LEGAL

Privacy Policy

Version 2.0 · Last updated 21 May 2026

This Privacy Policy explains how Lawyerly Ltd collects, uses, shares, and protects personal data, and the rights you have in relation to your personal data. It applies to personal data we process as a controller, including personal data we collect about prospective clients, clients, people connected with our clients, website visitors, job applicants, suppliers, and other contacts.

Where we handle personal data on behalf of a client in connection with legal services, we do so as a processor under the client’s instructions. That processing is governed by our Data Processing Addendum, not by this Privacy Policy.

If you originally engaged with us when our service was offered under the name "Lawyerlink", this Privacy Policy applies to any personal data we hold about you from that earlier engagement. The legal entity controlling the personal data, Lawyerly Ltd (Company No. 15697410), has not changed.

This Privacy Policy should be read together with our Cookies Policy, our Data Processing Addendum (where relevant), and any specific privacy information we provide when we collect personal data from you.

1.1

Lawyerly Ltd

Lawyerly Ltd is a private limited company registered in England and Wales with company number 15697410. Our registered office is at 3rd Floor, 45 Albemarle Street, London, W1S 4JL.

We are the controller of the personal data we collect and process as described in this Privacy Policy. We are registered with the Information Commissioner’s Office.

1.2

Our Data Protection Officer

We have appointed Willie van der Merwe as our external Data Protection Officer. The Data Protection Officer is responsible for overseeing how we handle personal data, advising on data protection compliance, and acting as a point of contact for data subjects and the Information Commissioner’s Office. You can contact the Data Protection Officer at support@lawyerly.co.

1.3

Our regulatory framework

Lawyerly is a commercial legal service. Legal services are delivered by solicitors who are individually authorised and regulated by the Solicitors Regulation Authority and remain personally bound by the SRA’s professional rules and Code of Conduct. We are committed to handling personal data in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003.

1.4

How to contact us

You can contact us about this Privacy Policy or any data protection matter:

  • by email at support@lawyerly.co

  • by post to 3rd Floor, 45 Albemarle Street, London, W1S 4JL

  • by phone on 0203 442 8479.

If you have a specific concern about how we handle your personal data, please address your message to the Data Protection Officer.

Personal data means any information relating to an identified or identifiable individual. It includes obvious identifiers such as a name, email address, or phone number, as well as less obvious information that can be linked to an individual, such as an IP address, account identifier, or device identifier.

Special category data is a more sensitive subset of personal data that includes information about health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify an individual, sex life, or sexual orientation. We handle special category data only in limited circumstances, which are set out in the Special Category Data clause below.

 

The personal data we collect depends on how you interact with us. The sections below describe the main categories of personal data we collect and the people they relate to.

3.1

Prospective clients and enquirers

When you enquire about our services, we may collect:

  • your name, role, and business contact details;

  • information about the business you represent;

  • information about your legal need or the matter you are enquiring about;

  • records of our communications with you, including emails, forms, calls, and meetings; and

  • marketing preferences and any consents you have given.

3.2

Clients and individuals connected with clients

When you become a client or are connected with a client business (for example, as a director, officer, employee, shareholder, or other contact), we may collect:

  • your name, role, business contact details, and signature where relevant;

  • identification and verification information collected for anti-money laundering and know-your-client checks, including identity documents and proof of address;

  • information about the client business and your relationship to it;

  • payment and billing information;

  • records of our communications and meetings, including recordings and transcripts of meetings where you have consented;

  • documents and information you provide to us in connection with a matter; and

  • information generated through your use of the Client Hub, including login records, activity logs, and uploaded content.

3.3

Website visitors

When you visit our website, we may collect:

  • technical information such as IP address, browser type, device type, and operating system;

  • usage information such as pages viewed, time on site, and referring sources; and

  • information you submit through web forms, including any message content.

We explain how we use cookies and similar technologies in our Cookies Policy.

