







Privacy Policy
Who we are
We’re Plume Law Limited, a limited company registered in England and Wales under company number 12666099, and we’re registered as a ‘controller’ with the Information Commissioner’s Office under number ZB048191 in relation to the personal data we hold as a business.
Our obligations
We’re required to handle personal data in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) and certain other regulations.
We must ensure that the personal data we hold are:
- used lawfully, fairly and in a transparent way
- collected only for valid purposes that we’ve clearly told you about and not used for any purposes that aren’t compatible with those purposes
- relevant and limited to what’s necessary for the purposes we’ve told you about
- accurate and kept up to date
- kept only for as long as necessary for the purposes we’ve told you about
- kept confidential and secure
To help comply with our obligations, this policy provides information about the personal data we collect, how we obtain it, what we use it for (and the legal basis we rely on for processing it), who we share it with and how long we retain it for the following categories of individual:
- Client
- Prospective client
- Watering Hole member
- An attendee at one of our events
- Visitor to our website
- Prospective employee
Where we store personal data
The core systems we use to provide our services are hosted on servers in the United Kingdom and the European Economic Area. In relation to client matters, we won’t transfer any personal data outside the United Kingdom or European Economic Area unless:
- you’re based outside the EEA
- you use an email provider or other communications service which is hosted (or co-located) on servers outside the EEA
- we need to communicate with someone outside the EEA
- the transfer is necessary to form or perform a contract with you or someone else where the contract is in your interests
- the transfer is necessary to establish, exercise or defend legal claims against us
- the transfer is occasional and necessary for the purposes of our compelling legitimate interests
- you give your consent to the transfer
In relation to marketing, we use Hubspot which is hosted on servers in the USA. Both companies have self-certified under the EU-US Privacy Shield framework and our agreements with them include a set of clauses approved by the European Commission to ensure an adequate level of protection for personal data.
How we keep personal data secure
We take information security very seriously and maintain Cyber Essentials certification. We have implemented several technical and organisational measures to protect the information and personal data we hold, including:
- Computers and other devices: All computers use BitLocker full-disk encryption and all mobile devices are owned and managed by us. We use Sophos Endpoint Security to protect against malware and viruses
- Email: We can enable email encryption on request, however by default, all emails are sent using ‘opportunistic TLS’ which encrypts the connection to your email provider, but not the message itself. We use software to protect against malware and phishing attacks (and you should too!)
- Cloud services: All cloud services that we use, including Microsoft Office 365, our document management system, onboarding platform and data room tools, are hosted on secure infrastructure which uses encryption in transit and, in most cases, encryption at rest
- Communications tools: We tend to use whatever communications tools are preferred by our clients. Our preferred tool is Microsoft Teams which encrypts data at rest and in transit (but not end-to-end, which few commercial video conferencing tools do). Where we record any calls or videos using Microsoft Teams, recordings will be encrypted at rest.
- Training: All our staff are trained on data protection and good information security practices.
Call recording and email monitoring
We don’t routinely record telephone or video calls. However sometimes it may be useful for us to do so, for example, to ensure that we’ve got a detailed record of your instructions or to help us make a detailed note of a discussion we’ve had with a barrister or expert witness. If you’re present on such calls, we’ll notify you in advance and give you an opportunity to object to a recording being made.
There may be circumstances where inboxes are shared between members of our team (for example, if someone is on holiday or long-term sick leave). We may also monitor inboxes for the purposes of ensuring compliance with our legal and regulatory obligations and internal policies on electronic communications.
Marketing
You may subscribe to receive our newsletter or, if you’re using an email address provided by your employer and you’re a ‘corporate subscriber’, we may add your details to our mailing list. You can unsubscribe from our newsletter at any time by clicking the ‘Unsubscribe’ link at the bottom of each email or by emailing us at hello@plume.law.
