Legal
Privacy policy
Who we are
Pension Legal is the trading name of Peneos Ltd, a Scottish private limited company providing specialist pensions law advice. Peneos Ltd is the data controller for personal data processed through this website and the client portal. We are registered with the Information Commissioner's Office.
Information we collect
When you use the site or portal we may collect: your name, email address and contact details; the matter facts you tell us during intake; documents you upload (typically trust deeds, scheme rules, member records or correspondence); messages exchanged with us through the portal; identity verification information needed for anti-money-laundering checks; payment information processed by our payments provider; and technical information such as login timestamps, IP address and browser type used to operate and secure the service.
How we use your information and on what legal basis
We use your information to scope and provide the legal services you have asked us for (performance of our contract with you, Article 6(1)(b) UK GDPR), to meet our anti-money-laundering and other professional-conduct obligations (legal obligation, Article 6(1)(c)), and to defend any future legal claim against the firm (legitimate interests, Article 6(1)(f)). Where a matter substantively involves special-category data we additionally rely on Article 9(2)(f) — establishment, exercise or defence of legal claims.
AI tools used at the enquiry (intake) stage
When you first contact us through the site — before any engagement letter is in place — we use AI (Anthropic PBC's Claude service and OpenAI's API) to help gather the facts of your enquiry and prepare your fixed fee quotation. At this stage your information is anonymised before it reaches any AI provider: a per-matter token map replaces your name and other named parties with placeholders; a Microsoft Presidio service catches additional personal data such as third-party names, addresses, dates of birth, phone numbers, email addresses, NI numbers and account numbers; and a regex fallback catches residual high-risk patterns. Documents you upload at this stage are processed on our own infrastructure and only redacted text extracts are used. The legal basis for this processing is Article 6(1)(b) UK GDPR — steps taken at your request prior to entering into a contract. A solicitor reviews the output before your quotation is issued.
AI tools used for drafting once you instruct us
After you accept our engagement letter, we use Anthropic PBC's Claude service to produce first drafts of the advice and documents you have instructed us to prepare. So that the drafts are accurate and specific to your scheme, this processing uses the actual matter information — including the names of the parties and the scheme, and the documents you have uploaded (such as trust deeds and scheme rules) — as described in the AI clause of our engagement letter. Anthropic processes this data as our processor under a written data processing agreement: your data is not used to train AI models, retention is contractually limited, and every draft is reviewed and signed off by a qualified solicitor before it is shared with you. If you prefer, you can ask us to apply strict anonymisation to your matter instead, in which case identifying details are replaced with placeholders before any AI processing (this can reduce the specificity of first drafts, which the reviewing solicitor then completes).
Sub-processors and international transfers
We use the following sub-processors: Anthropic PBC (AI drafting, USA), Vercel Inc. (application hosting and durable storage, USA and EU regions), Resend (transactional email, USA / EU), Stripe Payments UK Ltd (card payments, UK and USA), Amiqus Resolution Ltd (UK identity / AML verification), and Logflare (log analytics, USA). Where personal data is transferred to a country outside the UK we rely on the UK International Data Transfer Agreement or the EU Standard Contractual Clauses with the UK Addendum, supplemented by the redaction measures described above. A current list of sub-processors and the relevant transfer mechanism is available on request.
How long we keep your information
We keep matter records for six years from the close of the matter, in line with the limitation period for legal claims against the firm. Identity and anti-money-laundering records are kept for five years from the end of the business relationship, as required by the Money Laundering Regulations 2017. Accounting records are kept for six years from the end of the tax year. Routine technical logs are kept for up to thirteen months. After these periods data is securely deleted in the firm's quarterly retention sweep.
Your rights
You have the right to ask for a copy of the personal data we hold about you, to ask us to correct or delete it, to ask us to restrict its processing, to object to processing carried out under our legitimate interests, and to receive it in a portable format. To exercise any of these rights please contact us using the details below. We will respond within one calendar month and may extend that period by up to two further months for complex requests. Some rights are subject to legal exceptions — for example, we cannot delete records we are required to keep under the Money Laundering Regulations until the statutory retention period has expired. If you are unhappy with how we have handled your information you can complain to the Information Commissioner's Office at ico.org.uk or 0303 123 1113.
Cookies
We use a small number of strictly necessary cookies for site security and to keep you signed in to the portal. We do not use advertising or third-party analytics cookies and we do not track you across other sites.
Confidentiality and security
We protect your information with TLS encryption in transit, encryption at rest within our hosting provider, role-based access controls, two-factor authentication for the reviewer console, optional two-factor authentication for client portal accounts, and audit logging of access to matter records. We carry professional indemnity insurance with explicit cover for AI-assisted work product.
Contact
For any privacy enquiry or to exercise your rights, please contact the Director and data-protection point of contact through the email address shown on the firm's website, or write to the firm's registered office.