Privacy Policy

Last updated: February 2026

Privacy & Data Accountability Statement

Avalon SaaS Ltd Trading as Avalon Data (Co. No. 14158613)

Effective Date:

Regulatory Framework: UK GDPR | DPA 2018 | DUAA 2025 | SRA Transparency Rules 2018

1. Introduction

Avalon Data ("we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website avalondata.co.uk (the "Website").

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Website.

2. Data We Collect

We may collect personal data, including:

  • Contact Information: Name, email address, phone number, and company details when you submit our contact forms or request an audit.
  • Communication Data: Records of your correspondence with us.
  • Technical Data: IP address, browser type, operating system, and usage data through cookies and similar technologies.
  • Marketing Preferences: Your preferences for receiving marketing communications.

3. How We Use Your Data

We use your personal data for the following purposes:

  • To provide our website compliance services and respond to your enquiries
  • To deliver the 140-Point Website Audit and other website compliance services you request
  • To send you relevant information about website compliance requirements and regulatory updates from the ICO and the SRA
  • To improve our Website and services based on your feedback
  • To comply with legal obligations, including SRA and ICO requirements

4. Legal Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR) and the Data (Use and Access) Act 2025, we process your personal data based on:

  • Consent: Where you have given us permission to contact you
  • Contract: Where processing is necessary to fulfil a contract with you
  • Legitimate Interest: Where it is in our legitimate business interests to improve our services
  • Legal Obligation: Where we must comply with statutory requirements

5. Data Sharing

In accordance with Article 28 of the UK GDPR and the DUAA 2025, Avalon Data maintains a comprehensive Registry of all third-party sub-processors. We do not share data with generic 'service providers'; we only engage specific, vetted partners governed by a legally binding Data Processing Agreement (DPA). Our current sub-processors, their purposes, and their data locations are disclosed transparently in the table below (Section 5.1). This list serves as the definitive disclosure required under Article 13(1)(e).

5.1 Current Subprocessors

Processor Name | Purpose of Processing | Data Location | Safeguards
LandingSite.ai | Website Hosting & Site Builder Platform: Hosting of avalondata.co.uk and the AI-powered editor used to publish content. | USA | UK Standard Contractual Clauses, TLS encryption in transit.
Cloudflare | Domain Registrar, DNS, CDN & DDoS Proxy: Registration of avalondata.co.uk, traffic routing, and edge caching. All visitor traffic passes through Cloudflare's network before reaching our hosting. | UK / Global edge network | UK Data Processing Addendum, ISO 27001 certified, EU-US Data Privacy Framework certified.
Google | Email (Google Workspace) for [email protected] and Google Fonts (delivery of the 'Outfit' typeface used across the site). | USA / Ireland | UK-Extension Data Privacy Framework certified, Standard Contractual Clauses.

5.2 Subprocessor Obligations

All Subprocessors are contractually bound by data processing agreements that include:

  • Obligations to process personal data only on our documented instructions
  • Requirements to maintain appropriate technical and organisational security measures
  • Confidentiality obligations for all personnel with access to personal data
  • Requirements to assist us in responding to data subject rights requests
  • Obligations to delete or return all personal data upon termination of the agreement

5.3 Notification of Changes

We will notify our clients at least 14 days before engaging any new Subprocessor to process personal data. Clients may object to the engagement of a new Subprocessor by contacting us at [email protected] within 14 days of receiving such notification.

We do not sell your personal data to third parties.

5.4 Due Diligence Framework

We do not simply rely on a processor's self-certification. Our 2026 Due Diligence Framework involves:

  • Initiation Test: We only 'initiate' transfers that are strictly necessary for the audit service.
  • Quarterly Review: We verify that our sub-processors (LandingSite.ai, Cloudflare, Google) remain in good standing with their applicable UK Extension Data Privacy Framework certification or other valid transfer mechanism.
  • Audit Trail: We maintain internal records of every 'Data Protection Test' performed for a period of 7 years.

