Last Updated: March 2026

1. INTRODUCTION

BMA Law (“we,” “our,” “us,” or the “Firm”) is committed to protecting the privacy and security of personal data belonging to our clients, website visitors, and all individuals who interact with our services. This Privacy Policy (hereinafter referred to as the “Policy”) describes in comprehensive detail how we collect, use, process, store, share, and protect personal information obtained through our website located at bmalaw.com (the “Website”), as well as through any associated services, communications, consultations, and professional engagements undertaken by the Firm.

This Policy is designed to comply with applicable data protection and privacy legislation, including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), the Data Protection Act 2018 (UK), and other applicable federal, state, and international privacy laws and regulations. By accessing or using our Website, engaging our legal services, or otherwise providing personal information to us, you acknowledge that you have read, understood, and agree to be bound by the terms and conditions set forth in this Policy and in our Terms of Service.

For information specifically related to your rights under the General Data Protection Regulation, please also review our dedicated GDPR Compliance page, which provides additional detail regarding the exercise of data subject rights under European Union law.

2. INFORMATION WE COLLECT

In the course of operating our Website and providing legal services, we collect and process various categories of personal data. The specific types of information we collect depend on the nature of your interaction with the Firm and may include, without limitation, the following:

2.1 Personal Data Provided Directly by You

When you contact us, request a consultation, engage our services, subscribe to our communications, or otherwise voluntarily provide information, we may collect: your full legal name; email address; telephone number(s); postal and residential address; date of birth; government-issued identification numbers where required for legal proceedings or regulatory compliance; employment information; financial information necessary for billing, payment processing, and the provision of legal services; details pertaining to your legal matter including but not limited to case facts, documentation, correspondence, and any other information you choose to provide in the course of the attorney-client relationship.

2.2 Usage Data and Automatically Collected Information

When you visit our Website, our servers and third-party analytics providers automatically collect certain technical and usage information, including but not limited to: your Internet Protocol (IP) address; browser type and version; operating system and platform; device type, screen resolution, and device identifiers; referring URL and exit pages; pages visited and the sequence of navigation; date, time, and duration of your visit; click-stream data and interaction patterns; search queries entered on the Website; and other diagnostic and statistical data related to your use of the Website. This information is collected through server logs, cookies, web beacons, pixel tags, and similar tracking technologies as described more fully in Section 9 of this Policy.

2.3 Cookie and Tracking Technology Data

We employ cookies and similar tracking technologies to enhance your experience on our Website, analyze usage patterns, and facilitate certain functionalities. Cookies are small text files stored on your device that allow us to recognize your browser, remember your preferences, and understand how you interact with our Website. The specific types of cookies we use and your options for managing them are described in detail in Section 9 (Cookies Policy) below.

2.4 Device and Technical Information

We may collect information about the device you use to access our Website, including hardware model, operating system and version, unique device identifiers, mobile network information, browser plug-in types and versions, time zone settings, and geolocation data derived from your IP address. This information is used to ensure compatibility, optimize performance, diagnose technical issues, and enhance the security of our Website and services.

3. HOW WE USE YOUR INFORMATION

We process personal data for a variety of lawful purposes directly related to the operation of our Firm, the provision of legal services, and the maintenance of our Website. Specifically, we use your information for the following purposes:

3.1 Service Delivery and Legal Representation

To provide legal advice, counsel, and representation; to prepare, file, and manage legal documents and proceedings; to communicate with you regarding your legal matter; to conduct legal research and analysis; to manage case files and client records; to perform conflict checks; to facilitate billing, invoicing, and payment processing; and to fulfill our professional and ethical obligations as legal practitioners.

3.2 Communication and Client Relations

To respond to your inquiries, requests, and correspondence; to send appointment reminders and case updates; to provide newsletters, legal updates, and marketing communications where you have consented to receive them or where we have a legitimate interest in doing so; to conduct client satisfaction surveys; and to maintain and improve our professional relationship with you.

3.3 Legal Compliance and Regulatory Obligations

To comply with applicable laws, regulations, legal processes, and enforceable governmental requests; to fulfill our obligations under anti-money laundering (AML) and know-your-client (KYC) regulations; to comply with court orders, subpoenas, and other legal processes; to maintain records as required by law and professional regulatory bodies; to report to tax authorities as required by applicable law; and to protect and defend the legal rights, property, and safety of the Firm, our clients, employees, and the public.

