Privacy Policy

This Privacy Policy (the “Policy”) explains how Castletown Law (“we”, “us” or our”) treats personal data that it collects and uses.

This Policy applies to different categories of individuals: namely our clients or representatives of our clients (including prospective clients), our staff, visitors to our website or social media accounts and other individuals including suppliers and contractors.

Collectively, we refer to these categories of individuals as “you”.

We are committed to respecting and protecting your privacy. This Policy describes in detail how and why we collect, store and use personal data you provide when you use our website, email or network with our people and when you or third parties who hold your data communicate with us. This policy also gives information about individual’s rights.

We may use personal information supplied to us for any of the purposes as set out in this Policy, or as otherwise disclosed when we collect that personal information.

Please note that when we refer in this Policy to European Data Protection Legislation, this includes the General Data Protection Regulation (Regulation (EU) 2016/670) (the “GDPR”), the UK Data Protection Act 2018 and any equivalent legislation amending, supplementing or replacing the GDPR and any other law applicable to data protection that applies to us.

We recommend that you read this Policy carefully as it explains how we process personal data.

What data do we collect?

1. The personal data you give to us may include:

  • your name and title
  • contact information, including telephone number, postal address and email address
  • information relating to your location, preferences and / or interests
  • employment and job application details, including date of birth, qualifications, employment history, equality monitoring information
  • photographic identification
  • your and others` signature(s), National Insurance number (s), financial details including bank account details and details of any important restrictions/sanctions
  • data relating to health (including disabilities), ethnicity, race, religious beliefs, trade union memberships and other `special category personal data` (in these circumstances we will tell you how and why we are collecting this type of data)
  • the contents of any enquiries submitted over our website
  • social media posts, `likes`, tweets and other interaction with our social media accounts
  • any other personal data we collect (including an assigned client reference number) in the context of our work for our clients or in the course of operating our business
  • Attendance records
  • Feedback forms

2. When you visit our website, the following information may be collected automatically:

  • Web usage information (e.g. IP address), your login information, browser type and version, time zone setting, operating system and platform.
  • Information about your visit, including the full Uniform Resource Locators (URLs) clickstream to, through and from our website (including date and time); time on page, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs)
  • Location, device and demographic information

3. The personal data described above may concern any of the following categories of persons:

  • our clients, clients’ personnel
  • target clients
  • our prospective employees, work experience students, job applicants
  • our staff, referrers, professional advisors, consultants and others who work in the context of our legal services including those with whom we work on our corporate responsibility initiatives
  • our contractors and suppliers
  • third parties with whom we are in contact by virtue of providing legal services (e.g. third party payers of invoices, opposing parties on a client’s matter and users of, or other individuals identified on, the extranet or other document storage, management or review sites or platforms that we make available in the context of the services we provide)
  • those who make enquiries via our website or social media accounts or whose details are otherwise entered into our client relationship management system
  • any visitors to our offices

4. We may ask you for information if you report a problem with our website.

5. We may keep a record of correspondence if you contact us.

How do we collect your data?

Most of the information collected by us is provided directly by you through a number of means:

  • Whilst we are working for you (or your business). We will almost always act as a data controller in this capacity but we may also occasionally act as a data processor. Where we are acting as a data processor, we will separately let you know and ensure that appropriate contract terms are in place.
  • Via our website (e.g. on our “Contact Us” page or our news, or job applications etc) and social media accounts
  • By email or other electronic correspondence including through the technical monitoring tools which we use for purely administrative/ technical reasons in respect of emails, to check our emails are sent to the intended recipients and are read
  • by telephone
  • networking (e.g. at law fairs, client events and/or other meetings or events either hosted or attended by us)
  • through the extranet or other document storage, management or review sites or platforms that we make available in the context of the services we provide
  • by operating security policies and procedures in our offices (e.g. by virtue of our access to CCTV footage recorded by our buildings’ landlord and other CCTV footage we collect in our offices)
  • otherwise through providing our legal services or operating our business.