6. Data Security

We have implemented appropriate technical and organisational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encryption, access controls, and regular security assessments.

7. Your Rights

Under UK GDPR, you have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate personal data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing: Request limitation on how we process your data
  • Right to Data Portability: Request your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

7.1 Data Subject Access Requests (DSAR)

To ensure your request is handled securely and in accordance with the Data (Use and Access) Act 2025, please submit all Data Subject Access Requests (DSAR) via our Dedicated Privacy Portal. This structured process allows us to verify your identity and process your request within the statutory one-month window under UK GDPR Article 12(3).

Our Privacy Portal collects:

  • Full Name and Contact Details: To identify you and respond to your request
  • Proof of Identity: We may request verification to ensure your data is only disclosed to you
  • Scope of Data Requested: Under Article 15(1A) UK GDPR (inserted by section 78 of the Data (Use and Access) Act 2025), our search must be reasonable and proportionate. Specifying the data you seek helps us conduct a thorough and targeted search.


8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. Typically, we retain enquiry data for 3 years and client data for 7 years in line with statutory limitation periods.

8.1 Data Retention Schedule

We retain personal data only for as long as is strictly necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Data Category | Record Type | Retention Period | Statutory/Business Basis
Enquiry Data | Contact forms, initial email correspondence. | 3 Years from date of last contact. | Limitation Act 1980 (Potential claims period).
Client Matter Files | Case documents, legal advice, work product. | 7 Years from conclusion of the matter. | SRA Code of Conduct & Limitation Act 1980.
Financial Records | Invoices, VAT records, payment history. | 7 Years from the end of the financial year. | HMRC / VAT Act 1994.
Identity Verification | KYC/AML documents, passports, proof of address. | 5 Years from end of business relationship. | Money Laundering Regulations 2017.
Marketing Data | Newsletter subscriptions, opt-in preferences. | Until Opt-out (Reviewed every 24 months). | UK GDPR / PECR (Consent-based).
CCTV/Access Logs | Office visitor logs, security footage. | 30 Days (unless incident reported). | Public Interest/Security.

9. Special Category Data — Our Position

We do not routinely process special category data. Our website audit service is designed to assess publicly accessible web pages and the contact details of firms we are engaged with. The personal data we handle is therefore typically limited to ordinary business contact information (name, work email, work phone, firm details).

If special category data is encountered: Should we ever inadvertently come across special category data (as defined in Article 9 UK GDPR) during a website audit — for example, in an example contained within a client's existing privacy policy — we apply the following measures:

  • Immediate minimisation: We do not retain, copy, or process the data beyond what is strictly necessary to flag the relevant compliance issue back to the client.
  • No analysis or onward use: We do not analyse, profile, or share special category data with any third party.
  • Encryption in transit and at rest: All data on our systems is protected by TLS 1.2+ in transit and AES-256 at rest.
  • Reporting back, not retaining: If special category data is identified as a finding in an audit, we report this to the client in the audit deliverable so they can address it. We do not retain the underlying data ourselves beyond the audit cycle.

If you have any concerns that special category data has been shared with us in error, please contact us immediately at [email protected] and we will arrange secure deletion.

10. Cookies

Our Website uses cookies to distinguish you from other users and to improve your experience. For detailed information about the cookies we use, please refer to our Cookie Policy.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.

12. Our Commitment to Accountability

Avalon Data ("we", "us", or "our") provides independent website auditing and remediation services for the UK legal sector. We operate under an "Accountability-First" model. This policy outlines how we handle personal data in strict alignment with the Data (Use and Access) Act (DUAA) 2025 and the SRA Transparency Rules 2018.

Regulatory Alignment: While Avalon Data is not an SRA-regulated entity, our services are specifically engineered to assist SRA-regulated firms in meeting their website-related disclosure obligations. We operate as a specialist third-party supplier, ensuring that our data handling, security standards, and website audit methodologies provide the 'Evidence of Oversight' required for a firm's regulatory defence.

