Privacy Policy – Biz Right Ltd t/a LawRight

Effective date: 03/12/2025

This Privacy Policy describes how Biz Right Ltd trading as LawRight (“LawRight”, “we”, “us”, “our”) collects and processes personal data in connection with the provision of our services and related communications. It is intended to meet the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations 2003 (PECR), and other applicable UK data protection law.

Registered details:

  • Legal entity: Biz Right Ltd trading as LawRight
  • Company number: 10822277
  • Registered address: 2a Connaught Avenue, London, United Kingdom, E4 7AA

Definitions

  • “Our services” means software consulting and related professional services we provide to client and prospective client organisations, including:
      • Implementation, configuration, data migration, integration, customisation, optimisation, and support of LEAP Legal Software, and/or Xero Accounting Software, and/or Microsoft Software, and/or other related software and services associated with the foregoing.
      • User enablement activities such as training (live and recorded), workshops, knowledge transfer, documentation and change management.
      • Project and account management, service desk/ticketing, incident response, portal access and administration, and associated consultancy.
  • “Legitimate topics” means news, information, updates, service notices and promotions relating to:
      • LEAP Legal Software;
      • Xero Accounting Software;
      • Microsoft 365;
      • Other related software and services associated with the above;
      • Our services and related professional enablement, including implementation guidance, product or feature updates, security or availability notices, maintenance windows, roadmap webinars, events, offers and training opportunities that recipients may use or be interested in.

References in this policy to particular platforms or offerings should be read as references to our services or legitimate topics, as defined above.


1. Data Controller and Contact Details

  • Controller: Biz Right Ltd trading as LawRight
  • Address: 2a Connaught Avenue, London, United Kingdom, E4 7AA
  • Email: info@lawright.co.uk
  • Data Protection Officer (if appointed): No DPO appointed. Queries may be directed to the contact above.

2. Scope of This Policy

This policy applies to:

  • Staff members and authorised representatives of our client and prospective client organisations (primarily law firms) whose details are provided to us by their organisation or obtained by us in the context of our services.
  • Users who interact with us via email, SMS, telephone, our client portal, or other communication channels.
  • Visitors to our website(s) and recipients of our service and marketing communications.

This policy does not cover personal data we process strictly as a processor on behalf of clients (for example, where we access client systems or environments under a services agreement). In such cases, we act according to the client’s instructions and the relevant data processing agreement. See also Section 2A (Processing of Client Data) for further details of our processor role and how we handle your client, case, and accounting information during service delivery.


2A. Processing of Client Data (Your Clients’ Legal, Business and Accounting Information)

  • Role designation: In the course of providing our services, we frequently process data that belongs to your organisation and concerns your clients, matters/cases, suppliers and employees (collectively, “Client Data”). For these activities, we act as a processor (or sub-processor) and your organisation is the controller, unless expressly stated otherwise in writing.
  • Nature and categories of Client Data: matter files, case metadata, contact and party details, documents and communications, time recording, billing and accounting records, ledgers, invoices, bank reconciliation data, document templates, configuration settings, and usage/audit logs generated within supported systems. Client Data may include special category data and criminal offence data where you lawfully process such data in your systems.
  • Purpose and instructions: We process Client Data solely to deliver our services (including implementation, configuration, migration, training, testing, troubleshooting, support and related administrative tasks) and strictly on your documented instructions, including instructions contained in our services agreement, statements of work, tickets and written communications. Where Client Data includes special category or criminal offence data, your organisation is responsible for identifying a valid condition under Article 9 or Article 10 (and any Schedule 1 appropriate policy document). We will process such data only on your documented instructions and with appropriate safeguards.
  • Confidentiality and access controls: Access to Client Data is restricted to personnel and sub-contractors who require it for service delivery and are bound by confidentiality obligations. Access is logged and limited on a least-privilege basis.
  • Security measures: We implement appropriate technical and organisational measures proportionate to the risks, including secure connectivity to your environments, encryption in transit and at rest where feasible, segregated environments, MFA for administrative systems, vulnerability and patch management, and incident response procedures.
  • Data location and transfers: Where Client Data is hosted in your own environments or your licensed platforms, we access it remotely as necessary. Any international transfers by us of Client Data are safeguarded in accordance with Section 8 (International Transfers) and our Data Processing Agreement (DPA).
  • Sub-processing: We may engage sub-processors to assist with service delivery (e.g., secure ticketing, remote support, secure file transfer, conferencing). Sub-processors are appointed under written contracts meeting UK GDPR Article 28 requirements. A current list of sub-processors is available on request.
  • Data breaches: In the event of a personal data breach affecting Client Data while in our control, we will notify you without undue delay and provide information and cooperation reasonably required for you to meet your legal obligations.
  • Return and deletion: Upon conclusion of services or on your written request, we will return or delete Client Data in our possession within a reasonable period, subject to any legal obligations to retain limited records and subject to Section 9 on retention of our own service records. Backups and archives will be overwritten in line with standard cycles.

