
Privacy notice

Introduction
This page gives you information about how we use your personal data and your data rights. We take our obligations very seriously and we encourage you to read the whole notice, however, we have provided this information in a layered format so you can click through to the specific areas set out below. Alternatively, you can request a hard copy of this document by emailing GDPR@tlt.com
This notice does not apply to customers of our financial services clients (for example, a borrower or mortgage holder). If that is you, please see our notice at Third-Party Customers Privacy Notice | TLT LLP Data Use
If you are a job applicant, please see our notice for you at Job Application Privacy Policy | TLT LLP Recruitment Data
This notice explains how TLT collects and uses your personal information — what we collect, why we use it, who we share it with, and what rights you have over it.
It applies to you whether you are a TLT client, someone connected to a matter we are handling or simply visiting our website. Please read it alongside our Terms of Business and Cookies Policy.
This notice does not apply to customers of our financial services clients (for example, a borrower or mortgage holder) or job applicants. If that is you, please see https://www.tlt.com/privacy/third-party-customers-privacy-notice/ or https://www.tlt.com/legal-notices/job-application-privacy-policy
TLT is a law firm. Depending on the services we provide and your relationship with us, one or more of the following TLT entities may be responsible for your personal data:
When we say "TLT", "we" or "us" in this notice, we mean whichever TLT entity is relevant to your situation. TLT LLP is responsible for managing this notice.
Our role: In most cases, TLT acts as a data controller — meaning we are responsible for deciding how and why your personal data is used. Occasionally, we act as a data processor on behalf of a client, following their instructions, with appropriate data processing contracts in place to protect your data.
In some situations, TLT and our client act as joint controllers, sharing responsibility for how your data is used and for complying with data protection law. Where this applies, we have a written agreement with our client setting out each party's responsibilities. Under that arrangement:
- TLT LLP is your primary point of contact for any questions or rights requests.
- You may also exercise your data protection rights directly against our client.
- Whichever party you contact, we will ensure your request is handled properly and within the required timeframes.
Our Data Protection Officer (DPO)
Our DPO oversees how we handle personal data and is your point of contact for any questions about this notice, including which TLT entity is responsible for your data or what role we are playing in relation to it.
- Email: GDPR@tlt.com
- Post: Data Protection Officer, TLT LLP, One Redcliff Street, Bristol, BS1 6TP, United Kingdom
The information we collect depends on the legal services we provide and how you interact with us. It may include:
- Your identity — name, previous names, title, date of birth, gender, photo ID and proof of address.
- Your contact details — home address, billing address, email and telephone numbers.
- Financial information — bank account and payment card details, and other financial information relevant to your matter.
- Transaction details — details of payments to and from you and the services you have received from us.
- Technical information — your IP address, device and browser type, and device settings (collected when you use our website).
- Profile information — your username and password (if you have an online account with us), requests, preferences, feedback and survey responses.
- Professional information — your employer, job title, professional memberships and regulatory identifiers, and information needed for onboarding checks and identity verification.
- Website usage — how you use our website, products and services.
- Marketing preferences — your preferences for receiving communications and updates from us.
- Call recordings — recordings of certain telephone calls and related notes.
We may also create anonymised or aggregated data from your information for statistical or research purposes. Once data is properly anonymised, it is no longer personal data and this notice does not apply to it.
Sensitive personal data: Some of the work we do requires us to handle more sensitive types of personal data (called ‘Special Category Data’) — for example, health or medical information (including information about vulnerability or disability), information about racial or ethnic origin, or religious or philosophical beliefs. We only process this kind of information where the law specifically allows us to, and we will always tell you if we need to do so and why.
The table in Section 8 explains why we use your data. The types of data listed above may be used for any of those purposes, depending on what the work requires.
We may collect personal data:
- Directly from you — for example, when you contact us by email, telephone or post.
- From your employer or organisation.
- From third parties connected with your matter — such as your solicitor, financial adviser, debt management organisation or support agency.
- From courts, regulators and public authorities.
- From publicly available sources — such as Companies House or the Electoral Register.
