Privacy policy.
Privacy Policy
Orange Grove Consultancy UK Limited t/a Orange Grove Law
Company number 9935867 | The Old Church, 32 Byron Hill Road, Harrow-on-the-Hill, Middlesex, HA2 0HY
info@orangegrovelaw.co.uk
Published April 2021. Last updated June 2026.
Privacy at a glance
WHO WE ARE:
Orange Grove Law, a UK law firm.
WHAT WE COLLECT:
Contact details, identity information, billing and payment data, and information about how you use our services and website.
WHY:
To provide legal services, comply with our regulatory obligations, prevent fraud, and run our business.
WHO WE SHARE WITH:
Service providers, professional advisers, regulators, and credit reference agencies — only where necessary.
HOW LONG WE KEEP IT:
As long as we need it for the purpose it was collected, or as required by law.
YOUR RIGHTS:
Access, correction, erasure, restriction, portability, objection, and rights in relation to automated decisions.
COMPLAINTS:
Contact us first. If unresolved, you can escalate to the Information Commission.
Privacy in detail
WHO WE ARE
We are Orange Grove Consultancy UK Limited, trading as Orange Grove Law (company number 9935867), with our registered office at The Old Church, 32 Byron Hill Road, Harrow-on-the-Hill, Middlesex, HA2 0HY. We are the controller of the personal data described in this policy. References to "we", "us" and "our" are to Orange Grove Law.
PERSONAL DATA WE COLLECT
We may collect and use the following personal data about you:
your name, contact details (including email address and telephone number), and company details;
to verify your identity, such as your date of birth;
billing, transaction, and payment card information;
your professional online presence (for example, a LinkedIn profile);
information from accounts you link to us;
information to carry out credit or other financial checks;
information about how you use our website and IT systems.
We collect most of this information directly from you — in person, by telephone, by email, or via our website. We may also collect information from publicly accessible sources (such as Companies House), from third parties (such as sanctions screening providers, credit reference agencies, and customer due diligence providers), and through automated monitoring of our technical systems.
For more information about our use of cookies, please see our cookie policy.
WHY WE USE YOUR PERSONAL DATA
Under data protection law, we must have a lawful basis for using your personal data. The summary below sets out what we use your data for and the basis on which we do so.
Purpose: Providing legal services to you
Legal basis: Performance of a contract with you, or steps taken at your request before entering into one
Purpose: Updating and maintaining your records
Legal basis: Contract performance; legal obligation; legitimate interests (keeping our records accurate)
Purpose: Verifying your identity and conducting anti-money-laundering checks
Legal basis: Legal obligation
Purpose: Screening for financial sanctions and embargoes
Legal basis: Legal obligation
Purpose: Complying with regulatory and professional obligations (including responses to regulatory enquiries and audits)
Legal basis: Legal obligation
Purpose: Statutory returns
Legal basis: Legal obligation
Purpose: Preventing and detecting fraud
Legal basis: Legitimate interests (protecting you and us from fraud and criminal activity); recognised legitimate interest (crime detection and prevention)
Purpose: Preventing unauthorised access to and modifications of our systems
Legal basis: Legitimate interests; legal obligation
Purpose: Ensuring business policies (e.g. security and acceptable use) are followed
Legal basis: Legitimate interests (sound internal governance)
Purpose: Statistical analysis and operational efficiency
Legal basis: Legitimate interests (running our business efficiently)
Purpose: Ensuring confidentiality of commercially sensitive information
Legal basis: Legitimate interests (protecting trade secrets); legal obligation
Purpose: Staff administration and safe working practices
Legal basis: Legitimate interests; legal obligation
Purpose: Marketing our services to existing and former clients, and to third parties who have expressed an interest in our services
Legal basis: Legitimate interests (promoting our business)
Purpose: Credit reference checks
Legal basis: Legitimate interests (assessing ability to pay)
Purpose: External audits and quality checks (e.g. ISO accreditation, accounts audit)
Legal basis: Legitimate interests (maintaining accreditations); legal obligation
A legitimate interest is a business or commercial reason to use personal data, provided it is not overridden by your own rights and interests. Where we rely on legitimate interests, we carry out an assessment to balance our interests against yours.
A recognised legitimate interest is a specific category of processing that data protection law identifies as inherently legitimate — for example, detecting or preventing crime, safeguarding national security, or responding to an emergency — where we are not required to carry out a separate balancing test. We only rely on this basis where it genuinely applies to our processing activities.
Special category data: where we process special category personal data (such as health data), we will also ensure we have an additional condition for doing so — most commonly your explicit consent, necessity to protect vital interests, or necessity to establish, exercise, or defend legal claims.
MARKETING
We may use your personal data to send you updates about our services by email, telephone, text, or post. We rely on our legitimate interests to do this and, for most communications, do not need your separate consent. Where consent is required, we will ask for it clearly.
You can opt out of marketing at any time by:
1. emailing us at info@orangegrovelaw.co.uk; or
2. using the unsubscribe link in any marketing email.
