Privacy Policy

Martin Tolhurst Partnership LLP – Privacy Policy February 2026, version 2.

Martin Tolhurst Partnership LLP (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal data lawfully, fairly and transparently.

We are a firm of solicitors regulated by the Solicitors Regulation Authority (SRA). We process personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and other applicable laws and professional obligations. We are also required to comply with other legal duties that affect how we use your information, including (where relevant) the Money Laundering Regulations, the Proceeds of Crime Act 2002, and legal professional privilege.

1. Who we are (Data Controller)

For most purposes we act as the data controller, meaning we decide how and why your personal data is used. If you have any questions about this Privacy Policy, or wish to exercise your rights, please contact our Data Protection Officer using the details in Schedule A.

2. ICO registration and complaints

We are registered with the Information Commissioner’s Office (ICO) and our ICO registration number is Z5424235

If you believe we have mishandled your personal data, please contact us first so we can investigate and resolve the issue. You also have the right to complain to the ICO. If you are unable to resolve the matter with us please raise the issue with the ICO on 0303 123 1113 or via their website https://ico.org.uk/

3. What data we collect

We collect and process personal data to provide legal services to you and to meet our legal and regulatory obligations. This data may be provided by:

you directly
other parties involved in your matter (e.g. counterparties, estate agents, lenders, experts)
public sources (e.g. Land Registry, Companies House) • third-party verification providers (e.g. identity checks)

The personal data we process may include:

identity information (name, date of birth, address, contact details)
financial information (bank details, source of funds evidence, transaction details)
information relating to your legal matter (documents, correspondence, instructions)
electronic identifiers (email addresses, IP addresses where relevant for security)

We do not normally need to collect “special category” personal data (such as health information, ethnicity, religious beliefs, sexual orientation) or criminal offence data. However, in some types of legal work we may need to process it where it is necessary and lawful.

4. Why we use your data

We use your personal data in a variety of ways and in order to progress your legal transaction or case with us. This work may mean we use data to:

identify you and verify your identity
communicate with you (post, telephone, email, text, and secure digital tools) • provide legal advice and progress your matter
comply with legal and regulatory obligations
prevent fraud and protect client money
manage our business, quality standards and risk
maintain our records and defend legal claims if required

5. Lawful bases for processing

Under the UK GDPR, we must have a lawful basis for processing your personal data. Depending on the circumstances, we rely on one or more of the following:

Contract – processing is necessary to provide the legal services you have instructed us to deliver
Legal obligation – processing is required to comply with laws and regulations (e.g. anti-money laundering requirements)
Legitimate interests – processing is necessary for our legitimate interests in running a law firm, providing services efficiently, and protecting our clients and business, provided those interests are not overridden by your rights
Consent – where we ask for your consent for a specific purpose and please note that you may withdraw consent at any time.

6. Anti-Money Laundering and identity checks

We are within the regulated sector under the Money Laundering Regulations 2017 and we must comply with anti-money laundering legislation. We also seek to comply with all legislation regarding the prevention of fraud. This means we may need to obtain and retain identity documents, evidence of address, and source of funds / source of wealth documentation.

We also carry out electronic verification checks using specialist providers (for example, SmartSearch, or Credas). These checks are required by law and form part of our compliance obligations.

7. Who we share your data with

We do not sell your personal data.

We will only share your information where it is necessary and lawful, including where:

it is needed to progress your legal matter
we are required by law or regulation
it is necessary to protect your legal rights
you have asked us to do so or would reasonably expect us to do so in the context of your matter

Depending on the type of legal matter that we are dealing with for you we may share data and information with:

courts and tribunals
barristers and experts
HMRC, HM Land Registry, Companies House, banks, estate agents, surveyors, financial advisors and mortgage lenders (where relevant)
other solicitors and third parties involved in your matter
trusted IT and legal service providers acting under our instructions

8. Our suppliers, systems and technology (including AI)

To provide services efficiently and securely, we use case management systems, document management tools, secure email and communication platforms, and vetted third-party suppliers.

We may use AI-enabled tools to assist with administrative and legal work. For example, summarising documents, drafting non-final wording, identifying issues, or improving efficiency. We will do so responsibly and will not use AI tools in a way that breaches confidentiality or legal professional privilege. We take steps to minimise personal data shared with such tools and to ensure appropriate safeguards are in place.

9. International transfers

Some suppliers we use or rely upon may process data outside the UK or EU. Where this occurs, we will ensure appropriate safeguards are used, such as adequacy regulations and/or UK GDPR approved contractual protections.