3.4

Job applicants

When you apply for a role with us, we may collect your CV, covering letter, employment history, references, right to work documentation, contact details, and any other information you provide as part of your application or that we obtain through reference checks. Successful applicants will receive a separate Employee Privacy Notice covering the wider scope of staff personal data we hold.

3.5

Suppliers and other contacts

When we engage suppliers, advisers, or other contacts, we may collect the business contact details of relevant individuals, their role, and information necessary to manage the relationship and any associated payments.

We collect personal data in several ways:

  • directly from you, when you contact us, sign up for our services, use the Client Hub, attend meetings, or send us documents;

  • from your colleagues or representatives, where they provide information about you in connection with a client matter or business relationship;

  • from publicly available sources, including company registers, court records, sanctions lists, and other open records, particularly for client due diligence purposes;

  • from third parties we engage on our behalf, such as identity verification providers; and

  • automatically through our website and our service infrastructure, including the Client Hub, our email systems, and our security tools.

We process personal data only where we have a lawful basis under the UK General Data Protection Regulation. The lawful bases we rely on most often are:

  • performance of a contract with you or to take steps at your request before entering into a contract;

  • compliance with a legal or regulatory obligation, including our anti-money laundering, SRA, accounting, and tax obligations;

  • our legitimate interests in operating our business, providing our services, protecting our information and systems, developing our service, and managing relationships with clients, suppliers, and contacts, where those interests are not overridden by your rights and freedoms; and

  • your consent, where we ask for it (for example, for certain marketing activities or for special category data).

5.1

To provide our services

We process personal data to set up your account, complete onboarding and compliance checks, deliver legal services, communicate with you about your matters, manage the Client Hub, and complete payments and billing. The lawful bases are performance of a contract, compliance with legal obligations, and our legitimate interests in operating our service.

5.2

To run and develop our business

We process personal data to administer our accounts, manage our suppliers, develop our service, train our team, protect our systems and information, and exercise or defend legal claims. The lawful bases are our legitimate interests and, where applicable, compliance with legal obligations.

5.3

To communicate with you

We process personal data to respond to your enquiries, send you service-related messages and updates, and provide information you have requested. The lawful bases are performance of a contract or our legitimate interests in responding to you, and your consent where required.

5.4

For marketing and promotion

We process limited personal data to send you information about our services that we think may interest you. We do this on the basis of your consent or, where permitted by the Privacy and Electronic Communications Regulations, on the basis of our legitimate interests under the soft opt-in. You can opt out of marketing at any time using the unsubscribe link in our messages or by contacting us.

5.5

For legal and regulatory compliance

We process personal data to comply with our obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, the Solicitors Regulation Authority’s rules, tax and accounting law, data protection law, and any other law, regulation, or court or regulatory order that applies to us.

We do not routinely collect special category data. We may process it only where:

  • you have given us your explicit consent;

  • it is necessary for the establishment, exercise, or defence of legal claims;

  • it is necessary for reasons of substantial public interest as recognised by law; or

  • another condition under Article 9 of the UK GDPR and Schedule 1 to the Data Protection Act 2018 applies.

Where we process special category data, we apply additional safeguards, including stricter access controls and an appropriate policy document where required by law.

Our services are directed at businesses and not at children. We do not knowingly collect personal data from individuals under the age of 18. If you believe we hold personal data about a child, please contact us and we will take appropriate steps.

We use cookies and similar technologies on our website. Strictly necessary cookies make the website work and keep it secure, and are set automatically. Where you consent, we also use analytics cookies to understand how the website is used, so that we can measure and improve it. We do not currently use advertising cookies or cookies that track you across other websites, and we will ask for your consent before placing any new non-essential cookies.

Our Cookies Policy explains the categories of cookies we use, their purpose, and how you can manage your preferences. You can change your cookie preferences at any time through the cookie banner on our website or through your browser settings.

 

We send marketing communications only where we are permitted to do so, including where you have consented or where the soft opt-in applies and we are marketing similar services to an existing or prospective business client. We use only business contact details for marketing to corporate subscribers in line with the Privacy and Electronic Communications Regulations.

