Free initial discussion available — freephone 0800 214 216
Call 0800 214 216 Free Discussion

Privacy Policy

Last updated: April 2026

This Privacy Policy explains how Curtis Legal Limited (“we”, “us”, “our”) collects, uses, stores, and protects your personal information. Curtis Legal Limited is a data controller registered with the Information Commissioner’s Office (ICO). We are authorised and regulated by the Solicitors Regulation Authority (SRA No. 450129).

We are committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Please read this policy carefully. If you have any questions, contact us using the details at the bottom of this page.

1. Who We Are

Curtis Legal Limited is a solicitors firm based at The Alder Suite, Mamhilad Park Estate, Torfaen, NP4 0HZ. We provide legal services in probate and estate administration, medical negligence, and personal injury.

Our data controller contact is Simon Jenkins, Director & Solicitor. You can contact us at:

2. What Personal Data We Collect

We may collect and process the following categories of personal data:

Information you provide to us directly

  • Your full name
  • Your contact details including address, telephone number and email address
  • Details of your legal matter, including information about deceased persons in probate matters
  • Financial information necessary to carry out your legal matter
  • Identity documents provided for anti-money laundering verification purposes
  • Information about third parties involved in your matter, such as other beneficiaries, defendants, or medical professionals

Information collected automatically when you use our website

  • Your IP address
  • Browser type and version
  • Pages visited and time spent on each page
  • How you arrived at our website (search engine, referral link etc.)
  • Device type and operating system

Special category data

In the course of providing legal services, particularly in medical negligence matters, we may need to process special category data including health and medical information. We will only process this data where we have a lawful basis to do so and where it is necessary for the provision of legal services.

3. How We Collect Your Personal Data

We collect personal data in the following ways:

  • When you complete our online enquiry form
  • When you contact us by telephone, email, or post
  • When you instruct us to act on your behalf
  • From third parties involved in your matter, such as medical experts, courts, or opposing parties
  • From publicly available sources, such as HM Land Registry or Companies House
  • Automatically through our website using cookies and analytics tools

4. Why We Process Your Personal Data — Our Lawful Basis

We must have a lawful basis for processing your personal data. Depending on the circumstances, we rely on the following bases:

Performance of a contract / taking steps prior to entering a contract

Where you have instructed us or are considering instructing us, we process your data to provide legal services and to take steps at your request before entering into a client agreement.

Legal obligation

We are subject to legal and regulatory obligations that require us to process personal data, including anti-money laundering obligations, SRA regulatory requirements, and obligations under the Proceeds of Crime Act 2002.

Legitimate interests

We process certain data on the basis of legitimate interests, including:

  • Managing and improving our website
  • Protecting our business and clients from fraud
  • Maintaining records of our legal work for professional indemnity purposes

Consent

Where we rely on consent — for example, for optional marketing communications — we will make this clear at the time of collection and you may withdraw your consent at any time.

5. How We Use Your Personal Data

We use your personal data for the following purposes:

  • To provide legal services to you
  • To communicate with you about your matter
  • To comply with our legal and regulatory obligations, including anti-money laundering checks
  • To manage our business and maintain our records
  • To process payments and manage our accounts
  • To improve our website and services
  • To protect against fraud and other criminal activity
  • To respond to enquiries submitted through our website or by other means

6. Who We Share Your Data With

We will only share your personal data where it is necessary and lawful to do so. We may share your data with:

  • Courts and tribunals — where required in the course of legal proceedings
  • Opposing parties and their legal representatives — where required in the course of your matter
  • Medical experts and other professionals — instructed to assist with your case
  • HM Revenue & Customs — in probate and estate administration matters
  • The Solicitors Regulation Authority — in the exercise of their regulatory functions
  • Our professional indemnity insurers — where necessary to manage claims or potential claims
  • IT service providers — who provide case management, storage, and communication services on our behalf under strict data processing agreements
  • Banks and financial institutions — where required to handle client funds

We do not sell your personal data to any third party. We do not share your data for marketing purposes without your explicit consent.

7. International Data Transfers

We aim to keep your data within the UK wherever possible. Where we use third-party services that may transfer data outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR requirements, such as standard contractual clauses or adequacy decisions.

8. How Long We Keep Your Data

We retain personal data for as long as necessary to fulfil the purposes for which it was collected and to comply with our legal and regulatory obligations. Our standard retention periods are:

  • Client matter files: 7 years from the conclusion of the matter, in line with SRA guidance and limitation periods
  • Financial records: 7 years in accordance with HMRC requirements
  • Anti-money laundering records: 5 years from the end of the business relationship
  • Website enquiries that did not result in instructions: 12 months
  • Website analytics data: 26 months (as set by Google Analytics default)

After the relevant retention period, data is securely deleted or anonymised.

9. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — You have the right to request a copy of the personal data we hold about you (a Subject Access Request)
  • Right to rectification — You have the right to ask us to correct inaccurate or incomplete personal data
  • Right to erasure — In certain circumstances, you have the right to ask us to delete your personal data
  • Right to restrict processing — In certain circumstances, you have the right to ask us to restrict how we process your data
  • Right to data portability — Where processing is based on consent or contract, you have the right to receive your data in a structured, machine-readable format
  • Right to object — You have the right to object to processing based on legitimate interests
  • Rights in relation to automated decision-making — You have the right not to be subject to solely automated decisions that have a significant effect on you

To exercise any of these rights, please contact us using the details below. We will respond within one month. We may need to verify your identity before processing your request.

Please note that some rights are subject to exceptions. For example, we may not be able to delete data that we are legally required to retain.

10. Cookies

Our website uses cookies. For full information about the cookies we use and how to control them, please see our Cookie Policy.

11. Security

We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, destruction, or alteration. These measures include:

  • Secure, encrypted connections (HTTPS) on our website
  • Access controls limiting who within our firm can access client data
  • Secure case management systems
  • Staff training on data protection and information security
  • Regular review of our security practices

If you suspect that your personal data has been compromised, please contact us immediately.

12. Links to Other Websites

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to read their privacy policies before providing any personal data to them.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated “last updated” date. Where changes are significant, we will make this clear on our website. We encourage you to review this policy periodically.

14. How to Complain

If you are unhappy with how we have handled your personal data, please contact us in the first instance so we can try to resolve your concern. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

15. Contact Us

For any questions about this Privacy Policy or to exercise your data protection rights, please contact us: