
Bratby Law Privacy Notice
Who we are
Bratby Law is a trading name of Bratby Law Ltd (company number 12539220), a company incorporated in England and Wales. Our registered office is at 167-169 Great Portland Street, 5th Floor, London, England, W1W 5PF.
Bratby Law Ltd is the data controller for the personal data described in this notice.
Contact: Rob Bratby, rob@bratby.law, +44 77 3831 2629, https://bratby.law.
ICO registration reference: ZA745605.
Overview
We take privacy and client confidentiality seriously.
In addition to our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (as amended by the Data Use and Access Act 2025), we have professional duties under the SRA Code of Conduct for Solicitors (paragraphs 6.3 to 6.5) to keep all client information confidential, whether or not it constitutes personal data.
We are a virtual organisation that makes extensive use of cloud computing. We have documented and implemented an information and data security policy in line with guidance from the Solicitors Regulation Authority, the Law Society, the Information Commissioner’s Office and the National Cyber Security Centre. We review and update this policy regularly.
We use secure, enterprise-grade AI tools to enhance accuracy and efficiency in our legal work. AI tools are assistive only: we remain fully responsible for all professional advice we provide. Under our contractual arrangements with AI suppliers, and in accordance with our internal AI Use Policy, client data is not used to train, fine-tune or improve AI models.
What personal data we collect
We collect personal data from the following sources: our clients, their employees, advisers, customers, suppliers and partners; users of our website and newsletter subscribers; attendees at events and conferences; publicly available sources including internet searches and published data; credit rating and anti-money laundering agencies; government bodies and regulators; and individuals we meet or interact with in the course of business.
Purposes, legal bases and what we do with your data
We process personal data for the following purposes and on the following legal bases under Article 6(1) UK GDPR.
Contractual necessity (Article 6(1)(b)). We process personal data where necessary to perform contracts with our clients and suppliers, including service delivery, billing and collections.
Legitimate interests (Article 6(1)(f)). We process personal data for the legitimate purpose of running our business and providing legal advice, including: sales and marketing; due diligence and risk assessment; conflict checking; client and customer care; recruitment and retention of staff and consultants; obtaining and managing professional indemnity insurance and insurance claims; accounting and audits; and the defence or pursuit of legal claims. We do not consider that processing on this basis is likely to result in unwarranted prejudice to your rights and freedoms, and we review this assessment regularly.
Legal obligation (Article 6(1)(c)). We process personal data to comply with obligations imposed by the Solicitors Regulation Authority, anti-money laundering legislation, company law, tax and accounting requirements, and other legal obligations including the prevention of crime.
Consent (Article 6(1)(a)). Where no other legal basis applies and we rely on your consent, we will clearly specify what you are consenting to. You may withdraw your consent at any time by contacting us at rob@bratby.law.
We do not undertake any automated decision-making or profiling as defined by Article 22 UK GDPR.
Who we share your data with
We use third-party cloud-based service providers as data processors, each subject to written contracts with appropriate technical and organisational controls under Article 28 UK GDPR. Our key processors are:
- Microsoft (email, document creation and storage);
- Apple (end-user devices and document storage);
- Google (analytics, AI-assisted research and analysis via Gemini and NotebookLM);
- Xero (accounting and financial information);
- Starling Bank (banking services);
- Kinsta (website hosting);
- Veriphy (anti-money laundering compliance checks);
- Adobe (PDF document processing);
- Anthropic, PBC (enterprise AI system for document analysis and creation assistance);
- OpenAI (enterprise AI system for document analysis and research assistance);
- LexisNexis (legal research and AI-assisted analysis via Lexis+ Protege); and
- Law Insider (legal clause research and benchmarking).
We may also disclose personal data to regulators, law enforcement authorities, and professional advisers where required by law or to protect our legal rights.
International transfers
Some of our processors transfer personal data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place. Transfers to the United States are covered by the UK extension to the EU-US Data Privacy Framework (where the recipient is certified) or by the UK International Data Transfer Agreement / UK Addendum to the EU Standard Contractual Clauses. Transfers to countries covered by UK adequacy regulations proceed on that basis.
Details of the specific transfer mechanisms relied upon by each processor are available on request.
Cookies and analytics
We use Google Analytics 4 (GA4) to understand how visitors use our website. GA4 uses cookies to collect anonymised usage data including pages visited, time on site and referral sources. This data may be transferred to Google’s servers in the United States under the EU-US Data Privacy Framework (to which Google LLC is certified). You can opt out of Google Analytics tracking by installing the Google Analytics opt-out browser add-on.
Our website may include embedded content from other websites (such as videos or social media feeds). Embedded content behaves as if you had visited the originating website, which may collect data about you, use cookies, and track your interaction with the embedded content.
How long we retain your data
We retain personal data for the minimum period necessary. For client matter files, we retain information for the duration of the relevant active retainer plus six years (the primary limitation period under the Limitation Act 1980), unless a longer period is required by client instructions, legal or regulatory obligation, or a potential or actual dispute. For other categories of personal data (such as marketing contacts and website analytics), we apply shorter retention periods appropriate to the purpose.
Your data protection rights
Under UK GDPR, you have the following rights:
- Access — you have the right to request copies of your personal data.
- Rectification — you have the right to ask us to correct inaccurate data or complete incomplete data.
- Erasure — you have the right to ask us to delete your personal data in certain circumstances.
- Restriction — you have the right to ask us to restrict processing in certain circumstances.
- Objection — you have the right to object to processing based on legitimate interests or for direct marketing purposes.
- Data portability — you have the right to request transfer of your data to another organisation in a structured, commonly used format, in certain circumstances.
- Withdrawal of consent — where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
There is no charge for exercising your rights. We will respond to any request within one calendar month. Contact us at rob@bratby.law or +44 77 3831 2629.
Provision of personal data is not a statutory requirement. However, where we need personal data to enter into or perform a contract with you (including for anti-money laundering checks), failure to provide it may mean we are unable to act for you.
Complaints
If you are dissatisfied with how we handle your personal data, please contact rob@bratby.law in the first instance. We will acknowledge your complaint within 30 days and respond without undue delay.
We will deal with complaints in accordance with our written complaints procedure, which is available on request.
If we do not resolve your concern, you may complain to the Information Commissioner’s Office: telephone 0303 123 1113, or online at https://ico.org.uk/make-a-complaint/.
Changes to this notice
We may update this privacy notice from time to time. The current version will always be available on this page.
This notice was last updated in March 2026.