Every marketing email we send includes an unsubscribe link. You can opt out of marketing at any time by clicking that link or by contacting us at support@lawyerly.co. Opting out of marketing will not affect service-related communications, which we will continue to send where necessary to provide our services.

We share personal data only with categories of recipients that need access to it for the purposes set out in this Privacy Policy, and only under appropriate contractual and security safeguards.
10.1

Within our group

We share personal data with our parent company, Lawyerly Group (Pty) Ltd, and with related entities where necessary for shared services, group governance, and support functions. Group sharing is governed by intra-group agreements that include appropriate data protection safeguards.

10.2

Service providers

We use carefully selected service providers to support our operations and the delivery of our services. The main categories of service providers are:

  • cloud hosting, productivity, and collaboration platforms (for example, Microsoft);

  • payment processing (for example, Stripe);

  • customer relationship management and marketing platforms (for example, HubSpot);

  • identity verification and anti-money laundering providers (for example, ComplyCube);

  • meeting transcription tools used with your consent (for example, Fireflies);

  • AI tools that support service delivery (for example, Anthropic);

  • compliance and operational tooling (for example, monday.com); and

  • our strategic partners, including our technology partner Shft (Pty) Ltd and our marketing partner Seek the Just (Pty) Ltd.

All service providers act on our instructions under written data processing terms. Where they handle personal data we process on behalf of a client, the detailed sub-processor arrangements are set out in our Data Processing Addendum.

10.3

External advisers and specialists

Where appropriate, we may share personal data with external advisers and specialists, such as barristers, accountants, tax advisers, or other professionals, in connection with a specific matter or to obtain advice. Where we make a referral or introduction at your request, we share only the information you have asked us to share or that is needed for the referral.

10.4

Regulators, courts, and law enforcement

We may share personal data with regulators, courts, and law enforcement bodies where we are required to do so by law, by a court order, or by a regulatory authority such as the Solicitors Regulation Authority, the Information Commissioner’s Office, or HM Revenue and Customs.

10.5

Corporate transactions

If we sell, restructure, or reorganise our business or assets, we may share personal data with the relevant counterparties and their advisers, subject to appropriate confidentiality and data protection safeguards.

Some of our service providers are based outside the United Kingdom, including in the European Economic Area, the United States, and South Africa. Where we transfer personal data outside the United Kingdom, we ensure that an appropriate transfer mechanism is in place.

The transfer mechanisms we rely on include:

  • UK adequacy regulations, where the United Kingdom has recognised that a country provides an adequate level of protection;

  • the UK Extension to the EU-US Data Privacy Framework, for transfers to certified United States organisations;

  • the International Data Transfer Agreement issued by the Information Commissioner’s Office, or the UK Addendum to the EU Standard Contractual Clauses, supported by a Transfer Risk Assessment; and

  • any other transfer mechanism recognised under UK data protection law.

You can ask us for more information about the transfer mechanisms in place for a specific transfer by contacting our Data Protection Officer.

We keep personal data only for as long as we need it for the purposes set out in this Privacy Policy, and to comply with our legal, regulatory, and operational requirements. As a general guide:

  • client matter files are typically retained for at least six years after closure of the matter, in line with limitation periods and Solicitors Regulation Authority guidance;

  • AML and identity verification records are retained for at least five years after the end of the business relationship, in line with anti-money laundering law;

  • financial, accounting, and tax records are retained for at least six years from the end of the relevant accounting period;

  • marketing data is retained until you opt out or for up to two years from your last meaningful interaction with us, whichever is sooner;

  • unsuccessful job applications are retained for up to six months after the recruitment decision, unless you have agreed to a longer retention period; and

  • website analytics data is retained for no longer than the lifespan of the relevant analytics cookies, after which it is aggregated or deleted in the ordinary course.

Where personal data is held in backup or archival systems, it may be retained for a slightly longer period before it is overwritten in the ordinary course of operations.

