
Bratby Law Privacy Notice
Who we are
Bratby Law is a trading name of Bratby Law Ltd (company number 12539220), a company incorporated in England and Wales. Our registered office is at 167-169 Great Portland Street, 5th Floor, London, England, W1W 5PF.
Bratby Law Ltd is the data controller for the personal data described in this notice.
Contact: Rob Bratby, rob@bratby.law, +44 77 3831 2629, https://bratby.law.
ICO registration reference: ZA745605.
Overview
We take privacy and client confidentiality seriously.
In addition to our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), we have professional duties under the SRA Code of Conduct for Solicitors (paragraphs 6.3 to 6.5) to keep all client information confidential, whether or not it constitutes personal data.
We are a virtual organisation that makes extensive use of cloud computing. We have documented and implemented an information and data security policy in line with guidance from the Solicitors Regulation Authority, the Law Society, the Information Commissioner’s Office and the National Cyber Security Centre. We review and update this policy regularly.
We use secure, enterprise-grade AI tools to enhance accuracy and efficiency in our legal work. AI tools are assistive only: we remain fully responsible for all professional advice we provide. Under our contractual arrangements with AI suppliers, and in accordance with our internal AI Use Policy, client data is not used to train, fine-tune or improve AI models.
What personal data we collect
We collect personal data from the following sources: our clients, their employees, advisors, customers, suppliers and partners; users of our website and newsletter subscribers; attendees at events and conferences; publicly available sources including internet searches and published data; credit rating and anti-money laundering agencies; government bodies and regulators; and individuals we meet or interact with in the course of business.
Purposes, legal bases and what we do with your data
We process personal data for the following purposes and on the following legal bases under Article 6(1) UK GDPR.
Contractual necessity (Article 6(1)(b)). We process personal data where necessary to perform contracts with our clients and suppliers, including service delivery, billing and collections.
Legitimate interests (Article 6(1)(f)). We process personal data for the legitimate purpose of running our business and providing legal advice, including: sales and marketing; due diligence and risk assessment; conflict checking; client and customer care; recruitment and retention of staff and consultants; obtaining and managing professional indemnity insurance and insurance claims; accounting and audits; and the defence or pursuit of legal claims. We do not consider that processing on this basis is likely to result in unwarranted prejudice to your rights and freedoms, and we review this assessment regularly.
Legal obligation (Article 6(1)(c)). We process personal data to comply with obligations imposed by the Solicitors Regulation Authority, anti-money laundering legislation, company law, tax and accounting requirements, and other legal obligations including the prevention of crime.
Consent (Article 6(1)(a)). Where no other legal basis applies and we rely on your consent, we will clearly specify what you are consenting to. You may withdraw your consent at any time by contacting us at rob@bratby.law.
We do not undertake any automated decision-making or profiling as defined by Article 22 UK GDPR.
Who we share your data with
We use third-party cloud-based service providers as data processors, each subject to written contracts with appropriate technical and organisational controls under Article 28 UK GDPR. Our key processors are:
- Microsoft (email, document creation and storage);
- Apple (end-user devices and document storage);
- Google (analytics, AI-assisted research and analysis via Gemini and NotebookLM);
- Xero (accounting and financial information);
- Starling Bank (banking services);
- Kinsta (website hosting);
- MailPoet / Automattic (newsletter subscription management and email delivery);
- Veriphy (anti-money laundering compliance checks);
- Adobe (PDF document processing);
- Anthropic, PBC (enterprise AI system for document analysis and creation assistance);
- OpenAI (enterprise AI system for document analysis and research assistance);
- LexisNexis (legal research and AI-assisted analysis via Lexis+ Protege); and
- Law Insider (legal clause research and benchmarking).
We may also disclose personal data to regulators, law enforcement authorities, and professional advisors where required by law or to protect our legal rights.
International transfers
Some of our processors transfer personal data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place. Transfers to the United States are covered by the UK extension to the EU-US Data Privacy Framework (where the recipient is certified) or by the UK International Data Transfer Agreement / UK Addendum to the EU Standard Contractual Clauses. Transfers to countries covered by UK adequacy regulations proceed on that basis.
Details of the specific transfer mechanisms relied upon by each processor are available on request.
Cookies and similar technologies
This website uses cookies and similar storage and access technologies on your device. Our use of those technologies is governed by regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended by the Data (Use and Access) Act 2025, and, to the extent we process personal data obtained through those technologies, by the UK GDPR.
We use four categories of cookies.
Strictly necessary cookies. These are required to deliver the website, to operate the cookie preference banner and to maintain basic security and session state. They are set without your consent because they fall within the “strictly necessary” exception in regulation 6 PECR. You cannot switch these off through the banner.
