Privacy Policy

Last Updated 12 February 2026

PRIVACY NOTICE

At Carton & Co, we take your privacy seriously. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the choices and rights you have under UK data protection law (UK GDPR and the Data Protection Act 2018).

1. Who we are

Carton & Co is the trading name of Allan Carton, a sole trader based in Manchester, United Kingdom.
Email: solutions@cartonconsultants.com

2. Our role: Data Controller and sometimes Data Processor

In most cases, Carton & Co acts as a Data Controller for personal data collected via our website, marketing and business development activities, and our own engagement administration (for example, contacts, proposals, contracts, project files and invoicing).

When we work with law firms and their suppliers, we may handle personal data on the firm’s instructions. In those cases, we may act as a Data Processor. Where this applies, it will be set out in our engagement terms and/or a data processing agreement.

Client listening / research programmes: depending on how the programme is structured, Carton & Co may act as a Data Controller (for example, where we design the research, determine the methodology and produce aggregated outputs) or as a Data Processor (where we conduct activity strictly on a client’s instructions). We will make this clear in the relevant project documentation.

3. Who this policy applies to

  • Visitors to our website
  • People who contact us or receive communications from us
  • Client contacts and project participants (including workshop/training attendees)
  • Client listening interviewees and survey respondents
  • Users of any platform we administer for a project (e.g., DataWise, where applicable)

4. Personal data we collect

4.1 Information you provide to us

  • Name, job title and contact details (email, phone)
  • Organisation details and professional role
  • Enquiries submitted via our website or by email
  • Information shared during consultancy projects, workshops or training (including feedback and notes)
  • Client listening interview notes, transcripts (where used) and survey responses
  • Recordings of interviews/workshops (where used): if an interview, workshop or session is recorded, we will tell you in advance and explain the purpose and how long we will keep the recording
  • Account and access information for project platforms (e.g., username, role, activity logs)
  • Commercial and billing information (e.g., purchase order details, invoicing contacts, business bank details for payment processing)

4.2 Information collected automatically (website)

  • IP address, device type, browser type, and basic technical identifiers
  • Pages visited and interactions with our website
  • Cookie and analytics data (see section 10)

4.3 Information from third parties

  • Information provided by a client organisation during a project (e.g., stakeholder lists and project contacts)
  • Data shared by trusted project partners or technology suppliers where needed for delivery
  • Public sources such as LinkedIn and Companies House (typically business contact information)

4.4 Special category data

We do not normally need to process special category data (such as health, religious beliefs, or ethnicity). In client listening interviews or workshops, individuals may occasionally share sensitive information voluntarily. If special category data is required for a specific engagement, we will explain this separately and apply additional safeguards.

5. How we use your personal data (and our lawful basis)

UK GDPR requires us to have a lawful basis to process your personal data. The table below explains the main purposes and the lawful bases we rely on.

Purpose | Typical personal data | Lawful basis
Responding to enquiries and initial discussions | Contact details, enquiry content | Legitimate interests / steps prior to entering a contract
Delivering consultancy, advisory, workshops and training | Project contacts, notes, materials, feedback | Contract / legitimate interests
Legal technology and AI adoption support | Project data, stakeholder inputs, meeting notes | Contract / legitimate interests
Client listening and research programmes | Interview/survey responses, notes (and recordings if used) | Legitimate interests (and consent where required)
Providing and administering project platforms (e.g., DataWise) | User accounts, access logs, usage data | Contract / legitimate interests
Operational administration (contracts, invoicing, payment) | Business contact details, billing information | Contract / legal obligation
Sending insights, updates and business communications | Contact details, preferences, interaction history | Legitimate interests and/or consent (depending on the channel and relationship)
Website improvement and analytics | Device data, IP, site usage, cookies | Legitimate interests (essential) / consent (non-essential cookies)
Legal, regulatory, and professional compliance | Relevant engagement records | Legal obligation / legitimate interests

Our legitimate interests

Where we rely on legitimate interests, these typically include: delivering professional services efficiently, maintaining relationships with business contacts, improving our services and website, and running our business in a sustainable and secure way. We balance these interests against your rights and expectations.

6. If you do not provide personal data

If you choose not to provide certain information, we may be unable to respond to your enquiry, deliver an engagement, provide access to a platform, or include you in a client listening programme.

7. Marketing preferences

We may send occasional insights and updates relevant to legal sector leaders. Where consent is required, we will ask for it. You can opt out at any time by using the unsubscribe option in an email (where present) or by contacting solutions@cartonconsultants.com.

If you object to marketing, we may keep a minimal record of your details on a suppression list to ensure we respect your preferences.

