Privacy Policy
We take your privacy seriously. This policy explains what personal information we collect about you, how we use it, who we share it with, and the rights you have under UK data protection law.
Last updated: 25 April 2026
1. Who we are
Prowse Phillips Law Limited (“we”, “us”, “our”) is the data controller responsible for your personal information.
- Company number: 9483512 (England & Wales)
- Registered office: Unit 15, Connect Business Village, 24 Derby Road, Liverpool L5 9PR
- Authorised and regulated by the Solicitors Regulation Authority (SRA No. 621870)
- Where required by the Data Protection (Charges and Information) Regulations 2018, we are registered with the Information Commissioner's Office. Our current registration can be verified on the ICO public register at ico.org.uk.
- Contact for data protection queries: info@prowsephillips.co.uk · 0151 515 6880
2. The information we collect
We collect and process the following categories of personal information when you use our services:
- Identifiers and contact details — first name, last name, date of birth, email address, phone number, postal address.
- Financial information — details of your debts, creditor names and balances, income and expenditure, employment status, and (where relevant) bank account details for Direct Debit setup.
- Case information — correspondence with creditors, court documents, statements, letters of authority, signatures, and any documents you upload to support your case.
- Identity verification data — information used to verify your identity in line with anti-money-laundering and SRA requirements.
- Special category data — where you choose to share information about your health, mental wellbeing, or other vulnerability indicators relevant to assessing affordability or hardship, we will process this only with your explicit consent or where another lawful condition applies under Article 9 UK GDPR.
- Technical and usage data — IP address, device type, browser, pages visited, and interactions with our site (see our Cookie Policy on prowsephillips.co.uk/cookie-policy).
Information we obtain from third parties
Most of the information we hold about you is provided directly by you. We also receive personal information about you from third parties in the following situations:
- Introducer firms and referral partners — where you have engaged with another firm or platform that has referred you to us, the introducer may share with us your name, contact details, and a summary of your circumstances so we can pick up your enquiry. Your relationship with the introducer is governed by their own privacy notice.
- Your creditors and their representatives — once we hold your Letter of Authority, we will request copies of your credit agreements, statements, account histories, default notices, and related correspondence from the lenders, debt purchasers, and collection agencies we contact on your behalf.
- Credit reference agencies — we may obtain credit file information from agencies such as Experian, Equifax, and TransUnion to help us identify and assess the debts in your name.
- Identity-verification providers — to meet our anti-money-laundering and know-your-client obligations, we may receive identity-verification results and source-of-funds checks from regulated providers.
- Public registers — including the electoral roll, Companies House, and the insolvency register, where we need to verify information you have given us or carry out conflict checks.
Where we receive your information from a third party, we will tell you about it within one month (or sooner if we contact you in the meantime) and confirm the source unless we are restricted from doing so by law.
3. Why we use your information (lawful bases)
Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for each purpose for which we process personal data. The table below shows which basis we rely on for each of our main processing purposes. Where we rely on consent, you can withdraw it at any time by emailing info@prowsephillips.co.uk.
| Why we process your data | Lawful basis (UK GDPR Art 6) | Special category basis (Art 9), where relevant |
|---|---|---|
| To assess your enquiry and decide whether we can help with your case | Contract — taking steps at your request before entering a contract | — |
| To deliver our legal services once you instruct us (creditor correspondence, drafting, advice, plan management) | Contract | — |
| To verify your identity and screen for sanctions / politically exposed persons | Legal obligation (Money Laundering Regulations 2017) | — |
| To meet our SRA, accountancy, and tax record-keeping duties | Legal obligation | — |
| To assess affordability and vulnerability where you have shared information about your health or wellbeing | Contract (necessary to deliver the service) | Explicit consent (Art 9(2)(a)) — and / or Art 9(2)(f) where the information is necessary for the establishment, exercise, or defence of legal claims |
| To take payment from you for our work | Contract | — |
| To send you transactional and case-update messages by email, SMS, or phone | Contract / Legal obligation | — |
| To send you marketing communications about our other services | Consent (or PECR “soft opt-in” for similar services to those you have already received) | — |
| To prevent and detect fraud, abuse, or unauthorised access to our systems | Legitimate interests — keeping our service and our clients secure | — |
| To improve our website, defend or bring legal claims, manage our insurance, and run our business | Legitimate interests | — |
Where we rely on legitimate interests, we have carried out a balancing test and are satisfied that our interests are not overridden by your rights and freedoms. You can ask for a copy of the balancing test by contacting us.
4. Who we share your information with
We only share your information where it is necessary to deliver our services, meet a legal obligation, or protect our legitimate interests. The categories of recipient include:
- Your creditors and their representatives — to negotiate, dispute, or settle balances on your behalf, under the authority you give us.
- Service providers (sub-processors) who help us operate the service. The principal processors are listed in the table below. All are contractually bound to protect your data.
- Regulators, courts, and law enforcement — where required by law or in response to a valid legal request.
- Professional advisers — including counsel, auditors, and insurers, where engaged on a confidential basis.
All personal information is processed within the United Kingdom or the European Economic Area at all times. Where a provider is corporately based outside the UK/EEA, we use that provider's UK or EU data region only, supported by the UK Addendum to the EU Standard Contractual Clauses where applicable.