3. Categories of Personal Data Collected

We may collect and process the following categories of personal data concerning client and prospective client personnel:

  • Identification and contact data: name, job title/role, business email address, business telephone/mobile number, firm name, office address.
  • Professional information: practice area(s), departmental affiliation, system usage role, licence/user status.
  • Communication data: preferences, marketing opt-out/in status, records of correspondence and interactions across email, SMS, telephone and client portal.
  • Technical/usage data: portal account identifiers, login timestamps, audit logs and activity data on our client portal or scheduling platforms, IP addresses and device information (for security and service delivery).
  • Project/service data: information necessary to scope, deliver, support and improve our services (e.g., training attendance, configuration choices, implementation notes).
  • Website data: cookies and similar technologies as described in Section 14 (Cookies and Similar Technologies) and our Cookie Notice.

We do not intentionally collect special category data or criminal offence data for the purposes described in this policy. If such data is inadvertently provided, it will be deleted or minimised unless retention is legally required or strictly necessary for a specific, disclosed purpose.


4. Sources of Personal Data

  • Directly from your organisation (e.g., when your firm provides staff contact lists for implementation, training, support or account administration in relation to our services).
  • Directly from you (e.g., when you contact us, attend training, or use the client portal).
  • Public sources and professional platforms (e.g., firm websites, professional directories, LinkedIn) where relevant to business-to-business engagement on legitimate topics.
  • Our service delivery tools (e.g., helpdesk, project management, conferencing and portal platforms generating usage metadata).
  • Where we have not obtained your professional contact details directly from you, we will provide you with the required privacy information at the earliest practicable opportunity and no later than one month after obtaining them (Article 14 UK GDPR), or on first contact if that is sooner, with a clear ability to opt out of marketing.

5. Purposes and Legal Bases for Processing

We rely on different lawful bases depending on the purpose. We rely on legitimate interests for the purposes identified below where appropriate. You have the right to object to processing based on legitimate interests at any time, including an absolute right to object to direct marketing.

We process personal data for the following purposes and corresponding legal bases:

A. Service delivery and contract administration

  • Purposes: scoping, delivering and improving our services; user training; support and maintenance; scheduling meetings; managing user access to our portal; incident management; project reporting; invoicing and credit control.
  • Legal basis: Article 6(1)(b) UK GDPR (performance of a contract or taking steps prior to entering into a contract) and Article 6(1)(f) (legitimate interests in delivering and improving services to corporate clients).

B. Service communications

  • Purposes: essential and/or critical notifications relating to projects, training logistics, security and availability notices, feature or configuration changes, and other operational updates about our services.
  • Legal basis: Article 6(1)(b) (contract) and Article 6(1)(f) (legitimate interests in maintaining effective service delivery and customer care).

C. Business-to-business marketing and information updates

  • Purposes: sending news, information, updates, service notices or promotions limited to legitimate topics.
  • Legal basis: Article 6(1)(f) (legitimate interests in promoting and developing our services to corporate contacts). For electronic marketing, we comply with PECR. Where PECR requires consent, we will obtain it; otherwise, we rely on the soft opt-in or B2B exemption as applicable. For live marketing calls, we screen numbers against the Telephone Preference Service (TPS/CTPS) and honour any objections. You may opt out at any time.

D. Analytics, service improvement and security

  • Purposes: analysing engagement to improve content relevance on legitimate topics; monitoring portal and systems usage for performance, support and security; detecting, preventing and investigating security incidents or misuse. Engagement analytics (e.g., delivery, opens, clicks) are limited to improving relevance and deliverability and are not used to make decisions producing legal or similarly significant effects.
  • Legal basis: Article 6(1)(f) (legitimate interests in operating secure systems and improving our services).

E. Legal and regulatory compliance; record-keeping

  • Purposes: compliance with legal obligations, responding to regulatory or law enforcement requests, managing and defending legal claims, and maintaining statutory records.
  • Legal basis: Article 6(1)(c) (legal obligation) and Article 6(1)(f) (legitimate interests in establishing, exercising or defending legal claims).

Accountability: We have conducted a Legitimate Interests Assessment (LIA) for B2B communications about legitimate topics and for service communications, and we keep these assessments under review.

Legitimate interests assessment summary: Our B2B communications are targeted, proportionate and relevant to recipients’ professional roles. We balance our interests with recipients’ reasonable expectations and provide simple, free opt-outs in every marketing communication.


6. Automated Decision-Making

We do not use automated decision-making, including profiling, that produces legal or similarly significant effects on individuals. If that changes, this policy will be updated and specific information and safeguards provided.


7. Recipients and Categories of Recipients

We may share personal data with:

  • Our personnel and contractors on a need-to-know basis under confidentiality obligations.
  • Service providers (processors) assisting with hosting, CRM, email/SMS gateways, client portal, project management, conferencing, ticketing, analytics, identity management and security for our services and communications.
  • Vendors and partners relevant to our services where engagement is required to support or troubleshoot and where permitted by contract and law.
  • Professional advisers (accountants, auditors, lawyers) and insurers as necessary.
  • Authorities, regulators, courts or counterparties where required by law or necessary to establish, exercise or defend legal claims.

We do not sell personal data. Other than disclosures to professional advisers, insurers, authorities, regulators and courts as described above, disclosures are limited to our sub-contractors and processors, and to necessary vendor engagements to support or troubleshoot our services, each under appropriate contractual and confidentiality terms. We require processors to implement appropriate technical and organisational measures and to process personal data only on our documented instructions.


8. International Transfers

Some processors or sub-processors may be located outside the UK. Where personal data is transferred internationally, we ensure appropriate safeguards, such as:

  • Adequacy regulations under UK law; or
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses; and
  • Supplementary measures where necessary.

Details of current transfer mechanisms and destinations are available on request.


9. Data Retention

We retain personal data for the minimum period necessary for the purposes set out above:

  • Service and project records: typically for the duration of the engagement plus 7 years for limitation and accounting purposes.
  • Portal account records and logs: for the life of the account and a limited period thereafter for security/audit (12 months unless a longer period is necessary).
  • Marketing contact data: until you opt out or we identify prolonged inactivity, and in any event subject to periodic data hygiene reviews. We maintain a suppression list to respect opt-outs.
  • Training recordings: 3–12 months or earlier on request.
  • Engagement analytics logs for email/SMS: retained for 12 months, then aggregated or deleted.

Retention periods may be extended where required by law or to establish, exercise or defend legal claims. Data will be securely deleted or anonymised at the end of the retention period.


10. Your Rights

Under UK data protection law, you have the following rights (subject to conditions and exemptions):

  • Access: to obtain a copy of your personal data and supplementary information.
  • Rectification: to correct inaccurate or incomplete data.
  • Erasure: to request deletion of personal data in certain circumstances.
  • Restriction: to request restriction of processing in certain circumstances.
  • Portability: to receive personal data you provided to us in a structured, commonly used and machine-readable format and to transmit it to another controller where technically feasible.
  • Objection: to object at any time to processing based on our legitimate interests, including B2B direct marketing on legitimate topics; we will stop processing for marketing immediately upon objection.
  • Withdraw consent: where consent is relied upon (e.g., certain PECR scenarios), withdrawal at any time will not affect prior lawful processing.

