PRIVACY POLICY

We take your privacy very seriously.

Please read this privacy policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights under the UK GDPR and Data Protection Act 2018, including rights to access, rectification, erasure, data portability, and how to contact us or the Information Commissioner's Office (ICO) in the event you have a complaint.

We are responsible as ‘controller’ of that personal data for the purposes of those laws. Our registered address is 81 Chancery Lane, London, WC2A 1DD and our company registration number is 07030061. Our use of your personal data is subject to your instructions, the UK GDPR, other relevant UK legislation and our professional duty of confidentiality.

Who are we and what do we do?

Net Solicitors is a limited company, authorised and regulated by the Solicitors Regulation Authority under number 567184.

We collect, use and are responsible for certain personal data about you. When we do so we must comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If we offer any services to individuals in the European Economic Area (EEA), we are also required to comply with the EU General Data Protection Regulation (EU GDPR) as a third country service provider.

If you want further information about how we might use your data, please contact us.

Key terms

Personal data we collect about you

The table below sets out the personal data we will or may collect in the course of advising and/or acting for you.

This personal data is required to enable us to provide our service to you and comply with our legal and regulatory obligations. If you do not provide personal data we ask for, or provide incomplete or inaccurate information, it may delay or prevent us from providing services to you, and in some cases may require us to terminate our services.

Children’s Privacy

Because we care about the safety and privacy of children online, we comply with UK data protection laws including the Age Appropriate Design Code (Children's Code) established by the Information Commissioner's Office (ICO). We do not knowingly contact or collect information from persons under the age of 18. The website is not intended to solicit information of any kind from persons under the age of 18.

If we inadvertently receive information about persons under the age of 18, we will take steps to verify the age and obtain parental consent where required by law. If we cannot obtain such consent, we will delete the information. Please notify us if you believe we have inadvertently collected information about persons under 18 by emailing enquiries@net-solicitors.co.uk.

How your personal data is collected

We collect most of this information from you direct. However, we may also collect information:

from publicly accessible sources,

eg Companies House or HM Land Registry;

directly from a third party, eg:

sanctions screening providers;
client due diligence providers;
credit reference agencies

from a third party with your consent, eg:

your bank or building society, another financial institution or advisor;
your legal advisor, employer and/or trade union, professional body or pension administrators
consultants and other professionals we may engage in relation to your matter;
your doctors, medical and occupational health professionals;

via our website—we use cookies and similar technologies on our website (for more information on cookies, please see cookie policy https://www.net-solicitors.co.uk/cookie-policy ; and

via our information technology (IT) systems, eg:

case management systems;
door entry systems and concierge logs;
Our computer networks and connections, communications systems, email and instant messaging systems; for example Skype and SMS

How and why we use your personal data

Under data protection law, we will only process your personal data where we have a valid legal basis for doing so. We rely on one or more of the following legal bases:

to comply with our legal and regulatory obligations;
for the performance of our contract with you or to take steps at your request before entering into a contract;
for our legitimate interests or those of a third party; or
where you have given consent- where we need your consent, we will ask for it separately of this privacy policy and you can withdraw consent at any time.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. You have the right to object to processing based on legitimate interests. We must then stop the processing unless we can demonstrate compelling legitimate grounds which override your interests, rights and freedoms or the processing is required to establish, exercise or defend legal claims.

The table below explains what we use (process) your personal data for and our reasons for doing so:

The above table does not apply to special category personal data (including data about racial/ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual orientation, or criminal records). We will only process such data where strictly necessary for providing legal services and where we have a specific lawful basis under Article 9 of the UK GDPR, primarily for establishing, exercising or defending legal claims. Where this legal bases is not applicable, we will seek explicit consent or rely on another appropriate Article 9 condition.

the processing is necessary to protect your (or someone else’s) vital interests where you are physically or legally incapable of giving consent.

the processing is necessary to establish, exercise or defend legal claims; or

the processing is necessary for reasons of substantial public interest.

Promotional communications

We may use your personal data to send you updates by email or post about legal developments and our services where we have determined this is in our legitimate business interests for maintaining client relationships and business development. For existing clients, this may include updates relevant to previous services we have provided. For electronic marketing communications, we will obtain consent where required by the Privacy and Electronic Communications Regulations (PECR). We reserve the right to modify or discontinue such communications at any time.

Where we rely on legitimate interests for marketing communications, we have conducted and documented a legitimate interests assessment. For electronic marketing communications to individuals, we will obtain explicit consent where required by the Privacy and Electronic Communications Regulations (PECR). We reserve the right to review and update our legitimate interests assessments periodically to ensure continued compliance and effectiveness.