We use Hubspot to manage our email marketing campaigns. Hubspot uses tiny invisible images called ‘pixels’ that are contained within emails to enable us to see:
- whether you opened an email
- where in the world the device used to open the email was located (based on your device’s IP address)
- whether you shared the email on any social media platforms
- whether you marked the email as spam
- your overall level of engagement with our email marketing campaigns
We don’t use this information for any purposes, except that if it appears that you’re not opening our emails, we’ll automatically unsubscribe you from our mailing list.
Cookies
Our website uses small text files, called cookies, which are stored on your device when you access certain features of our website. You can find out more about the cookies used on our website and how you can control them by visiting this section of our policy.
Your rights
You’ve got several important rights in relation to the personal data we hold about you. The most relevant are:
- Access: You’ve the right to request access to and be provided with a copy of the personal data held about you together with certain information about the processing of such personal data to check that we’re holding it lawfully and processing it fairly
- Correction: You’ve the right to ask us to correct any inaccurate or incomplete personal data held about you
- Deletion: You’ve the right to ask us to delete or remove any personal data held about you where there’s no good reason for us to continue holding it or where you’ve exercised your right to object
- Restriction: You’ve the right to ask us to restrict how we hold your personal data, for example, to confirm its accuracy or our reasons for holding it
- Objection: You’ve the right to object to our holding of any personal data about you which is based on our legitimate interests or those of a third party based on your circumstances. You also have the right to object to our holding your personal data for direct marketing purposes.
Some of the above rights only apply in certain circumstances and may be subject to certain exemptions. For example:
- If we obtain your personal data from someone else in the course of seeking legal advice from us, this will be subject to legal professional privilege and, as we have a professional obligation to maintain the confidentiality of such personal data, you’re not entitled to be informed about our processing of your personal data or request a copy of it
- You don’t have any of the above rights where the disclosure of your personal data is required by law or an order of a court or tribunal
- You don’t have any of the above rights where disclosure of your personal data is necessary for the purpose of, or relates to, any current or prospective legal proceedings, is necessary for someone to obtain legal advice from us or is necessary for the purposes of establishing, exercising or defending our legal rights or those of our clients
You’ll not have to pay any fee to exercise any of the above rights, though we may charge a reasonable fee or refuse to comply with your request where permitted to do so by law. Where this is the case, we’ll let you know. To protect the confidentiality of your personal data we may ask you to verify your identity before fulfilling any request in relation to your personal data.
You’ve the right to complain if you’re not happy with how we have collected or used your personal data. We would hope to resolve any issues informally but, if we can’t, you also have the right to raise a complaint with the Information Commissioner’s Office (ICO).
Questions
If you’ve got any questions, or want to exercise any of your rights, please email us at hello@plume.law.
clients
What personal data do we collect?
- Biographical details (name, job title and other information about you or your role)
- Contact details (both private and work, where appropriate)
- Identity documents and supporting records (such as driving licence, passport, and proof of address)
- Business information (which may or may not include your personal data)
- Financial details (such as personal bank account details and records of transactions with us including invoices and credit notes)
- Records of communications with us (including emails, call history and audio/video recordings, where agreed with you in advance)
- Feedback and survey results
Where do we get your personal data from?
- If you’re our client, we’ll usually get your personal data directly from you
- If you work for our client, we may get your personal data from your colleagues, other professional advisers or other parties involved in a matter
What do we use your personal data for?
- Onboarding you, or the organisation you work for, as a client, including verifying your identity where required
- Performing our obligations and exercising our rights in line with our instructions and our terms of business
- Complying with our legal and professional obligations
- Telling you more about the services we provide by email
What is our lawful basis for using your personal data?
