Privacy Policy
This Privacy Policy informs you about how we use any personal data which you provide to us, including through our website at www.bonsai.blue (our “Site”). We are committed to protecting and respecting your privacy.
1. Our role as data controller
We process personal data under the UK General Data Protection Regulation, the Data Protection Act 2018, the Data Use and Access Act 2025 and other applicable UK data protection laws (together, “Data Protection Laws”). The data controller is Bonsai Blue Consulting Ltd (company number 15833644), a limited company incorporated in England and Wales, with its registered office at 85 Great Portland Street, First Floor, London W1W 7LT (“Bonsai”, “we”, “our”, “us”).
2. Your role in keeping your personal data up to date
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes.
3. Contacting us about data protection
We are not required to appoint a statutory Data Protection Officer. For any data protection question, request or concern, email us at hello@bonsai.blue or write to us at the address above.
4. Categories of personal data obtained
We collect personal data when you interact with us via the Site, social media, email, telephone, post or in person, and sometimes from third parties (for example, publicly available sources or someone who has referred you to us). We group this data as follows:
Identity Data, such as your name.
Contact Data, such as your email address, telephone/fax number, address and other contact details.
Enquiry Data, such as your enquiries about engaging us for legal advice or job opportunities.
Correspondence Data, such as any correspondence between us and you about an enquiry.
Technical Data, such as your IP address, operating system, browser type and version, location and other information about how you use our Site.
Marketing and Communications Data, such as your communications preferences and how you have responded to our marketing communications.
Tracking Data, such as information we or others collect about you from cookies and similar tracking technologies, such as web beacons, pixels, and other digital identifiers.
Matter Data, which includes personal data about your matter where you instruct us (or seek to instruct us) on legal or AI advisory services, including correspondence, file notes, and information about your matter from third parties.
Verification Data, such as copies of your passport, driving licence, utility bills or other identification documents required for our anti-money laundering and client onboarding checks.
Financial Data, such as bank account, billing details, fees, costs and payments, and (for candidates) salary history and tax details.
Career Data, such as your CV, education and qualifications, skills and work history, where you apply (or are put forward) to work with us.
We also use aggregated, anonymised data (such as the percentage of users opening our newsletter), which is not personal data. If we combine it with personal data so you can be identified, we treat the combined data as personal data.
We do not usually collect special categories of personal data (such as health, ethnicity, religious beliefs, or criminal convictions data), but you may choose to disclose this to us, or we may need to process it where required by law or as an integral part of providing services to you.
5. Use of personal data
Our core purposes for processing personal data are to promote and operate the business of being an AI and legal consultancy, to provide AI and non-reserved legal services to our clients, to maintain our client and business records, to recruit, and to comply with the law and regulations.
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Where it is necessary for us in order to perform a contract which we are about to enter into, or have entered into, with you (for example, a contract between you and us for us to provide legal advice to you).
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests (for example, to monitor our IT systems and protect them).
Where we need to comply with a legal or regulatory obligation (for example, the rules which require us to verify the identity of someone before they can become a client).
Where we have your consent to do so (for example, if you are not a client and you ask us to sign you up for news and updates by email).
6. Lawful basis for the processing
We rely on the following lawful bases under UK GDPR Article 6, often more than one for a given activity:
Performance of a contract - to deliver services you (or your organisation) have engaged us to provide, including matter management, billing and client communications.
Legitimate interests - to operate, promote and protect our business and Site (including direct marketing to clients within the soft opt-in, fraud prevention, IT security, business reorganisations, analytics to improve the Site, and pursuing new client opportunities). We balance these interests against your rights and provide opt-outs where applicable.
Legal obligation - to comply with anti-money laundering, tax, regulatory and other statutory duties.
Consent - where required by the Privacy and Electronic Communications Regulations for certain electronic marketing, or otherwise where consent is the appropriate basis. You may withdraw consent at any time.
Where we process special-category data (for example, to provide legal advice), we rely on an additional condition under UK GDPR Article 9, typically the legal-claims condition or, where appropriate, explicit consent.
7. Use of Artificial Intelligence, Automated Tools and Human Oversight
We use artificial intelligence (“AI”) and other automated tools proportionately and responsibly to support the delivery of our services and the operation of our business. We are committed to ensuring that any use of AI is transparent, secure and consistent with our professional and legal obligations.
When we process personal data using AI, we do so as a data controller (see Our Role as Data Controller above).
Our use of AI is governed by applicable data protection laws, ICO guidance and our internal governance and information security frameworks. We apply appropriate technical and organisational measures, including contractual safeguards and human oversight.
Our use of AI does not change the lawful basis on which we process personal data. We rely on the lawful bases set out in the Lawful Basis for Processing section of this Privacy Notice. Where special category or criminal offence data is involved, we ensure an additional lawful condition applies, as described in the relevant section.
AI tools support and do not replace our professional judgment. We do not carry out solely automated decision-making that produces legal or similarly significant effects without appropriate safeguards. Where personal data is processed outside the UK, appropriate protections are applied in line with the International Transfers section.
8. Sharing your personal data
We keep client and prospective client information confidential, unless disclosure is required or permitted by law or by your consent. Our officers, employees and self-employed consultants (“colleagues”) may access your data where necessary to do their work.
We may share your personal data with: (a) HMRC, the ICO and other regulators or authorities where reporting or disclosure is required; (b) third-party service providers we use for IT, hosting, business administration, marketing and analytics (including Google for advertising and Google Analytics); (c) our insurers and professional advisers (lawyers, bankers, auditors and brokers) in connection with services they provide to us; and (d) any acquirer if we sell, transfer or merge parts of our business.
