Privacy Notice
Effective Date: 06 February 2026
Last Updated: 05 June 2026
1. Introduction
This Privacy Notice explains how Grace Kentish-Beard, trading as GR Ace Legal Compliance Specialist ("we", "us" or "our"), collects, uses, shares and protects your personal data.
We operate as a sole trader in the United Kingdom and are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and applicable privacy and electronic communications laws, including the Privacy and Electronic Communications Regulations 2003 (PECR), as amended by the Data (Use and Access) Act 2025 (DUAA).
This Privacy Notice applies when you visit our website, www.gracelegal.net (the Website), contact us, make an enquiry, engage our services, interact with us online, or otherwise provide personal data to us.
2. Personal Data We Collect
We may collect and process the following categories of personal data:
Identity and Contact Data
This may include your name, business name, job title, email address, telephone number and postal address.
Business and Enquiry Data
This may include company details, information about your organisation, the nature of your enquiry, service requirements, and information you provide in connection with compliance, consultancy or legal-support services.
Communications Data
This may include information contained in emails, website forms, telephone calls, meeting notes, correspondence and other communications with us.
Technical and Usage Data
This may include your IP address, browser type and version, device information, operating system, time zone setting, website usage information, referral source, pages viewed and interactions with the Website.
Marketing and Preference Data
This may include your preferences for receiving marketing communications from us and your communication preferences.
Special Category Data
We do not intentionally collect special category data unless it is voluntarily provided by you and is necessary for the provision of our services. Special category data includes information about health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, sex life or sexual orientation.
Where special category data is processed, we will only do so where a valid UK GDPR Article 9 condition applies.
3. How We Collect Personal Data
We may collect personal data:
- directly from you when you contact us, complete a form, request information, book a consultation or engage our services;
- through our Website and related technologies, such as cookies and analytics tools;
- from correspondence, meetings, telephone calls or video calls;
- from publicly available sources, such as Companies House, professional directories, websites or social media platforms; and
- from third parties where this is relevant to the services we provide and lawful to do so.
4. Lawful Bases for Processing
We only process personal data where we have a lawful basis under UK data protection law. Depending on the circumstances, we may rely on one or more of the following lawful bases:
Consent
Where you have given clear consent for a specific purpose, such as receiving certain marketing communications.
Contract
Where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract.
Legal Obligation
Where processing is necessary to comply with a legal or regulatory obligation.
Legitimate Interests
Where processing is necessary for our legitimate business interests, provided those interests are not overridden by your rights, freedoms and interests. This may include managing our business, responding to enquiries, improving our services, maintaining records, protecting our legal rights and ensuring website security.
Recognised Legitimate Interests
Where applicable, we may rely on the DUAA's recognised legitimate interests lawful basis for specific public-interest purposes permitted by law. This basis does not require the same balancing test as ordinary legitimate interests, but it can only be used where the relevant statutory conditions are met.
In practice, we expect most of our routine processing to rely on contract, legal obligation, consent or ordinary legitimate interests rather than recognised legitimate interests.
5. How We Use Your Personal Data
We may use your personal data to:
- respond to enquiries and communicate with you;
- provide compliance, consultancy and related services;
- assess whether we can assist you or your organisation;
- manage client relationships and service delivery;
- prepare proposals, engagement documents, invoices and records;
- operate, maintain and improve the Website;
- understand how visitors use the Website;
- manage our business administration, accounting and record keeping;
- comply with legal, regulatory and tax obligations;
- protect our legal rights and prevent misuse of our services or Website;
- send marketing communications where permitted by law; and
- maintain appropriate security, audit and compliance records.
6. Marketing Communications
We may send you marketing communications where you have consented to receive them or where we are otherwise permitted to do so under applicable law.
You can opt out of marketing communications at any time by using the unsubscribe option in our communications, where available, or by contacting us using the details in section 17.
We will not sell your personal data to third parties for marketing purposes.
7. Cookies and Similar Technologies
We use cookies and similar technologies to operate the Website, support security, improve functionality, understand website usage and enhance user experience.
Some cookies are strictly necessary for the Website to function. Others, such as analytics or preference cookies, may be optional. The DUAA amends PECR and allows some types of cookies to be used without consent in limited circumstances, including certain cookies used for statistical purposes or to improve website functionality. (ico.org.uk)
Where consent is required, we will ask for it before placing non-essential cookies on your device. Further information about the cookies we use and how to manage your preferences is set out in our Cookie Policy.
