Privacy Policy
Biz Right Ltd trading as LawRight
Effective date: 16/03/2026 | Version 2.1
This Privacy Policy describes how Biz Right Ltd trading as LawRight (“LawRight”, “we”, “us”, “our”) collects and processes personal data in connection with the provision of our services and related communications. It is intended to meet the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations 2003 (PECR), and other applicable UK data protection law.
This Privacy Policy forms part of our Terms of Business, which are published at www.lawright.co.uk/terms. In the event of any conflict between this Privacy Policy and the Terms of Business, the Terms of Business prevail.
Registered details
- Legal entity: Biz Right Ltd trading as LawRight
- Registered address: 2a Connaught Avenue, London, United Kingdom, E4 7AA
Definitions
In this Privacy Policy, the following definitions apply in addition to those set out in the Terms of Business:
“Our services” means software consulting and related professional services provided to client and prospective client organisations, including: (i) implementation, configuration, data migration, integration, customisation, optimisation, and support of software platforms used by clients in connection with our engagements; (ii) user enablement activities such as training (live and recorded), workshops, knowledge transfer, documentation, and change management; and (iii) project and account management, service desk and ticketing, incident response, portal access and administration, and associated consultancy. References to particular platforms or software in this policy should be read as references to our services as defined here.
“Legitimate topics” means news, information, updates, service notices, and promotions relating to software platforms and services relevant to our clients’ work, including practice management, accounting, and productivity software; and our own services and professional enablement activities, including implementation guidance, product or feature updates, security or availability notices, maintenance windows, roadmap webinars, events, offers, and training opportunities.
1. Data Controller and Contact Details
- Controller: Biz Right Ltd trading as LawRight
- Address: 2a Connaught Avenue, London, United Kingdom, E4 7AA
- Email: info@lawright.co.uk
- Data Protection Officer: No DPO is currently appointed. Queries may be directed to the contact details above.
2. Scope of This Policy
This policy applies to:
- Staff members and authorised representatives of our client and prospective client organisations whose details are provided to us by their organisation or obtained by us in the context of our services.
- Users who interact with us via email, SMS, telephone, our client portal, or other communication channels.
- Visitors to our website(s) and recipients of our service and marketing communications.
This policy does not cover personal data we process strictly as a processor on behalf of clients — for example, where we access client systems or environments under an Agreement. In such cases, we act according to the client’s instructions and the relevant data processing agreement. See section 2A for further details of our processor role.
2A. Processing of Client Data
In the course of providing our services, we frequently process data that belongs to your organisation and concerns your clients, matters and cases, suppliers, and employees (collectively, “Client Data” as defined in the Terms of Business). The following applies to that processing:
- Role designation: For activities involving Client Data, we act as a processor (or sub-processor) and your organisation is the controller, unless expressly stated otherwise in writing.
- Nature and categories of Client Data: matter files, case metadata, contact and party details, documents and communications, time recording, billing and accounting records, ledgers, invoices, bank reconciliation data, document templates, configuration settings, and usage and audit logs generated within supported systems. Client Data may include special category data and criminal offence data where you lawfully process such data in your systems.
- Purpose and instructions: We process Client Data solely to deliver our services (including implementation, configuration, migration, training, testing, troubleshooting, support, and related administrative tasks) and strictly on your documented instructions, including those in our Agreement, statements of work, tickets, and written communications. Where Client Data includes special category or criminal offence data, your organisation is responsible for identifying a valid condition under Article 9 or Article 10 UK GDPR. We will process such data only on your documented instructions and with appropriate safeguards.
- Confidentiality and access controls: Access to Client Data is restricted to personnel and sub-contractors who require it for service delivery and who are bound by confidentiality obligations. Access is logged and limited on a least-privilege basis.
- Security measures: We implement appropriate technical and organisational measures proportionate to the risks, including secure connectivity to your environments, encryption in transit and at rest where feasible, segregated environments, MFA for administrative systems, vulnerability and patch management, and incident response procedures.
- Data location and transfers: Where Client Data is hosted in your own environments or your licensed platforms, we access it remotely as necessary. Any international transfers of Client Data by us are safeguarded in accordance with section 8 (International Transfers) and our Data Processing Agreement (DPA).
