Privacy Notice
This page explains what we do with personal data at Tacit Legal, and how you can exercise your rights over it.
We last updated it on 14 September 2023.
Who we are and how to contact us
We are Tacit Legal LLP. We are a limited liability partnership registered in England with number OC441066. You can contact us by email on [email protected] or by writing to us at Tacit Legal LLP, Delta House, 16 Bridge Road, Haywards Heath, RH16 1UA. If you email us about your personal data, it would be helpful to include the words “data protection” in the subject line.
What we do with personal data, and our legal basis for doing it
In our business we work with personal data in a few different ways.
Carrying out our work for our clients
In doing our legal work for our clients we will necessarily process the names and business contact information of the people who work at our clients and at the other businesses that they work with, like their customers and suppliers, so that we can communicate with them.
We do this on the basis of our legitimate interest in carrying out our work for our clients.
We keep those names and contact details together with any correspondence and other documents in which they appear as part of our files for as long as the relevant client engagement lasts, and for 6 years afterwards.
Promoting our business
We promote our business through the channels you would expect, such as personal networking, online research, searching for leads using social media such as LinkedIn, and attending and speaking at events. In the course of doing that, we will either be given or will find out from publicly available sources the names and business contact details of people who work at businesses we think could be interested in our services, or who could act as a source of referrals. We will then use those contact details to reach out to them to see if they might be interested.
We do this on the basis of our legitimate interest in promoting our services to businesses. We will always honour requests to stop contacting people in this way.
We will keep data gathered for this purpose until the business in question becomes a client (in which case we will continue processing that data as necessary for that purpose) or it becomes clear that there is no prospect of its becoming a client, which we determine based on when the last contact took place and what the outcome of that contact was (for example, if they asked us to stop contacting them).
Providing email newsletters and alerters
Sometimes we may offer email newsletters or alerters on legal or other topics, which you can subscribe to if you wish. If you do, then we will use the email address you give us to send you the newsletter or alerter that you subscribe for.
We do this on the basis of your consent, which you can withdraw at any time by clicking the “unsubscribe” or similar link at the bottom of the newsletter or alerter email.
We will keep this data until the recipient unsubscribes from the relevant newsletter or alerter or it becomes clear that the recipient’s email address is no longer valid.
Market research
We occasionally carry out market research, typically in the form of a questionnaire.
Providing your name and contact details will typically be optional, but if you do provide them we process your responses on the basis of our legitimate interest in carrying out market research.
We will keep data gathered for this purpose until we have drawn the conclusions our market research was intended to inform. If we do keep it longer, we'll anonymise it first.
Complying with our legal and regulatory obligations
As solicitors we have to maintain certain records and sometimes, depending on the kind of work we are doing, we need to perform certain “know your client” checks to make sure we know who our clients are and to help prevent things like money laundering or to ensure they do not appear on sanctions lists. So, if you work for or are a beneficial owner of one of our clients, we may ask you to provide us with information about ultimate ownership or sources of funds, or copies of identity documents like passports and driving licences. We will only use that information for compliance purposes. You do not have to provide that information, but if you don’t then we may not be able to act.
From time to time the law, the rules of our profession, or our regulator, the SRA, can require us to do other things with personal data; for example, we may be required to share information with the SRA or with other UK government authorities.
We do this on the basis that it is necessary to comply with our legal obligations.
We keep this information for the duration of the relevant client engagement and for 6 years afterwards.
Billing and general administration of our business
In operating and administering our business we will necessarily process the names and business contact information of our contacts at our clients, suppliers and the other organisations we work with. For example, if you are our contact at a client we will process your contact details to mark our bill for your attention and to send it to you.
We do this on the basis of our legitimate interest in operating and administering our business.
We keep those names and contact details together with any correspondence and other documents in which they appear as part of our business records for as long as the relevant relationship lasts, and for 6 years afterwards.
Running our website
Our website logs information about which pages are viewed and when, which IP address requested them and some technical information about the device used. We use that data to fix problems with the website and to help us understand how it is used. To help us with that, we use a third party log analysis tool called Plausible Analytics.
We do this on the basis of our legitimate interests in fixing problems with our website and in understanding how it is used.
We keep those logs for up to two years, though we may also delete them earlier than that.
Our website only uses cookies and similar technologies to deliver essential functions.
Preventing spam
We use Google reCAPTCHA Enterprise to protect our website contact form against spam bots. Google reCAPTCHA works by sending certain data to Google about your software, hardware and interactions with our site, which Google uses to “score” your risk.
We only do this when you interact with our contact forms.
We do this on the basis of our legitimate interests in preventing email spam. We do not store this data ourselves.
Whilst we have no direct control over how Google uses this data, Google says that it only uses this information for the purposes of providing, maintaining, and improving reCAPTCHA Enterprise and for general security purposes, and that it will not be used for personalised advertising. You can read more about it in Google’s privacy notice.
The third parties we share personal data with
Generally the only third parties we share personal data with are our suppliers, where it’s necessary to their service to do something with that data on our behalf. They do that as our “processors”, under contracts which (among other things) require them to keep the data safe and not to use it for other purposes.
Sometimes the law or the rules of our profession can also require us to share information with the SRA and government agencies. For example, the SRA requires us to display on our website a “badge” hosted by them (or their subcontractor), and which may enable them to gather some information about you such as your IP address.
The main suppliers who handle personal data on our behalf are:
- Microsoft. We use Microsoft 365 as our core technology platform. That means that we use it for email, audio and video conferencing, storage of internal documents, CRM, and for integrating the other technologies we use. So, if you work with us or communicate with us, your personal data will be hosted by Microsoft on our behalf.
- NetDocuments. We use NetDocuments as our document management system for client matters, and as our electronic “matter file”. So, any personal data held in client matter files will be hosted by NetDocuments on our behalf.
- Xero. We use Xero as our accounting platform. So, if you are a billing contact at a client or a supplier, then your name and business contact details will be hosted by Xero on our behalf.
- Foxit. We use Foxit eSign for handling electronic signings for our clients. So, if you are a signatory to an agreement that we have worked on, and it is agreed that we will administer signing, then your name, job title and email address will be shared with Foxit for that purpose.
- Digital Ocean. We use Digital Ocean to host our website and some of our back-office systems. So, they will host the server logs we described above and some of our internal business administration data on our behalf.
- Amazon Web Services. We use Amazon Web Services to host certain disaster recovery systems. They host copies of some of our internal business administration data on our behalf.
- Plausible Analytics. We use Plausible Analytics on our website to give us some information about how our website is used. Plausible is a cookie-less solution that aims to offer a more privacy-friendly alternative to other analytics providers. You can read more about them in their Privacy Policy.
- Google. When you interact with our contact forms, our website shares certain software, hardware and user interaction data with Google. It does so to prevent spam – for more information see the “Preventing spam” section above.
Transferring personal data overseas
Wherever possible, we have set up our services with our technology providers to host our data within the UK.
There are a few exceptions where it is not possible to store data in the UK, because the vendor does not offer that as an option. Those exceptions are as follows:
- Our service with Foxit. All data is stored in the EU other than your email address and password, which are stored in the United States. Foxit protects your personal data in the USA through entry into and enforcement of approved standard contracts, which we consider to be sufficient given the very limited personal data processed in the USA by Foxit.
- Our service with Plausible Analytics. It is likewise hosted in the EU and run out of their offices in Estonia.
- Our service with Xero. It is hosted on Amazon Web Services and is operated in New Zealand and the USA. New Zealand benefits from an “adequacy decision”, which means that the British government has assessed its data protection laws and considers that they offer sufficient protections without additional safeguards being necessary. Xero protects your personal data in the USA through entry into and enforcement of approved standard contracts, which we consider to be sufficient given the very limited personal data processed by Xero on our behalf.
Otherwise, we only send personal data overseas on our clients’ instructions or incidentally in the course of things like email correspondence with people based outside the UK.
Your rights and how to exercise them
UK and EU data protection laws give you certain rights over your personal data, which we summarise below. If you would like to exercise any of these rights, you can contact us using the details above.
Your right of access. You have a right to a copy of information that we hold about you. That right has certain exceptions designed to protect the rights of others. For example, we may decline to give you information on the grounds of client confidentiality or legal professional privilege.
Your right of correction. You have the right to have information about you corrected if it is factually inaccurate or incomplete.
Your right of erasure. In some limited circumstances, you have the right to have information about you deleted, generally if we no longer have a valid basis for keeping it.
Your right to have processing restricted. In some limited circumstances, chiefly in connection with a dispute or complaint about how we handle your data, you have the right to restrict what we do with that data.
Your right to object. If we are processing your personal data on the basis of our legitimate interests, then you have the right to object to that, and we must assess whether we have a good reason to continue which outweighs that objection. In the case of direct marketing (e.g. newsletters), your right to object is absolute.
Your right to data portability. If we are carrying out automated processing of information that you have given us, and we are doing that with your consent, then you have the right to have a copy of that data provided to you in a commonly-used electronic format.
Your right to complain. If you are unhappy with how we have handled your personal data, you have the right to complain to your local data protection authority, which in the UK is the Information Commissioner's Office. If you are based in the EU, then you can find the contact details for your local supervisory authority on the website of the European Data Protection Board.
You can read more about your rights on the ICO’s website.