13. Lawful Bases for Processing

We only process personal data where a valid lawful basis exists under Article 6 of the UK GDPR. In 2026, we specifically rely on:

  • Contractual Necessity: To perform website audits and deliver the "Essential Shield Suite" to our clients.
  • Recognised Legitimate Interests (DUAA 2025): We process data for crime prevention and detection, including the mitigation of "claimant bot" activity and safeguarding our proprietary audit intellectual property. Under the DUAA 2025, these specific interests are pre-approved and do not require a formal balancing test.

14. Enhanced Data Subject Rights (2026 Standards)

We facilitate the exercise of your rights in a manner that is reasonable and proportionate:

  • Subject Access Requests (DSARs): When you request access to your data, we will conduct searches that are reasonable and proportionate to the nature of your request, in line with Article 15(1A) UK GDPR (as amended by section 78 Data (Use and Access) Act 2025). Under the DUAA 2025 "Stop the Clock" rule, we may pause the one-month response deadline if we require further information or identity verification.
  • Legal Professional Privilege (LPP): As a consultancy serving law firms, we strictly enforce exemptions regarding LPP. Data that consists of confidential communications for the purpose of legal advice or litigation is exempt from disclosure.
  • Automated Decision-Making: We do not use fully automated systems for significant decisions. Any "Risk Scoring" in our audits involves meaningful human oversight by an expert auditor.

15. Statutory Complaints Procedure (Internal-First)

In line with the Data (Use and Access) Act 2025 framework, we operate an internal-first complaints procedure. We encourage you to raise any concerns with us directly before escalating to the regulator:

  • Direct Submission: If you have a concern regarding our data handling, you must first submit a complaint via our Statutory Complaints Portal.
  • Acknowledgement: We will acknowledge your complaint within 30 days.
  • Resolution: We will investigate thoroughly and proportionately, and provide a full written outcome explaining our findings and any remedial action.

Note: Under 2026 law, the Information Commission generally requires that you complete this internal process before escalating a complaint to the regulator.

16. Data Retention & Security

  • Retention: We retain website audit data for a period of 7 years to support law firms in their SRA and PII renewal cycles, after which data is securely pseudonymised or destroyed.
  • Security: We employ AES-256 encryption for data at rest and TLS 1.2+ for data in transit. All staff access is governed by Multi-Factor Authentication (MFA) and the Principle of Least Privilege.

17. International Transfers

We only transfer data outside the UK where the destination provides a level of protection that is not significantly lower than UK standards, as per the 2026 "Data Protection Test".

17.1 Transfer Risk Assessment & Validated Transfer Mechanisms

Avalon Data performs a formal Transfer Risk Assessment (TRA)—now defined under the DUAA 2025 as the 'Data Protection Test'—for every cross-border data flow. We ensure that the standard of protection in the destination country is not materially lower than that provided in the UK.

Our Validated Transfer Mechanisms:

  • Transfers to the EEA: These rely on the reciprocal UK-EU Adequacy Regulations, which confirm that EEA protections meet the UK's 'Data Protection Test'.
  • Transfers to the USA (LandingSite.ai, Cloudflare, Google):
    • Primary Mechanism: We only engage US providers certified under the Data Privacy Framework (DPF) with the UK Extension (UK-US Data Bridge).
    • Secondary Safeguard: Where a provider is not DPF-certified, we utilise the International Data Transfer Addendum (IDTA) alongside a documented TRA to ensure rights remain enforceable.
  • Ad-hoc Transfers: Any other restricted transfer is governed by the International Data Transfer Agreement (IDTA) and is subject to additional technical measures, such as AES-256 encryption at rest.

18. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

  • Email: [email protected]
  • Phone: 0333 041 9992
  • Address: Avalon SaaS Ltd Trading as Avalon Data, 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. Visit ico.org.uk for more information.