Privacy & cookies

HALEWOOD GROUP LTD – PRIVACY POLICY

This privacy policy applies to the Halewood Group Ltd and its subsidiaries ( we , us or our ). We are committed to protecting your privacy. This policy explains how we collect, use and share your personal data across each Subsidiary, whether we collect it through our website, our Evorix platform, in person or through other means

Halewood Group Ltd’s subsidiaries include (each a “Subsidiary” and collectively “Subsidiaries”):

• Halewood Accountancy Services Ltd
• Halewood Mortgages & Protection Ltd
• Halewood Financial Services Ltd
• Halewood Wills & Estate Planning Ltd
• Halewood Software Ltd t/a Evorix

Our different roles:

When We Act as Data Controllers

Each Subsidiary acts as an independent data controller when it collects and uses personal data for its own business purposes and client relationships. This means each Subsidiary:

• determines what personal data to collect and how to use it;
• is responsible for complying with data protection law;
• responds to your privacy rights requests; and
• makes decisions about your personal data independently.

Which Subsidiary is your controller?

Your data controller is the Subsidiary that provides services to you or with whom you have a direct relationship. For example:

• if you use mortgage services, Halewood Mortgages & Protection Ltd is the controller of personal data;
• if you use accountancy services, Halewood Accountancy Services Ltd is the controller of personal data;
• if you use financial planning services, Halewood Financial Services Ltd is the controller of personal data; and
• if you use will writing services, Halewood Wills & Estate Planning Ltd is the controller of personal data.

When Halewood Software Ltd Acts as a Data Processor

Halewood Software Ltd operates the Evorix digital platform, which provides workflow management and client portal infrastructure to other Subsidiaries and third parties (where the software has been licensed). If you are a client of a Subsidiary and your data is processed through the Evorix platform, the relevant Subsidiary determines what data to collect and how to use it.

Halewood Software Ltd does not:

• Assume ownership of client relationships managed through the Evorix platform
• Act as a joint controller with Subsidiaries unless expressly agreed in writing
• Use client data processed through the Evorix platform for its own purposes (except as necessary to provide and improve the platform services)

Information we collect

[Identity and contact details (all Subsidiaries)]

• Name, address, email address and phone number
• Professional details

[Service-related information (all Subsidiaries)]

• Transaction details for products and services you've purchased from us or enquiries about our products and services
• Your preferences for our services and your marketing preferences
• Feedback, complaints and compliments and survey responses

[Financial and payment information (all Subsidiaries)]

• Payment details for products and services you've purchased from us (including where relevant, credit reference information) and where relevant banking or payment card information

[Digital information (all Subsidiaries)]

• IP address and general location information derived from your IP address
• Search and browsing behaviour and user journeys
• Website usage patterns
• Cookie preferences and tracking

[Workflow and platform information (in relation to the Evorix platform)]

• Login credentials and authentication data
• Workflow data including milestones, status updates and transaction progress
• Communication and messaging records between users
• Document uploads and attachments
• User permissions and access controls
• Platform usage and activity logs

[Recordings (all Subsidiaries)]

• Call recordings
• Records of meetings and decisions

[Professional information (for job applicants and workers across all Subsidiaries)]

• Employment history
• Professional experience
• Required authorisations and licences
• Professional registrations
• Information about your right to work in the UK

How we collect personal data

• Directly from you when you: when you interact with us, contact us, fill out forms.
• Automatically when you: visit our website, use our technologies (to include our Evorix platform) and interact with our online services.
• From third parties: service providers, business partners, previous employers, government organisations and organisations or people authorised by you.
• In relation to our Evorix platform, when third parties: provide us with their customers' information to fulfil orders or when they use the Evorix platform to manage workflows for their customers.

How we use your information

Data protection law requires us to have proper legal reasons for using your personal data. We can only use your information when we have one or more of these legal bases.

