the National Crime Agency or other agencies without your knowledge or consent. Where such obligations apply, they override any duty of confidentiality we may otherwise owe to you.

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:

We would appreciate the opportunity to address your concerns before you approach the ICO. Please contact us at compliance@ay-legal.co.uk in the first instance.

We may update this Privacy Policy from time to time by publishing an amended version on the Website. Any updated version will take effect from the date it is published. We encourage you to review this page periodically to stay informed about how we protect your personal data.