There are six available legal grounds for using personal data. The grounds relied upon by us for the above purposes are:
- We’ll use your contact details and identity documents to verify your identity in accordance with our legal obligation to do so under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (however, where you agree to us verifying your identity for our third party provider, we will do this based on your consent)
- If you’re our client, we’ll use your personal data to provide our services in line with your instructions and to manage the relationship between us, including invoicing and payment, under our contract with you (which includes our engagement letters, instruction forms and terms of business)
- If you work for our client, we’ll use your personal data to provide our services to the person or company that has employed or engaged you in line with our legitimate interests in providing our services
- In any case, we’ll use your personal data for our legitimate interests in complying with our legal and professional obligations, reviewing and improving the quality of the services we provide and how we provide them, sharing know-how internally and training our team and ensuring the security and stability of our systems
Who will we share your personal data with?
In addition to our staff (which may include self-employed consultants) and those providing technical services to us (such as cloud service providers that host our business systems), we may share your personal data with:
- Other parties and professional advisers involved in a matter, as necessary
- Government agencies such as HMRC, courts, tribunals, and law enforcement agencies, as appropriate
- Our solicitors’ regulator, the Solicitors Regulation Authority
- Debt collection agencies, where necessary
How long will we keep your personal data for?
We retain invoices, credit notes and supporting records for 6 years from the relevant invoice or credit note date.
We retain client files for 7 years from the date we close them (or 7 years from the date of initial contact if a matter is aborted). We may retain files for longer periods if requested by you or where we’ve a good reason to retain them for longer.
We retain identity documents for 5 years from the date on which our relationship ends or 5-10 years from the date that any related transaction completed, unless we’ve a good reason to retain them for longer.
potential clients
What personal data do we collect?
- Biographical details (name, job title and other information about you or your role, professional and personal interests)
- Contact details (both private and work, where appropriate)
- Business information (which may or may not include your personal data)
- Records of communications with us (including emails, call history and audio/video recordings, where agreed with you in advance)
- Other personal data which is provided to or inferred by us, for example, from access or dietary requirements
Where do we get your personal data from?
We’ll usually get your personal data directly from you, although we may also be provided with it from your colleagues, other professional advisers or referrers.
What do we use your personal data for?
- Communicating with you about our services in relation to your needs or those of someone else
- Inviting you to events we think may be of interest to you
- Telling you more about the services we provide by email
What is our lawful basis for using your personal data?
There are six available legal grounds for using personal data. The grounds relied upon by us for the above purposes are:
- We’ll communicate with you about our services in response to a request directly from you or made on your behalf by another person on the basis of our legitimate interests in responding to enquiries and developing our business
- If we obtained your email address in the course of discussions about providing our services to you and you are a business, we will email you based on our legitimate interests in marketing and promoting our services and events (see the Marketing section of our main Privacy Policy)
- In any case, we’ll use your personal data for our legitimate interests in complying with our legal and professional obligations, reviewing and improving the quality of the services we provide and how we provide them, sharing know-how internally and training our team and ensuring the security and stability of our systems
Who will we share your personal data with?
In addition to our staff (which may include self-employed consultants) and those providing technical services to us (such as cloud service providers that host our business systems), we may share your personal data with:
- External marketing agencies engaged by us, where necessary
How long will we keep your personal data for?
Where we have recorded any information about you or your enquiry in our CRM system, we will retain this information for 5 years from the date it was entered (although if you subsequently become a client, this information may be added to your client file and retained for a further 7 years from the date such file is closed).
We retain marketing contact details until you unsubscribe or object to receiving direct marketing from us, or we believe you’re no longer interested in receiving any marketing communications from us.
members of the Watering Hole
What personal data do we collect?
- Biographical details (name, job title and other information about you or your role)
- Contact details (both private and work, where appropriate)
Where do we get your personal data from?
We’ll usually get your personal data directly from you.
What do we use your personal data for?
- Sending you our email newsletter to provide information about us, our services, and our events
What is our lawful basis for using your personal data?
There are six available legal grounds for using personal data. The grounds relied upon by us for the above purposes are:
- We’ll send you our email newsletter based on your consent where you’ve subscribed to receive it or our legitimate interests where you’re using an email address provided by your employer and you’re a ‘corporate subscriber’
How long will we keep your personal data for?