• Consent - You have clearly agreed to us using your personal data for a specific purpose.
• Performance of a contract - We need to use your information to fulfil a contract with you, or because you've asked us to do something before entering into a contract.
• Legal duty - We must use your information to comply with the law.
• Vital interests - We need to use your information to protect someone's life.
• Public interest - We need to use your information to perform a task in the public interest or carry out official functions that have a clear legal basis.
• Legitimate interests - We have a genuine business reason to use your information, or a third party does, but only if this doesn't unfairly override your rights and interests. Where we rely on legitimate interests as our legal basis, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. These assessments consider:
  • The nature of our legitimate interest
  • The impact on you
  • Any safeguards we can implement
  • Your reasonable expectations
  • The broader context of our relationship

Note that we may process your personal data for more than one legal basis depending on the specific purpose for which we are using your data. We have listed the reasons we process your data and the legal basis below. Please reach out to us if you need further details about the specific legal basis we are relying on to process your personal data.

Managing your account and providing our services

[What we use your information for:]

• To enable you to access and use our Evorix platform, including providing login credentials
• To provide our services to you, including dispatch and delivery of products
• To contact and communicate with you about our services, including responding to support requests and enquiries and for dealing with complaints or claims
• Internal record keeping, administrative, invoicing and billing purposes
• To provide workflow management and tracking services (in relation to our Evorix platform)
• To enable you to communicate with service providers and other authorised users through our messaging system (in relation to our Evorix platform)
• To facilitate collaboration between multiple parties working on your transaction (in relation to our Evorix platform)
• To process milestone updates and status changes in your workflows (in relation to our Evorix platform)
• To store and manage documents you upload to our Evorix platform
• To manage user permissions and access controls for workflows (in relation to our Evorix platform)

[Legal basis for using this information:]

• Performance of a Contract
• Legal Duty (for billing and record-keeping requirements)
• Legitimate interests

[Types of information we use:]

• Identity and contact details
• Service-related information
• Financial Information
• Digital information
• Workflow and platform information

Client onboarding and verification

[What we use your information for:]

• To assess whether to take you on as a new client, including performing anti-money laundering, anti-terrorism, sanction screening, fraud and other background checks

[Legal basis for using this information:]

• Performance of a Contract
• Legal Duty
• Public Interest
• Legitimate interests
• Identity and contact details
• Financial information

Website enquiries and customer service

[What we use your information for:]

• To contact and communicate with you about any enquiries you make with us via our website

[Legal basis for using this information:]

• Legitimate interests

[Types of information we use:]

• Identity and Contact Data
• Digital Information

Business improvement and development

[What we use your information for:]

• Analytics including profiling on our website
• Market research and business development
• To operate and improve our services, associated applications and associated social media platforms

[Legal basis for using this information:]

• Legitimate interests

[Types of information we use:]

• Digital Information

Marketing and communications

[What we use your information for:]

• To send you promotional information about our services and information that we consider may be of interest to you
• To inform you about services offered by other Subsidiaries
• To send you newsletters and updates
• To invite you to events or webinars
• To conduct marketing campaigns

[Legal basis for using this information:]

• Legitimate interests
• Consent
• Identity and Contact Data
• Digital Information
• Service-related information

[Granular subscription management:]

• Your marketing preferences are managed separately for each Subsidiary
• You can choose to receive marketing from one Subsidiary and opt out from others
• Every marketing email includes a clear and easy-to-use unsubscribe link and you can unsubscribe at any time without giving a reason
• You can also update your preferences by contacting us directly

[Suppression list management:]

When you opt out of receiving marketing information, we add your details to a suppression list. This ensures you won't receive marketing even if your details are obtained again

[Compliance with PECR:]

We comply with the Privacy and Electronic Communications Regulations when sending marketing communications as follows:

• Electronic marketing to individuals: We only send marketing emails or texts where we have consent or can rely on the soft opt-in exception (for existing customers and similar services)
• Electronic marketing to businesses: We may send marketing to corporate email addresses based on legitimate interests

Recruitment and employment purposes

[What we use your information for:]

• To consider your application if you have applied to work with us and to keep you up to date with its progress
• In relation to self-declared disabilities in order for us to make a reasonable adjustments to support your application and any possible future employment
• In relation to any diversity or equal opportunities monitoring questionnaire data, to monitor and report on our equality and diversity composition and ensure fairness in the recruitment process
• In relation to any right to work information we collect, in order to ensure we comply with the law in employing you
• To keep you updated on any other suitable vacancies