- From our office systems — including CCTV and guest Wi-Fi if you visit one of our offices, or at events and networking activities.
- From our website — including through online forms, enquiries, event sign-ups and other interactions.
- During the course of a matter — from documents, correspondence and other material generated as the legal work progresses.
Our website also automatically collects certain technical data through cookies and similar tools. For more information on this, including how to manage your cookie settings, please see our Cookies Policy.
You do not have to provide your personal data to us. However, if you choose not to, we may not be able to carry out the legal work you need or progress the matter you are involved in.
If you share someone else's personal data with us (for example, a family member or business contact), please make sure:
- you are allowed to share it;
- the information is accurate; and
- the person knows their information may be used by us as described in this notice.
Where we receive personal data about someone who has not shared it with us directly, we will tell that person how we use their data as required by law, unless an exemption applies — for example, where telling them would be disproportionately difficult (e.g., because there are a very large number of people involved) or would undermine the purpose of our work.
Our services are not generally directed at children. Children are generally represented by a parent, guardian or litigation friend, and we deal with that representative rather than the child directly. Where a matter involves a child's personal data, we will explain to their representative why we need the information and how we will use it.
If you are a child and want to know more about how your personal data is used, please ask your parent, guardian or representative to contact us.
We only use your personal data where the law allows us to. We always consider whether our use of your data is fair and proportionate. Before setting out the specific purposes, here is a plain English explanation of what the legal bases mean:
- Performance of a contract — we need your data to carry out the legal work you or our client has asked us to do, or to take steps before starting that work.
- Legal obligation — the law requires us to use your data. For example, we must carry out anti-money laundering and identity checks.
- Legitimate interests — we have a genuine business reason to use your personal data where this is proportionate and does not override your rights. This includes delivering legal services, managing relationships, maintaining secure systems, preventing fraud, handling complaints, and establishing, exercising or defending legal claims. We assess this before relying on this basis and you can contact us for more information.
- Vital interests — we need to use your personal data to protect your life or someone else's life, or to prevent serious harm to a person. This is a narrow basis that we would only rely on in urgent or emergency situations.
- Consent — we have asked you, and you have agreed, to a specific use of your data. You can withdraw your consent at any time by contacting us or using the unsubscribe link in any marketing email. Where we use sensitive personal data on the basis of consent, we will always ask for your explicit agreement — see Section 9 for more detail.
We only handle this type of information where the law allows us to do so. Depending on the circumstances, the conditions we rely on may include:
- Explicit consent – you have clearly and explicitly agreed to a specific use of your information.
- Legal claims – it is necessary to establish, exercise or defend legal claims.
- Substantial public interest – the law permits processing for specific public interest reasons.
- Vital interests – it is necessary to protect your life or someone else's life in an emergency.
Where criminal offence data is involved, we only process it where authorised by law. We take additional steps to protect this information and, where appropriate, will explain why we need it and the legal basis we rely on.
We do not use profiling (where an electronic system uses personal information to try and predict something about you) or automated decision making (where an electronic system uses personal information to make a decision about you without human intervention).
We may use analytical tools to understand website usage or tailor marketing communications, but these activities do not involve automated decision-making with legal or similarly significant effects.
You have the right to object to profiling for marketing purposes at any time. If you think an automated decision has been made about you, please contact us at GDPR@tlt.com and we will arrange for a person to review it.
We may share your personal data where necessary to deliver our services, run our business or comply with legal and regulatory requirements. Recipients may include:
- Our clients, to provide related legal services;
- Other TLT offices and entities, including those in the UK and South Africa;
- Courts, tribunals and dispute resolution bodies, and other parties to a matter — such as borrowers, guarantors and their legal representatives;
- Professional advisers and service providers involved in a matter — such as barristers, experts, process servers, tracing agents and debt recovery providers;
- Panel providers who allocate legal work to us as a law firm;
- Financial institutions involved in a transaction — such as banks, lenders, insurers and intermediaries;
- Government bodies, regulators and law enforcement agencies where required by law or for the prevention or detection of crime — including HM Land Registry, HMRC, the Financial Conduct Authority (FCA), the Solicitors Regulation Authority (SRA), the Law Society of Scotland, the Law Society of Northern Ireland, the Information Commissioner's Office (ICO), and the Information Regulator (South Africa);
- Our professional indemnity insurers and advisers, where needed for risk management or defending legal claims;
- Our service providers, including those supporting IT, document management, communications and business operations;
- Organisations involved in a business transaction, such as a merger or restructuring of our firm;
- External auditors and accreditation bodies; and
- Emergency services or support agencies where there is an urgent risk to you or others.