3.4 Website Operation and Improvement

To operate, maintain, and improve our Website and its functionality; to personalize your experience; to analyze usage trends and preferences; to monitor and ensure the security and integrity of our Website; to detect, prevent, and address technical issues, fraud, and unauthorized access; and to develop new features and services.

4. LEGAL BASIS FOR PROCESSING

In accordance with Article 6 of the General Data Protection Regulation (GDPR), we process personal data only where we have a lawful basis to do so. The legal bases upon which we rely for the processing of your personal data include:

4.1 Consent (Article 6(1)(a) GDPR): Where you have given clear, informed, and unambiguous consent to the processing of your personal data for one or more specific purposes. You have the right to withdraw your consent at any time by contacting us at the details provided in Section 15. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

4.2 Performance of a Contract (Article 6(1)(b) GDPR): Where the processing is necessary for the performance of a contract to which you are a party, including our engagement letter and retainer agreement, or in order to take steps at your request prior to entering into a contract for legal services.

4.3 Legitimate Interests (Article 6(1)(f) GDPR): Where the processing is necessary for the purposes of the legitimate interests pursued by the Firm or by a third party, except where such interests are overridden by your fundamental rights and freedoms. Our legitimate interests include: the effective administration and management of our legal practice; the improvement of our services and client experience; the marketing of our services to existing and prospective clients; the prevention of fraud and unauthorized access to our systems; and the exercise or defense of legal claims.

4.4 Legal Obligation (Article 6(1)(c) GDPR): Where the processing is necessary for compliance with a legal obligation to which we are subject, including obligations under tax law, anti-money laundering regulations, professional conduct rules, and court orders or other binding legal processes.

4.5 Vital Interests (Article 6(1)(d) GDPR): In rare and exceptional circumstances, where the processing is necessary to protect the vital interests of the data subject or of another natural person.

5. DATA SHARING AND THIRD PARTIES

We do not sell, rent, lease, or trade your personal data to third parties for their marketing purposes. We may share your personal data with the following categories of recipients, solely to the extent necessary and in accordance with applicable data protection laws:

5.1 Payment Processors: We use PayPal and other reputable payment processing services to facilitate secure financial transactions. When you make a payment, your payment information is transmitted directly to the payment processor in accordance with their privacy policies and Payment Card Industry Data Security Standards (PCI DSS). We do not store your complete credit card or payment account numbers on our servers.

5.2 Analytics Providers: We use Google Analytics and similar analytics services to understand how visitors use our Website. Google Analytics collects information such as how often users visit the Website, what pages they visit, and what other sites they used prior to coming to the Website. We use the information obtained from Google Analytics to improve our Website and services. Google Analytics collects only the IP address assigned to you on the date you visit the Website and does not collect your name or other personally identifying information. You may opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

5.3 Hosting and Technology Providers: Our Website is hosted by third-party hosting providers who maintain the servers and infrastructure necessary for the operation of the Website. These providers may have access to personal data stored on their servers but are contractually obligated to process such data only in accordance with our instructions and applicable data protection laws.

5.4 Professional Advisors and Legal Requirements: We may disclose personal data to our professional advisors, including attorneys, accountants, and auditors, to the extent necessary for them to provide their services to us. We may also disclose personal data where required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, property, or safety, or the rights, property, or safety of our clients or others.

5.5 Courts, Tribunals, and Regulatory Bodies: In the course of providing legal services, we may be required to share personal data with courts, tribunals, opposing parties, regulatory agencies, and other entities involved in legal proceedings, as necessary for the prosecution or defense of legal claims.

6. DATA RETENTION

We retain personal data only for as long as is necessary to fulfill the purposes for which it was collected, to comply with legal and regulatory obligations, to resolve disputes, and to enforce our agreements. The specific retention period applicable to your personal data depends on the nature of the data and the purpose for which it was collected. The criteria we use to determine appropriate retention periods include:

The duration of our ongoing relationship with you and the provision of legal services; the existence of any ongoing legal obligation requiring us to retain data, including professional regulatory requirements that mandate the retention of client files for specified periods following the conclusion of a matter; applicable statutes of limitation that may give rise to legal claims; guidance and recommendations from regulatory authorities and professional bodies; and the necessity of retaining data for the establishment, exercise, or defense of legal claims.

Client files and records pertaining to legal matters are generally retained for a minimum period of seven (7) years following the conclusion of the matter, or longer where required by applicable law or professional regulations. Website usage data and analytics information is typically retained for a period of twenty-six (26) months. Marketing consent records are retained for the duration of the consent and for a reasonable period thereafter for compliance and audit purposes.