<<COMPLIANCE NOTE — please verify this list matches production integrations and the configured data regions before publishing.>>
| Processor | Purpose | Location of processing |
|---|---|---|
| GoCardless Ltd | Direct Debit mandate setup and payment collection | United Kingdom |
| Twilio Ireland Ltd | SMS messaging and voice telephony | European Economic Area (Ireland region) |
| Resend | Transactional and notification email delivery | European Economic Area (EU region) |
| Amazon Web Services (S3) | Encrypted document storage | United Kingdom / EEA |
| Vercel Inc. | Website hosting and content delivery | European Economic Area |
| Neon | Database hosting | European Economic Area |
5. International transfers
It is our policy to keep all personal information within the United Kingdom and the European Economic Area. We do not authorise any onward transfer of personal data outside this region. If this position ever changes, we will update this policy and rely on UK Government adequacy regulations or the International Data Transfer Agreement / UK Addendum to the EU Standard Contractual Clauses, supported by appropriate technical and organisational safeguards.
6. How long we keep your information
- Client matter files — retained for at least 6 years from the date your matter is closed, in line with the SRA Code of Conduct and our professional indemnity insurance requirements.
- Financial and accounting records — 6 years from the end of the relevant tax year (HMRC requirement).
- Marketing data — until you opt out, or 3 years after your last engagement with us, whichever is sooner.
- Identity verification records — 5 years from the end of the relationship (Money Laundering Regulations 2017).
- Website analytics and technical logs — typically up to 14 months.
7. Security
We use appropriate technical and organisational measures to protect your information, including encryption in transit (TLS) and at rest, role-based access controls, regular access reviews, secure password handling, audit logging, and staff training on data protection. We test our systems regularly and review our controls in line with industry standards.
8. Personal data breaches
Despite our security measures, no system is completely free from risk. If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, in line with Article 33 UK GDPR;
- Tell you directly and without undue delay if the breach is likely to result in a high risk to your rights and freedoms, in line with Article 34 UK GDPR. We will explain in plain language what has happened, what we are doing about it, and the steps you can take to protect yourself; and
- Keep an internal record of every breach (whether reportable or not) and review our controls so the same issue cannot happen again.
If you suspect that your information has been compromised through us, please email info@prowsephillips.co.uk with the subject line “Data security concern” and we will investigate as a priority.
9. Automated decision-making
We do not make decisions about you using solely automated processing that produces legal or similarly significant effects. Some routine processing (for example, sending reminders or routing an enquiry to the right team) is automated, but final decisions about your case are made by people.
10. Marketing communications
We will only send you marketing communications where you have given consent or where the law permits us to do so. You can opt out at any time by clicking the unsubscribe link in any email, replying STOP to a marketing SMS, or emailing info@prowsephillips.co.uk. Opting out of marketing does not stop us sending you essential service communications about your case.
11. Children
Our services are intended for adults aged 18 and over. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.
12. Your data protection rights
Under UK data protection law, you have the following rights:
- Right of access — to ask for a copy of the personal information we hold about you.
- Right to rectification — to ask us to correct information that is inaccurate or incomplete.
- Right to erasure — to ask us to delete your information in certain circumstances.
- Right to restrict processing — to ask us to limit how we use your information in certain circumstances.
- Right to object — to object to our processing of your information for direct marketing or where we rely on legitimate interests.
- Right to data portability — to receive certain information in a structured, commonly used, machine-readable format.
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out beforehand.
You will not have to pay a fee to exercise any of these rights. We have one calendar month to respond from the date we receive your request and verify your identity. In limited circumstances we may extend that period by up to a further two months for complex or numerous requests; if we do, we will tell you within the first month and explain why.
To exercise any of these rights, email info@prowsephillips.co.uk or write to us at the registered office above.
How we verify your identity before responding
Because the information we hold is sensitive — covering financial, legal, and sometimes health-related matters — we will not act on a rights request until we are satisfied the request has come from you. Our standard process is:
- We will acknowledge your request and confirm the email address or postal address we will reply to.
- If you are an existing client, we will normally verify your identity using information already held on your file, supported by a one-time passcode sent to the email or phone number we have on record.
- If you are not an existing client, or the information on file is inconclusive, we may ask for one form of photographic ID (passport or driving licence) and one proof of address dated within the last three months. Documents may be supplied as redacted scans showing only the fields we need to confirm.
- We will not ask for sensitive information (such as bank account or card details) for identity verification, and we will tell you if we cannot proceed because identity could not be confirmed.
Where someone makes a request on your behalf (for example, a relative, an attorney under a Lasting Power of Attorney, or another solicitor) we will also need to see written authority from you and evidence of the agent's identity.
13. How to complain
If you have concerns about how we use your personal information, please contact us first at info@prowsephillips.co.uk so we can try to put things right. You can also complain directly to the Information Commissioner's Office:
- Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Helpline: 0303 123 1113
- Website: www.ico.org.uk
For complaints about the legal service we provide, please see our Complaints Procedure.
14. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page tells you when it was most recently revised. Material changes will be communicated to active clients by email.