We will always treat your personal data with the utmost respect and never share it with other organisations for marketing purposes.

You have the right to opt out of receiving promotional communications at any time by:

contacting us by emailing Bola Fakoya, our COLP at bola@net-solicitors.co.uk
using the ‘unsubscribe’ link in emails
We may ask you to confirm or update your marketing preferences if you instruct us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.

We will always treat your personal data with the utmost respect and never sell or share it with other organisations for marketing purposes.

Who we share your personal data with

We routinely share personal data with:

professional advisers who we instruct on your behalf or refer you to, eg barristers, medical professionals, accountants, tax advisors or other external advisors or experts;
other third parties where necessary to carry out your instructions, eg your mortgage provider or HM Land Registry in the case of a property transaction or Companies House;
our insurers and brokers;
external auditors;
our banks
external service suppliers (both inside and outside of the UK), representatives and agents that we use to help deliver our services and / or make our business more efficient, eg case management system providers, typing services, photocopying service, marketing agencies, document collation;
companies providing services for money laundering checks and other crime prevention purposes and companies providing similar services.

We require all our service providers to handle your personal data in accordance with appropriate data protection requirements and contractual obligations through Data Processing Agreements (DPAs) that meet Article 28 GDPR requirements. Where personal data is transferred outside the UK, we implement appropriate safeguards as required by UK data protection laws. We conduct periodic reviews of our service providers' compliance with our data protection requirements and maintain a record of these assessments.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

We may also need to share some personal data with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, information will be anonymised, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

We will not share your personal data with any other third party unless required by law, necessary to provide our services, or with your explicit consent. Any such sharing will be subject to appropriate confidentiality and data protection obligations.

Where your personal data is held

Information may be held at our offices, third party agencies, service providers, representatives and agents as described above (see ‘Who we share your personal data with’). All data storage locations are subject to appropriate security measures.

Some of these third parties may be based outside the UK. While we take reasonable steps to ensure appropriate safeguards are in place, you acknowledge that data transferred outside the UK may be subject to different regulatory requirements. For more information on how we protect your data in these circumstances, see below: ‘Transferring your personal data out of the UK'.

Transmission of information to us by email

In accordance with Article 32 of UK GDPR, we implement appropriate technical and organizational measures including encryption, access controls, regular security testing, staff training, and incident response procedures. While we maintain robust security measures, please be aware that no method of transmission over the internet or electronic storage is completely secure. Despite our best efforts to use encryption and secure protocols, we cannot guarantee the absolute security of data transmission over the internet. By submitting information to us electronically, you acknowledge and accept these inherent risks.

While we implement reasonable security measures, you acknowledge and agree that we cannot be responsible for any costs, expenses, loss of profits, harm to reputation, damages, liabilities or any other form of loss or damage suffered by you as a result of your decision to transmit information to us by electronic means..

How long your personal data will be kept

We will keep your personal data after we have finished advising or acting for you. We will do so for one of these reasons:

to respond to any questions, complaints or claims made by you or on your behalf;
to show that we treated you fairly;
to keep records required by law.

In accordance with Article 5(1)(e) of UK GDPR (storage limitation principle), we will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including satisfying any legal, regulatory, accounting or reporting requirements. We maintain a detailed data retention schedule that sets specific retention periods for different categories of data based on:

- Legal and regulatory requirements

- The purpose(s) of processing

- Legitimate business needs

- Risk assessment and data minimization principles

The main retention periods are:

- Client matter files: 6 years from matter conclusion, except where:

• Longer retention is required by specific legal/regulatory obligations

• The matter involves minors (retained until the child reaches age 21)

• The matter involves wills, trusts or deeds (retained for 12 years)

• Ongoing litigation or disputes require extended retention

- Client identification and due diligence records: 5 years after the end of the business relationship

- Financial records: 6 years from the end of the financial year

- Marketing data: 2 years from last interaction or until consent is withdrawn, whichever comes first.

For prospective clients who have not engaged our services, marketing data will be reviewed annually and deleted if there has been no interaction in the previous 12 months

- Recruitment data: 6 months for unsuccessful candidates

In accordance with Article 5(1)(e) of UK GDPR, when we determine that retaining your personal data is no longer necessary for the purposes for which it was collected or processed, we will:

- Securely and permanently delete it using industry-standard methods

- Anonymize it in accordance with ICO guidelines so that it can no longer be associated with you

- Or pseudonymize it in accordance with Article 4(5) of UK GDPR where complete deletion is not technically possible, maintaining appropriate technical and organizational measures to prevent re-identification

These processes are documented in our internal data retention and destruction procedures and are regularly audited for compliance with UK GDPR requirements.