- Sub-processing: We may engage sub-processors to assist with service delivery (e.g. secure ticketing, remote support, secure file transfer, conferencing). Sub-processors are appointed under written contracts meeting UK GDPR Article 28 requirements. A current list of sub-processors is available on request.
- Data breaches: In the event of a personal data breach affecting Client Data while in our control, we will notify you without undue delay and provide information and cooperation reasonably required for you to meet your legal obligations.
- Return and deletion: Upon conclusion of services or on your written request, we will return or delete Client Data in our possession within a reasonable period, subject to any legal obligations to retain limited records (see section 9). Backups and archives will be overwritten in line with standard cycles.
3. Categories of Personal Data Collected
We may collect and process the following categories of personal data concerning client and prospective client personnel:
- Identification and contact data: name, job title and role, business email address, business telephone and mobile number, firm name, and office address.
- Professional information: practice area(s), departmental affiliation, system usage role, and licence and user status.
- Communication data: preferences, marketing opt-out and opt-in status, and records of correspondence and interactions across email, SMS, telephone, and client portal.
- Technical and usage data: portal account identifiers, login timestamps, audit logs and activity data on our client portal or scheduling platforms, IP addresses, and device information (for security and service delivery).
- Project and service data: information necessary to scope, deliver, support, and improve our services (e.g. training attendance, configuration choices, and implementation notes).
- Website data: cookies and similar technologies as described in section 14.
We do not intentionally collect special category data or criminal offence data for the purposes described in this policy. If such data is inadvertently provided, it will be deleted or minimised unless retention is legally required or strictly necessary for a specific, disclosed purpose.
4. Sources of Personal Data
- Directly from your organisation (e.g. when your firm provides staff contact lists for implementation, training, support, or account administration in connection with our services).
- Directly from you (e.g. when you contact us, attend training, or use the client portal).
- Public sources and professional platforms (e.g. firm websites, professional directories, LinkedIn) where relevant to business-to-business engagement on Legitimate topics.
- Our service delivery tools (e.g. helpdesk, project management, conferencing, and portal platforms generating usage metadata).
Where we have not obtained your professional contact details directly, we will provide you with the required privacy information at the earliest practicable opportunity and no later than the statutory timeframe, with a clear ability to opt out of marketing.
5. Purposes and Legal Bases for Processing
We rely on different lawful bases depending on the purpose. Where we rely on legitimate interests, you have the right to object to that processing at any time, including an absolute right to object to direct marketing.
A. Service delivery and contract administration
- Purposes: scoping, delivering, and improving our services; user training; support and maintenance; scheduling; managing user access to our portal; incident management; project reporting; invoicing and credit control.
- Legal basis: Article 6(1)(b) UK GDPR (performance of a contract or steps prior to entering a contract) and Article 6(1)(f) (legitimate interests in delivering and improving services to corporate clients).
B. Service communications
- Purposes: essential and critical notifications relating to projects, training logistics, security and availability notices, feature or configuration changes, and other operational updates about our services.
- Legal basis: Article 6(1)(b) (contract) and Article 6(1)(f) (legitimate interests in maintaining effective service delivery and client care).
C. Business-to-business marketing and information updates
- Purposes: sending news, information, updates, service notices, or promotions limited to Legitimate topics.
- Legal basis: Article 6(1)(f) (legitimate interests in promoting and developing our services to corporate contacts). For electronic marketing, we comply with PECR. Where PECR requires consent, we will obtain it; otherwise, we rely on the soft opt-in or B2B exemption as applicable. For live marketing calls, we screen numbers against the Telephone Preference Service (TPS/CTPS) and honour any objections. You may opt out at any time.
D. Analytics, service improvement, and security
- Purposes: analysing engagement to improve content relevance on Legitimate topics; monitoring portal and systems usage for performance, support, and security; detecting, preventing, and investigating security incidents or misuse. Engagement analytics (e.g. delivery, opens, clicks) are limited to improving relevance and deliverability and are not used to make decisions producing legal or similarly significant effects.
- Legal basis: Article 6(1)(f) (legitimate interests in operating secure systems and improving our services).
