TEST ENVIRONMENT
We're hiring: Residential Conveyancers

Privacy Policy

1. Introduction

1.1 Important information and who we are

Welcome to Koala Legal Ltd's Privacy and Data Protection Policy ("Privacy Policy").

At Koala Legal Ltd ("we", "us", or "our") we are committed to protecting and respecting your privacy and Personal Data in compliance with the United Kingdom General Data Protection Regulation ("GDPR"), the Data Protection Act 2018 and all other mandatory laws and regulations of the United Kingdom. We are also accredited to the UK Government's Cyber Essentials security standards.

We are a conveyancing firm regulated by the Council for Licensed Conveyancers (CLC) (Licence Number: 14749).

This Privacy Policy explains how we collect, process and keep your data safe. The Privacy Policy will tell you about your privacy rights, how the law protects you, and inform our employees and staff members of all their obligations and protocols when processing data.

The individuals from which we may gather and use data can include:

  • Customers
  • Business contacts
  • Third parties connected to your customers
  • Any other people that the organisation has a relationship with or may need to contact.

This Privacy Policy applies to all our employees and staff members and all Personal Data processed at any time by us.

1.2 Your Data Controller

Koala Legal Ltd is your Data Controller and responsible for your Personal Data. We are not obliged by the GDPR to appoint a data protection officer and have not voluntarily appointed one at this time.

Contact Details:

  • Email: hello@koala.legal
  • Post: Unit F6/7 Leah's Yard, 22 Cambridge Street, Sheffield, S1 4HP, United Kingdom.

1.3 Processing data on behalf of a Controller and processors' responsibility to you

In discharging our responsibilities as a Data Controller we have employees who will deal with your data on our behalf (known as "Processors"). The responsibilities below may be assigned to an individual or may be taken to apply to the organisation as a whole. The Data Controller and our Processors have the following responsibilities:

  • Ensure that all processing of Personal Data is governed by one of the legal bases laid out in the GDPR (see 2.2 below for more information);
  • Ensure that Processors authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of Personal Data;
  • Obtain the prior specific or general authorisation of the Controller before engaging another Processor;
  • Assist the Controller in the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights;
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller;
  • Maintain a record of all categories of processing activities carried out on behalf of a Controller;
  • Cooperate, on request, with the supervisory authority in the performance of its tasks;
  • Ensure that any person acting under the authority of the Processor who has access to Personal Data does not process Personal Data except on instructions from the Controller; and
  • Notify the Controller without undue delay after becoming aware of a Personal Data Breach.

2. Legal Basis for Data Collection

2.1 Types of data / Privacy policy scope

"Personal Data" means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together below:

Profile/Identity Data
First name, last name, gender, date of birth, passports, driving licenses
Contact Data
Phone number, addresses, email addresses.
Marketing & Comms
Your preferences in receiving marketing and other information from us.
Billing Data
Debit/credit card information, name on payment details, billing address.
Financial Data
Banking details e.g. account number and sort code, mortgage offers and Source of Funds & Wealth such as bank statements.
Transactional Data
Records of all payments you have made for our services or products.
Communications Data
Records of communications we send and receive on your behalf or in connection with your transaction, including email correspondence, SMS and WhatsApp message logs, telephone call logs, and call recordings.
Technical Data
IP address, browser type/version, time zone/location, operating system/platform.
Analytics Data
Session recordings (replays of on-screen interactions), error and crash logs, page views and feature usage data, and performance metrics. This data is collected through our analytics platform to help us improve our services and diagnose technical issues.
Biometric Data
Data obtained from electronic identity verification tools used to confirm your identity. This constitutes special category data under UK GDPR when used for identification purposes.
Property Ownership
Legal ownership and title, Land Registry registers, deeds, charges, restrictions.
Property Transaction
Transaction status, agreed price, completion dates, chain details, correspondence.
Property Docs
Contracts, Searches, transfer deeds (TR1), lease agreements, planning permissions, certificates.
Special Category Data
We may occasionally process health data (e.g. for vulnerable client adjustments), ethnic origin (derived from ID documents), and biometric data (from electronic ID verification). We only process special category data where strictly necessary and where a lawful basis under Article 9 of UK GDPR applies, such as explicit consent or reasons of substantial public interest.

Aggregated Data: We also collect, use and share Aggregated Data such as information about trends in conveyancing transactions and property types, overall transaction outcomes and timescales, pricing and quote patterns, how our services and digital tools are used, and high-level compliance and fraud-prevention trends. This Aggregated Data is combined from multiple records and does not identify any individual.

2.2 The Legal Basis for Collecting That Data

The main avenues we rely on are:

  • "Consent": Certain situations allow us to collect your Personal Data, such as when you tick a box that confirms you are happy to receive email newsletters from us, or 'opt in' to a service. Where we use session recordings to replay on-screen interactions, we will obtain your consent via our cookie banner before collecting this data.
  • "Contractual Obligations": We may require certain information from you in order to fulfil our contractual obligations and provide you with the promised service.
  • "Legal Compliance": We're required by law to collect and process certain types of data, such as fraudulent activity, money laundering, terrorist financing, Transfer of Funds Regulations 2017 and CLC regulatory requirements.
  • "Legitimate Interest": We might need to collect certain information from you to be able to meet our legitimate interests – this covers aspects that can be reasonably expected as part of running our business, that will not have a material impact on your rights, freedom or interests. This includes collecting error logs, page views, feature usage data, and performance metrics through our analytics platform to maintain, improve, and ensure the reliability of our services.
  • "Quality control": We might need to collect certain information from you to satisfy internal quality audits and to defend against potential legal claims.

3. How We Use Your Personal Data

3.1 Our data uses

We will only use your Personal Data when the law allows us to.

3.2 Marketing and content updates

You will receive marketing and new content communications from us if you have created an account and chosen to opt into receiving those communications. From time to time we may make suggestions and recommendations to you about goods or services that may be of interest to you.

3.3 Change of purpose

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

3.4 Analytics and session monitoring

We use an analytics platform to monitor how our website and portal are used, to identify and resolve errors, and to improve the quality of our services. This may include:

  • Recording and replaying user sessions to understand how visitors and clients interact with our website and portal. Session recordings may capture on-screen interactions such as clicks, scrolls, and page navigation. These recordings are used solely to improve usability and diagnose issues, and are never used for purposes unrelated to service improvement.
  • Logging errors and crashes that occur during your use of our services, so that we can identify and fix technical problems promptly.
  • Collecting data on page views and feature usage to understand which parts of our services are most used and where improvements are needed.
  • Monitoring performance metrics such as page load times to ensure our services operate reliably.

Session recordings are collected on the basis of your consent, provided via our cookie banner. Error logging, page view tracking, and performance monitoring are carried out on the basis of our legitimate interest in maintaining and improving our services. You can withdraw your consent to session recordings at any time by updating your cookie preferences.

3.5 Automated decision-making

We do not use any automated decision-making or profiling that produces legal or similarly significant effects on you. All decisions relating to your transaction are made by qualified and authorised persons.

4. Your Rights and How You Are Protected

4.1 Your legal rights

Under certain circumstances, you have the following rights:

  • Right to be informed.
  • Right of access. (Data Subject Access Request)
  • Right to rectification.
  • Right to erasure. Please note that this right is subject to our legal and regulatory obligations to retain certain data (see Section 6). Where a retention period has not yet expired, we may be unable to comply with a request for erasure.
  • Right to object. (Direct marketing, legitimate interest, etc.)
  • Right to restrict processing.
  • Right to data portability.

If you wish to make a request under any of these rights, please contact us at hello@koala.legal. We will respond to your request within one calendar month of receiving it. If your request is complex or we receive a high volume of requests, we may extend this period by a further two months, in which case we will notify you.

4.2 Control over Personal Data

Your account information will be protected by a password for your privacy and security. You need to prevent unauthorized access to your account and personal information by selecting and protecting your password appropriately and limiting access to your computer or device and by signing off after you have finished accessing your account. You will need to contact us if you would like to delete your account.

4.3 How Koala Legal Ltd protects customers' Personal Data

We implement a variety of security measures, including:

  • Appropriate technical and organisational measures.
  • Use of reputable, security-focused third-party service providers.
  • Access controls, encryption of data in transit and at rest.
  • Secure cloud infrastructure and internal handling policies.

While we strive to protect your Personal Data, we cannot ensure or warrant the security of any Personal Data you transmit to us. Any such transmission is done at your own risk.

4.4 Opting out and Data Requests

  • Opting out: Email hello@koala.legal at any time.
  • Fees: You will not normally have to pay a fee to access your Personal Data. However, we may charge a reasonable fee if your request is manifestly unfounded or excessive, or we may refuse to comply with your request in such circumstances.
  • Identity Verification: We may need to request specific information from you to help us confirm your identity before exercising your rights.

5. Your Data and Third Parties

5.1 Sharing your data

We may share non-Personal Data with third parties. We may share your Personal Data with subcontractors or affiliates, subject to confidentiality obligations.