[Legal basis for using this information:]

• Legitimate interests
• Legal Duty
• Consent
• Performance of a Contract

[Types of information we use:]

• Identity and Contact Data
• Professional Data

Legal compliance

[What we use your information for:]

• Comply with our legal obligations or if otherwise required or authorised by law

[Legal basis for using this information:]

• Legal Duty

[Types of information we use:]

• All relevant Personal Data

Intra-Group Data Sharing

Personal data may be shared between each subsidiary for the following purposes:

Administrative purposes

• Group-wide IT infrastructure and support
• Centralised billing and payment processing
• Shared customer relationship management systems
• Quality assurance and compliance monitoring
• Internal reporting and business analytics

Service delivery purposes

• Coordinating services where you use multiple Halewood Group services
• Facilitating referrals between group entities (with appropriate consent)
• Providing integrated client support across services
• Managing workflows that involve multiple group entities

Marketing purposes

• Informing you about relevant services offered by other Halewood Group entities
• Coordinating marketing communications across the group
• Managing your marketing preferences across entities

Lawful Basis for Intra-Group Sharing

We only share personal data between group entities where we have a lawful basis to do so including:

• Performance of a contract
• Legitimate interests
• Consent (to include soft opt in)
• Legal obligation

Multi-Party Access and Workflow Sharing

The Evorix platform enables collaboration between multiple parties working on your transaction or service delivery.

[How workflow sharing works:]

When you use services through the Evorix platform, the business providing your service (such as a mortgage advisor, accountant, or conveyancer) creates and manages your workflow. They may invite other authorised professionals to access relevant parts of your workflow to assist with your transaction.

[Who may access your workflow:]

Depending on the services you're receiving, authorised access may be granted to:

• Conveyancers or solicitors
• Mortgage advisors or brokers
• Estate agents
• Accountants
• Insurance advisors
• Financial advisors
• Other professionals involved in your transaction

[Access controls:]

• Only your primary service provider can grant access to third parties
• Third-party users can only view the necessary information they need to provide their services
• You can see who has access to your workflow through the platform
• Access is controlled through permissions and can be revoked by the primary service provider
• Different users have different permission levels (view only, edit, full access)

Automated decision making and profiling

We do not use solely automated decision-making without human oversight. This means:

• We do not make decisions about you based purely on automated processing that would significantly affect you
• Where we use automated tools or AI to assist with decisions, there is always human review and oversight
• You will not be subject to a decision based solely on automated processing that has legal or similarly significant effects on you

Where we use automated decision-making, we will:

• Inform you of the logic involved
• Explain the significance and envisaged consequences
• Provide you with the right to human intervention
• Allow you to express your point of view
• Enable you to contest the decision

Our disclosures of personal data to third parties (all Subsidiaries)

We may disclose personal data to:

Service providers

• IT service providers including Hubspot
• Data storage and cloud service providers including Amazon Web Services
• Web hosting and server providers
• Payment processors including Stripe
• Marketing and advertising providers
• Analytics providers including Google Analytics
• Analytics providers including Google Analytics

Professional advisers

• Bankers
• Auditors
• Insurers and insurance brokers
• Legal advisers

Business partners

• Our existing or potential agents
• Our business partners or contractors
• Our Subsidiaries

Business clients and platform users

Corporate transactions

If we merge with or are acquired by another company, or sell our business assets:

• Your information may be disclosed to our advisers
• Your information may be disclosed to the potential purchaser's advisers
• Your information may be included in the transferred assets

Legal and regulatory bodies

• Courts and tribunals
• Regulatory authorities including as required for reporting obligations
• Law enforcement officers

Other parties

• Third parties you have authorised
• Emergency services when necessary
• Any other parties as required or permitted by law
• Authorised third-party domain users who have been granted access to specific workflows by the workflow owner (such as conveyancers, mortgage advisors, estate agents, accountants, or other professionals working on your transaction)

HubSpot

We use HubSpot as our customer relationship management and marketing automation platform across our Subsidiaries. HubSpot enables us to:

• Manage client relationships and communications
• Track service delivery and client interactions
• Coordinate marketing campaigns
• Analyse client engagement and service performance
• Provide customer support

Data processing role: HubSpot acts as a data processor on our behalf. We have a data processing agreement in place with HubSpot that ensures appropriate safeguards for your personal data.

