How we handle your personal information.

Who is the data controller

Harveys Legal Limited is the data controller for personal information you provide to us through this website or in the course of an engagement. We are a UK-incorporated firm regulated by the Immigration Advice Authority.

• —Firm: Harveys Legal Limited
• —Office: Birmingham, United Kingdom
• —Email for data protection enquiries: hello@harveyslegal.com
• —Regulator: Immigration Advice Authority (Firm Reg F202537009)

What information we collect

We collect only the information needed to respond to enquiries, deliver our services, meet our regulatory obligations, and operate this website. The categories below describe what we typically collect.

• —Enquiry information: name, email, company, phone (optional), topic, urgency, and any details you provide in the consultation request form
• —Client engagement information: information about your business, employees, sponsored workers, documents, and circumstances relevant to the matter you instruct us on
• —Identity and regulatory information: information required to meet our regulatory and identity-verification obligations
• —Correspondence: records of our correspondence with you (email, calls, meetings)
• —Website usage information: basic technical information about how visitors use the website, such as pages viewed and approximate location

How we use your information

We use your personal information for clearly defined purposes related to our work. We do not use your information for purposes you would not reasonably expect, and we do not sell it.

• —Responding to enquiries and scoping consultations
• —Delivering legal services on instructed matters
• —Meeting our regulatory obligations (e.g. record-keeping requirements of the Immigration Advice Authority)
• —Communicating with you about your matter or our service to you
• —Maintaining our internal records and complying with applicable law (e.g. tax, anti-money laundering)
• —Improving our website and the way we communicate (using only aggregate, non-identifying information)

Lawful basis for processing

Under UK GDPR we must have a lawful basis for processing your personal information. The lawful bases we rely on vary by purpose.

• —Performance of a contract: processing required to deliver the legal services you instruct us on
• —Legitimate interests: responding to enquiries, scoping consultations, operating our website, and running our business effectively
• —Legal obligation: meeting record-keeping, regulatory, and statutory obligations
• —Consent: where we rely on consent (for example, for any optional marketing), you can withdraw it at any time

Who we share your information with

We do not sell personal information. We share it only with parties who need to receive it to deliver our services or meet our regulatory obligations.

• —Our advisers, contractors, and authorised staff working on your matter
• —Third-party service providers we use to operate the firm (e.g. email, document storage, accounting) — each is contractually bound to handle data appropriately
• —Regulators and authorities where we are legally required to do so (e.g. Immigration Advice Authority, courts, tax authorities)
• —Other parties only where you have specifically asked us to do so, or where it is necessary to deliver the service you have instructed

How long we keep your information

We retain personal information for as long as we need it to deliver our services, meet our regulatory and legal obligations, and resolve any disputes. Retention periods vary based on the type of information and the purpose.

• —Enquiry-only contact (no engagement): typically up to 2 years from last contact
• —Engaged matter records: typically 7 years after matter conclusion, in line with regulatory and professional standards
• —Identity-verification records: in line with anti-money-laundering record retention requirements (typically 5 years)
• —Website analytics: aggregated and retained only as long as needed for trend analysis

Your rights under UK GDPR

You have a range of rights in relation to your personal information. You can exercise these rights by emailing us at hello@harveyslegal.com.

• —Right of access — to ask for a copy of the personal information we hold about you
• —Right of rectification — to ask us to correct inaccurate information
• —Right of erasure — to ask us to delete information where there is no overriding lawful reason to keep it
• —Right to restrict processing — to ask us to limit how we use your information in certain circumstances
• —Right to data portability — to ask for a copy of information you provided to us in a portable format
• —Right to object — to object to processing based on our legitimate interests
• —Right to withdraw consent — where we rely on consent, you can withdraw it at any time
• —Right to complain — to the Information Commissioner's Office (ICO) if you believe we have not handled your information correctly

Security

We take appropriate technical and organisational measures to protect personal information against unauthorised access, loss, disclosure, or destruction.

These measures include access controls, secure storage, encryption in transit, and staff confidentiality obligations. Despite these measures, no transmission or storage system is entirely secure. If you have specific security concerns about how to send information to us, please let us know.

Contacting us about privacy

If you have a question about this policy, how we handle your information, or you would like to exercise any of your rights under UK GDPR, please email hello@harveyslegal.com with 'Data protection' in the subject line.

If you are unhappy with how we have handled a data protection matter, you can complain to the Information Commissioner's Office (ICO) — the UK's independent regulator for data protection.