How will we use your data? We may use your information for the following purposes:

  • to provide legal services (including responding to specific queries) that you submit to us
  • to instruct other service providers on your behalf (for example external counsel or experts) or opposing parties
  • administration: to collect our fees or costs including in relation to legal enforcement and to make payments to our suppliers
  • to manage our relationship with you (and/or your business), including by maintaining our database of clients and other third parties for administration and accounting and relationship management purposes
  • to complete our contractual obligations to you or otherwise taking steps as described in our engagement terms and/or Terms of Business
  • to carry out any relevant conflict checks, credit checks, anti-money laundering and sanctions checks and fulfilling our obligations under any relevant anti-money laundering law or regulations
  • to verify your identity using electronic verification
  • to send you or email or post any relevant information on our services and events that may be of interest to you using the email and/or postal address which you have provided, but only if you have given us your consent to do so or we are otherwise able to do so in accordance with applicable European Data Protection Legislation
  • to process any job application you (or your representative) has submitted
  • to administer our corporate responsibility initiatives
  • to ensure that our website’s content is presented in the most effective manner for you
  • to customise our website according to your interests
  • for contact and communication and marketing purposes: eg to send you legal updates, news about any events we are organising or participating in, and/or other information about us and the services that we provide that we believe may be of interest to you.  You can specify your contact preferences when registering online to receive communications from us (for example, through the Castletown Law website, or by subsequently advising us of your contact preferences using options provided on all of our marketing emails or via the contact details of our Data Controller as set out in the “How to contact us” section below
  • providing your contact details to legal directory providers (e.g. The Legal 500 and Chambers & Partners) to obtain your feedback and thus seek industry recognition to promote us
  • Making contact details available to our staff

to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey responses

  • to allow you to participate in any interactive features on our website when you choose to do so
    as part of our efforts to keep our website safe and secure
  • to measure or understand the effectiveness of advertising we send to you and others, and to deliver relevant advertising to you
  • to ensure we appropriately administer any attendance / visits to our offices
  • to comply with any other professional, legal and regulatory obligations which apply to us or policies or procedures that we have in place (including procedures by which we use software tools to review and access information stored on our system in order to assess, verify or otherwise process the personal data we hold)
  • as we feel is necessary to prevent illegal activity or to protect our interests
  • performing analytics – such as trends, sales intelligence, marketing effectiveness (such as click and open rates) uptake and progress
  • Utilising artificial intelligence to research news feeds, sites, posts etc and performing analytics to assist us in contacting you with relevant information
  • To provide press releases
  • Invitations to meet our staff
  • Internal communications.

On what basis do we process your data?

1. We will only process personal information where we have a legitimate reason to do so. We will rely on one of the following legal bases:

  • the processing is necessary for the performance of a contract that you are a party to or in order to take steps at your request prior to you entering into a contract;
  • the processing is necessary for our legitimate business interests (including the provision and marketing of our legal services);
  • the processing is necessary for us to comply with our legal obligations (i.e. compliance with anti-money laundering legislation);
  • processing is necessary for the establishment, exercise or defence of legal claims or in relation to a criminal investigation; and
  • the data subject has given consent to the processing of their personal information for one or more specific purposes

2. We will only use your personal information for the purpose for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

Sharing your information

1. Your information may be shared with nominated third parties such as service providers, contractors, support services and organisations that help market our services and third parties who enable us to fulfil our contractual obligations to you and/or our clients in the course of business.

2. Your personal information shared with third parties will either be processed by the third party as a data controller or as our data processor. This will depend on the purposes of our sharing your personal data. We will only share your personal data where we are legally permitted to do so and in compliance with the European Data Protection Legislation.

3. We may disclose your information to third parties when:

  • you specifically ask us to do so or if it is necessary to provide our legal services to you (e.g. when we need to instruct lawyers in another jurisdiction to provide advice which you have requested)
  • we feel that other companies’ products and services may be of interest you
  • our website is acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets
  • we are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect the rights, property or safety of our website, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

4. Those third parties may include:

  • our bank which, for the purposes of preventing money laundering or terrorist financing, may require us to disclose your personal data to our bank from time to time where for example we hold monies in our Client Account on your behalf
  • credit-checking agencies
  • our insurers
  • our auditors, including external accreditation bodies
  • other professional advisors or third parties (including counsel, overseas lawyers, accountants, expert witnesses or costs draftsmen) with whom we engage as part of our work for our clients or who our clients separately engage
  • our regulator, the Law Society of Scotland
  • our data processors providing security, email security, data governance, archiving and other IT and business support services
  • our email marketing platform provider and our website platform provider
  • analytics and search engine providers that assist us in the improvement and optimisation of our website
  • any third party you ask us to share your data with.

