Privacy Policy
Last updated: 30 April 2026
1. Introduction
This Privacy Policy explains how Law Street Ltd collects, uses, shares and protects personal data when you use LawStreet at lawstreet.co.uk.
It also explains your rights under UK data protection law, including the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
We are committed to handling personal data fairly, lawfully and transparently.
2. Who we are
The data controller for personal data collected through LawStreet is:
Law Street Ltd
Company number: 16123633
Registered office: 85 Great Portland Street, First Floor, London, W1W 7LT
ICO registration: ZC124777
In this Privacy Policy, LawStreet, we, us and our mean Law Street Ltd.
If you have questions about how we handle personal data, you can contact us at:
Email: [email protected]
In most cases, Law Street Ltd acts as a controller of personal data processed through LawStreet. Where solicitor firms, law firms or legal services providers add content about their staff, team members, clients or other individuals, the relevant firm is responsible for ensuring that it has the necessary rights, permissions and lawful basis to provide that personal data to us for publication or use on LawStreet.
3. Key terms used in this policy
Account data means information connected with a LawStreet account, such as name, email address, password hash, account status and account activity.
Firm Content means content, information, data or materials added, uploaded, submitted, edited, approved or published by or on behalf of a solicitor firm, law firm or legal services provider. This may include logos, photographs, team member information, biographies, testimonials, service descriptions, pricing information, accreditations, calls to action and other profile content.
Third-Party Data means data, content or information obtained from third-party sources and displayed, referenced or used on LawStreet. This may include data from regulators, public bodies, government agencies, ombudsman schemes, legal aid sources, legal directories, review platforms, accreditation bodies and other external sources, including data sourced from the Solicitors Regulation Authority or the SRA register.
4. What personal data we collect
The personal data we collect depends on how you use LawStreet.
4.1 Browsing the Website
When you visit lawstreet.co.uk, we may collect technical and usage data, including:
- IP address;
- browser type and version;
- device type;
- operating system;
- pages visited;
- timestamps;
- referring URL;
- page URL and query string;
- response status;
- browser user-agent; and
- basic security and server log information.
We use this information to operate the Website, understand how it is used, improve search and content, monitor performance, and protect the Website from fraud, abuse and security threats.
4.2 Cookies and analytics
If you consent to analytics cookies, we may use Google Analytics and analytics tags loaded through Google Tag Manager where applicable. These tools may collect usage data such as page views, interactions and navigation paths.
We also use first-party server-side analytics to understand how the Website is used. Raw server-side analytics events may include IP address, page URL, query string, referring URL, browser user-agent, response status and timestamp. We keep raw events for a limited period and then aggregate them into anonymous statistics, such as per-day visit counts, top pages, search counts and per-firm engagement totals.
Our Cookies Policy provides more information about the cookies and similar technologies we use.
4.3 Creating an account
When you create a LawStreet account, we collect:
- first name;
- last name;
- email address;
- password; and
- account settings and activity.
Your password is stored using one-way cryptographic hashing. We cannot read your password.
4.4 Claiming a firm profile
When you submit a claim to manage a firm profile, we collect information needed to review and manage the claim, including:
- your name;
- email address;
- phone number;
- role at the firm;
- organisation being claimed;
- date and status of the claim;
- verification and review information; and
- internal notes relating to the claim.
We use this information to assess whether you are authorised to act on behalf of the relevant organisation and to manage access to the firm portal.
4.5 Managing a firm profile
If your claim is approved, you may add Firm Content to your firm's public profile.
Firm Content may include personal data, such as:
- team member names;
- job titles;
- biographies;
- contact details;
- photographs;
- SRA identification numbers;
- testimonials;
- accreditations;
- service information; and
- pricing or profile information linked to individuals.
Some Firm Content may be published on your firm's public profile page or otherwise displayed on LawStreet.