Analytics cookies. We use Google Analytics 4 to understand how visitors use the site at an aggregate level, including pages visited, time on site, and referral sources. We use the results only to improve the site and the content we publish. Analytics cookies are set only if you give consent through our cookie preference banner. Before consent is given, Google Consent Mode v2 is configured so that no analytics cookies are written and no identifiable data is sent to Google.
Functional cookies. We use a small number of cookies to remember preferences you have set on the site, such as your cookie preferences themselves. These are set only with your consent.
Advertising and personalisation cookies. We do not set these by default. Google Consent Mode v2 is configured to keep ad_storage, ad_user_data and ad_personalization denied unless you accept all cookies.
Legal basis. Where we rely on consent under regulation 6 PECR, we also rely on your consent as the lawful basis for any related processing of personal data under Article 6(1)(a) UK GDPR. Where we rely on the strictly necessary exception, we rely on our legitimate interests under Article 6(1)(f) UK GDPR in operating and securing the website.
Changing your choices. You can review or change your cookie choices at any time by clicking the “Cookie preferences” link in the footer of every page. You can also block or delete cookies through your browser settings.
International transfers. Where analytics data is collected through Google Analytics 4, it may be transferred to Google LLC in the United States. We rely on the UK extension to the EU-US Data Privacy Framework (to which Google LLC is self-certified) as the transfer mechanism.
Embedded content from other sites
Our pages may include content embedded from other websites, such as videos or social media feeds. Embedded content behaves as if you had visited the originating site, which may set its own cookies and collect data about you. We have no control over the technologies used by those third parties. Their use of storage and access technologies on your device is governed by their own privacy and cookie notices.
Newsletter and marketing communications
We publish a blog at bratby.law/blog covering developments in UK telecoms regulation, data protection and payments regulation. You may subscribe to receive notifications of new posts by completing the subscription form on our blog pages.
When you subscribe, we collect your name, email address, and (optionally) your company name and position. We also record your topic preferences so that we can send you content relevant to your interests. This data is processed by MailPoet (a service operated by Automattic Inc.) on our behalf under a data processing agreement.
Legal basis. We send newsletter emails on the basis of your consent (Article 6(1)(a) UK GDPR). Consent is obtained through a double opt-in process: after you submit the subscription form, you will receive a confirmation email and must click the confirmation link before any marketing emails are sent. This process also satisfies the consent requirements of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Withdrawal of consent. You may unsubscribe at any time by clicking the unsubscribe link included in every newsletter email, or by contacting us at rob@bratby.law. On unsubscription, we will stop sending marketing emails and delete your subscriber data within 30 days.
We do not share subscriber data with any third party for their own marketing purposes. We do not purchase mailing lists or add contacts to our subscriber list without their explicit consent.
How long we retain your data
We retain personal data for the minimum period necessary. For client matter files, we retain information for the duration of the relevant active retainer plus six years (the primary limitation period under the Limitation Act 1980), unless a longer period is required by client instructions, legal or regulatory obligation, or a potential or actual dispute. For other categories of personal data (such as marketing contacts, newsletter subscriber data, and website analytics), we apply shorter retention periods appropriate to the purpose.
Your data protection rights
Under UK GDPR, you have the following rights:
- Access — you have the right to request copies of your personal data.
- Rectification — you have the right to ask us to correct inaccurate data or complete incomplete data.
- Erasure — you have the right to ask us to delete your personal data in certain circumstances.
- Restriction — you have the right to ask us to restrict processing in certain circumstances.
- Objection — you have the right to object to processing based on legitimate interests or for direct marketing purposes.
- Data portability — you have the right to request transfer of your data to another organisation in a structured, commonly used format, in certain circumstances.
- Withdrawal of consent — where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
There is no charge for exercising your rights. We will respond to any request within one calendar month. Contact us at rob@bratby.law or +44 77 3831 2629.
Provision of personal data is not a statutory requirement. However, where we need personal data to enter into or perform a contract with you (including for anti-money laundering checks), failure to provide it may mean we are unable to act for you.
Complaints
If you are dissatisfied with how we handle your personal data, please contact rob@bratby.law in the first instance. We will acknowledge your complaint within 30 days and respond without undue delay.
We will deal with complaints in accordance with our written complaints procedure, which is available on request.
If we do not resolve your concern, you may complain to the Information Commissioner’s Office: telephone 0303 123 1113, or online at https://ico.org.uk/make-a-complaint/.
Changes to this notice
We may update this privacy notice from time to time. The current version will always be available on this page.
This notice was last updated in March 2026.