5. If you chose to access any websites via a link from our website, you should be aware that these websites have their own privacy policies. We do not accept any responsibility or liability for these policies.

6. We will not sell or rent our users’ or other contacts’ details to any other organisation or individual.

Sending your information outside of the EEA

1. Any personal data shared with a party outside the European Economic Area (“EEA”) (such as a professional advisor or third party engaged by us or you as part of our work under an engagement letter), will be in compliance with European Data Protection Legislation and we will ensure that any such transfer is strictly necessary in relation to a contractual arrangement between us. As part of this, we will have a set of EU-approved Model Clauses (or other approved protection mechanism) in place. If these transfers affect you, you may contact us to obtain more precise information and a copy of relevant documentation.

2. Our staff may access our system remotely when working abroad (including from jurisdictions outside the European Economic Area). Where they do so, they are required to use our systems and access any personal data in accordance with all the standard policies and procedures.

How do we store your data?

1. We take our obligations in relation to storage and confidentiality very seriously. We have strict security procedures in place as to how your personal information is stored and used and to ensure that only authorised persons are able to see it.

2. We limit access to your personal data. Our computer systems are encrypted. Our website is protected. We use anti-virus and firewall software. Our offices are locked whenever unattended. Our staff take appropriate security precautions when working away from our offices.

3. We will keep your information stored on our systems for as long as necessary to provide our services to you and in accordance with our Terms of business. Our general retention period for documentation created for the purposes of providing legal services is 12 years although in some circumstances there are legal, accounting and regulatory exceptions which might mean that documentation can be held for longer periods.

4. In relation to contact details stored in our client relationship management data base these will be kept on our data base for as long as is necessary although a business contact has the right to request that their contact details be deleted from Interaction.

5. In relation to third parties whom we have engaged on your behalf you should be aware that they will keep your data for as long as necessary to provide the services to you and in accordance with the retention periods established within their own policies.

6. In the event that any part of our business is sold or restructured, potential buyers or transferees may be permitted access to your personal data after they have signed appropriate confidentiality agreements.

Your rights

You have certain rights which are as follows:

  • the right to ask us to provide you (usually at no cost to you), or a third party, with copies of the personal information we hold about you at any time and to be informed of the contents and origin, verify its accuracy, or else request that such information be supplemented, updated or rectified;
  • the right to request rectification, erasure, anonymisation or blocking of your personal information that is processed in breach of the law;
  • the right to object on legitimate grounds to the processing of your personal information. In certain circumstances we may not be able to stop using your personal information, if that is the case, we will let you know why; and
  • the withdrawal of consent – when your personal information is processed on the basis of consent you have the right to withdraw consent at any time. In the event that you no longer want to receive any marketing material from us, please use the unsubscribe option (which is in all of our marketing emails to you) or contact our Data Controller as set out in our “How to contact us” section below.

To exercise such rights (save withdrawing from marketing emails – as described above) and if you have any questions about how we collect, store and use personal information, then please contact us using the details as set out in the “How to contact us” section below.


Cookies are text files placed on your computer to collect internet log and visitor behaviour information. When you visit our website, we may collect information automatically from you via our cookies or similar technologies. Please see our Cookie Policy for further detail.

Changes to our Privacy Policy

This Policy was last updated in September 2019. It may change from time to time but the up-to-date version will always be available on our website. The Policy will become effective immediately it appears on our website.

How to contact us

If you have any question, comments or requests about our Privacy Policy, the data we hold on you, or you would like to exercise one of your data protection rights, you can contact our Data Controller, Andrew Renton, 23 Melville Street, Edinburgh, EH3 7PE by or telephone 0131 240 3880. Alternatively, you can reach us via the Contact Us section of our website.

How to contact the appropriate authorities

Should you wish to make a complaint please contact us straightaway. However if you feel that we have not satisfactorily addressed your concern you may contact the Information Commissioner`s Office. For more details please visit the ICO website (