8. Sharing your personal data

We do not sell your personal data.

We may share personal data with carefully selected third parties where necessary to run our business or deliver services, including:

  • Professional advisers (e.g., accountants) as needed for business administration
  • Technology providers (e.g., hosting, email, document management, analytics, project platforms) acting as processors
  • Trusted subcontractors or associates supporting delivery of a specific engagement (under suitable confidentiality and data protection obligations)
  • Client organisations where necessary for delivery (for example, sharing project updates or aggregated outputs)
  • Regulators, law enforcement or authorities where disclosure is required by law

Where third parties process personal data on our behalf, we use appropriate contracts and require them to implement suitable security measures.

9. International transfers

Some of our service providers may process data outside the UK. Where personal data is transferred internationally, we ensure appropriate safeguards are used (for example, adequacy regulations or approved contractual safeguards). You can request further information about the safeguards we use by contacting solutions@cartonconsultants.com.

10. Cookies and website analytics

Our website may use cookies and similar technologies:

  • Essential cookies (needed for core site functions)
  • Non-essential cookies (such as analytics) to understand site usage and improve performance

Where required by law, we will only place non-essential cookies if you provide consent via our cookie banner/controls. You can also manage cookies through your browser settings.

Analytics on assess.cartonconsultants.com

Our AI Readiness Self-Assessment tool at assess.cartonconsultants.com uses Google Analytics 4 to collect anonymous usage data. This helps us understand how visitors use the tool and improve the experience. The information collected includes pages visited, time spent on the site, device type, browser, approximate geographic location, and how you arrived at the site (for example, via a link from LinkedIn or our website). We also track anonymous interaction events such as whether you started the assessment, completed it, or clicked on follow-up links.

Google Analytics does not collect your name, email address, firm name, or any of the answers you provide in the assessment. No personally identifiable information from the assessment form is shared with Google. Google may process this data on servers outside the UK; Google’s own privacy policy applies to their handling of this data.

You can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on, available at tools.google.com/dlpage/gaoptout.

11. AI and tools used during delivery

We may use modern productivity tools (including AI-enabled features) to support legitimate business activities such as drafting, summarising meeting notes, or producing workshop outputs. We take care to protect confidentiality and minimise personal data. Where client confidential information or sensitive personal data is involved, we apply appropriate safeguards and follow the agreed approach in the engagement terms.

12. Data security

We use appropriate technical and organisational measures to protect personal data, which may include access controls, encryption where appropriate, secure storage, least-privilege access, and supplier due diligence. No method of transmission or storage is completely secure, but we work to reduce risk proportionately.

13. How long we keep your personal data

We keep personal data only for as long as necessary for the purposes set out in this policy, taking into account legal, contractual and operational requirements. Typical retention periods include:

  • Website enquiries: usually 12–24 months after the last meaningful interaction
  • Business development contacts: while we have an active relationship and for a reasonable period afterwards, unless you opt out
  • Client engagements (project files and key records): typically up to 7 years after completion (unless a different period is agreed or required)
  • Client listening raw materials (notes/recordings/transcripts where used): typically retained for a limited period required to produce outputs, then deleted or anonymised/aggregated, subject to the engagement’s agreed methodology
  • Financial records: retained in line with legal and tax requirements

14. Your rights

You have rights under UK GDPR, including the right to:

  • Access your personal data
  • Request correction of inaccurate data
  • Request deletion (in certain circumstances)
  • Object to or restrict processing (in certain circumstances)
  • Request data portability (in certain circumstances)
  • Withdraw consent where processing is based on consent

To exercise your rights, email solutions@cartonconsultants.com. We may ask for information to verify your identity. We will respond within the timescales required by law.

15. Complaints

If you are unhappy with how we have handled your personal data, please contact us first and we will try to resolve the issue. You also have the right to complain to the UK Information Commissioner’s Office (ICO).

16. Automated decision-making

We do not use your personal data to make solely automated decisions that have legal or similarly significant effects on you.

17. Links to other websites

Our website may contain links to third-party websites. We are not responsible for their privacy practices. Please review the privacy policies of any third-party sites you visit.

18. Changes to this policy

We may update this Privacy Policy from time to time. We will publish the updated version on this page and update the “Last updated” date shown on the page.

19. Contact us

If you have questions about this policy or how we handle personal data, contact:
Email: solutions@cartonconsultants.com

If you are participating in a client listening programme commissioned by a law firm, and you prefer to contact the commissioning organisation directly about how your data is used, please do so. Where Carton & Co acts as a processor on their instructions, the commissioning organisation will be the primary controller.