We take the security of personal data seriously. We apply appropriate technical and organisational measures to protect personal data against unauthorised or unlawful access, loss, destruction, alteration, or disclosure. These measures include:

  • encryption of personal data in transit and at rest, where appropriate;

  • role-based access controls, multi-factor authentication, and identity management through our identity platform;

  • secure infrastructure provided by our cloud hosting and productivity providers;

  • training and policies for our team on data protection, confidentiality, and information security;

  • due diligence and contractual safeguards for our service providers; and

  • monitoring, logging, and incident response procedures.

We are certified by the UK Government under the Cyber Essentials scheme. Despite our safeguards, no system is completely secure. If you become aware of a possible security incident affecting your personal data, please contact us promptly.

You have a number of rights in relation to your personal data under the UK General Data Protection Regulation. The main rights are described below. Most rights are not absolute, and we may need to balance them against our legal or regulatory obligations.

14.1

Right to be informed

You have the right to be informed about how we collect and use your personal data. This Privacy Policy is our main way of providing that information.

14.2

Right of access

You have the right to ask us for a copy of the personal data we hold about you and information about how we process it.

14.3

Right to rectification

You have the right to ask us to correct personal data we hold about you that is inaccurate or incomplete.

14.4

Right to erasure

You have the right to ask us to erase personal data we hold about you in certain circumstances, for example where the data is no longer needed for the purposes for which we collected it. We may not be able to comply with an erasure request where we are required to keep the data by law or for the establishment, exercise, or defence of legal claims.

14.5

Right to restrict processing

You have the right to ask us to restrict our processing of your personal data in certain circumstances, for example while we investigate a complaint or rectification request.

14.6

Right to data portability

Where we process personal data on the basis of consent or performance of a contract and by automated means, you have the right to ask us to provide that data to you, or to another controller, in a structured, commonly used, and machine-readable format.

14.7

Right to object

You have the right to object to our processing of personal data where we rely on our legitimate interests. You also have the right to object to processing for direct marketing purposes at any time, and we will stop such processing when you do so.

14.8

Rights relating to automated decision-making

You have the right not to be subject to a decision based solely on automated processing which produces a legal effect on you or similarly significantly affects you, except in limited circumstances permitted by law. We do not make such decisions about you.

14.9

Right to withdraw consent

Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

14.10

How to exercise your rights

To exercise any of your rights, please contact us at support@lawyerly.co. We will respond within one month, although we may extend this period by up to two further months for complex or numerous requests, in which case we will let you know. We do not usually charge a fee, but we may charge a reasonable fee or refuse to act on a request that is manifestly unfounded or excessive.

14.11

Identity verification

We may need to verify your identity before responding to a rights request, particularly where it relates to special category data or where there is a risk that the request has come from someone other than the data subject.

We use AI tools in the course of delivering our services, including for tasks such as research, drafting, summarising, document review, and operational support. Our solicitors remain responsible for the legal advice and work product we provide. We assess each AI provider before adoption and, where contractually available, secure written safeguards preventing personal data from being used to train the provider's models. The AI providers we use, and the safeguards that apply to each, are set out in our Data Processing Addendum

If you are not satisfied with how we have handled your personal data or a data protection request, please contact us first so that we can try to put things right. You can write to our Data Protection Officer at support@lawyerly.co.

You also have the right to lodge a complaint with the Information Commissioner’s Office, which is the supervisory authority for data protection in the United Kingdom. The Information Commissioner’s Office can be contacted at:

  • Information Commissioner’s Office;

  • Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF;

  • Helpline: 0303 123 1113; and

  • Website: ico.org.uk.

We may update this Privacy Policy from time to time to reflect changes to our services, the way we process personal data, or legal or regulatory requirements. The version number and effective date are shown on the cover page and in the footer of this document.

Where a change is material, we will take reasonable steps to notify you, including by posting a notice on our website or sending a message through the Client Hub or by email.

For any questions about this Policy, please contact us at support@lawyerly.co.