Further details on this are available in our client care letter/terms of business, which form part of our contractual relationship with you. We reserve the right to modify our retention periods based on legal, regulatory, or business requirements, subject to applicable law and appropriate notice.

Transferring your personal data out of the EEA

To deliver services to you and operate our business efficiently, it is sometimes necessary for us to share your personal data outside the European Economic Area (EEA), eg:

with your and our service providers located outside the EEA;
if you are based outside the EEA;
where there is an international dimension to the matter in which we are advising you;
where we use third-party service providers with operations outside the EEA, such as our case management system provider which has operations and personnel in India.

These transfers are subject to special rules under UK data protection law. For transfers outside the UK/EEA, we implement appropriate safeguards as required by UK GDPR. You have the right to obtain a copy of these safeguards by contacting us. Our safeguards include:

- Standard contractual clauses approved by the UK Government

- Additional technical and organizational security measures

- Regular audits of our service providers' compliance

Our case management system provider in India processes personal data under UK-approved International Data Transfer Agreements (IDTAs) with additional safeguards including:

- End-to-end encryption for data in transit and at rest

- Data minimization and purpose limitation controls

- Documented data retention and deletion processes

Your rights

Under UK GDPR Articles 15-22, you have the following rights, which you can exercise free of charge (subject to applicable exemptions):

For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

If you would like to exercise any of those rights, please:

complete a data subject request form— available from our COLP
email, call or write to our COLP —see below: ‘How to contact us’; and
let us have enough information to identify you [(eg your full name, address and client or matter reference number)];
let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
let us know what right you want to exercise and the information to which your request relates.

Profiling

Profiling is any form of automated processing of your information to evaluate personal aspects about you, in particular to analyse or predict things like your performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Under UK GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The exceptions to this right are where the decision: (1) is necessary for entering into or performing a contract between you and us; (2) is authorized by UK law; or (3) is based on your explicit consent. We will always inform you if we make such decisions about you using solely automated means.

Use of Automated Processing and Profiling

We use industry-standard web analytics tools to collect and analyse website usage data, including information about visitor location and behaviour, in accordance with applicable data protection laws. We obtain your explicit consent for non-essential cookies through our cookie banner before any such cookies are placed on your device. You can withdraw this consent at any time through our cookie preferences centre. For full details, including the specific cookies we use, their purposes, and how to control them, please see our cookies policy at: https://net-solicitors.co.uk/cookies-policy/. Where possible, all collected data is pseudonymized using industry-standard encryption and hashing techniques.

Logic involved: by automatically analysing and categorising information such as the location (based on IP address) as well as the behaviour and devices of visitors to our website (using cookies), we are able to gain a better understanding of what our website visitors want (in terms of the content of our website and our products), how to improve our website and how to advertise and market our services to them.

Significance and envisaged consequences: Subject to your explicit consent through our cookie control tool, cookies will be used to track and store information about your behaviour and device on our website. Your location may be analysed based on your IP address. We may use this information to: (1) personalize your experience through content customization; (2) improve our services through usage analysis; and (3) optimize our marketing efforts, including targeted advertisements where permitted. This processing may affect the content and services you see but does not result in automated decisions that would produce legal effects or similarly significant impacts on you. While you have the right to object to this processing at any time through our cookie control tool or by contacting us directly, this may impact our ability to provide certain services or customized experiences.

Legal basis for processing: our legitimate interests (Article 6(1)(f) of the UK General Data Protection Regulation) for essential cookies and website functionality, and your explicit consent (Article 6(1)(a)) for non-essential cookies and tracking technologies.

Legitimate interest: to enable us to gain a better understanding of what our website users want so that we can improve our website and market our services accordingly.

Disclosure and additional uses of your information

This section sets out the specific purposes, legal bases, and retention periods for which we may process and disclose your information to third parties, including details of international transfers and the safeguards we have implemented to protect your data. Any international transfers of your data are conducted in accordance with Chapter V of the UK GDPR, with appropriate safeguards and transfer impact assessments in place as required by law. We regularly review our processing activities to ensure continued compliance with UK GDPR requirements.

Disclosure of your information to service providers

We use a number of third parties to provide us with services which are necessary to run our business or to assist us with running our business and who process your information for us on our behalf. These include the following:

Telephone provider
Email provider
IT service provider
Web developer
Hosting provider
Case management system provider

Our third party service providers are primarily located in the UK. Where services are provided from outside the UK, all international data transfers are conducted in accordance with UK GDPR requirements and appropriate transfer mechanisms. Your information will be shared with these service providers only where necessary to: (1) provide our legal services, (2) fulfil our contractual obligations, (3) comply with legal requirements, or (4) pursue our legitimate business interests in an efficient and secure manner. Each service provider has signed appropriate data processing agreements that comply with Article 28 of the UK GDPR and implement appropriate technical and organizational measures to protect your data.