10. Quality assurance, audit and regulation

We hold quality accreditations and are regulated. As a result, your file may be inspected (where appropriate) for auditing, regulatory or quality assurance purposes, including by external auditors, our accountants, and regulators.

11. Cyber security and fraud risk

Cybercrime is a serious risk for all businesses, including law firms such as ours. We take security seriously and use measures including secure storage systems, firewalls, anti-virus and anti-malware protection, and staff training. We seek to protect and invest considerable time, money and effort in protecting all client assets including personal data.

12. How long we keep your data

We retain your file and information for legitimate legal and business reasons, including compliance, audit requirements, and the defence of legal claims.

Our standard retention periods are:

Hard copy files: a minimum of 7 years from closure of your file • Electronic files: a minimum of 12 years from closure of your file

Some matters may require longer retention (for example, deeds, trusts, matters involving minors or where required by law).

13. Accuracy of your data

We must keep personal data accurate and up to date. If you believe any information we hold is incorrect, please notify your case handler or the Data Protection Officer so we can correct it promptly.

14. Your rights under UK GDPR

You have rights in relation to your personal data, including:

the right to be informed
the right of access
the right to rectification
the right to erasure (in certain circumstances)
the right to restrict processing
the right to data portability (in certain circumstances)
the right to object (in certain circumstances)
rights relating to automated decision-making

15. Use of the Martin Tolhurst Solicitors Portal App

If you choose to use the Martin Tolhurst Solicitors Portal mobile application (the “App”), we will process limited personal data through the App so that we can provide you with secure access to information about your legal matter.

What the App does

On initial launch, the App allows you to:

view the milestones for your legal matter
view notes and updates added by your legal team
additional features may be added over time. You will be informed of any significant changes that affect how your personal data is processed.

What data the App uses

The App displays information about your legal matter that we already hold and process in accordance with this Privacy Policy. The App does not collect new categories of data about you. It provides secure access to:

your identity information (to authenticate your access)
matter milestones and progress updates
notes created by your legal team

This information is taken directly from our case management system so that you can view it securely on your device. No biometric data, device contact lists, photographs, or GPS location data are collected by the App.

Who provides the App technology

The App technology is provided by Law Firm Services Limited under the trading name of Minerva. They act as the data processor for us by supplying the secure platform that delivers the App to you. We remain the data controller for all data shown in the App. Minerva only processes your data under our instruction, in accordance with UK GDPR, and under a written contract that ensures your data is protected to the standards required by law. Minerva have provided us with assurances regarding protection of data from ourselves and our clients.

Legal basis for processing

The legal basis for processing data through the App is:

legitimate interests, so that we can communicate progress to you efficiently; and/or
contractual obligation, where these updates are required to deliver our services to you.

Security of your data in the App

The App uses secure encrypted connections. Access requires verification using your email address and a password or other authentication method.

Your rights

All of your usual UK GDPR rights continue to apply to data made available through the App. Please see above for a summary of your rights under GDPR in the UK. If you no longer wish to use the App, you may delete it from your device at any time. Please note however this will not delete any data we are required to retain for regulatory, legal or business purposes.

16. Cookies Policy

Our website may use cookies and similar technologies to help the site function properly, improve your experience, and understand how visitors use our website.

What are cookies?

Cookies are small text files stored on your device when you visit a website. They help websites recognise your device and remember certain information. We do not use cookies to sell your personal data or to carry out intrusive advertising profiling.

Types of cookies we may use. We may use:

Strictly necessary cookies – required for the website to operate securely and correctly.
Functional cookies – to remember your preferences (where applicable).
Analytics/performance cookies – to help us understand how the website is used and improve it (for example, by counting visits and page interactions).

Managing cookies

You can control or block cookies through your browser settings. Please note that disabling strictly necessary cookies may affect the way the website works.

Third-party cookies

Some website features may rely on third-party services (for example embedded maps or analytics). Those providers may set their own cookies. Where this applies, their cookies are governed by their own privacy and cookie policies.

More information

For more information about cookies and how to manage them, please visit the ICO website.

Schedule A – Contact details

Data Protection Officer: Richard Carter
Martin Tolhurst Partnership LLP, 4 Ambley Green, Gillingham, Kent ME8 0NJ
Email: rcarter@martintolhurst.co.uk
Telephone: 01233 505578

Deputy Data Protection Officer: John McIntyre
Martin Tolhurst Partnership LLP, 4 Ambley Green, Gillingham, Kent ME8 0NJ
Email: jmcintyre@martintolhurst.co.uk
Telephone: 01634 728129