We will never share your personal data with third parties for their own marketing purposes.
WHO WE SHARE YOUR PERSONAL DATA WITH
We share personal data only where necessary. Recipients include:
service providers who help us deliver our services (for example, payment providers, IT systems providers, and legal consultants);
professional advisers, including our insurers, brokers, and bank;
credit reference agencies;
marketing agencies and website hosts;
external auditors;
law enforcement agencies and regulators, where we are legally required to do so;
third parties approved by you (for example, social media platforms you connect to your account); and
potential buyers of our business, on a confidential basis, in connection with a sale or restructuring.
We require all third-party service providers to protect your personal data and to use it only as we instruct.
OUR PROCESSORS
We use the following processors to help deliver our services. We have a written data processing agreement with each of them, as required by Article 28 of the UK GDPR.
Processor: Themis Solutions Inc.
Service: Cloud-based practice and case management system
Where your data is serviced: Primarily in the UK/EEA, with some processing in the United States by its sub-processors, subject to appropriate transfer safeguards (see International transfers below).
Processor: Microsoft (Microsoft 365)
Service: Cloud productivity, email and document storage
Where your data is processed: In the UK/EEA (our account is hosted in the UK/EEA). Microsoft may use sub-processors outside the UK in limited circumstances, subject to appropriate transfer safeguards (see International transfers below).
If you would like more detail about the recipients of your data, please contact us.
INTERNATIONAL TRANSFERS
We sometimes need to transfer your personal data outside the UK or EEA. When we do, we ensure that one of the following applies:
the destination country has been granted an adequacy decision by the UK government (a list of these countries is available at the ICO's international transfers page);
we have put in place appropriate safeguards, such as a UK International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission's standard contractual clauses; or
a specific exception under data protection law applies (for example, the transfer is necessary to perform our contract with you, or you have explicitly consented after being informed of the risks).
To request a copy of the relevant transfer safeguards, please contact us.
Some of our processors, including our practice management provider (Themis Solutions Inc.), may process your personal data outside the UK, including in the United States. Where they do, the transfer is protected by an adequacy decision (such as the UK Extension to the EU-US Data Privacy Framework, often called the UK-US data bridge) or by appropriate safeguards (the UK International Data Transfer Agreement, or the UK Addendum to the European Commission standard contractual clauses).
HOW LONG WE KEEP YOUR DATA
We keep your personal data for as long as we are providing services to you and, after that, for as long as we need it to:
respond to questions, complaints, or claims;
demonstrate that we treated you fairly; or
comply with our legal and regulatory record-keeping obligations.
Different retention periods apply to different categories of data. When we no longer need your data, we delete or anonymise it.
KEEPING YOUR DATA SECURE
We have appropriate technical and organisational measures in place to protect your personal data from accidental loss, unauthorised access, use, or disclosure. Access to your data is limited to those with a genuine business need. We have procedures for handling suspected data security breaches and will notify you and the Information Commission where we are legally required to do so.
YOUR RIGHTS
You have the following rights, which you can exercise free of charge:
Right: Access
What it means: To receive a copy of the personal data we hold about you
Right: Rectification
What it means: To ask us to correct inaccurate personal data
Right: Erasure
What it means: To ask us to delete your personal data in certain circumstances
Right: Restriction
What it means: To ask us to restrict our use of your personal data in certain circumstances
Right: Portability
What it means: To receive your personal data in a structured, machine-readable format, or to have it transferred to another controller, in certain circumstances
Right: Objection
What it means: To object to processing based on our legitimate interests, or to direct marketing at any time
Right: Automated decision-making
What this means: Where we take a significant decision about you based solely on automated processing, you have the right to be given information about it, to make representations, to obtain human involvement from us, and to contest the decision. Stricter conditions apply where such a decision involves special category data.
To exercise any of these rights, please contact us with enough information to identify you and describe your request. For further information, see the Information Commission's guidance on individuals' rights.
HOW TO COMPLAIN
If you have a concern about how we use your personal data, please contact us first (see below). We take all such concerns seriously, will acknowledge your complaint within 30 days, investigate it, and tell you the outcome without undue delay.
If you remain dissatisfied, you have the right to complain to the Information Commission (which has replaced the Information Commissioner's Office under the Data (Use and Access) Act 2025) or another relevant data protection supervisory authority:
Online: ico.org.uk/make-a-complaint
Telephone: 0303 123 1113
CHANGES TO THIS POLICY
We may update this policy from time to time. When we do, we will publish the updated version on our website and, where appropriate, notify you directly.
HOW TO CONTACT US
To contact us about this policy, to exercise your rights, or to raise a complaint:
Orange Grove Consultancy UK Limited t/a Orange Grove Law
The Old Church, 32 Byron Hill Road, Harrow-on-the-Hill, Middlesex, HA2 0HY
info@orangegrovelaw.co.uk
DO YOU NEED THIS NOTICE IN ANOTHER FORMAT?
If you would like this notice in a different format (for example audio, large print, or braille), please contact us using the details above.