Privacy Policy

Last updated: February 2026

Privacy & Data Accountability Statement

Paul Avalon Trading as Avalon Data

Effective Date:

Regulatory Framework: UK GDPR | DPA 2018 | DUAA 2025

1. Introduction

Avalon Data ("we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website avalondata.co.uk (the "Website").

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Website.

2. Data We Collect

We may collect personal data, including:

  • Contact Information: Name, email address, phone number, and company details when you submit our contact forms or request an audit.
  • Communication Data: Records of your correspondence with us.
  • Technical Data: IP address, browser type, operating system, and usage data through cookies and similar technologies.
  • Marketing Preferences: Your preferences for receiving marketing communications.

3. How We Use Your Data

We use your personal data for the following purposes:

  • To provide our GDPR compliance services and respond to your enquiries
  • To deliver the 140-Point Audit and other consultancy services you request
  • To send you relevant information about compliance requirements and regulatory updates
  • To improve our Website and services based on your feedback
  • To comply with legal obligations, including SRA and ICO requirements

4. Legal Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR) and the Data (Use and Access) Act 2025, we process your personal data based on:

  • Consent: Where you have given us permission to contact you
  • Contract: Where processing is necessary to fulfil a contract with you
  • Legitimate Interest: Where it is in our legitimate business interests to improve our services
  • Legal Obligation: Where we must comply with statutory requirements

5. Data Sharing

In accordance with Article 28 of the UK GDPR and the DUAA 2025, Avalon Data maintains a comprehensive Registry of all third-party sub-processors. We do not share data with generic 'service providers'; we only engage specific, vetted partners governed by a legally binding Data Processing Agreement (DPA). Our current sub-processors, their purposes, and their data locations are disclosed transparently in the table below (Section 5.1). This list serves as the definitive disclosure required under Article 13(1)(e).

5.1 Current Subprocessors

Processor Name Purpose of Processing Data Location Safeguards
Microsoft Primary Infrastructure: Website hosting (Azure/GitHub Pages) and professional email (Outlook). UK (South) UK-Standard DPA, AES-256 Encryption.
Google Analytics & Security: Google Analytics 4 (IP Anonymised) and reCAPTCHA for spam prevention. Ireland / USA DUAA-Compliant Opt-Out, UK Standard Contractual Clauses.
GoDaddy / Ionos Domain & DNS: Management of avalondata.co.uk routing and server-side security. UK / EU TLS 1.2+ Security Protocols.
LinkedIn Insight & Engagement: Providing relevant compliance updates to professional contacts via Insight Tags. Ireland Strict Opt-In Consent via Cookie Banner.
TrustArc Consent Management: Governing cookie preferences and regulatory opt-outs. EU (Ireland) UK-Standard DPA, IAB TCF v2.2 Compliant.
Stripe Payment processing EU (Ireland) PCI-DSS Level 1 Compliant, AES-256 Encryption.

5.2 Subprocessor Obligations

All Subprocessors are contractually bound by data processing agreements that include:

  • Obligations to process personal data only on our documented instructions
  • Requirements to maintain appropriate technical and organisational security measures
  • Confidentiality obligations for all personnel with access to personal data
  • Requirements to assist us in responding to data subject rights requests
  • Obligations to delete or return all personal data upon termination of the agreement

5.3 Notification of Changes

We will notify our clients at least 14 days before engaging any new Subprocessor to process personal data. Clients may object to the engagement of a new Subprocessor by contacting us at [email protected] within 14 days of receiving such notification.

We do not sell your personal data to third parties.

5.4 Due Diligence Framework

We do not simply rely on a processor's self-certification. Our 2026 Due Diligence Framework involves:

  • Initiation Test: We only 'initiate' transfers that are strictly necessary for the audit service.
  • Quarterly Review: We verify that our sub-processors (Microsoft, Google, etc.) remain in good standing with the UK-US Data Bridge.
  • Audit Trail: We maintain internal records of every 'Data Protection Test' performed for a period of 7 years.

6. Data Security

We have implemented appropriate technical and organisational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encryption, access controls, and regular security assessments.