We require all third parties to keep personal data secure, process it only on our instructions and not use it for their own purposes. We will not otherwise share personal data except where permitted or required by law.
9. Advertising, marketing and your communications preferences
We use your Identity, Contact, Technical and Tracking Data to send you communications we think may be relevant. You can unsubscribe at any time using the link in our communications or by emailing hello@bonsai.blue.
We also work with partners to display online advertising and analyse its effectiveness using cookies and similar tracking technologies.
10. Cookies
We use cookies for advertising, analytics and to help the Site work properly. For a full list, see our Cookies Policy. You can control whether you provide consent to such cookies via our cookie banner (including withdrawing any previously provided consents) or set your browser to refuse all or some cookies; if you do, some parts of the Site may not function properly.
11. International transfers
We may hold personal data on systems outside the UK, or share it with colleagues or service providers located overseas. When we transfer personal data outside the UK, we use mechanisms approved under UK data protection law — including adequacy regulations issued by the ICO and the UK's International Data Transfer Agreement (or the EU Standard Contractual Clauses with the UK Addendum) for transfers to the US and other non-adequate jurisdictions.
12. Safeguarding personal data
We have put in place appropriate technical and organisational measures to safeguard your personal data including using systems with end-to-end encryption.
13. Retaining personal data
We keep personal data only as long as necessary for the purposes we collected it, including to meet any legal, accounting or reporting requirements. To set retention periods we consider the amount, nature and sensitivity of the data, the risk of harm from unauthorised use, the purposes for which we hold it, and applicable legal requirements. Unless Part B or Part C below applies, or you remain subscribed to our newsletter, we will delete your data within two years of the date we receive it.
14. Your rights
We set out below a summary of the rights you may have under data protection laws in relation to your personal data.
Request access to your personal data (a data subject access request) — to receive a copy of the data we hold about you.
Request correction of inaccurate or incomplete data — we may need to verify accuracy of the new data.
Request erasure of your personal data where there is no good reason for us to keep processing it. We may not be able to comply for specific legal reasons, which we will explain at the time.
Object to processing where we rely on legitimate interests (and your situation makes you want to object), or where we process data for direct marketing.
Request restriction of processing — for example while we verify accuracy, where processing is unlawful but you don’t want erasure, or where you need us to hold data for legal claims.
Request transfer of your personal data to you or a third party in a structured, machine-readable format (only applies to automated data processed under consent or contract).
Withdraw consent at any time where we rely on consent. This does not affect prior lawful processing. If you withdraw consent we may not be able to provide certain services, and we will tell you if that is the case.
If you wish to exercise any of the rights set out above, please choose one of the following options:
To unsubscribe from our newsletter and updates, please use the unsubscribe link in the newsletter or email hello@bonsai.blue with the subject line “Opt-Out Request”.
To exercise any other rights, please email hello@bonsai.blue.
You will not pay a fee to exercise these rights, though we may charge a reasonable fee or refuse to comply if a request is clearly unfounded, repetitive or excessive. We may ask you for information to confirm your identity. We aim to respond within one month, but may take longer for complex or multiple requests, in which case we will let you know.
15. Supervisory authority
We are supervised by the Information Commissioner's Office (ICO) (www.ico.org.uk). For questions, requests to exercise your rights, or complaints about our use of your data, please email hello@bonsai.blue. You can also complain to the ICO at any time, but we would prefer the opportunity to resolve matters with you first.
16. Third-party links
Our Site may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.
17. Updating our Privacy Policy
We update this Privacy Policy from time to time. The current version is always on our Site.
Part B: Additional notice for clients
1. Use of personal data
When you instruct (or seek to instruct) us, we process your personal data to provide AI advisory and legal services, invoice and collect fees, keep client and matter records, and meet our anti-money laundering and other regulatory obligations.
2. Additional sharing
To progress your matter we may share personal data with other professionals involved (for example, lawyers acting for other parties, or AI or cybersecurity consultants).
3. Retention of client files
We store client files digitally or in hard copy (sometimes using third-party storage providers). Retention periods depend on the nature of the matter, our regulatory and professional record-keeping obligations, applicable limitation periods for claims, and any specific instructions you have given us. As a general guide, we keep closed client files for at least seven years from the date the matter closes, and longer where the law or our insurers require. We will destroy your files at the end of their storage period, or earlier with your consent. Tell us in writing if you object. We may charge for retrieving your files after the matter has closed.
4. Source of personal data
Most personal data comes directly from you, but we may also obtain data about you (or others) from other parties connected with your matter and from publicly available sources.
5. If you do not provide personal data
You are not obliged to give us personal data (unless required by law or court order), but if we need it to act for you and you do not provide it, we may not be able to continue acting; we will tell you if that is the case.
6. Client updates and events
We send clients periodic updates and invitations to events we think may be of interest. To opt out, email hello@bonsai.blue.
Part C: Additional notice for job applicants
1. Use of personal data
We process applicants' personal data to assess suitability for a role with us, conduct identity and background checks, correspond about your application, and (if successful) set up onboarding and payment arrangements.
2. Sharing and background checks
We may share applicant data with our insurers, regulators, professional advisors and colleagues, requiring recipients to keep it confidential and secure. We may also conduct a disclosure-and-barring (DBS) check and verify your identity.
3. Retention of applicant data
If your application succeeds, we will issue a fuller privacy notice as part of your onboarding documentation. If your application is unsuccessful, we delete your data within two years of our rejecting it or your withdrawing your candidacy.
4. Source of personal data
Most data comes directly from you, but we may also obtain it from third parties (for example, someone who recommends you) or publicly available sources.
5. If you do not provide personal data
We cannot properly consider your application without your CV and (typically) one or more interviews.