We retain marketing contact details until you unsubscribe or object to receiving direct marketing from us, or we believe you’re no longer interested in receiving any marketing communications from us.
attendees at one of our events
What personal data do we collect?
- Biographical details (name, job title and other information about you or your role)
- Contact details (both private and work, where appropriate)
- Access or dietary requirements
- Photographs or video containing images of you (we’ll always tell you if we’re doing this in advance. If you’re part of a large group of people, this won’t represent your personal data; however if you’re part of a small group of people or you’re photographed or recorded individually, then it will)
- Feedback forms (which may be completed anonymously)
Where do we get your personal data from?
We’ll usually get your personal data directly from you, although we may get your personal data from your colleagues if they register you to attend an event on your behalf
What do we use your personal data for?
- Managing and running events
- Ensuring access and dietary requirements are met
What is our lawful basis for using your personal data?
There are six available legal grounds for using personal data. The grounds relied upon by us for the above purposes are:
- We’ll use your personal data in line with our legitimate interests in managing and running our events
- Where necessary, we may need to use your personal data to protect your vital interests, for example, if you suffer an allergic reaction, take ill or are injured at any of our events. We may ask for your consent to use your name in connection with any photographs, video or testimonials relating to an event
- We’ll also use your personal data to comply with our legal obligations, for example, under equality, health and safety laws
Who will we share your personal data with?
In addition to our staff (which may include self-employed consultants) and those providing technical services to us (such as cloud service providers that host our business systems), we may share your personal data with:
- Any person or organisation that we’re co-hosting an event with (where they will be a joint controller with us)
- Any event venue or catering provider
How long will we keep your personal data for?
We retain personal data about event attendees for a period of 6 months from the date of the event. If you’ve subscribed for our newsletter, then we will retain until you unsubscribe or object to receiving direct marketing from us, or we believe you’re no longer interested in receiving any marketing communications from us.
visitors to our website
What personal data do we collect?
- Your name and email address if you subscribe to our newsletter
- Technical data about the device used by you to access our website which we obtain through server logs and the use of cookies and similar technologies (see below), including the internet protocol (IP) address of the device and characteristics of such device
- Usage data about your visit, which we obtain through server logs and the use of cookies and similar technologies (see below), including the pages viewed by you, how you moved about our website and how you interacted with particular pages
We also collect and use aggregated data such as statistical or demographic data for any purpose. This aggregated data could be derived from your personal data but isn’t considered personal data as this data won’t directly or indirectly reveal your identity. We don’t combine aggregated data with other data in order to identify you.
Where do we get your personal data from?
We’ll get your personal data directly from you when you access our website
What do we use your personal data for?
- Sending you our email newsletter, where you’ve subscribed to receive it
- Administering and protecting our website through security monitoring, reporting and testing
- Improving and optimising our website and marketing
What is our lawful basis for using your personal data?
There are six available legal grounds for using personal data. The grounds relied upon by us for the above purposes are:
- We’ll rely on the consent you give when accepting non-essential cookies on our website to use your data for analytical and advertising purposes
- We’ll access our server logs based on our legitimate interests in protecting the security and stability of our website and understanding how our website is used by visitors
How does our website use cookies?
Our website uses small text files, called cookies, which are stored on your device when you access and use certain features of our website. Apart from those cookies which are strictly necessary for us to provide you with access to our website or any features that you’ve requested, we’ll only store cookies on your device if you’ve consented to this when you first access our website and every 90 days thereafter. As cookies are unique, we can use them to distinguish you from other users for the purposes described above, however we’ve configured our analytical cookies so that your IP address is anonymised.
Our website uses the following cookies (categorised based on guidance produced by the International Chamber of Commerce):
Who will we share your personal data with?