8. Automated Decision-Making
We do not currently use solely automated decision-making that produces legal or similarly significant effects on individuals.
If this changes, we will update this Privacy Notice and ensure that appropriate safeguards are in place. The DUAA updates the rules on automated decision-making and allows organisations to rely on a broader range of lawful bases in certain circumstances, subject to safeguards and applicable restrictions, particularly where special category data is involved.
9. Research, Analytics and Statistical Purposes
We may use limited personal data or aggregated information to understand how our Website and services are used, improve our services, measure performance and generate internal business statistics.
Where possible, we use anonymised or aggregated data that does not identify individuals. Where personal data is used for analytics or statistical purposes, we will ensure that appropriate safeguards are in place.
The DUAA includes changes relating to research, archiving and statistical processing, including circumstances where further privacy information may not be required if providing it would involve disproportionate effort. (ico.org.uk)
10. Data Sharing
We do not sell or rent personal data.
We may share personal data with:
- trusted third-party service providers who support our business operations, such as website hosting providers, IT providers, cloud storage providers, email providers, analytics providers, payment processors, accountants and professional advisers;
- regulators, law enforcement agencies, courts, tribunals or other authorities where required by law or where necessary to protect our legal rights;
- professional advisers, insurers or legal representatives where necessary for advice, claims, risk management or compliance purposes; and
- other third parties where you have authorised us to do so or where it is necessary to provide our services.
Where we use service providers, we require them to process personal data only in accordance with our instructions and to apply appropriate confidentiality and security measures.
11. International Transfers
Some of our third-party service providers may process personal data outside the United Kingdom.
Where personal data is transferred outside the UK, we will ensure that appropriate safeguards are in place. These may include:
- UK adequacy regulations;
- the UK International Data Transfer Agreement;
- the UK Addendum to the EU Standard Contractual Clauses; or
- other safeguards permitted under UK data protection law.
12. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including for legal, accounting, regulatory, tax, contractual and legitimate business purposes.
Retention periods may vary depending on the nature of the data, the purpose of processing and any applicable legal requirements.
In general:
- enquiry records may be retained for a reasonable period after the enquiry is resolved;
- client and service records may be retained for the duration of the relationship and for a period afterwards to comply with legal, tax, accounting or professional obligations;
- marketing preferences may be retained until you opt out or withdraw consent; and
- technical and analytics data may be retained for shorter periods unless needed for security, audit or legal purposes.
When personal data is no longer required, we will delete it, anonymise it or securely archive it.
13. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, misuse, alteration, disclosure or destruction.
These measures may include access controls, secure storage, password protection, confidentiality obligations, data minimisation, supplier due diligence and appropriate business procedures.
However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.
14. Your Data Protection Rights
Subject to applicable conditions and exemptions, you have the following rights under UK data protection law:
- the right to access the personal data we hold about you;
- the right to request correction of inaccurate or incomplete personal data;
- the right to request erasure of your personal data;
- the right to request restriction of processing;
- the right to object to processing, including processing based on legitimate interests;
- the right to withdraw consent where processing is based on consent;
- the right to data portability, where applicable;
- rights relating to automated decision-making, where applicable; and
- the right to complain to the Information Commissioner's Office.
When responding to a subject access request, we may ask you to provide information to verify your identity and help us locate the relevant personal data. The DUAA clarifies aspects of subject access handling, including that searches for personal data should be reasonable and proportionate.
To exercise your rights, please contact us using the details in section 17.
15. Complaints Handling
If you have a concern about how we handle your personal data, please contact us first using the details in section 17 so that we can investigate and respond.
The DUAA requires organisations to have a process for handling data protection complaints from individuals, including providing a way to submit complaints electronically and informing individuals of the outcome.
When you make a complaint, please provide enough information for us to understand your concern and identify the relevant personal data or processing activity.
We will acknowledge and consider your complaint, may ask for further information where necessary, and will respond with the outcome within a reasonable period.
You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters.
16. Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our services, legal requirements, regulatory guidance or business operations.
Any changes will be posted on this page with an updated "Last Updated" date. Where changes are significant, we may take additional steps to notify you where appropriate.
17. Contact Details
If you have any questions about this Privacy Notice, wish to exercise your data protection rights, or wish to make a data protection complaint, please contact:
Grace Kentish-Beard
Trading as GR Ace Legal Compliance Specialist
Email: info@gracelegal.net
Website: www.gracelegal.net
You can also contact the Information Commissioner's Office at www.ico.org.uk.