Privacy Policy

Last Updated: March 2026

Our Core Commitment: BMA Law does not sell, share, rent, lease, or disclose customer data to any third party, for any reason, under any circumstances. Your data stays with us. Period.

1. Introduction

BMA Law ("we," "our," "us," or the "Firm") is committed to protecting the privacy and security of personal data belonging to our clients, website visitors, and all individuals who interact with our services. This Privacy Policy describes how we collect, use, process, store, and protect personal information obtained through our website at bmalaw.com, as well as through any associated services, communications, and professional engagements.

This Policy complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"), the Data Protection Act 2018 (UK), and the EU Artificial Intelligence Act (Regulation (EU) 2024/1689). By accessing or using our Website, you acknowledge that you have read and agree to be bound by this Policy and our Terms of Service.

For GDPR-specific rights, see our GDPR Compliance page. For information about our AI systems, see our EU AI Act Transparency Policy.

2. Information We Collect

2.1 Information You Provide

When you contact us, request a consultation, or engage our services, we may collect: your name, email address, phone number, postal address, employment information, financial information for billing, and details pertaining to your legal matter including case facts, documentation, and correspondence.

2.2 Automatically Collected Information

When you visit our Website, we automatically collect: IP address, browser type, operating system, device type, pages visited, date and time of visit, referring URL, and click-stream data. This is collected through server logs, cookies, and similar technologies.

2.3 AI Interaction Data

When you interact with our AI assistant (Tracy), we process the messages you send to provide responses. Session data is not retained after your browsing session ends unless you explicitly create an account. We do not use your conversations to train AI models. See our EU AI Act Transparency Policy for details.

3. How We Use Your Information

We use your information for: providing our arbitration preparation services; communicating with you about your case; processing payments; complying with legal obligations; operating and improving our Website; and sending service-related communications.

4. We Do Not Share Your Data

BMA Law does not share customer data with anyone, for any reason. Specifically, we do not:

  • Sell your personal data to any third party
  • Share your data with advertisers, data brokers, or marketing companies
  • Provide your information to AI model providers for training purposes
  • Disclose your case details to other clients, businesses, or organizations
  • Transfer your data to entities not directly involved in providing your service
  • Rent, lease, or trade your personal information

The only exceptions to this policy are:

  • Payment processing: Payment information is transmitted directly to PayPal or our payment processor under PCI DSS standards. We do not store payment card numbers.
  • Legal obligation: We may disclose data if required by law, court order, or valid legal process.
  • Website hosting: Our hosting provider maintains the servers that store our Website data under strict contractual data processing agreements.

5. Cookies

We use essential cookies for Website operation, analytics cookies (Google Analytics) to understand usage patterns, and functionality cookies to remember your preferences. You can control cookies through your browser settings. Disabling cookies may affect Website functionality.

6. Data Retention

We retain client records for a minimum of seven (7) years following conclusion of a matter, as required by professional regulations. Website analytics data is retained for twenty-six (26) months. AI interaction session data is not retained after your session ends.

7. Your Rights

Depending on your jurisdiction, you have the right to: access your personal data; correct inaccurate data; delete your data; restrict processing; data portability; object to processing; and opt out of automated decision-making. For GDPR-specific rights, see our GDPR Compliance page.

California residents: We do not sell your personal information. You have the right to know, delete, correct, and opt out under CCPA/CPRA. Contact [email protected] to exercise these rights.

8. Security

We implement encryption in transit (TLS/SSL), access controls, multi-factor authentication, regular security assessments, and incident response procedures. No method of transmission is completely secure, but we use commercially reasonable measures to protect your data.

9. Children's Privacy

Our services are not directed to children under 16 (EEA) or 13 (US). If we become aware we have collected data from a child, we will delete it promptly.

10. International Transfers

Where data is transferred outside the EEA, we use Standard Contractual Clauses (SCCs) or other approved safeguards. Your data is never shared with third parties during transfer.

11. Changes to This Policy

We may update this Policy at any time. Material changes will be posted on our Website with an updated date. Continued use of our services constitutes acceptance of changes.

12. Contact

BMA Law
Email: [email protected]
GDPR inquiries: [email protected]
Website: bmalaw.com