While we maintain confidentiality of our specific service provider relationships, we will provide you with detailed information about categories of recipients of your data, including the sectors they operate in and their data protection safeguards, upon request. If you require information about specific service providers processing your personal data, you may submit a request via our contact form or email. We will assess such requests on a case-by-case basis, considering our obligations under UK GDPR, our legitimate business interests, and any applicable legal or regulatory requirements.

Legal basis for processing: legitimate interests (Article 6(1)(f) of the UK General Data Protection Regulation). We have conducted and documented a legitimate interests assessment to ensure this basis is appropriate.

Legitimate interest relied on: where we share your information with these third parties in a context other than where is necessary to perform a contract (or take steps at your request to do so), we will share your information with such third parties in order to allow us to run and manage our business efficiently.

Legal basis for processing: necessary to perform a contract and/or to take steps at your request prior to entering into a contract (Article 6(1)(b) of the General Data Protection Regulation).

Reason why necessary to perform a contract: we may need to share information with our service providers to enable us to perform our obligations under that contract or to take the steps you have requested before we enter into a contract with you.

Google Analytics

Information collected by Google Analytics (including your IP address and website usage data) is transferred to and stored on Google's servers in the United States. You can access Google’s privacy policy here: https://www.google.com/policies/privacy/

Country of storage: United States of America. This country is not subject to an adequacy decision by the UK government under the UK GDPR. We have implemented appropriate safeguards as detailed below.

Safeguard(s) used: Our data transfers to Google are protected by appropriate safeguards in accordance with UK data protection laws, including standard contractual clauses approved by the UK government. We implement additional technical and organizational measures as required to ensure the security of your data.

Updating your personal data

We take reasonable steps to ensure your personal data remains accurate and up to date based on the information you provide to us. You are responsible for informing us of any changes to your personal data (such as your surname or address) in a timely manner. You have the right to request rectification of any inaccurate personal data we hold about you, and we will respond to such requests within one month as required by Article 12(3) of the UK GDPR. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. For security purposes and to protect your privacy, we will verify your identity and validate any requested changes before implementation.

Keeping your personal data secure

We have implemented appropriate technical and organizational measures in accordance with Article 32 of the UK GDPR to ensure a level of security appropriate to the risk. While we maintain robust security measures to prevent personal data from being accidentally lost, used, or accessed unlawfully, no data transmission or storage system can be guaranteed to be 100% secure. We regularly review and update our security measures based on current industry standards and threat landscapes. We limit access to your personal data to those who have a genuine business need to access it, subject to strict confidentiality obligations. For third-party processors, including our case management system provider with operations in India, we have implemented specific security controls including role-based access controls and multi-factor authentication.

All parties processing your information, including authorized personnel of our case management system provider, whether located in the UK, India, or elsewhere, are required to process data only in an authorized manner and are subject to strict contractual confidentiality obligations and data security protocols.

We contractually require our business partners, suppliers and other third parties, including our case management system provider and their international operations, to implement appropriate security measures under Article 32 of the UK GDPR.

We maintain documented procedures to deal with personal data breaches in accordance with Article 33 of the UK GDPR. Where required by law, we will notify relevant supervisory authorities and affected individuals of qualifying breaches within applicable statutory timeframes, subject to any applicable exemptions.

If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.

How to complain

We aim to address any query or concern you may raise about our use of your information through our internal complaint resolution process.

Under UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), which is the UK's supervisory authority for data protection matters. We strongly encourage you to contact us first to resolve any concerns through our internal dispute resolution process, as this often leads to faster and more satisfactory outcomes.

The contact details for the ICO are:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

For more information about how we handle data protection complaints, please contact our COLP: bola@net-solicitors.co.uk.

Changes to this privacy policy

This privacy policy was published on 11 May 2018 and updated in August 2025.

We may update this privacy policy from time to time. We will notify you of any material changes via email and/or prominent notice on our website prior to the changes taking effect. Where we make significant changes to our processing activities that require consent under UK GDPR, we will obtain your explicit consent before implementing such changes. While continued use of our services following notification of minor changes constitutes acceptance of those changes, explicit consent will be required for significant changes affecting your privacy rights.

How to contact us

Please contact us by post, email or telephone if you have any questions about this privacy policy or the information we hold about you.

Do you need extra help?

If you would like this policy in another format (for example audio, large print, braille) please contact us (see ‘How to contact us’ above).

Our contact details are shown below: