Privacy Policy
Last updated: 1 April 2026
1. Introduction
Safe Harbour Legal ("we", "our", or "us") is committed to protecting your privacy and handling your personal data transparently. This Privacy Policy explains how we collect, use, store, and safeguard your information when you visit our website (www.safeharbour.legal), subscribe to our newsletter, or make an enquiry through this website.
Safe Harbour Legal is the trading name used by Aaron Johnson, Consultant Solicitor. Aaron practises under the authorisation of Legal Studio Solicitors, which is a trading name of MDLS Solicitors Limited — authorised and regulated by the Solicitors Regulation Authority (SRA ID 598793). MDLS Solicitors Limited is registered in England & Wales (Company No. 08599445).
Scope of this policy: This Privacy Policy covers personal data collected through the safeharbour.legal website, including enquiry forms, questionnaires, newsletter signups, and guide downloads. For client data processed in connection with legal matters, MDLS Solicitors Limited (trading as Legal Studio Solicitors) is the data controller. Clients receive a separate privacy notice as part of their client care documentation. MDLS Solicitors Limited's full privacy policy is available at legalstudio.co.uk/privacy-policy.
This policy is issued in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
2. Data Controller
For personal data collected through this website (enquiries, newsletter signups, questionnaires), the data controller is:
MDLS Solicitors Limited
Trading as Legal Studio Solicitors / Safe Harbour Legal
The Tannery, 91 Kirkstall Road
Leeds, LS3 1HS
United Kingdom
ICO Registration: ZA057790
For queries about data collected through this website or newsletter, please contact:
Aaron Johnson — Safe Harbour Legal
Please reference "Data Protection" in your subject line.
For queries about client data processed in connection with legal matters, please contact the MDLS Solicitors Limited Data Protection Officer:
3. How We Collect Your Data
We collect personal data through the following means:
- Website forms: Enquiry forms, questionnaires (Wills, Probate, Lasting Powers of Attorney, general enquiry), and discovery call booking forms
- Newsletter signup: Footer subscription form and guide download forms on our website
- Phone and email: When you contact us by phone or email to make an enquiry
- Client portal: When you use our secure client portal (LawConnect) to share documents with us
- In-person consultations: When you meet with us to discuss your legal matter
- Public sources: Where necessary for your legal matter (e.g., Land Registry, probate registries, Companies House)
4. Information We Collect
We may collect the following categories of personal information:
- Contact information: Name, email address, phone number, postal address
- Legal matter information: Details about your legal enquiry, family circumstances, beneficiaries, executors, attorneys, and related parties
- Identity verification documents: Passport, driving licence, utility bills, and bank statements — collected for anti-money laundering compliance via electronic verification (eCos) or certified copies
- Financial information: Asset values, property details, and estate information where relevant to your legal matter
- Technical data: IP address, browser type, device information, and pages visited — collected automatically via server logs
- Marketing preferences: Your consent status and preferences for receiving communications from us
- Consent records: The text you consented to, the date and time of consent, and the method of collection — retained for audit purposes
5. Legal Basis for Processing
Under UK GDPR Article 6, we must have a lawful basis for processing your personal data. The bases we rely on are:
| Purpose | Legal Basis | GDPR Article |
| --- | --- | --- |
| Providing legal services | Performance of a contract | Art 6(1)(b) |
| Responding to enquiries | Pre-contractual steps / legitimate interests | Art 6(1)(b) / (f) |
| Anti-money laundering and identity checks | Legal obligation (Money Laundering Regulations 2017) | Art 6(1)(c) |
| SRA regulatory compliance | Legal obligation | Art 6(1)(c) |
| Sending newsletters and marketing emails | Consent (explicit opt-in) | Art 6(1)(a) |
| Website server logs | Legitimate interests (security and performance) | Art 6(1)(f) |
| Invoicing and financial records | Legal obligation (HMRC requirements) | Art 6(1)(c) |
6. How We Use Your Information
We use your personal information to:
- Provide legal services and respond to your enquiries
- Process and manage your legal matters
- Carry out conflict of interest checks
- Verify your identity in accordance with anti-money laundering legislation
- Comply with legal, regulatory, and professional obligations (including SRA requirements)
- Share documents with you securely via our client portal
- Send invoices and process payments
- Send you relevant legal updates and information about our services (with your consent)
- Improve our website and services
7. Newsletter and Mailing List
If you subscribe to our newsletter or mailing list via our website, we collect your email address and record your explicit consent (including the consent text and a timestamp) for audit purposes.
Newsletter subscriber data is managed through MailerLite (UAB MailerLite, registered in Lithuania, EU). MailerLite stores data on servers within the European Union and operates in compliance with GDPR. We have a Data Processing Agreement (DPA) in place with MailerLite.
Important:
- Only individuals who voluntarily sign up via our website are added to our mailing list.
- We do not add Legal Studio client data or any data from internal client databases to MailerLite.
- Newsletter data is kept entirely separate from our legal case management systems.
- You can unsubscribe at any time using the link in every email, or by contacting us directly.
- Upon unsubscription, your data is removed from our active mailing list within 30 days.
We only send marketing emails to individuals who have given explicit opt-in consent, in compliance with the Privacy and Electronic Communications Regulations 2003 (PECR).
8. Data Processors and Third-Party Sharing
We share your personal data only where necessary to provide our services or comply with legal obligations. The following third parties may process your data on our behalf:
- LEAP Legal Software: Case management, client records, and matter files. UK-based. Data Processing Agreement in place.
- LawConnect: Secure client portal used to share documents during a matter. UK-based. Data Processing Agreement in place.
- MailerLite: Email marketing platform for newsletter subscribers only. EU-based (Lithuania). Data Processing Agreement in place. See Section 7 above.
- Netlify: Website hosting and server logs. Server logs (containing IP addresses) are retained for 90 days for security purposes. Standard Contractual Clauses in place.
- Resend (Email Delivery): Email delivery for form submission notifications. Email addresses and message content are processed transiently for delivery only and not stored beyond delivery. Data Processing Agreement in place.
Sanity CMS is used for website content management but does not process personal data. Google Fonts are self-hosted via our website framework (Next.js) — no requests are made to Google servers and no personal data is transferred to Google.
Note: Client matter data held within LEAP and LawConnect is controlled by MDLS Solicitors Limited (trading as Legal Studio Solicitors) and is governed by their privacy policy, not this website privacy policy. For details, see legalstudio.co.uk/privacy-policy.
We may also disclose your information to regulatory bodies (including the SRA, HMRC, and courts) where required by law or in connection with your legal matter (e.g., HM Courts & Tribunals Service, the Office of the Public Guardian, or the Land Registry).
We do not sell, rent, or trade your personal information to third parties.
9. International Data Transfers
Most of our data processors operate within the United Kingdom or the European Economic Area (EEA). Where personal data is processed outside the UK or EEA, appropriate safeguards are in place.
Google Fonts are self-hosted, eliminating any data transfer to Google. Where Netlify processes server logs on infrastructure outside the EEA, appropriate safeguards (UK International Data Transfer Agreement or Standard Contractual Clauses) are in place to ensure an equivalent level of protection for your personal data.
Resend (a US-based email delivery service) processes email addresses transiently for form submission notifications only. Email content is not stored by Resend beyond delivery. Standard Contractual Clauses are in place and Resend's Data Processing Agreement governs this processing.
10. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are:
| Data Type | Retention Period |
| --- | --- |
| General enquiries (no engagement) | 12 months, then securely deleted |
| Newsletter subscribers | Until unsubscribe, plus 30 days for removal |
| Client matter files — Wills and Trusts | 15 years from completion (SRA guidance) |
| Client matter files — Probate | 12 years from completion |
| Client matter files — LPAs | 6 years from completion |
| AML / identity verification records | 5 years from end of relationship (MLR 2017) |
| Financial records and invoices | 7 years (HMRC requirement) |
| Website server logs | 90 days |
| Complaints records | 6 years from resolution |
| Consent records | Duration of processing, plus 6 years |
After the applicable retention period, data is securely destroyed in accordance with our data destruction procedures. Original documents (such as signed Wills) are returned to you or stored as separately agreed.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These include:
- Encrypted data transmission (HTTPS/TLS) across our website and all communications
- Secure client portal (LawConnect) for document exchange — avoiding transmission of sensitive documents by email
- Access controls ensuring only authorised personnel can access your data
- Password protection and multi-factor authentication on all systems containing personal data
- Regular review and updating of security measures
- Staff training on data protection and information security
- Secure destruction of paper records when no longer required
- Compliance with SRA requirements for information security
12. Cookies and Tracking
This website uses only strictly necessary cookies required for the website to function correctly (e.g., session management). We do not use:
- Analytics cookies (e.g., Google Analytics)
- Advertising or retargeting cookies
- Third-party tracking cookies
- Social media tracking pixels
As we only use strictly necessary cookies, a cookie consent banner is not required under PECR. You can control cookies through your browser settings at any time.
13. Your Rights Under UK GDPR
Under the UK GDPR and Data Protection Act 2018, you have the following rights:
- Right of access (Subject Access Request) — You can request a copy of the personal data we hold about you.
- Right to rectification — You can ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — You can request deletion of your data, subject to our legal obligations to retain certain records (see Section 10).
- Right to restrict processing — You can ask us to limit how we use your data in certain circumstances.
- Right to data portability — You can request your data in a structured, commonly used, machine-readable format.
- Right to object — You can object to processing based on legitimate interests or to direct marketing at any time.
- Right to withdraw consent — Where we process your data based on consent (e.g., newsletter), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent for newsletters, use the unsubscribe link in any email or contact us directly.
- Rights related to automated decision-making — See Section 14 below.
To exercise any of these rights, contact us at aaron@safeharbour.legal or write to us at the address in Section 2. We will respond within one month of receiving your request. In most cases, there is no fee. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on it, and we will explain why.
14. Automated Decision-Making
We do not use automated decision-making or profiling as defined in Article 22 of the UK GDPR. All decisions affecting your legal matter are made by qualified solicitors. No algorithms or automated systems are used to make decisions that produce legal effects or significantly affect you.
15. Children's Data
Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. Where we process information about children in connection with a client's legal matter (for example, naming guardians in a Will), this is done on the basis of the instructing client's consent and in the child's best interests.
If you believe we have inadvertently collected personal data from a child without appropriate consent, please contact us immediately.
16. Electronic Communications (PECR)
We comply with the Privacy and Electronic Communications Regulations 2003 (PECR) in all our electronic marketing activities:
- We only send marketing emails to individuals who have provided explicit opt-in consent
- Every marketing email includes a clear and functional unsubscribe mechanism
- We do not make unsolicited marketing calls
- We do not send unsolicited marketing text messages
- We honour all unsubscribe requests promptly
17. Complaints About Data Handling
If you are unhappy with how we have handled your personal data, we encourage you to contact us first so that we can try to resolve the matter. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Website: ico.org.uk/make-a-complaint
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
18. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact:
19. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Where changes are material, we will take reasonable steps to notify affected individuals directly.
20. Governing Legislation
This Privacy Policy is governed by the laws of England and Wales. The key legislation governing our data processing includes:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations 2003 (PECR)
- Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
- Solicitors Regulation Authority Standards and Regulations