ARBOR LEGIS LTD
Effective date: 19 May 2026
1. Introduction
1.1 This Privacy Policy explains how ARBOR LEGIS LTD (“Arbor Legis“, “we“, “us” or “our“) collects, uses, discloses and protects personal data when you visit https://www.arborlegis.co.uk (the “Website“), contact us, or engage or enquire about our services.
1.2 We are a private limited company incorporated in England and Wales under company number 11634259, with registered office at 802 Sovereign Tower, 1 Emily Street, London, United Kingdom, E16 1XH. For the purposes of the UK General Data Protection Regulation (“UK GDPR“) and the Data Protection Act 2018, Arbor Legis is the controller of the personal data described in this Policy.
1.3 This Policy should be read together with our Cookie Policy (https://www.arborlegis.co.uk/cookie-policy) and our Terms of Service (https://www.arborlegis.co.uk/terms-of-service).
1.4 “Personal data” means any information relating to an identified or identifiable individual. We may update this Policy at any time by posting the revised version on the Website; the “Effective date” indicates when it was last changed. Where changes are material, we will take reasonable steps to bring them to your attention.
2. Personal data we collect
2.1 Information you provide to us, including when you complete the contact or “book a consultation” form, email us, or otherwise communicate with us: your name, organisation, job title, email address, telephone number, the subject and content of your message, and any other information you choose to provide.
2.2 Client and engagement information, where you become or seek to become a client: contact and identification details, beneficial ownership information, and information required to perform client due diligence, including identity verification, sanctions, source-of-funds and anti-money-laundering checks, together with information relevant to the services you request.
2.3 Technical and usage information, collected automatically when you visit the Website: IP address, device and browser type, operating system, referring URLs, pages viewed, and dates and times of access. This is collected through cookies and similar technologies as described in our Cookie Policy.
2.4 Information from third-party and public sources (see clause 4A), where relevant to client acceptance or the provision of our services.
2.5 We do not intend to collect special category data through the Website. Please do not submit such data, or any confidential or privileged information, through the Website (see our Terms of Service).
3. How and why we use personal data, and our legal bases
We process personal data only where we have a lawful basis under the UK GDPR. The bases we rely on are:
3.1 To respond to enquiries and consultation requests and assess potential engagements — necessary for our legitimate interests in operating and growing our business and responding to those who contact us, and/or to take steps at your request prior to entering into a contract.
3.2 To provide our services and administer client engagements, including correspondence, project delivery and billing — necessary for the performance of a contract with you or your organisation, and/or for our legitimate interests in managing client relationships.
3.3 To carry out client acceptance and due diligence, including identity verification and anti-money-laundering, sanctions and source-of-funds checks — necessary for compliance with our legal obligations and/or our legitimate interests in managing legal and regulatory risk.
3.4 To operate, secure and improve the Website, including analytics, troubleshooting and preventing fraud or misuse — necessary for our legitimate interests in maintaining a safe, functional and effective Website. Non-essential cookies are used only with your consent (see Cookie Policy).
3.5 To send business communications about our services where permitted — based on consent where required, or our legitimate interests in marketing to business contacts. You may opt out at any time (see clause 8).
3.6 To comply with legal, regulatory and professional obligations and to establish, exercise or defend legal claims — necessary for compliance with a legal obligation and/or our legitimate interests in protecting our rights.
3.7 Where we rely on legitimate interests, we have assessed that those interests are not overridden by your interests or fundamental rights and freedoms. You may request further information about this assessment using the contact details below.
4. Disclosure of personal data
4.1 We may disclose personal data to:
(a) our personnel, on a need-to-know basis;
(b) service providers and processors acting on our behalf, including website hosting and IT providers, communications and email providers, analytics providers, and identity-verification and due-diligence providers, all of whom are bound by appropriate confidentiality and data-protection obligations and may process personal data only on our documented instructions;
(c) our professional advisers, including lawyers, accountants and insurers, where reasonably necessary;
(d) regulators, supervisory authorities, law enforcement, courts or other public authorities, where required or permitted by law or to comply with our legal, regulatory or professional obligations; and
(e) a third party in connection with any actual or proposed reorganisation, merger, sale or transfer of our business or assets.