Conveyancing requires us to share your personal information with specific third parties:

  • HM Land Registry: To register your ownership or charges.
  • HMRC: For the submission of Stamp Duty Land Tax (SDLT) returns.
  • Lenders: To report on the title and manage mortgage funds.
  • Other Side's Legal Representative: To facilitate the exchange and completion.
  • Trusted suppliers (e.g. ID company, search provider, our IT service provider, and our analytics platform provider)
  • Twilio Inc.: To provide communication services including email, voice calls, SMS, and WhatsApp messaging in connection with your transaction.
  • The CLC & Legal Ombudsman: For regulatory audits or complaint handling.

Your personal information stored on our case management system may be seen by external providers of technical services if they need to access the system, to fix a technical problem or to support our business.

We may also share data in the event of a change in control, acquisition, or sale of the business.

5.2 Cookies

Our website uses cookies and similar technologies to distinguish you from other users, to support the functionality of our site, and to help us improve your experience. For full details of the cookies we use, their purpose, and how to manage your preferences, please see our Cookie Policy at https://www.koala.legal/cookie-consent.

5.3 Third-Party Links

This Site may include links to third-party websites. Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party websites.

6. How Long We Retain Your Data

We retain your Personal Data only for as long as is necessary to fulfil the purpose for which it was collected, after which it will be securely destroyed. The retention periods vary depending on the nature of your relationship with us.

6.1 Website Users (Quote Enquiries)

If you request a quote through our website but do not proceed to instruct us, we will retain the personal data you provided for up to 1 year from the date your quote was generated. This allows us to assist you should you return to discuss or proceed with your quote. After this period, your data will be securely deleted.

Analytics data collected from your browsing sessions (such as session recordings, page views, and error logs) is retained in accordance with your cookie consent preferences and our analytics platform's retention settings, and is deleted automatically once the applicable retention period expires.

6.2 Clients (Instructed Transactions)

Where you have signed our Terms of Engagement and become a client, we will retain your file as follows:

  • Purchases: 15 years following completion. This extended period ensures we hold the necessary records to assist you should any latent defects or title issues arise in the future.
  • Sales: 6 years following completion.
  • Aborted or fallen-through transactions: 6 years from the date the transaction was closed.
  • AML Records: Your identity verification documents will be retained for 5 years after the conclusion of our business relationship, in accordance with anti-money laundering regulations.

6.3 Secure Destruction

After the applicable retention period has expired, your electronic and physical data will be securely destroyed.

We may retain data for longer than the periods stated above in the event of a complaint, regulatory investigation, or the prospect of litigation.

7. International Transfer of Data

We endeavour to keep your Personal Data within the United Kingdom and the European Economic Area (EEA). However, some of the third-party service providers we use to deliver our services are based outside of the UK and EEA, which means your Personal Data may be transferred to, stored, or processed in countries that do not benefit from a UK adequacy decision.

7.1 Current international transfers

We use Twilio Inc. to provide communication services including email, voice (including call recording), SMS, and WhatsApp messaging. While Twilio's email and voice services are processed within the European Union, certain data is transferred to the United States:

  • SMS message logs: Records of SMS messages sent and received in connection with your transaction.
  • WhatsApp message logs: Records of WhatsApp messages sent and received in connection with your transaction.

7.2 Safeguards

Where we transfer Personal Data outside of the UK, we ensure that appropriate safeguards are in place to protect your data in accordance with UK GDPR. Twilio's cross-border data transfers are protected by:

  • Binding Corporate Rules (BCRs): Twilio maintains approved Binding Corporate Rules, which were approved by EU data protection authorities and function as a binding code of conduct ensuring that all personal data is adequately protected regardless of where it is processed within the Twilio group of companies. These BCRs serve as the primary lawful transfer mechanism.
  • UK International Data Transfer Agreement (UK IDTA): Twilio's Data Protection Addendum also incorporates the UK IDTA issued by the Information Commissioner's Office, providing an additional layer of contractual protection for transfers of personal data from the United Kingdom.

If we engage any additional international service providers in the future, we will ensure that equivalent safeguards are in place before any Personal Data is transferred and will update this Privacy Policy accordingly.

8. Notification of Changes and Acceptance

We keep our Privacy Policy under review. This version is dated April 2026. Continued access or use of Koala Legal Ltd will constitute your express acceptance of any modifications.

9. Interpretation

All uses of the word "including" in this Privacy Policy mean "including but not limited to". Any references to legislation include any amendments, re-enactments, or successor legislation from time to time in force.

10. Terms of Use

Please also see our Terms of Engagement.

11. Complaints

If you wish to make a complaint about how we have handled your personal data, please contact Bonita Wolfenden, Head of Legal Practice (HOLP), using the details set out in our Terms of Engagement or by emailing hello@koala.legal. If you are not satisfied with our response, you have the right to make a complaint to the Information Commissioner's Office (ICO) at www.ico.org.uk.

We use cookies to help improve your experience. Learn more