7. Your Rights

Under UK GDPR, you have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate personal data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing: Request limitation on how we process your data
  • Right to Data Portability: Request your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

7.1 Data Subject Access Requests (DSAR)

To ensure your request is handled securely and in accordance with the Data (Use and Access) Act 2025, please submit all Data Subject Access Requests (DSAR) via our Dedicated Privacy Portal. This structured process allows us to verify your identity and process your request within the statutory 30-day window.

Our Privacy Portal collects:

  • Full Name and Contact Details: To identify you and respond to your request
  • Proof of Identity: We may request verification to ensure your data is only disclosed to you
  • Scope of Data Requested: Under the DUAA 2025 "Reasonable Search" clause, specifying the data you seek helps us conduct a thorough and targeted search

Submit a DSAR via our Privacy Portal →

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. Typically, we retain enquiry data for 3 years and client data for 7 years in line with statutory limitation periods.

8.1 Data Retention Schedule

We retain personal data only for as long as is strictly necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Data Category Record Type Retention Period Statutory/Business Basis
Enquiry Data Contact forms, initial email correspondence. 3 Years from date of last contact. Limitation Act 1980 (Potential claims period).
Client Matter Files Case documents, legal advice, work product. 7 Years from conclusion of the matter. SRA Code of Conduct & Limitation Act 1980.
Financial Records Invoices, VAT records, payment history. 7 Years from the end of the financial year. HMRC / VAT Act 1994.
Identity Verification KYC/AML documents, passports, proof of address. 5 Years from end of business relationship. Money Laundering Regulations 2017.
Marketing Data Newsletter subscriptions, opt-in preferences. Until Opt-out (Reviewed every 24 months). UK GDPR / PECR (Consent-based).
CCTV/Access Logs Office visitor logs, security footage. 30 Days (unless incident reported). Public Interest/Security.

9. Safeguards for Special Category Data (Appropriate Policy Document)

Condition for Processing: We process special category data under Article 9(2)(f) (Legal Claims) and Schedule 1, Part 2 of the DPA 2018 (Substantial Public Interest). This section constitutes our Appropriate Policy Document (APD) as required by the Data (Use and Access) Act 2025.

Legal Ground: Avalon Data relies on Article 9(2)(g) UK GDPR and Schedule 1, Part 2, Paragraph 8 of the DPA 2018 (Equality of Opportunity) and Paragraph 14 (Preventing Fraud).

Rationale: Our processing is necessary for the 'Substantial Public Interest' of ensuring that SRA-regulated firms—who manage the administration of justice—maintain robust data standards. This promotes the public interest in legal professional integrity and the prevention of data-related fraud within the UK legal system.

We may occasionally process 'Special Category' data (as defined in Article 9 UK GDPR), including information relating to health, ethnic origin, or religious beliefs, where this is strictly necessary for the performance of our compliance audits or as part of a client's legal matter.

In addition to our standard security measures, we apply the following enhanced safeguards to all Special Category Data:

  • Strict Necessity & Minimisation: We only collect the minimum sensitive data required for a specific audit purpose and ensure it is not 'stockpiled' beyond its immediate utility.
  • Access Control & Encryption: SCD is subject to 'Level 2' access controls, restricted to senior auditors only, and is encrypted both at rest and in transit using AES-256 standards.
  • The 'Necessity Test': For every engagement involving sensitive data, we conduct a documented Necessity Test to ensure no less intrusive means are available to achieve the same regulatory outcome.
  • Shorter Retention: SCD is subject to accelerated deletion schedules. Once the relevant audit remediation is verified, sensitive identifiers are pseudonymised or destroyed within 30 days, unless a statutory retention period applies.
  • Staff Training: All Avalon Data auditors undergo mandatory, biannual training on the ethical handling of sensitive legal and medical data under the DUAA 2025 framework.

10. Cookies

Our Website uses cookies to distinguish you from other users and to improve your experience. For detailed information about the cookies we use, please refer to our Cookie Policy.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.