7. YOUR RIGHTS UNDER THE GDPR

If you are a resident of the European Economic Area (EEA) or the United Kingdom, you are entitled to the following rights under the General Data Protection Regulation. For detailed information on how to exercise these rights, please visit our GDPR Compliance page.

7.1 Right of Access (Article 15): You have the right to request confirmation as to whether or not personal data concerning you is being processed, and where that is the case, to obtain access to such personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data has been or will be disclosed; the envisaged retention period; and the existence of automated decision-making, including profiling.

7.2 Right to Rectification (Article 16): You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

7.3 Right to Erasure (Article 17): You have the right to obtain the erasure of personal data concerning you without undue delay where one of the following grounds applies: the personal data is no longer necessary in relation to the purposes for which it was collected; you withdraw consent and there is no other legal ground for the processing; you object to the processing and there are no overriding legitimate grounds; the personal data has been unlawfully processed; or the personal data must be erased for compliance with a legal obligation. This right is subject to certain exceptions, including where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defense of legal claims, or for reasons of public interest.

7.4 Right to Restriction of Processing (Article 18): You have the right to obtain restriction of processing where: you contest the accuracy of the personal data, for a period enabling us to verify the accuracy; the processing is unlawful and you oppose the erasure of the personal data and request restriction of its use instead; we no longer need the personal data for the purposes of processing, but it is required by you for the establishment, exercise, or defense of legal claims; or you have objected to processing pending the verification of whether our legitimate grounds override yours.

7.5 Right to Data Portability (Article 20): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and you have the right to transmit that data to another controller without hindrance from us, where the processing is based on consent or on a contract, and the processing is carried out by automated means.

7.6 Right to Object (Article 21): You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on legitimate interests or the performance of a task carried out in the public interest. We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

7.7 Rights Related to Automated Decision-Making and Profiling (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where the decision is necessary for entering into or performance of a contract, is authorized by Union or Member State law, or is based on your explicit consent. We do not currently engage in automated decision-making or profiling that produces legal effects or similarly significantly affects individuals.

8. YOUR RIGHTS UNDER THE CCPA

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA/CPRA”), provides you with the following rights with respect to your personal information:

8.1 Right to Know: You have the right to request that we disclose to you the categories of personal information we have collected about you, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting or selling personal information, the categories of third parties with whom we share personal information, and the specific pieces of personal information we have collected about you, in each case covering the 12-month period preceding your request.

8.2 Right to Delete: You have the right to request that we delete personal information about you that we have collected, subject to certain exceptions provided under the CCPA/CPRA, including where retention is necessary to complete the transaction for which the personal information was collected, to comply with a legal obligation, or for other lawful internal purposes compatible with the context in which the information was provided.

8.3 Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you, taking into account the nature of the personal information and the purposes of the processing.

8.4 Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale or sharing of your personal information. We do not sell your personal information, nor do we share your personal information for cross-context behavioral advertising purposes.

8.5 Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge you different prices or rates, provide you a different level or quality of goods or services, or suggest that you may receive a different price or rate or different level or quality of goods or services as a result of exercising your rights.

To exercise any of these rights, please contact us at [email protected]. We will respond to verifiable consumer requests within forty-five (45) days of receipt, as required by the CCPA/CPRA.

9. COOKIES POLICY

Our Website uses cookies and similar tracking technologies to distinguish you from other users of the Website, to enhance your browsing experience, and to analyze the use of our Website. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your device. We use the following types of cookies:

9.1 Strictly Necessary Cookies: These cookies are essential for the operation of our Website and enable you to navigate the site and use its features. Without these cookies, services you have asked for, such as setting your privacy preferences, logging in, or filling in forms, cannot be provided. These cookies do not gather information about you that could be used for marketing or remembering where you have been on the Internet and do not require your consent.

9.2 Analytics and Performance Cookies: These cookies allow us to recognize and count the number of visitors to our Website and to see how visitors move around the Website when they are using it. This helps us to improve the way our Website works, for example, by ensuring that users find what they are looking for easily. These cookies collect aggregated, anonymous statistical information and do not identify individual visitors. We use Google Analytics for this purpose.

9.3 Functionality and Preference Cookies: These cookies are used to recognize you when you return to our Website and enable us to personalize our content for you, greet you by name, and remember your preferences such as your choice of language or region. These cookies may be set by us or by third-party providers whose services we have added to our pages.