International transfers: HubSpot is a US-based service provider. Personal data processed through HubSpot may be transferred to and stored in the United States.

Workflow and Client Portal System

Evorix Platform (operated by Halewood Software Ltd)

The Evorix platform is a proprietary workflow management and client portal system, operated by Halewood Software Ltd. Evorix enables us to:

• Provide secure client portals for document sharing and communication
• Manage service workflows and transaction progress
• Facilitate collaboration between clients and service providers
• Track milestones and status updates
• Enable secure messaging between authorised parties

When we license (to include white labelling) the Evorix platform to third parties, they become independent data controllers where they determine what personal data to collect and for what purpose. In the case of such third-party controllers:

• Halewood Software Ltd acts as a data processor, providing the platform infrastructure; and
• The licensee (not Halewood Software Ltd) determines what data to collect and how to use it

Overseas transfers

Where we store and access your information

We store your personal data in the United Kingdom. However, your information may be transferred to locations outside the United Kingdom in these circumstances:

• When our service providers are located overseas
• When we work with overseas business partners
• When using cloud-based services or data storage solutions
• When required by law or legal proceedings

Our approach to overseas transfers

When we transfer your personal data outside the United Kingdom, we ensure it receives appropriate protection by:

• Only transferring your information to countries that UK data protection law recognises as providing adequate protection for personal data, or
• Putting in place a contract with the third party that means they must protect personal data to the same standards as the UK.
• Transferring personal data to organisations that are part of specific agreements on cross-border data transfers with the UK.

What this means for you

We only transfer the minimum amount of personal data necessary and require all recipients to:

• Protect your information to the same standards required by UK law
• Use your information only for the purposes we've agreed
• Allow us to monitor how they handle your information
• Provide you with the same rights over your information that you have under UK law

Children’s Personal Data

We do not knowingly collect or process personal data from children under 13 years of age without appropriate parental or guardian consent.

If you are under 13, please do not provide personal data to us without first asking your parent or guardian for permission.

If we become aware that we have collected personal data from a child under 13 without verified parental consent, we will take steps to delete that information as quickly as possible.

Parents and guardians have the right to:

• Review any personal data we hold about their child
• Request correction or deletion of their child's personal data
• Refuse or withdraw consent for further collection or use of their child's data
• Contact us with any concerns about their child's privacy

If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately using the details provided in this policy.

Data retention

How long we keep your information

We only keep your personal data for as long as we need it to:

• Provide our services to you
• Meet our legal, tax, accounting or regulatory obligations
• Handle any complaints or legal issues that may arise

We may keep your information for longer periods if:

• You make a complaint that we need to investigate or respond to
• We reasonably believe legal action involving our relationship with you might occur
• The law requires us to keep it for specific timeframes

How we decide retention periods

When determining how long to keep your information, we consider:

• How much information we have and how sensitive it is
• The risk of harm if the information was accessed without permission
• Whether we can achieve our purposes in other ways
• What legal, regulatory, tax or accounting rules require
• The nature of our relationship with you and the services we provide

What happens when we no longer need your information

Once we no longer need your personal data, we will securely delete or destroy it in accordance with our data retention policies and legal requirements.

Your Rights

You can request information about retention periods for your data and ask for early deletion where legally possible.

Your privacy rights and choices

Providing information

You can choose whether to provide personal data to us, however, if you don't provide certain information, we may not be able to provide some services. Let us know if you don’t want to provide information and we will let you know when information is required versus optional.

Right of Access

You have the right to ask us for copies of your personal data. You can request other information such as details about where we get personal data from and who we share personal data with. There are some exemptions which means you may not receive all the information you ask for.

Right to Rectification

You have the right to ask us to correct or delete personal data you think is inaccurate or incomplete.

Right to Erasure (“Right to be forgotten”)

You can request deletion of your personal data in certain limited circumstances as set out in data protection law, such as where the data is no longer necessary or has been unlawfully processed. This right is not absolute and we may be required or entitled to retain your data for legal, regulatory or legitimate business reasons.