In addition to our staff (which may include self-employed consultants) and those providing technical services to us (such as cloud service providers that host our business systems), we may share your personal data with:
- External marketing agencies engaged by us, where necessary
How long will we keep your personal data for?
We retain our server logs for up to 12 months. We’ve configured all of the analytics and advertising tools that we use to anonymise the IP address of your device so that we can’t identify you and we may retain this data indefinitely.
We retain marketing contact details until you unsubscribe or object to receiving direct marketing from us, or we believe you’re no longer interested in receiving any marketing communications from us.
prospective employees
What personal data do we collect?
- Contact details (generally private only)
- Biographical details (name and any other information you choose to provide us with such as your date of birth, sex, gender or gender identity, marital status, dependants, disabilities, or medical conditions)
- Education and employment history (whether in your CV, job application or covering letter)
- Notes of your responses to questions raised at interview
- The results of any exercises or tests undertaken by you during the recruitment process
- References obtained from any previous employer(s)
- Receipts for travel expenses, where we have agreed to reimburse you for these
- Information we find about you online, such as public social media profiles
We may also collect, or you may choose to provide us with, the following “special categories of personal data” about you:
- Information about your race or ethnicity, religious beliefs or sexual orientation (whether or not indicated by your gender or gender identity)
- Information about your health, including any disability or medical condition
- Information about criminal convictions or offences
Where do we get your personal data from?
- We’ll usually get your personal data directly from you
- We may be provided with your personal data by a recruitment agency engaged by us to find candidates
- We’ll check the SRA and any other regulator (applicable to your role) website for details of any disciplinary or regulatory decisions that have been published about you in line with its Decision Publication Policy
- We’ll undertake anti-money laundering and credit checks through our third-party AML and identity checking provider for any solicitors, professional advisers or staff who will have access to our client systems
- We’ll undertake a basic Disclosure and Barring Service (DBS) check for all employees through an approved third-party DBS checking provider
- We may obtain personal data about you through social media platforms (to the extent your privacy settings enable us to view your profile or content that you’ve shared on them)
What do we use your personal data for?
- Undertaking and communicating with you about our recruitment and selection process
- Monitoring the effectiveness of our recruitment and selection policies and procedures for internal purposes
- Evaluating whether we need to provide appropriate adjustments during the recruitment and selection process
- Ensuring meaningful equal opportunity monitoring and reporting to the Law Society or the SRA (you will not be identified in any reports)
- Complying with our legal and professional obligations, to include checking your eligibility to work in the UK as required by immigration law
What is our lawful basis for using your personal data?
There are six available legal grounds for using personal data. The grounds relied upon by us for the above purposes are:
- We’ll review and consider your CV or application, take notes of any interviews, and communicate with you by any means in line with our legitimate interests in employing or engaging suitable staff as part of our recruitment and selection process
- We may take up references as part of the steps we need to take to enter into an employment or consultancy contract with you
- We’ll check the SRA website and undertake AML, identity and criminal records checks in line with our legal obligation to ensure that anyone working for us is entitled to work in the UK and is of good character and suitability to work within a regulated law firm
- If we review your social media profile, this will be based on our legitimate interests in ensuring the character and suitability of those working for us and protecting our reputation
Who will we share your personal data with?
In addition to our staff (which may include self-employed consultants) and those providing technical services to us (such as cloud service providers that host our business systems), we may share your personal data with:
- Any recruitment agency engaged by us to find candidates
- The Solicitors Regulation Authority
How long will we keep your personal data for?
If you’ve been successful, the personal data relating to your application will be transferred to your employment record and will be retained for a period of 6 years from the commencement of your employment, in the event that we have to review the basis on which you were employed.
If you’ve not been successful, we’ll immediately delete any information obtained for verification and vetting purposes and retain the personal data relating to your application for a period of 12 months after such decision has been made.
With your permission, we may retain your CV for a period of 12 months in the event that there are any future vacancies.