Client Privacy Notice

What data we hold

As one of our clients, or an individual who is a contact for one of our corporate or organisational clients we will hold the following personal information about you for the length of time that we consider you to an existing customer, or we are required to keep the information for risk management, regulatory or legal reasons.

  • The information that is needed to fulfil our contract with you or your organisation. This will be your contact details, as we need to know who you are and we need to invoice you.
  • Because you are an existing client, we will contact you from time to time to let you know about our services that may be of interest to you. There will always be an option for you to unsubscribe from these mails.
  • If you give us a ring or make contact by email, we will follow up on your enquiry and see if there is a way in which we can help you. We keep a record of enquiries received, so that we know what we have said to whom.
  • Technical personal data is also captured if you use the website.
  • Information and documents about your matters or enquiries, including communications with and about you.

Using Your Information
Giving you compliance advice

We use the information we hold about you and your business — both personal and otherwise — to give you the advice we’ve agreed to provide.

We also use your information to bill you, and keep track of payments that you make.

The lawful basis under which we process this data, is that it is necessary to deliver the service to you.

ID checks

We may have carried out an ID check on you before you or your organisation become a client. If you do not instruct us for a while, we may need to do another ID check. We will do what we can to make this as painless as possible. If you would prefer not to provide this information, we will not be able to act for you.

We retain identity verification information for as long as you are our client, and then for a further seven years.

We have to do this processing to comply with legal and regulatory obligations.

Sources of money

We may need to ask questions about the source of your money, to discharge our regulatory obligations relating to proceeds of crime and terrorist funding. If you would prefer not to provide these information, we will not be able to act for you.

Again, we have to do this processing to comply with legal and regulatory obligations.


If you are reporting issues with the functionality of our website, we will generally collect your name, and contact details, and other information necessary to investigate the problem and advise of the outcome.

Transfers of your data

We only transfer data outside of the EEA if it is to a country or organisation that is deemed by the EU to have adequate protection of data. For example, our cloud data providers in the US are all signed up to the Privacy Shield.

Third parties

As a general principle, we will not transfer your personal data to third parties without your permission but we do have a small number of companies providing services to us, e.g. cloud service providers. These are our processors and we have confirmed that they adhere to the requirements of the GDPR.

Technical and operational security

As an organisation, Orcro is committed to protecting personal data. This includes technical security measures (e.g. intrusion, detection, firewalls, monitoring), encryption of personal data, restricted access to personal data, protection of our physical premises and hard assets, maintaining security measures for our team members (e.g. pre-screening), a data-loss prevention strategy and regular testing of our security policies, processes, technology and procedures.

All of our employees are trained on Data Privacy and work to the highest ethical standards to protect your rights.

Your rights

You have lots of rights in respect of our processing of your personal data. The relevant rights are:

  • Request a copy of your personal data and information about our processing of it
  • Request that we delete information on you if we do not need to hold it
  • Request that we correct any personal data that we hold on you
  • Request that we stop processing your data, for certain things, e.g. marketing although we can still hold it
  • Request that we move your data to another organisation’s IT system electronically
  • Withdraw consent at any time, e.g. for marketing purposes
  • If you want to exercise any of these rights, please just contact us on
  • You also have the right to lodge a complaint about our processing with a supervisory authority — in the UK that is the Information Commissioner’s Office.

Contact us

If you want to talk to us about this, please email