E. Legal and regulatory compliance; record-keeping
- Purposes: compliance with legal obligations, responding to regulatory or law enforcement requests, managing and defending legal claims, and maintaining statutory records.
- Legal basis: Article 6(1)(c) (legal obligation) and Article 6(1)(f) (legitimate interests in establishing, exercising, or defending legal claims).
Accountability: We have conducted Legitimate Interests Assessments (LIAs) for B2B communications and service communications and keep these under review. Our B2B communications are targeted, proportionate, and relevant to recipients’ professional roles. We provide simple, free opt-outs in every marketing communication.
6. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal or similarly significant effects on individuals. If that changes, this policy will be updated and specific information and safeguards provided.
7. Recipients and Categories of Recipients
We may share personal data with:
- Our personnel and contractors on a need-to-know basis under confidentiality obligations.
- Service providers (processors) assisting with hosting, CRM, email and SMS gateways, client portal, project management, conferencing, ticketing, analytics, identity management, and security for our services and communications.
- Vendors and partners relevant to our services where engagement is required to support or troubleshoot, and where permitted by contract and law.
- Professional advisers (accountants, auditors, lawyers) and insurers as necessary.
- Authorities, regulators, courts, or counterparties where required by law or necessary to establish, exercise, or defend legal claims.
We do not sell personal data. Disclosures are limited to our sub-contractors and processors, and to necessary vendor engagements to support or troubleshoot our services, each under appropriate contractual and confidentiality terms. We require all processors to implement appropriate technical and organisational measures and to process personal data only on our documented instructions.
8. International Transfers
Some processors or sub-processors may be located outside the UK. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including one or more of the following:
- Adequacy regulations under UK law.
- UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses.
- Supplementary measures where necessary.
Details of current transfer mechanisms and destinations are available on request.
9. Data Retention
We retain personal data for the minimum period necessary for the purposes set out above:
- Service and project records: typically for the duration of the engagement plus 7 years for limitation and accounting purposes.
- Portal account records and logs: for the life of the account and for up to 12 months thereafter for security and audit purposes, unless a longer period is necessary.
- Marketing contact data: until you opt out or we identify prolonged inactivity. We maintain a suppression list to respect opt-outs and conduct periodic data hygiene reviews.
- Training recordings: 3 to 12 months, or earlier on request.
- Engagement analytics logs for email and SMS: retained for 12 months, then aggregated or deleted.
Retention periods may be extended where required by law or to establish, exercise, or defend legal claims. Data will be securely deleted or anonymised at the end of the applicable retention period.
10. Your Rights
Under UK data protection law, you have the following rights (subject to applicable conditions and exemptions):
- Access: to obtain a copy of your personal data and supplementary information about how it is processed.
- Rectification: to correct inaccurate or incomplete personal data.
- Erasure: to request deletion of your personal data in certain circumstances.
- Restriction: to request that we restrict processing of your personal data in certain circumstances.
- Portability: to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller where technically feasible.
- Objection: to object at any time to processing based on our legitimate interests, including an absolute right to object to B2B direct marketing. We will stop processing for marketing purposes immediately upon objection.
- Withdraw consent: where consent is the lawful basis (e.g. certain PECR scenarios), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
To exercise any of these rights, please contact us using the details in section 1. We may need to verify your identity and scope your request appropriately.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at www.ico.org.uk, telephone 0303 123 1113. We would welcome the opportunity to address any concerns before you approach the ICO.
11. Marketing Preferences and Opt-Out
- You may opt out of marketing at any time by: using the unsubscribe link in emails; replying STOP to SMS where supported; updating your preferences in the client portal; or contacting us directly (see section 1).
- We apply your objection across all marketing channels and maintain a minimal suppression record to ensure your preference is respected in future communications.
- We will continue to send essential service communications related to ongoing projects, security, or account administration. These are operational communications, not marketing, and cannot be opted out of while an active engagement is in place.
- For emails and SMS, we apply consent or the soft opt-in and B2B rules under PECR as applicable, and include an opt-out in each message. For live marketing calls, we screen numbers against TPS/CTPS and honour any objections.