You must not add confidential client information, legally privileged information, special category personal data, or information about identifiable client matters unless there is a lawful basis, the relevant rights and permissions are in place, and publication is lawful and professionally appropriate.
4.6 Subscriptions and payments
If you upgrade to a paid subscription, payments are processed by Stripe or another payment provider we appoint.
We do not collect or store full payment card details.
Payment providers may collect and process information such as:
- name;
- email address;
- billing details;
- payment method information;
- transaction details; and
- fraud-prevention and compliance information.
We may store payment-related identifiers and subscription information, such as Stripe customer IDs, subscription IDs, invoice IDs, payment status, billing cycle and webhook event records, so we can manage subscriptions and billing.
4.7 Contacting us, complaints and support
If you contact us by email, contact form, complaint form, support request or another channel, we collect the information you provide, which may include:
- name;
- email address;
- phone number;
- organisation;
- message content;
- attachments;
- correspondence history; and
- any other information you choose to provide.
4.8 Marketing preferences
We may collect and record your marketing preferences, including whether you have opted in, opted out, unsubscribed or otherwise changed your marketing settings.
We may send marketing communications where permitted by law. This may include sending marketing emails with your consent, or relying on our legitimate interests for business-to-business marketing where the law allows. You can opt out of marketing emails at any time by using the unsubscribe link in the email or by contacting us.
4.9 Third-Party Data
Some personal data displayed or used on LawStreet may come from Third-Party Data sources rather than directly from you.
This may include publicly available or externally sourced information about solicitors, firms, staff, office locations, regulatory status, authorisations, accreditations, reviews, legal aid information, ombudsman information, disciplinary or regulatory information, or legal service provision.
Where Third-Party Data is inaccurate, incomplete or out of date, you may need to contact the original source to correct the source data.
4.10 Data we do not intentionally request
We do not intentionally ask you to provide special category data, such as health information, ethnicity, political opinions, religious beliefs or trade union membership.
You should not include special category data, confidential client information, legally privileged information or detailed information about identifiable client matters when using LawStreet, unless there is a lawful basis, the relevant rights and permissions are in place, and it is lawful and professionally appropriate to do so.
We do not collect or store full payment card numbers or bank account details. These are handled by our payment provider.
5. How we use personal data and our lawful bases
Under UK GDPR, we must have a lawful basis for each use of personal data. The table below explains how we use personal data and the lawful bases we rely on.
| Processing activity | Lawful basis |
|---|---|
| Creating and maintaining accounts, verifying email addresses, authenticating users and providing account features | Contract, where necessary to provide the account service; legitimate interests for security, administration and fraud prevention |
| Processing firm profile claims, reviewing authority, notifying users of claim outcomes and managing firm portal access | Contract, where necessary to provide the service requested by the organisation or account user; legitimate interests in ensuring profiles are managed only by authorised representatives |
| Managing subscriptions, billing, invoices, payment status and payment-provider records | Contract; legal obligation for accounting and tax records |
| Displaying Firm Content on firm profiles, including team profiles, testimonials, images, service descriptions and pricing information | Contract, where necessary to provide the service to the organisation or account user; legitimate interests, where we display firm-supplied profile information about other people, such as team members, subject to the firm confirming it has the necessary rights, permissions and lawful basis |
| Displaying, organising, indexing, ranking and making searchable Third-Party Data about solicitor firms, law firms and legal services providers | Legitimate interests: making relevant publicly available or externally sourced information about legal services providers accessible, searchable and useful to users |
| Displaying regulatory-status notices, warnings, profile visibility changes or other information derived from Third-Party Data | Legitimate interests: helping users understand relevant profile information and maintaining the accuracy, safety and usefulness of LawStreet |
| Sending transactional or service emails, including account verification, password resets, claim confirmations, claim decisions, subscription notices, payment notices and security messages | Contract; legitimate interests for service administration and security |
| Sending marketing communications about LawStreet, including product updates, firm profile features and subscription services | Consent where required; legitimate interests for business-to-business marketing where permitted by law. You can opt out at any time |
| Analytics cookies and tags, including Google Analytics loaded through Google Tag Manager where applicable | Consent |
| First-party server-side analytics, including understanding visitor numbers, page popularity, search performance and outbound engagement with firm profiles | Legitimate interests: understanding how the Website is used so we can improve content, search, user experience and firm listings |
| Maintaining site security, preventing fraud and abuse, detecting attacks and protecting systems | Legitimate interests |
| Responding to enquiries, support requests, complaints and rights requests | Legitimate interests; legal obligation where applicable |
| Handling content concerns, rights complaints, data accuracy issues and profile disputes | Legitimate interests; legal obligation where applicable |
| Keeping financial, company and tax records | Legal obligation |
| Responding to lawful requests from regulators, law enforcement, courts or competent authorities | Legal obligation |
| Establishing, exercising or defending legal claims | Legitimate interests; legal obligation where applicable |
Where we rely on legitimate interests, we have considered whether our interests are overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests, as explained below.