9.4 Managing Cookies: Most web browsers allow you to control cookies through their settings preferences. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the Website may become inaccessible or not function properly. For more information about cookies and how to manage them, visit www.aboutcookies.org or www.allaboutcookies.org.

10. CHILDREN’S PRIVACY

Our Website and services are not directed to, and we do not knowingly collect personal data from, children under the age of sixteen (16) in the European Economic Area or under the age of thirteen (13) in the United States. If we become aware that we have inadvertently collected personal data from a child under the applicable age threshold without verified parental consent, we will take commercially reasonable steps to delete such information from our records as soon as practicable. If you believe that we may have collected personal data from a child under the applicable age, please contact us immediately at [email protected] so that we may take appropriate action.

11. INTERNATIONAL DATA TRANSFERS

Your personal data may be transferred to, stored in, and processed in countries other than the country in which it was collected, including countries that may not provide an equivalent level of data protection as your home jurisdiction. Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection by the European Commission or other competent authority (an “Adequacy Decision”), we ensure that appropriate safeguards are in place to protect your personal data in accordance with this Policy and applicable law. Such safeguards may include: the European Commission’s Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914; the UK International Data Transfer Agreement or Addendum; binding corporate rules approved by competent supervisory authorities; or your explicit consent to the transfer, after having been informed of the possible risks. By engaging our services and providing us with your personal data, you acknowledge and consent to the transfer, storage, and processing of your personal data in accordance with the safeguards described herein.

12. SECURITY MEASURES

We have implemented and maintain appropriate technical and organizational security measures designed to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, damage, theft, or disclosure. These measures include, without limitation: encryption of personal data in transit using Transport Layer Security (TLS/SSL) protocols; encryption of sensitive personal data at rest using industry-standard encryption algorithms; strict access controls and authentication mechanisms, including role-based access control and multi-factor authentication, to ensure that personal data is accessible only to authorized personnel who have a legitimate need to access such data; regular security assessments, vulnerability scanning, and penetration testing; continuous monitoring and logging of access to systems containing personal data; physical security measures at our premises and data center facilities; employee training and awareness programs on data protection and information security; and incident response procedures designed to detect, investigate, and respond to security incidents in a timely manner. While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

13. DATA BREACH NOTIFICATION

In the event of a personal data breach, as defined under Article 4(12) of the GDPR, we will comply with our obligations under applicable data protection laws regarding notification. Specifically, where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we shall notify the competent supervisory authority without undue delay and, where feasible, not later than seventy-two (72) hours after having become aware of the breach, in accordance with Article 33 of the GDPR. Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we shall communicate the personal data breach to the affected data subjects without undue delay, in accordance with Article 34 of the GDPR. Such notification shall describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences of the breach, and the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects. We maintain comprehensive incident response procedures to ensure timely detection, assessment, and notification of data breaches.

14. CHANGES TO THIS PRIVACY POLICY

We reserve the right to modify, amend, or update this Privacy Policy at any time and for any reason, in our sole discretion. Any changes to this Policy will be effective immediately upon posting of the revised Policy on our Website, with an updated “Last Updated” date at the top of this page. We encourage you to review this Policy periodically to stay informed about how we are protecting the personal data we collect. Your continued use of our Website or services following the posting of changes constitutes your acknowledgment and acceptance of such changes. Where changes are material and where required by applicable law, we will provide additional notice, such as by email or by posting a prominent notice on our Website, prior to the changes becoming effective. Material changes include, but are not limited to, changes to the purposes of processing, the categories of personal data collected, or the categories of recipients of personal data. For material changes affecting processing based on consent, we will seek your renewed consent where required by applicable law.

15. CONTACT INFORMATION

If you have any questions, concerns, or requests regarding this Privacy Policy, your personal data, or our data processing practices, please contact us using the following information:

BMA Law
Email: [email protected]
Website: bmalaw.com

For GDPR-specific requests (including data subject access requests, rectification, erasure, and other rights under the GDPR), please direct your correspondence to:
Email: [email protected]

We will endeavor to respond to all legitimate requests within the time frames required by applicable law. For GDPR requests, we will respond within thirty (30) days of receipt, in accordance with Article 12(3) of the GDPR, subject to extension where permitted by law. For CCPA/CPRA requests, we will respond within forty-five (45) days of receipt of a verifiable consumer request.

For further information on our terms and conditions governing the use of our Website and services, please review our Terms of Service. For additional information regarding our compliance with the General Data Protection Regulation, please visit our GDPR Compliance page.