12. Recording of Training Sessions and Use of Case Examples
- Recording: Training sessions (including remote webinars and on-site sessions captured via conferencing tools) may be recorded for quality assurance, refresher training, and to support staff who could not attend live. Recordings may capture screen shares, configurations, and examples that include your internal workflows and, in some cases, Client Data.
- Lawful basis and role: For recordings that include personal data of your staff, we rely on legitimate interests (Article 6(1)(f) UK GDPR) in delivering and improving our services. Where recordings include Client Data, we act as your processor and handle the content in accordance with section 2A and the applicable Data Processing Agreement.
- Sharing and access: By default, recordings will be made available to your organisation’s staff who require access for training purposes via secure links or your chosen platform. Access can be limited to specified groups on request. We will share recordings with your staff unless your appointed contacts instruct otherwise.
- Opt-out and restrictions: If your appointed contacts prefer that sessions are not recorded, or that recordings are edited, access-restricted, or deleted after a defined period, please notify us before or immediately after the session. We will comply with reasonable instructions and can provide redacted versions where feasible.
- Minimisation: Trainers will use anonymised or synthetic examples where practicable and will avoid displaying live Client Data unless necessary for the training objective and agreed with your organisation.
- Retention: Unless you instruct otherwise, training recordings are retained for 3 to 12 months and then securely deleted, subject to earlier deletion upon your request.
13. Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include access controls, encryption in transit and at rest where feasible, vulnerability management, logging and monitoring, least-privilege principles, staff confidentiality undertakings, and regular review of our suppliers’ security practices.
Despite these measures, no system is completely secure. We maintain incident response procedures to manage and notify breaches as required by law.
14. Cookies and Similar Technologies
Our website(s) and client portal may use cookies and similar technologies for functionality, security, analytics, and preference management. Where required by law, we provide a cookie banner and obtain consent for non-essential cookies.
For full details, please see our Cookie Notice at https://lawright.co.uk/cookies. You can adjust your preferences at any time via our cookie management tool or your browser settings.
15. Data Provided by Your Organisation
Where your organisation provides your personal details to us:
- Your organisation is responsible for ensuring it has a lawful basis to share your data with us and for providing appropriate privacy information to you directly.
- We will process your data in accordance with this policy and applicable law.
- We will respect any opt-outs you notify to us directly, independently of any instructions from your organisation.
16. Children
Our services are directed at professionals. We do not knowingly collect or process personal data relating to children under the age of 18. If we become aware that we have inadvertently collected such data, we will delete it promptly.
17. Changes to This Policy
We update this Privacy Policy from time to time. The current version is always published at www.lawright.co.uk/terms. We operate the same two-tier notice system as our Terms of Business:
- Non-material updates (such as corrections, clarifications, or changes to contact details) take effect immediately upon publication. No direct notification will be given for changes of this kind.
- Material changes (being any change that substantively affects how we collect or process personal data, or that affects your rights as a data subject) will be communicated directly to affected individuals and organisations using the contact details we hold. Such changes will not take effect for active clients until at least 30 days after notice is given.
We monitor regulatory developments, including guidance and updates arising from the Data (Use and Access) Act 2025 and ICO publications, and will update this policy and our practices accordingly.
We encourage you to check www.lawright.co.uk/terms periodically. Continued use of our services following any update constitutes acceptance of the revised Privacy Policy.
Contact
For questions about this policy or to exercise your rights, please contact:
- Biz Right Ltd trading as LawRight, 2a Connaught Avenue, London, United Kingdom, E4 7AA
- Email: info@lawright.co.uk
Channel-Specific Communications
We communicate via email, SMS, telephone, and client portal notifications regarding Legitimate topics. All contacts are set to receive marketing and critical service communications unless they opt out, consistent with our legitimate interests and PECR requirements. Opt-out mechanisms are available for each channel as set out in section 11.
Third-Party Sharing
We do not share your personal details with any external organisation for their own independent purposes. We only share personal data with our sub-contractors and processors where necessary to provide our services and communications, or with vendors involved in supported platforms where necessary to support or troubleshoot our services. All such sharing is governed by appropriate contractual and confidentiality terms.