PRIVACY POLICY

Refreshing Law Limited – Privacy Notice & Data Protection Policy
Last updated: 14 October 2025

What this privacy policy covers

We take issues relating to your personal data seriously. This privacy policy explains how we handle and protect your personal data. We will always be clear about why we need the details we ask for and ensure that your personal information, or any belonging to a third party you provide to us, is kept as secure as possible.

We do not knowingly collect data relating to children.

Please read this privacy notice together with any other privacy or fair-processing notices we may provide on specific occasions when we are collecting or processing personal data about you. This policy supplements those notices and is not intended to override them.

This policy is provided in a layered format so you can click or scroll through to the relevant section. Please use the Glossary to understand the meaning of some terms used below.


1. Important information and who we are

Controller
Refreshing Law Limited is the controller responsible for your personal data (in the case of individual clients) or your employees’ personal data (in the case of employer clients). References in this policy to “we”, “us” or “our” mean Refreshing Law Limited.

Data Protection Officer (DPO)
We have appointed a Data Protection Officer (DPO) to oversee questions about this policy.
Contact: Lousha Reynolds
Email: lreynolds@refreshinglawltd.co.uk
Post: Refreshing Law Limited, 5 Romilly Park Road, Barry, Vale of Glamorgan, Wales, United Kingdom, CF62 6RN
Telephone: 02920 599 993

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection (www.ico.org.uk). We would appreciate the chance to address your concerns before you approach the ICO.

Changes to this notice
We may update this policy periodically. Any material changes will be communicated or published on our website.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Third-party links
Our website may include links to third-party websites. Clicking on those links may allow third parties to collect or share data about you. We are not responsible for their privacy statements and encourage you to read them before providing personal data.


2. The data we collect about you

Personal data means any information from which an individual can be identified. It does not include anonymised data.

We may collect, use, store and transfer different kinds of personal data, including:

  • Identity Data – names, titles, date of birth, gender, marital status.
  • Contact Data – billing and delivery addresses, email addresses, telephone numbers.
  • Financial Data – bank account details for refunds or payments.
  • Advice Data – information disclosed to obtain legal or practical advice.
  • Transaction Data – details about payments and services purchased.
  • Technical Data – internet protocol (IP) address, browser type, login data and similar technical identifiers.
  • Usage Data – information about how you use our website, services and materials.
  • Marketing and Communications Data – your preferences in receiving marketing from us.

We also collect and use Aggregated Data (statistical or demographic data) that cannot identify you. If we combine aggregated data with your personal data so that you can be identified, we treat it as personal data.

Special category data (sensitive personal data) may include:

  • Information about health or medical conditions;
  • Racial or ethnic origin, religious or philosophical beliefs;
  • Sexual life or sexual orientation;
  • Trade-union membership.

We will only process such data where:

  • You have given explicit consent (for individual clients), or
  • Processing is necessary for the establishment, exercise or defence of legal claims (for employer clients).

Criminal offence data may occasionally arise during legal advice. We will process this data only with your consent (for individual clients) or where necessary for advising your employer on legal matters.

If you fail to provide data
Where we need to collect personal data by law or to perform a contract with you, we may be unable to provide our services if you fail to provide the requested data. We will notify you if this applies.


3. How your personal data is collected

We collect data using several methods:

  • Direct interactions – you may provide data by completing forms, corresponding by email, phone or post, or otherwise engaging with us.
  • Automated technologies – we may collect Technical Data about your browsing via cookies and similar technologies.
  • Third-party sources – for example, referrals from another solicitor, accountant or HR service provider, or information from publicly available sources such as Companies House.

4. How we use your personal data

We will only use your personal data where permitted by law. Common lawful bases include:

  • Performance of a contract (Article 6(1)(b));
  • Legal or regulatory obligation (Article 6(1)(c));
  • Legitimate interests (Article 6(1)(f)), provided those interests are not overridden by your rights;
  • Consent (Article 6(1)(a)) – primarily for marketing;
  • Vital interests (Article 6(1)(d)) – rarely, in emergencies.

We process data to:

  • Carry out our contract or retainer with you or your employer;
  • Comply with legal requirements (e.g. anti-money-laundering checks);
  • Communicate with you and manage our client relationships;
  • Defend or establish legal claims;
  • Provide information about relevant services (where lawful).