To exercise rights, contact us using the details in Section 1. We may need to verify identity and scope requests appropriately. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO): www.ico.org.uk, telephone 0303 123 1113. We would appreciate the opportunity to address concerns before the ICO is approached.


11. Marketing Preferences and Opt-Out

  • You may opt out of marketing at any time by using the unsubscribe link in emails, replying STOP to SMS where supported, updating preferences in the client portal, or contacting us (see Section 1).
  • We apply your objection across all marketing channels and maintain a minimal suppression record to ensure your preference is respected in future.
  • We will continue to send essential service communications related to ongoing projects, security, or account administration for our services, as these are not marketing.
  • For emails and SMS, we apply consent or the soft opt-in/B2B rules under PECR as applicable and include an opt-out in each message. For live marketing calls, we screen numbers against TPS/CTPS and honour any objections.

12. Recording of Training Sessions and Use of Case Examples

  • Recording: Training sessions (including remote webinars and on-site sessions captured via conferencing tools) may be recorded for quality assurance, refresher training and to support staff who could not attend live. Recordings may capture screen shares, configurations and examples that include your internal workflows and, in some cases, Client Data.
  • Lawful basis and role: For recordings that include personal data of your staff, we rely on legitimate interests (Article 6(1)(f) UK GDPR) in delivering and improving our services. Where recordings include Client Data, we act as your processor and will handle the content in accordance with Section 2A and the DPA.
  • Sharing and access: By default, recordings are made available to your organisation’s staff who require access for training purposes via secure links or your chosen platform, unless your appointed contacts (project managers, partners, business owners, etc.) request otherwise. Access can be limited to specified groups on request.
  • Opt-out and restrictions: If your appointed contacts prefer that sessions are not recorded, or that recordings are edited, access-restricted, or deleted after a defined period, please notify us before or immediately after the session. We will comply with reasonable instructions and can provide redacted versions where feasible.
  • Minimisation: Trainers will encourage the use of anonymised or synthetic examples where practicable and will avoid displaying live Client Data unless necessary for the training objective and agreed with you.
  • Retention: Unless you instruct otherwise, training recordings are retained for 3–12 months and then securely deleted, subject to earlier deletion upon your request.

13. Security

We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit and at rest where feasible, vulnerability management, logging and monitoring, least-privilege principles, staff confidentiality undertakings, and regular review of our suppliers’ security practices. Despite these measures, no system is completely secure; we maintain incident response procedures to manage and notify as required by law.


14. Cookies and Similar Technologies

Our website(s) and client portal may use cookies and similar technologies for functionality, security, analytics and preference management. Where required, we provide a cookie banner and obtain consent for non-essential cookies. For details, please see our Cookie Notice https://lawright.co.uk/cookies and adjust preferences via our cookie management tool or browser settings.


15. Data Provided by Your Organisation

Where your organisation provides your details to us:

  • Your organisation is responsible for ensuring it has a lawful basis to share your data and for providing appropriate privacy information to you.
  • We will process your data in accordance with this policy and applicable law.
  • We will respect any opt-outs you notify to us directly, independent of your organisation.

16. Children

Our services are directed at professionals. We do not knowingly collect or process data relating to children.


17. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via our website or client portal, or directly where appropriate. The Effective date at the top will reflect the latest version. We monitor regulatory developments, including ICO updates arising from the Data (Use and Access) Act 2025, and will update this policy and our practices as required.


Contact

For questions or to exercise your rights, contact:

  • Biz Right Ltd trading as LawRight, 2a Connaught Avenue, London, United Kingdom, E4 7AA
  • Email: info@lawright.co.uk

Channel-Specific Communications Statement

We communicate via email, SMS, telephone and client portal notifications regarding legitimate topics. All contacts are set to receive marketing and critical service communications unless they opt out, consistent with our legitimate interests and PECR requirements. Opt-out mechanisms are available for each channel as set out in Section 11.


Third-Party Sharing Clarification

We do not share your details with any external organisation for their own independent purposes. We only share personal data with our sub-contractors and processors where necessary to provide our services and communications, or with vendors involved in supported platforms where necessary to support or troubleshoot our services, each under appropriate contractual and confidentiality terms.