
Privacy & Cookies Policy
​
Overview
Andrew Croft & Co takes the security and privacy of personal data seriously and is committed to complying with its legal obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Our use of personal data is governed by your instructions, applicable data protection legislation, our professional duty of confidentiality, and the Solicitors Regulation Authority’s Codes of Conduct.
This Privacy & Cookies Policy explains how and why we collect, use, store and share personal data, the legal bases on which we rely, and your rights in relation to that data. It also explains how to contact us or the relevant supervisory authority if you have a complaint.
This policy supplements any other privacy information we may provide to you in specific circumstances and is not intended to override those notices.
We review this policy regularly and may update it from time to time. Any updates will be published on our website. You should read and understand this policy before submitting personal data to us.
​
Data Controller
Andrew Croft & Co is the data controller for the purposes of UK data protection legislation. This means we are responsible for deciding how personal data is held and used.
​
Contact and Queries
Andrew Croft, Principal Solicitor, is responsible for overseeing data protection matters.
If you have any questions about this policy, or wish to exercise your legal rights, please contact:
Name: Andrew Croft
Contact: ac@andrewcroft.com
If you believe your data protection concerns have not been addressed satisfactorily, you have the right to raise a complaint with the Information Commissioner’s Office (ICO).
​
Scope of This Policy
This policy applies to personal data collected through:
- use of this website;
- contact forms, email, telephone or postal correspondence;
- enquiries about our legal services.
If you become a client of the firm, you may be provided with additional privacy information specific to your matter.
This policy applies to personal data held electronically, on paper, or in any other format.
Our website may contain links to third-party websites. We are not responsible for the privacy practices of third-party sites and encourage you to review their privacy policies when you leave our website.
​
Data Protection Principles
We process personal data in accordance with the following principles:
- lawfully, fairly and transparently;
- for specified, explicit and legitimate purposes;
- in a manner that is adequate, relevant and limited to what is necessary;
- accurately and kept up to date;
- retained only for as long as necessary; and
- securely, using appropriate technical and organisational measures.
What We Mean by “Processing”
“Processing” includes any operation performed on personal data, including collection, storage, use, disclosure, alteration, retrieval, restriction or deletion, whether automated or manual.
​
Personal Data We Collect
Depending on the circumstances, we may collect and process the following categories of personal data:
- Identity Data: name, title, date of birth.
- Contact Data: postal address, email address, telephone number.
- Background Data: information provided in connection with an enquiry about legal services, which may include sensitive or criminal offence data.
- Technical Data: IP address, browser type, device information.
- Usage Data: information about how you use our website.
- Aggregated Data: statistical or analytical data that does not identify you.
Where necessary for the provision of legal services, we may also process special category data or criminal offence data in accordance with applicable legal conditions.
​
Lawful Bases for Processing
We process personal data only where we have a lawful basis to do so. These include:
- Contract: to take steps at your request prior to entering into a contract, or to perform a contract with you.
- Legal obligation: to comply with regulatory, legal and professional requirements.
- Legitimate interests: for the operation and administration of the firm, provided those interests are not overridden by your rights and freedoms.
We do not rely on consent as a general basis for processing personal data, except where required by law (for example, in relation to certain cookies).
​
Data Sharing
We may share personal data where necessary with:
- courts, tribunals and regulators;
- banks, lenders and public bodies;
- barristers, experts and professional advisers instructed on your behalf;
- insurers and professional indemnity providers;
- IT and administrative service providers.
All third parties are required to protect personal data and process it only in accordance with our instructions and professional obligations.
We do not sell personal data and do not share it for marketing purposes.
​
International Transfers
We do not routinely transfer personal data outside the United Kingdom.
​
Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including to comply with legal, regulatory and professional obligations.
In summary:
- Client files: retained for a minimum of six years after matter closure.
- Enquiries (non-clients): retained for up to twelve months.
- Website analytics: anonymised and retained in accordance with Wix analytics settings.
When personal data is no longer required, it is securely deleted or anonymised.
​
Data Security
We have implemented appropriate technical and organisational measures to protect personal data against unauthorised access, loss or misuse.
Access to personal data is limited to those who need it for legitimate business purposes and who are subject to duties of confidentiality.
We have procedures in place to deal with suspected data breaches and will notify affected individuals and regulators where legally required.
Your Rights
Under data protection legislation, you have rights including:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to object to processing;
- the right to data portability.
You also have the right to complain to the Information Commissioner’s Office.
Requests to exercise your rights should be made in writing to Andrew Croft using the contact details above. We will respond within one month, subject to permitted extensions.
​
Cookies
Cookies are small text files placed on your device when you visit a website.
Our website uses essential cookies and analytics cookies provided by Wix to enable website functionality and to understand how visitors use the site.
You can control cookies through your browser settings. Disabling cookies may affect the functionality of some parts of the website.
Updates to This Policy
This policy may be updated from time to time. The latest version will always be published on our website.
Last updated: January 2026