We balance any legitimate interest against your privacy rights before relying on it. Details are available on request.

Marketing
If you work for an employer client, we may send you updates or information relevant to your organisation unless you opt out. Individual clients will not receive marketing communications unless you have consented. You may withdraw consent or opt out at any time by contacting us.

Cookies
Our website uses essential cookies required for functionality and limited analytics cookies operated by our hosting provider (WordPress). Non-essential cookies will only operate with your consent. See our Cookie Notice for details and how to manage preferences.

Automated decision-making
We do not use your personal data for automated decision-making or profiling that produces legal or significant effects.

Change of purpose
We will only use your personal data for the purpose for which it was collected unless the new purpose is compatible with the original one. If we need to use it for another purpose, we will notify you and explain the legal basis.


5. Disclosures of your personal data

We may share your data with:

  • Service providers (e.g. IT and administration support) acting as processors;
  • Professional advisers (lawyers, auditors, insurers, bankers);
  • Regulators such as the Solicitors Regulation Authority or HMRC;
  • Debt-collection agencies (where required to recover sums due);
  • Third parties to whom you ask us to refer you, but only with your consent.

All processors and advisers are bound by confidentiality, privacy and data-protection obligations.

In the event of a business sale, merger or restructuring, your data may transfer to the new entity on the same lawful basis.


6. International transfers

We primarily store and process personal data within the UK.

Where we use service providers outside the UK, we comply with UK GDPR restrictions on international transfers.

Specifically:

  • We use Mailchimp and SurveyMonkey, US-based services certified under the UK Extension to the EU–US Data Privacy Framework (UK–US Data Bridge), which provides an adequacy decision for eligible US organisations.
  • For any other transfers outside the UK not covered by an adequacy decision, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses and perform a transfer risk assessment as required by the ICO.

Further details or copies of the safeguards can be obtained by contacting our DPO.


7. Data security

We implement appropriate technical and organisational measures to prevent accidental loss, unauthorised access, alteration or disclosure of personal data. Access is restricted to those with a business need and subject to confidentiality obligations.

We maintain incident-response procedures and will notify you and the ICO of any personal data breach where legally required.


8. Data retention

We keep personal data only as long as necessary to fulfil the purposes for which it was collected, including to meet legal, accounting or regulatory requirements.

Typical retention periods are:

Type of data | Retention period
Client files (including Advice Data) | 6 years after matter closure
Financial and Transaction Data | 6 years after payment or service completion
Marketing contact data | until you withdraw consent or opt out
Technical / usage logs | up to 2 years, anonymised thereafter

After expiry, data is securely deleted or anonymised.

You may request erasure where applicable (see section 9).


9. Your legal privacy rights

Under data-protection law, you have rights to:

  • Access – obtain a copy of your personal data.
  • Rectification – correct incomplete or inaccurate data.
  • Erasure – request deletion where no lawful basis for retention remains.
  • Object – oppose processing based on legitimate interests or for direct marketing.
  • Restriction – suspend processing in certain circumstances.
  • Data portability – receive data in a machine-readable format or transfer it to another controller.
  • Withdraw consent – where processing relies on consent.

To exercise any rights, contact our DPO. We will respond within one month (extendable by up to two months for complex or multiple requests). No fee is charged unless a request is manifestly unfounded or excessive.

We may need to verify your identity before acting on your request.


10. Glossary

Legitimate Interest – our business interest in conducting and managing our services to deliver the best, most secure experience, provided this does not override your rights.
Performance of Contract – processing necessary to perform a contract with you or take pre-contractual steps.
Legal Obligation – processing necessary for compliance with a legal duty.
Controller – the person or organisation determining the purpose and means of processing personal data.
Processor – a person or organisation processing data on behalf of the controller.
Adequacy Decision / Data Bridge – a UK Government decision confirming another country ensures an adequate level of data protection.
Special Category Data – personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data for identification, health data, or data concerning a person’s sex life or sexual orientation.
Data Transfer Impact Assessment – risk assessment for international transfers outside the UK.


Contact us
For questions about this privacy notice or to exercise your rights, contact:

Data Protection Officer
Lousha Reynolds
Email: lreynolds@refreshinglawltd.co.uk
Refreshing Law Limited, 5 Romilly Park Road, Barry, CF62 6RN