Right to Restrict Processing

You can ask us to suspend processing where:

• You contest the accuracy of the data
• Processing is unlawful but you don't want erasure
• We no longer need the data but you need it for legal claims
• You've objected to processing pending verification of our legitimate grounds

Right to opt-out of marketing communications

You can opt-out of receiving marketing communications at any time. Each marketing communication will include an unsubscribe option. You can change your marketing preferences by contacting us. We will process your request as soon as practicable.

Right to Data Portability

Where technically feasible, you can receive your personal data in a structured, commonly used format or have it transmitted to another controller where:

• Processing is based on consent or contract
• Processing is automated

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

How to Exercise Your Rights

To exercise any of these rights, contact us using the details below. We may ask for proof of identity and will respond within one month (extendable to three months for complex requests).

These rights are available under data protection law, though some may not apply in every situation. We'll let you know if any limitations apply when you make a request.

Making a complaint

[If you have concerns about how we handle your information.]

If you're unhappy with how we've used your personal data, please get in touch with us first using the contact details at the end of this policy. When you contact us:

• Give us full details about your complaint
• We'll investigate your concerns promptly
• We'll respond to you in writing explaining what we found and what we'll do to address your complaint

[Your right to complain to the regulator]

You can also make a complaint directly to the Information Commissioner's Office (ICO), the UK's data protection regulator, at any time.

The ICO’s address:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

You don't have to contact us first before going to the ICO, but we'd appreciate the opportunity to try to resolve your concerns directly with you.

Protecting your information

We use multiple layers of security to protect your information.

Technical safeguards

• Enterprise-grade encryption for data storage and transmission
• Regular security testing and monitoring
• Automated threat detection systems

Operational security

• Staff training on security and privacy
• Strict access controls based on job requirements
• Regular security audits and incident response procedures testing

Physical security

• Secure premises with controlled access
• Secure disposal of physical documents
• Equipment security protocols

Public information

Please note that any information you choose to share publicly on online platforms (such as comments or reviews) can be accessed and used by others. We cannot control or protect information that you make publicly available.

Cookies and analytics

Cookies

We may use essential cookies and similar tracking technologies on our website to enhance your browsing experience and improve our services.

[What are cookies?]

Cookies are small text files that are stored on your device when you visit our website. They help us remember your preferences and understand how you use our site.

[Types of cookies we may use]

• Essential cookies: Necessary for the website to function properly
• Performance cookies: Help us understand how visitors interact with our website
• Functionality cookies: Remember your preferences and settings
• Marketing cookies: Used to deliver relevant advertisements and track campaign effectiveness

[Cookie consent]

Where we use cookies, when you first visit our website or Evorix platform, you will see a cookie notice explaining our use of cookies. You can choose which types of cookies to accept through our cookie preference centre. You’ll find more information about the cookies we use in our cookie pop-up.

[Managing your preferences]

If cookies are used, you can change your cookie preferences at any time by:

• Using our cookie preference centre on the website or Evorix platform
• Adjusting your browser settings to refuse or delete cookies
• Visiting our cookie policy for detailed information about specific cookies

Please note that disabling certain cookies may affect the functionality of our website or Evorix platform and your user experience.

Amendments

We may update this policy at any time by posting the revised version on our website. We recommend that you review our website regularly to stay current with any policy changes.

Our contact details

For privacy matters specific to a particular Subsidiary, please contact:

• Halewood Accountancy Services Ltd

  • Email: hello@thehalewoodgroup.co.uk
  • Phone: 0300 373 0209

• Halewood Mortgages & Protection Ltd

  • Email: hello@thehalewoodgroup.co.uk
  • Phone: 0300 373 0209

• Halewood Financial Services Ltd

  • Email: hello@thehalewoodgroup.co.uk
  • Phone: 0300 373 0209

• Halewood Wills & Estate Planning Ltd

  • Email: hello@thehalewoodgroup.co.uk
  • Phone: 0300 373 0209

• Halewood Software Ltd t/a Evorix

  • Email: hello@thehalewoodgroup.co.uk
  • Phone: 0300 373 0209

Last update: 24 March 2026

© LegalVision Law UK Ltd