Privacy Policy

PRIVACY NOTICE issued by Wealth Recovery Solicitors Ltd (“WRS”)

Introduction

WRS is a business which takes its responsibility for your privacy and your data seriously. This notice sets out how we deal with your personal data and the rights you have over that data.

By personal data we mean information that relates to an identified or identifiable individual.

What identifies an individual could be as simple as a name, a reference number or an address, or could include other identifiers such as an IP address or a cookie identifier, or a combination of other factors. The Data Protection Act 2018 (“DPA 2018”) and the General Data Protection Regulation (“GDPR”) impose certain legal obligations in connection with the processing of personal data.

WRS is a data controller within the meaning of the GDPR and we process personal data. The firm’s contact details are as follows:

Data Protection Officer - Nicholas Johnson
3 Hardman Street, Manchester, M3 3HF

We may amend this privacy notice from time to time. If we do so, we will supply you with and/or otherwise make available to you a copy of the amended privacy notice.

Where we act as a data processor on behalf of a data controller we provide an additional schedule setting out required information as part of that agreement. That additional schedule should be read in conjunction with this privacy notice.

1. The purposes for which we intend to process personal data

We intend to process personal data for the following purposes:

  • To enable us to supply professional services to you as our client.
  • To fulfil our obligations under relevant laws in force from time to time (e.g. the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR 2017”)).
  • To comply with professional obligations to which we are subject as a member of the Law Society and regulated by the Solicitors Regulation Authority.
  • To use in the investigation and/or defence of potential complaints, disciplinary proceedings and legal proceedings.
  • To enable us to invoice you for our services and investigate/address any attendant fee disputes that may have arisen.
  • To contact you about other services we provide which may be of interest to you if you have consented to us doing so.
  • To understand how you interact with our website and to obtain the information we need to onboard you as a client.

The legal bases for our intended processing of personal data

  • At the time you instructed us to act, you gave consent to our processing your personal data for the purposes listed above.
  • The processing is necessary for the performance of our contract with you.
  • The processing is necessary for compliance with legal obligations to which we are subject (e.g. MLR 2017).
  • The processing is necessary for the purposes of legitimate interests we pursue, such as identifying you as a prospective client and onboarding you, provided those interests are not overridden by your own interests or rights.

It is a requirement of our contract with you that you provide us with the personal data that we request. If you do not provide the information that we request, we may not be able to provide professional services to you. If this is the case, we will not be able to commence acting or will need to cease to act.

Categories of personal data collected

We may collect personal data about you from third parties in relation to your matter. Which third parties will vary with the nature of your case, but they can include other parties we work with or deal with in handling your matter, and parties who assist us in generating business and onboarding you as a client. If you require more information, please contact us.

Persons/organisations to whom we may give personal data

We may share your personal data with:

  • HMRC
  • any third parties with whom you require or permit us to correspond
  • subcontractors
  • professional indemnity insurers, brokers, auditors
  • our regulator
  • other parties involved in your matter

If the law allows or requires us to do so, we may share your personal data with:

  • the police and law enforcement agencies
  • courts and tribunals
  • marketing and software developers
  • the Information Commissioner’s Office (“ICO”)

We may need to share your personal data with the third parties identified above in order to comply with our legal obligations, including our legal obligations to you. If you ask us not to share your personal data with such third parties we may need to cease to act.

Our role: controller and processor

Our role under UK GDPR depends on which part of the service you are using.

  • WRS as controller. We act as a controller for: (a) account registration and billing data (your name, work email, organisation, payment metadata from Stripe); (b) website analytics and security logging; and (c) marketing communications you have consented to.
  • WRS as processor (TransactionX SaaS use). When a professional customer (for example, an accountant, compliance officer, investigator or solicitor outside our firm) uploads bank statements relating to their client or subject of investigation in order to use TransactionX, that customer is the controller of the personal data contained in those statements and we act as a processor on their documented instructions. Our standard terms incorporate a Data Processing Addendum reflecting UK GDPR Art. 28 obligations (available on request and forming part of our Terms of Service).
  • WRS as controller for our own legal work. Where WRS itself uses TransactionX as part of legal services we provide to our own client, we are controller for the purposes set out elsewhere in this notice.

Data we receive about third parties (UK GDPR Art. 14)

When our customers use TransactionX, the bank statements they upload typically contain personal data about third parties — the account holder, payees, counterparties and others referenced in transaction lines. These individuals are not normally our direct customers, and we usually receive their personal data indirectly from our customer.

  • Categories of personal data. Names, sort codes / partial account numbers, transaction amounts and dates, free-text payment references and merchant names, and any other personal data appearing in statement narratives.
  • Source. The personal data is provided to us by our customer (the controller), who has typically obtained the statement from the data subject themselves, from their financial institution, or under legal authority. We do not acquire bank statement data from publicly available sources.
  • Purposes. To provide the TransactionX classification and reporting service to our customer and, where applicable, to support the customer's professional, regulatory or legal workflow.
  • Lawful basis. Determined by the customer-controller. Common bases include performance of a contract with the data subject, legal obligation (e.g. MLR 2017 / SARs), or legitimate interests in fraud prevention, audit or litigation.
  • Recipients. The sub-processors listed under "Sub-processors and recipients we rely on" below and, where relevant, our customer's other professional advisers as instructed by the customer.
  • International transfers. See "Transfers of personal data outside the UK / EEA" below.
  • Retention. See "TransactionX-specific retention" below.
  • Rights. Data subjects have the rights set out later in this notice (access, rectification, erasure, restriction, objection, portability and complaint to the ICO). Because we ordinarily process this data as a processor on the customer's instructions, data subjects should in the first instance contact the customer who uploaded the statement; we will assist that customer in responding.
  • Profiling and automated processing. Our classification of transactions as potentially crypto-related is, in UK GDPR terms, a form of profiling: it evaluates personal aspects of an individual (here, aspects of their financial behaviour) using automated processing. The logic combines (i) deterministic rules that match transaction text against a curated database of crypto exchanges, wallets and on/off-ramp providers, and (ii) large-language-model classification of ambiguous descriptions. The envisaged consequences for an individual are that the resulting report may inform a professional review (for example, an audit, AML enquiry, tax review or litigation matter) carried out by our customer. TransactionX outputs are indicative only and are always subject to human review by the customer. We do not use these outputs to make solely-automated decisions producing legal or similarly significant effects on an individual within the meaning of UK GDPR Art. 22.
  • Customer responsibility. Our customer warrants in our Terms that they have a lawful basis to upload the statement and have, where required, provided the data subject with appropriate privacy information under Art. 13 or 14. WRS is not ordinarily in a position to notify data subjects directly.
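The two-stage logic described under "Profiling and automated processing" above (and restated under "Use of artificial intelligence (AI)" below) is illustrated by the following added example. This is illustrative code written for this page, not WRS's or TransactionX's own code: the curated list, the weak-hint tokens and the sample statement lines are all constructed here, and the second stage is represented only as a queue of ambiguous lines handed on for further review, because a deterministic first stage should never decide those cases on its own.

```python
# Added illustration of a two-stage transaction triage (not WRS/TransactionX code).
# Stage 1: deterministic whole-token match against a curated list of crypto
#          on/off-ramp providers (constructed, tiny list below).
# Stage 2: anything with only weak indicators is queued as "ambiguous" for
#          second-stage review (an LLM or a human), rather than being decided here.
# Every output is indicative only; nothing here is a decision about a person.
import re
from dataclasses import dataclass

# Constructed, illustrative list; a real deployment maintains a far larger,
# curated database of exchanges, wallets and on/off-ramp providers.
KNOWN_CRYPTO_MERCHANTS = {
    "coinbase": "Coinbase",
    "binance": "Binance",
    "kraken": "Kraken",
    "moonpay": "MoonPay",
}

# Tokens that often accompany crypto activity but are common elsewhere too
# ("exchange" appears in bureau-de-change lines), so a hit here is
# "ambiguous", never a match on its own.
WEAK_HINTS = ("crypto", "btc", "eth", "wallet", "exchange")


@dataclass
class Triage:
    reference: str
    verdict: str   # "match", "ambiguous" or "no_match"
    reason: str


def normalise(text: str) -> str:
    # Case-fold and replace punctuation with spaces so "COINBASE*UK LTD"
    # and "Coinbase UK" tokenise the same way.
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower()).strip()


def triage(reference: str) -> Triage:
    """Classify one free-text payment reference / merchant name."""
    tokens = set(normalise(reference).split())
    # Whole-token matching: a substring test would flag "method" because it
    # contains "eth", which is exactly the kind of false positive to avoid.
    for key, name in KNOWN_CRYPTO_MERCHANTS.items():
        if key in tokens:
            return Triage(reference, "match", f"curated list: {name}")
    hints = sorted(t for t in tokens if t in WEAK_HINTS)
    if hints:
        return Triage(reference, "ambiguous",
                      f"weak hints {hints}; queued for second-stage review")
    return Triage(reference, "no_match", "no curated or weak indicator")


def triage_statement(lines):
    """Run stage 1 over every narrative line of a statement."""
    return [triage(line) for line in lines]


# Constructed sample narrative lines; no real account data.
SAMPLE_LINES = [
    "COINBASE*UK LTD 1234",
    "BITCOIN ETH WALLET TOPUP",
    "TESCO STORES 2045",
    "Currency Exchange Bureau",
]

if __name__ == "__main__":
    for t in triage_statement(SAMPLE_LINES):
        print(f"{t.verdict:10} {t.reference!r}: {t.reason}")
```

The point of the split is visible in the sample: the bureau-de-change line shares a token with genuine crypto narratives, so the deterministic stage refuses to call it either way and passes it on, which is also where a human reviewer on the customer side would expect to see the borderline cases surface.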

Sub-processors and recipients we rely on

To provide the TransactionX service, WRS engages the following third-party processors and sub-processors, each under written agreements incorporating UK GDPR Art. 28 terms and, where relevant, Standard Contractual Clauses (with the UK Addendum) for international transfers. We will give customers reasonable advance notice (by email or in-app notice) of any new sub-processor for the SaaS service, so they may object.

Sub-processor | Purpose | Processing location

  • Supabase (via Lovable Cloud). Purpose: application database, authentication, encrypted file storage for uploaded statements and extracted data. Processing location: EEA (Frankfurt region).
  • Cloudflare, Inc. Purpose: hosting, CDN, edge compute, DDoS protection. Processing location: global edge network; primary EU/UK PoPs for EU/UK visitors.
  • Stripe Payments Europe Ltd / Stripe, Inc. Purpose: subscription payment processing. Stripe is the controller for card data; we never see or store full card numbers. Processing location: Ireland / United States.
  • Google LLC ("Gemini"). Purpose: large-language model used (via the Lovable AI Gateway) to extract transaction rows from PDFs, classify ambiguous descriptions and generate plain-English summaries. The provider is contractually prohibited from using inputs to train its models. Processing location: United States (with EU/UK transfer safeguards).
  • OpenAI, L.L.C. Purpose: alternative LLM for classification and summarisation tasks (via the Lovable AI Gateway). Inputs are not used to train models. Processing location: United States (with EU/UK transfer safeguards).
  • Resend / Lovable email infrastructure. Purpose: outbound transactional and notification emails (account, billing, processing alerts). Processing location: EEA / United States.

Use of artificial intelligence (AI)

We use AI models to (a) extract transaction data from PDF bank statements you upload, (b) classify transaction descriptions to identify likely crypto-related activity, and (c) generate short, plain-English summaries of the analysis. The providers act as our (sub-)processors and are contractually prohibited from using your data to train their models. AI outputs are indicative only, may include false positives or false negatives, and are intended to be reviewed by a suitably qualified professional. We do not use AI to make solely-automated decisions producing legal or similarly significant effects on you within the meaning of UK GDPR Art. 22.

Transfers of personal data outside the UK / EEA

Some of our processors (notably Google LLC, OpenAI, L.L.C., Stripe, Inc. and Cloudflare, Inc.) are based in the United States or operate global infrastructure. Where personal data is transferred outside the UK/EEA, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses (with the UK Addendum where applicable), and supplementary technical and organisational measures (including encryption in transit and at rest) to ensure an adequate level of protection. You can request a copy of the relevant transfer mechanism by contacting our Data Protection Officer.

TransactionX-specific retention

Retention periods set out in the next section apply where WRS acts as controller in respect of its own client files. The following retention defaults apply specifically to data processed by TransactionX in our role as processor for SaaS customers, unless our written agreement with the customer says otherwise:

  • Uploaded statements (PDF/CSV). Retained for the lifetime of the customer's account so the customer can re-run analysis. Customers can delete an uploaded statement at any time from the dashboard, which triggers deletion of the underlying file from storage within 30 days.
  • Extracted transaction data and classifications. Retained alongside the corresponding statement and deleted with it.
  • Account closure. On account termination, uploaded statements and extracted transaction data are deleted within 30 days, except where we are required by law to retain them (for example, for AML record-keeping where WRS itself is the controller for a legal matter).
  • Backups. Encrypted backups may persist for up to 35 days after deletion before being overwritten.
  • Billing records. Invoice and payment metadata are retained for 6 years from the end of the relevant tax year, in line with HMRC requirements.

Retention of personal data

When acting as a data controller and in accordance with Law Society practice guidance we will retain all of our records relating to you as follows:

  • It is our policy to retain information for 6 years from the date the business relationship ceased but we reserve the right to vary this as and when necessary.
  • Where we have an ongoing client relationship, data needed for more than one matter is retained throughout the period of the relationship and deleted 6 years after the end of the business relationship, unless you as our client ask us to retain it for a longer period. We reserve the right to vary this as and when necessary.

Our contractual terms provide for the destruction of documents after 6 years and therefore agreement to the contractual terms is taken as agreement to the retention of records for this period, and to their destruction thereafter.

You are responsible for retaining information that we send to you and this will be supplied in the form agreed between us.

Where we act as a data processor as defined in DPA 2018, we will delete or return all personal data to the data controller as agreed with the controller in accordance with their timetable.

Requesting personal data we hold about you (subject access requests)

You have a right to request access to your personal data that we hold. Such requests are known as ‘subject access requests’ (“SARs”).

Please provide all SARs in writing marked for the attention of Nicholas Johnson.

To help us provide the information you want and deal with your request more quickly, you should include enough details to enable us to verify your identity and locate the relevant information. For example, you should tell us:

  • your date of birth
  • previous or other name(s) you have used
  • your previous addresses in the past five years
  • personal reference number(s) that we may have given you, for example your client or matter number, or an archive number for documents we hold for you
  • what type of information you want to know

You must send a copy of:

  • the back page of your passport or a copy of your driving licence; and
  • a recent utility bill.

DPA 2018 requires that we comply with a SAR promptly and in any event within one month of receipt. There are, however, some circumstances in which the law allows us to refuse to provide access to personal data in response to a SAR (e.g. if you have previously made a similar request and there has been little or no change to the data since we complied with the original request).

We will not charge you for dealing with a SAR.

You can ask someone else to request information on your behalf - for example, a friend, relative or solicitor. We must have your authority to respond to a SAR made on your behalf. You can provide such authority by signing a letter which states that you authorise the person concerned to write to us for information about you, and/or receive our reply.

Where you are a data controller and we act for you as a data processor, we will assist you with SARs on the same basis as is set out above.

Putting things right (the right to rectification)

You have a right to obtain the rectification of any inaccurate personal data concerning you that we hold. You also have a right to have any incomplete personal data that we hold about you completed.

Should you become aware that any personal data that we hold about you is inaccurate and/or incomplete, please inform us immediately so we can correct and/or complete it.

Deleting your records (the right to erasure)

In certain circumstances you have a right to have the personal data that we hold about you erased. Further information is available on the ICO website (www.ico.org.uk). If you would like your personal data to be erased, please inform us immediately and we will consider your request. In certain circumstances we have the right to refuse to comply with a request for erasure. If applicable, we will supply you with the reasons for refusing your request.

The right to restrict processing and the right to object

In certain circumstances you have the right to ‘block’ or suppress the processing of personal data or to object to the processing of that information. Further information is available on the ICO website (www.ico.org.uk). Please inform us immediately if you want us to cease to process your information or you object to processing so that we can consider what action, if any, is appropriate.

Obtaining and reusing personal data (the right to data portability)

In certain circumstances you have the right to be provided with the personal data that we hold about you in a machine-readable format, e.g. so that the data can easily be provided to a new professional adviser. Further information is available on the ICO website (www.ico.org.uk).

The right to data portability only applies:

  • to personal data an individual has provided to a controller;
  • where the processing is based on the individual’s consent or for the performance of a contract; and
  • when processing is carried out by automated means.

We will respond to any data portability requests made to us without undue delay and within one month. We may extend the period by a further two months where the request is complex or a number of requests are received but we will inform you within one month of the receipt of the request and explain why the extension is necessary.

Withdrawal of consent

Where you have consented to our processing of your personal data, you have the right to withdraw that consent at any time. Please inform us immediately if you wish to withdraw your consent.

Please note:

  • the withdrawal of consent does not affect the lawfulness of earlier processing
  • if you withdraw your consent, we may not be able to continue to provide services to you
  • even if you withdraw your consent, it may remain lawful for us to process your data on another legal basis (e.g. because we have a legal obligation to continue to process your data)

Automated decision-making

We do not make solely automated decisions about you that produce legal or similarly significant effects within the meaning of UK GDPR Art. 22. Where TransactionX classifies transactions, that classification is indicative profiling subject to human review, as described under "Profiling and automated processing" above.

Complaints

If you have requested details of the information we hold about you and you are not happy with our response, or you think we have not complied with the GDPR or DPA 2018 in some other way, you can complain to us. Please send any complaints to Nicholas Johnson.