6. Who we share personal data with
We do not sell personal data.
We may share personal data with the following categories of recipients. Some act as processors on our behalf, while others may act as independent controllers depending on the service they provide.
- Payment providers, such as Stripe, for payment processing, subscription management, invoices, fraud prevention and compliance. Payment providers may also process personal data as independent controllers for their own legal, regulatory, fraud prevention and compliance purposes, as explained in their privacy notices.
- Cloud hosting, infrastructure and content delivery providers, to host the Website, store uploaded files, deliver pages and maintain security.
- Email service providers, to send transactional, service and marketing emails where permitted.
- Analytics providers, where analytics cookies or tags are used with consent.
- Cookie consent and tag-management providers, where used to manage cookie preferences and analytics tags.
- Scheduling or demo-booking providers, where you choose to book a call or demo through the Website.
- Professional advisers, such as accountants, lawyers, insurers and auditors, where necessary for business, legal, financial or compliance purposes.
- Regulators, public authorities, law enforcement, courts or competent authorities, where required by law or where disclosure is necessary to protect our rights, users, firms or others.
- Business transfer recipients, if Law Street Ltd is involved in a merger, acquisition, reorganisation, investment, sale of assets or similar transaction.
We may also share or publish personal data where it forms part of Firm Content or Third-Party Data displayed on LawStreet in accordance with this Privacy Policy, our Terms and Conditions and, where applicable, the Firm Terms of Service.
7. International data transfers
LawStreet is based in the United Kingdom.
Some of our service providers may process personal data outside the United Kingdom. Where personal data is transferred internationally, we use appropriate safeguards where required by law.
Where a US recipient is certified under the UK Extension to the EU-US Data Privacy Framework, we may rely on the UK-US Data Bridge.
Where the UK-US Data Bridge or another adequacy arrangement does not apply, we may rely on the International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism.
You can contact us for more information about the safeguards in place for a specific transfer.
8. How long we keep personal data
We keep personal data only for as long as necessary for the purposes for which it was collected, or as required for legal, regulatory, accounting, tax, security, dispute-resolution or operational reasons.