4.2 We do not sell personal data.
4A. Personal data obtained from other sources
4A.1 Where we do not collect personal data directly from you, we may obtain it from: identity-verification, sanctions-screening and due-diligence providers; public registers and official sources (including company and beneficial-ownership registries); sanctions and politically-exposed-person databases; your organisation, colleagues or representatives; and publicly available sources, including professional networking sites and websites.
4A.2 The categories of such data are those described in clause 2 (in particular clause 2.2), and we process them for the purposes and on the legal bases set out in clause 3 (in particular clauses 3.3 and 3.6).
5. International transfers
5.1 We are based in the United Kingdom and primarily process personal data within the UK. Where any service provider or recipient is located outside the UK, we transfer personal data only where the destination is subject to UK adequacy regulations, or where appropriate safeguards are in place (such as the International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism), together with a transfer risk assessment where required. You may request information about the safeguards applied using the contact details below.
6. Retention
6.1 We retain personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, regulatory, tax, accounting or professional requirements and to establish, exercise or defend legal claims. The periods below are general guidance; actual periods may vary where a longer or shorter period is required by law or is necessary for a specific matter.
Category of data | Indicative retention period | Basis |
Website enquiries / consultation requests not leading to an engagement | Up to 12 months from last contact, then deleted or anonymised | Legitimate interests |
Client engagement and matter records | For the duration of the engagement and up to 6 years after it ends | Contract; legitimate interests; limitation periods |
Anti-money-laundering and client due-diligence records | 5 years from the end of the business relationship or completion of the transaction | Legal obligation (Money Laundering Regulations 2017) |
Accounting, tax and billing records | 6 years from the end of the relevant financial year | Legal obligation |
Marketing contact data | Until you opt out or after a reasonable period of inactivity | Consent / legitimate interests |
Website technical and analytics data | As set out in our Cookie Policy | Consent / legitimate interests |
6.2 When personal data is no longer required, we securely delete or anonymise it.
7. Your rights
7.1 Subject to applicable law and certain exemptions, you have the right to: request access to your personal data; request rectification of inaccurate data; request erasure; restrict or object to processing (including processing based on legitimate interests, and direct marketing); request data portability; and, where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
7.2 To exercise any right, contact us using the dedicated channel in clause 11. We may need to verify your identity before responding. We will respond within the time limits required by law (generally one month, extendable by up to two further months for complex or numerous requests, in which case we will tell you). Exercising these rights is free of charge in most cases, although we may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive.
7.3 You have the right to lodge a complaint with the UK Information Commissioner’s Office (“ICO“) at https://ico.org.uk, by telephone on 0303 123 1113, or by post to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would, however, appreciate the opportunity to address your concerns before you approach the ICO.
8. Marketing
8.1 Where we send business communications about our services, you may opt out at any time by using the unsubscribe mechanism in the relevant communication or by contacting us. We will action opt-out requests promptly.
9. Automated decision-making and profiling
9.1 We do not make decisions producing legal effects concerning you, or similarly significantly affecting you, based solely on automated processing. Where we use automated tools (for example, for sanctions or due-diligence screening), any decision that significantly affects you is subject to meaningful human review before it is acted upon.
10. Security
10.1 We maintain appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. However, no transmission over the internet or method of storage is completely secure, and any transmission is at your own risk. Where we are legally required to do so, we will notify the relevant authority and, where applicable, affected individuals of a personal data breach.
11. How to contact us and exercise your rights
11.1 For any question about this Policy, about how we handle personal data, or to exercise your rights, please contact us, marking your communication “Data Protection / Privacy”:
ARBOR LEGIS LTD Email: info@arborlegis.co.uk Telephone: +44 7791 53 85 39 Address: 802 Sovereign Tower, 1 Emily Street, London, United Kingdom, E16 1XH
11.2 Marking your request as above helps us identify and prioritise it as a data-protection matter and respond within statutory time limits.
11.3 This Policy is governed by the law of England and Wales.
12. Children
12.1 The Website is intended for businesses and professionals and is not directed at children. We do not knowingly collect personal data from individuals under 18. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.