1. Who We Are — Data Controller
Zavri Legal ("Zavri", "we", "us", "our") is the data controller in respect of personal data collected through this website and through our legal introduction services. As data controller, we are responsible for deciding how and why your personal data is processed.
Zavri Legal — Data Controller Contact Details |
Trading name: Zavri Legal Website: https://zavri-law.uk Email: [INSERT DATA PROTECTION / PRIVACY EMAIL] Address: [INSERT REGISTERED / CORRESPONDENCE ADDRESS] ICO Registration: [INSERT ICO REGISTRATION NUMBER — register at ico.org.uk if not yet registered] |
If you have any questions about how we handle your personal data, or if you wish to exercise any of your rights under UK GDPR, please contact us using the details above.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We would, however, appreciate the opportunity to address your concerns before you contact the ICO.
Important — Network Firms as Separate Data Controllers |
When your enquiry is referred to a Network Firm (currently Londonium Chambers Limited, SRA: 620622, and any other SRA-authorised firm in our network), that firm becomes an independent data controller in respect of the personal data they process in connection with your legal matter. The Network Firm's own privacy policy will govern how they handle your data from the point of instruction onwards. You should request a copy of their privacy notice when you receive their client care letter. |
2. What Personal Data We Collect
We collect and process the following categories of personal data about you, depending on how you interact with us:
Data type | What it includes |
Identity data | Full name, date of birth, gender (where provided voluntarily) |
Contact data | Email address, telephone number, postal address |
Enquiry data | Details of your legal issue as described by you in our enquiry form or communications |
Identity verification data | Copies of identification documents where required for anti-money laundering (AML) or Know Your Client (KYC) checks |
Technical data | IP address, browser type and version, device type, operating system, time zone, pages visited, referral source |
Usage data | Information about how you use our website, which pages you visit, how long you spend on each page |
Marketing data | Your preferences regarding receiving marketing communications from us |
Communications data | Records of emails, messages, and other communications between you and Zavri Legal |
Special category data | In some legal matters you may voluntarily disclose health, ethnicity, or other sensitive data in your enquiry. We process this only to the extent necessary to refer your matter appropriately. |
We do not intentionally collect personal data about children under the age of 16. If you believe we have collected data about a child, please contact us immediately using the details in PP1.
3. How We Collect Your Personal Data
We collect personal data through the following means:
Direct interactions
You provide personal data directly when you: submit an enquiry through our website; create an account; email, call, or otherwise contact us; respond to a quote or instruction; or submit a review or feedback.
Automated technologies
When you visit our website, we automatically collect technical and usage data using cookies, server logs, and similar technologies. Please see our Cookie section (PP9) for further details.
Third parties
We may receive personal data about you from: identity verification providers; analytics providers (such as Google Analytics); advertising platforms (such as Google Ads); and publicly available sources where relevant to verifying the information you provide.
4. How We Use Your Personal Data — Lawful Bases
We are required by UK GDPR to have a lawful basis for processing your personal data. The table below sets out the purposes for which we process your data and the lawful basis we rely on in each case.
Purpose | Type of data | Lawful basis (UK GDPR) |
Process and respond to your legal enquiry | Identity, contact, enquiry data | Performance of a contract (or steps prior to entering one) |
Refer your enquiry to the appropriate Network Firm | Identity, contact, enquiry, verification data | Performance of a contract; Legal obligation (AML/KYC) |
Comply with anti-money laundering and identity verification obligations | Identity, verification data | Legal obligation (Money Laundering Regulations 2017) |
Send you a fixed-fee quote | Identity, contact, enquiry data | Performance of a contract |
Improve our website and services | Technical, usage data | Legitimate interests |
Monitor website performance and security | Technical data | Legitimate interests |
Send you marketing communications (with your consent) | Identity, contact, marketing data | Consent |
Comply with legal and regulatory obligations | All categories as required | Legal obligation |
Resolve complaints and disputes | Identity, contact, communications data | Legal obligation; Legitimate interests |
Fraud prevention and security | Identity, technical data | Legitimate interests; Legal obligation |
Where we rely on legitimate interests as our lawful basis, we have carried out a balancing test to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests — see PP7 for details.
Special category data
Where you voluntarily provide special category data (such as health information) in your legal enquiry, we process this on the basis of explicit consent (UK GDPR Article 9(2)(a)) for the purpose of referring your matter to an appropriate solicitor. You may withdraw this consent at any time, though doing so may affect our ability to refer your matter appropriately.
5. Who We Share Your Personal Data With
We may share your personal data with the following categories of recipients:
Network Firms
When you submit a legal enquiry, we share your personal data with the Network Firm we consider best placed to assist you. Currently our primary Network Firm is Londonium Chambers Limited (SRA: 620622). We may also refer to other SRA-authorised firms with whom we have a written referral agreement. Each Network Firm is an independent data controller and processes your data under its own privacy policy and SRA obligations from the point of referral onwards.