Some of these recipients are independent organisations responsible for their own data protection compliance. Others act on our instructions, and we require them to keep your data secure and use it only for the purpose for which we have engaged them.
We may not always know at the start of a matter exactly who will need to receive your personal data — this can depend on how the matter develops.
In some circumstances, personal data may be accessed from or transferred outside the UK, including by our South Africa operations and by some of our service providers. Where this happens, we put appropriate safeguards in place to protect your personal data. These may include UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or other safeguards permitted by data protection law.
If you would like more information about the safeguards in place for any specific transfer, please contact us at GDPR@tlt.com.
We take data security seriously. Our security measuresinclude encryption, access controls and staff training to protect your personaldata from accidental loss, unauthorised access, or misuse. Access to your datais limited to staff and third parties who genuinely need it, and they are boundby a duty of confidentiality.
If we give you login credentials to access your matter onour systems, please keep these secure and do not share them with anyone.
If we ever experience a data breach that is likely to putyour rights or freedoms at serious risk, we will let you know promptly and takeimmediate steps to limit any harm.
We only keep personal data for as long as necessary. Retention periods vary depending on the type of matter, record and legal or regulatory requirement. For most legal matters, we keep data for 10 years from the date the matter concludes. Some records — such as financial and anti-money laundering documentation — may be kept for longer where the law requires it.
For data not connected to a legal matter — such as website analytics, CCTV footage and marketing records — we retain data only for as long as necessary for the relevant purpose.
To find out more about how long we keep a specific type of data, or to request deletion, please email GDPR@tlt.com. Please note that we may need to retain certain information for legal, regulatory or legitimate business reasons even after a deletion request, and we may anonymise data for ongoing use.
Under UK data protection law, you have a number of rights in relation to your personal data. These are summarised below. Some rights are subject to legal conditions and exemptions, but we will always explain these to you if they apply.
How to exercise your rights: Email us at GDPR@tlt.com or write to us at the address below. There is usually no charge. We may ask you to confirm your identity before we respond. We will respond within one calendar month, and we will let you know if we need more time because your request is complex.
If you have any questions about this notice or want to exercise your rights, please get in touch:
- Email: GDPR@tlt.com
- Post: Data Protection Officer, TLT LLP, One Redcliff Street, Bristol, BS1 6TP, United Kingdom
If you are unhappy with how we have handled your personal data, we would welcome the chance to put things right. You can raise a complaint using the contact details above, through our online complaints form, or in another format if you need assistance or reasonable adjustments.
We will acknowledge your complaint within 30 days, may ask you to confirm your identity or clarify the issues, and will keep you updated while we investigate and respond. We may not be able to disclose certain information where this would affect confidentiality, legal professional privilege or the rights of others. You can read our Data Protection Complaints Policy for more detail.
If you are based in the UK, you also have the right to complain to the Information Commissioner's Office (ICO) at any time. The ICO can investigate complaints and take enforcement action. Find out more at www.ico.org.uk. We would, however, prefer the chance to resolve your concerns before you go to the ICO.
If you live or work outside the UK, you can complain to your local regulator.
We review this notice regularly and will let you know about any significant changes — for example, by email or by posting a notice on our website. Please also check back periodically. This version was last updated on 29 June 2026.
If your personal details change, please let us know so that we can keep our records accurate.
Our website may contain links to other websites. We are not responsible for the privacy practices of those sites and we encourage you to read their privacy notices when you visit them.