Our usual retention periods are:
| Data | Retention period |
|---|---|
| Account data, including name, email address, password hash and account settings | Life of the account, then deleted or anonymised within a reasonable period unless needed for legal, security, dispute-resolution or record-keeping purposes |
| Claim records, including contact name, phone number, role, claim status and admin notes | Life of the account plus up to 6 years where needed for audit, dispute-resolution, fraud prevention or legal claims |
| Subscription and billing records, including Stripe IDs, invoice data and payment records | 6 years after the end of the relevant financial year, or longer where required for legal, tax, accounting or dispute-resolution purposes |
| Firm Content, including team profiles and profile information | Life of the account or until deleted by the organisation, subject to legal, regulatory, operational, technical, dispute-resolution and record-keeping requirements |
| Firm Content removed from public display | May remain in backups, logs or internal records for a limited period, or longer where needed for legal, regulatory, security, dispute-resolution or record-keeping purposes |
| Contact, support and complaint correspondence | Usually 2 years after resolution, unless a longer period is needed for legal, regulatory, dispute-resolution or record-keeping purposes |
| Server and security logs | Usually 90 days, unless a longer period is needed for security, investigation, fraud prevention or legal reasons |
| First-party server-side analytics raw events | Usually 90 days, after which raw events are deleted or aggregated into anonymous statistics |
| Aggregated anonymous analytics statistics | May be kept indefinitely for trend analysis, service improvement and reporting |
| Google Analytics data | Usually 14 months, unless changed in our analytics settings |
| Cookie consent preference | Usually 1 year, after which the banner may reappear |
| Marketing preference and suppression records | Until you change your preference, or longer where needed to maintain a suppression list and respect opt-outs |
When personal data is no longer needed, we securely delete or anonymise it. If deletion is not immediately possible, for example because data is held in backups, we will protect it from further routine use until deletion occurs in line with our backup processes.
9. Your rights
Under UK data protection law, you have rights in relation to your personal data. These rights are not absolute and may be subject to legal exemptions, but we will explain our reasoning if we cannot fulfil a request.
You have the following rights:
- Right to be informed — this Privacy Policy explains how we use personal data.
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct inaccurate or incomplete personal data.
- Right to erasure — you can ask us to delete your personal data in certain circumstances.
- Right to restrict processing — you can ask us to temporarily restrict processing in certain circumstances.
- Right to data portability — where we process your data on the basis of consent or contract and by automated means, you can request a copy in a structured, commonly used and machine-readable format.
- Right to object — you can object to processing based on legitimate interests. You have an absolute right to object to direct marketing at any time.
- Right to withdraw consent — where we rely on consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Rights relating to automated decision-making — you have rights in relation to certain automated decisions that have legal or similarly significant effects. We do not currently use automated decision-making of this kind.
You can exercise your rights by contacting us at:
Email: [email protected]
We may need to verify your identity before responding to a request. We will usually respond within one month. If a request is complex or we receive a number of requests from you, we may take up to three months, but we will let you know if this applies.
If you are not satisfied with how we handle your request, you have the right to complain to the Information Commissioner's Office ("ICO"):
Website:
ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe
House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would appreciate the opportunity to address your concerns before you contact the ICO.
10. Data security
We take appropriate technical and organisational measures to protect personal data.
These measures may include:
- HTTPS encryption in transit;
- one-way password hashing;
- access controls;
- restricted access to personal data on a need-to-know basis;
- software updates and patching;
- monitoring for misuse, fraud and security threats;
- firewall and DDoS mitigation; and
- using reputable hosting, payment and infrastructure providers.
Payment card data is handled by our payment provider and does not pass through or remain on our servers.
No system is completely secure. If you believe your data or account has been compromised, please contact us promptly at [email protected].
11. Children
LawStreet is not directed at children under 18. The firm portal and subscription services are intended for business users.
We do not knowingly collect personal data from children. If we discover that we have collected personal data from a child, we will delete it where appropriate.
12. Third-party links
LawStreet may contain links to third-party websites and resources, including solicitor firm websites, regulator websites, public body websites, review platforms, legal directories and other external sites.
We are not responsible for the privacy practices of third-party websites or resources. You should read their privacy policies before providing them with personal data.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, services or legal requirements.
When we make changes, we will update the "last updated" date at the top of this page.
For significant changes, we may provide a more prominent notice on the Website or contact you where appropriate.
We encourage you to review this Privacy Policy periodically.
14. Contact us
If you have questions about this Privacy Policy or how we handle personal data, please contact us:
Email: [email protected]
Post: Law Street Ltd, 85 Great Portland Street, First Floor, London, W1W 7LT