Service providers
We use third-party service providers to operate our business and website. These include:
- Website hosting and infrastructure providers (currently Hostinger)
- Analytics providers (currently Google Analytics — data processed in accordance with Google's privacy policy and our data processing agreement)
- Email service providers
- Identity verification and AML/KYC providers
- Customer relationship management (CRM) software providers
All service providers are required to process your data only on our documented instructions and in accordance with applicable data protection law. We carry out due diligence on all significant data processors before engaging them.
Legal and regulatory authorities
We may disclose your personal data to law enforcement agencies, regulatory bodies (including the SRA and ICO), courts, or other authorities where required or permitted by law.
Business transfers
If Zavri Legal is acquired, merged with another business, or transfers all or part of its assets, your personal data may be transferred to the acquirer as part of that transaction. We will notify you by email or prominent website notice before your data is transferred and becomes subject to a different privacy policy.
We do not sell your personal data to third parties. We do not share your personal data with any third party for their own marketing purposes.
6. . International Data Transfers
Zavri Legal is based in England and Wales. Some of our service providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place in accordance with UK GDPR, including:
- Transfers to countries with an adequacy decision from the UK Secretary of State;
- Use of the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; or
- Other lawful transfer mechanisms as approved by the ICO.
You may request details of the safeguards in place for any specific transfer by contacting us using the details in PP1.
7. Your Rights Under UK GDPR
Data type | What it includes |
Right of access | You may request a copy of all personal data we hold about you (a Subject Access Request). We will provide this within one month of receiving a valid request. |
Right to rectification | You may ask us to correct any personal data we hold about you that is inaccurate or incomplete. |
Right to erasure | You may ask us to delete your personal data where: it is no longer necessary for the purpose it was collected; you withdraw consent (where consent was the basis); you object and we have no overriding legitimate interest; or the data was unlawfully processed. |
Right to restrict processing | You may ask us to pause processing of your data in certain circumstances, for example while we investigate a rectification request. |
Right to data portability | Where we process your data by automated means and on the basis of consent or contract, you may ask us to provide your data in a structured, machine-readable format. |
Right to object | You may object at any time to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds. |
Right to withdraw consent | Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. |
Right not to be subject to automated decisions | You have the right not to be subject to decisions made solely by automated processing that produce legal or similarly significant effects on you. |
If you are unsatisfied with our response to any request, you have the right to lodge a complaint with the ICO at ico.org.uk.
8. Data Retention
We retain personal data only for as long as is necessary for the purposes set out in this policy, having regard to our legal, regulatory, and contractual obligations. The following retention periods apply:
Category | Retention period | Reason |
Enquiry data (not converted to instruction) | 12 months from date of enquiry | Legitimate interests — to respond to follow-up queries |
Enquiry data (converted to instruction at Network Firm) | 6 years from end of matter | Legal obligation — Limitation Act 1980; SRA file retention guidance |
AML / KYC verification records | 5 years from end of business relationship | Legal obligation — Money Laundering Regulations 2017, Reg. 40 |
Marketing consent records | Until consent withdrawn + 1 year | Legal obligation — ICO consent record-keeping guidance |
Website analytics data | 26 months (Google Analytics default) | Legitimate interests — website improvement |
Complaints records | 6 years from resolution | Legal obligation; Limitation Act 1980 |
Financial records | 6 years from end of financial year | Legal obligation — Companies Act 2006 |
Communications data | 3 years from last communication | Legitimate interests — dispute resolution |
Where data is no longer required, we delete or anonymise it securely. Where deletion is not immediately possible (for example because data is stored in backup systems), we will isolate the data from further processing until deletion is possible.
9. Cookies
Our website uses cookies — small text files placed on your device — to enable core functionality, analyse usage, and improve your experience. We use the following categories of cookies:
Data type | What it includes |
Strictly necessary cookies | Essential for the website to function. Cannot be disabled. Examples: session cookies, security tokens, cookie consent preferences. |
Analytics cookies | Help us understand how visitors use our site. We use Google Analytics. Data is anonymised where possible. You can opt out via our cookie banner or at tools.google.com/dlpage/gaoptout |
Functionality cookies | Remember your preferences and settings to improve your experience. |
Marketing cookies | Used to deliver relevant advertising. Only placed with your consent via our cookie consent banner. |
You can manage your cookie preferences at any time via the cookie consent banner shown when you first visit our website, or by adjusting your browser settings. Note that disabling strictly necessary cookies may affect how the website functions.
10. Data Security
We have implemented appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, or disclosure. These measures include:
- SSL/TLS encryption for all data transmitted to and from our website (HTTPS)
- Access controls limiting data access to authorised personnel only
- Regular software and security updates
- Secure password policies and multi-factor authentication where available
- Regular backups and disaster recovery procedures
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it and will notify you without undue delay where the breach is likely to result in a high risk to you.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in the law, our services, or our data processing activities. The date at the top of this page shows when it was last updated.
Where changes are material, we will notify registered users by email. Your continued use of our website after any changes constitutes acceptance of the updated policy. We recommend checking this page periodically.