12. Our Commitment to Accountability

Avalon Data ("we", "us", or "our") provides independent auditing and remediation services for the UK legal sector. We operate under an "Accountability-First" model. This policy outlines how we handle personal data in strict alignment with the Data (Use and Access) Act (DUAA) 2025 and the SRA Management and Control standards. Regulatory Alignment: While Avalon Data is not an SRA-regulated entity, our services are specifically engineered to assist SRA-regulated firms in meeting their obligations under SRA Principle 7 (Management and Control). We operate as a 'Critical Third-Party' provider, ensuring that our data handling, security standards, and audit methodologies provide the 'Evidence of Oversight' required for a firm's regulatory defence.

13. Lawful Bases for Processing

We only process personal data where a valid lawful basis exists under Article 6 of the UK GDPR. In 2026, we specifically rely on:

  • Contractual Necessity: To perform audits and deliver the "Essential Shield Suite" to our clients.
  • Recognised Legitimate Interests (DUAA 2025): We process data for crime prevention and detection, including the mitigation of "claimant bot" activity and safeguarding our proprietary audit intellectual property. Under the DUAA 2025, these specific interests are pre-approved and do not require a formal balancing test.

14. Enhanced Data Subject Rights (2026 Standards)

We facilitate the exercise of your rights in a manner that is reasonable and proportionate:

  • Subject Access Requests (DSARs): When you request access to your data, we will conduct searches that are proportionate to the nature of your request. Under the DUAA 2025 "Stop the Clock" rule, we may pause the one-month response deadline if we require further information or identity verification.
  • Legal Professional Privilege (LPP): As a consultancy serving law firms, we strictly enforce exemptions regarding LPP. Data that consists of confidential communications for the purpose of legal advice or litigation is exempt from disclosure.
  • Automated Decision-Making: We do not use fully automated systems for significant decisions. Any "Risk Scoring" in our audits involves meaningful human oversight by an expert auditor.

15. Statutory Complaints Procedure (Internal-First)

In accordance with the mandatory requirements of the DUAA 2025, we operate a formal Data Protection Complaints Procedure:

  • Direct Submission: If you have a concern regarding our data handling, you must first submit a complaint via our Statutory Complaints Portal (click for access).
  • Acknowledgement: We will acknowledge your complaint within 30 days.
  • Resolution: We will investigate and provide a full written outcome without undue delay.

Note: Under 2026 law, the Information Commission generally requires that you complete this internal process before escalating a complaint to the regulator.

16. Data Retention & Security

  • Retention: We retain audit data for a period of 7 years to support law firms in their SRA and PII renewal cycles, after which data is securely pseudonymised or destroyed.
  • Security: We employ AES-256 encryption for data at rest and TLS 1.2+ for data in transit. All staff access is governed by Multi-Factor Authentication (MFA) and the Principle of Least Privilege.

17. International Transfers

We only transfer data outside the UK where the destination provides a level of protection that is not significantly lower than UK standards, as per the 2026 "Data Protection Test".

17.1 Transfer Risk Assessment & Validated Transfer Mechanisms

Avalon Data performs a formal Transfer Risk Assessment (TRA)—now defined under the DUAA 2025 as the 'Data Protection Test'—for every cross-border data flow. We ensure that the standard of protection in the destination country is not materially lower than that provided in the UK.

Our Validated Transfer Mechanisms:

  • Transfers to the EEA: These rely on the reciprocal UK-EU Adequacy Regulations, which confirm that EEA protections meet the UK's 'Data Protection Test'.
  • Transfers to the USA (Google/Microsoft/LinkedIn):
    • Primary Mechanism: We only engage US providers certified under the Data Privacy Framework (DPF) with the UK Extension (UK-US Data Bridge).
    • Secondary Safeguard: Where a provider is not DPF-certified, we utilise the International Data Transfer Addendum (IDTA) alongside a documented TRA to ensure rights remain enforceable.
  • Ad-hoc Transfers: Any other restricted transfer is governed by the International Data Transfer Agreement (IDTA) and is subject to additional technical measures, such as AES-256 encryption at rest.

18. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. Visit ico.org.uk for more information.