Last updated: 31 May 2026.

Privacy, Cookies and Data Protection

This page combines the website privacy notice, cookie notice, data protection policy and practice summary, and a Hong Kong style Personal Information Collection Statement (PICS). It is written for a public website with an international audience and should be read together with the Disclaimer and the Terms of Use.

Scope and role

This notice applies to personal data processed through this website. This includes browsing pages, using site features, clicking outbound links, submitting correspondence, or communicating with the site operator. This policy does not govern third party websites or platforms accessed after leaving this site.

Under privacy laws, the site operator acts as the data controller for website publishing, security, correspondence, and first-party analytics. Vendors processing data solely based on the operator’s instructions serve as processors. However, any third-party vendor that determines its own processing purposes acts as an independent controller, subject to its own privacy policy.

Jurisdiction map

  • Australia: Where Australian law applies, this notice aligns with the Privacy Act framework and Australian Consumer Law mandatory protections.
  • Canada: This notice operates consistently with the Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy requirements. This includes Quebec civil law privacy protections where applicable.
  • European Union and European Economic Area (EEA): Where EU law applies, this notice supports transparency under the General Data Protection Regulation (GDPR), formally Regulation (EU) 2016/679, and local ePrivacy implementation rules.
  • Hong Kong: Sections regarding collection purpose, transferee classes, retention, and access or correction function as a Personal Data (Privacy) Ordinance (PDPO) transparency statement in Personal Information Collection Statement (PICS) style.
  • Mainland China: Where People’s Republic of China (PRC) law applies, personal information handling and cross border transfer are subject to the Personal Information Protection Law (PIPL) and related mandatory rules.
  • Other jurisdictions: Additional mandatory rights and obligations may apply based on residence, location of processing, or the nature of interaction. Those mandatory rules prevail where they conflict with this notice.
  • Singapore: Where the Personal Data Protection Act 2012 applies, this notice is intended to describe the collection, use, disclosure, and care of personal data at a baseline level.
  • United Kingdom: Where UK law applies, this notice supports transparency under the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable Privacy and Electronic Communications Regulations (PECR) rules. This includes Scotland where relevant.
  • United States: Privacy obligations vary by state and sector. Where applicable, state rights including California privacy rights are handled according to mandatory local law.

Jurisdiction and dispute-resolution note

This notice and the wider website legal framework are drafted for cross-border use. For baseline contractual interpretation, the site operator intends the laws of England and Wales to govern the website terms where that choice is legally permitted. Disputes connected with this notice or website use are intended to fall within the non-exclusive jurisdiction of the courts of England and Wales so that urgent local relief or mandatory local procedures can still be used where required.

Nothing in this section is intended to remove or restrict rights that cannot be excluded under mandatory consumer, data protection, privacy, or unfair terms law in the place where a user is habitually resident or where mandatory law otherwise applies. If such mandatory law conflicts with this baseline allocation, the mandatory rule prevails to that extent.

Where a contract-specific document separately includes a valid arbitration clause, that clause may govern dispute process for that specific contract only. Public web visitors should assume court-based resolution applies unless a separately agreed written contract states otherwise.

Personal data we may collect

Depending on how you use the site, the following categories may be collected or generated:

  • technical and usage data, such as IP address, browser type, device characteristics, pages viewed, referrer information, approximate geolocation, and timestamps;
  • analytics and event data, such as page visits, on-site interactions, and outbound link click events;
  • preference data stored on your device, such as theme preference in local or session storage and language-related settings or cookies;
  • correspondence data, such as your name, email address, organisation, and the contents of messages you send voluntarily;
  • professional or business context you choose to provide when making an enquiry.

This site is not intended to collect special category or similarly sensitive personal data through ordinary browsing. Please do not send unnecessary sensitive personal data through open web forms, email, or other uncontrolled channels.

How we use personal data

Personal data may be used to:

  • operate, secure, maintain, and improve the website;
  • understand readership, traffic sources, and content performance;
  • remember user preferences such as theme or language choices;
  • attribute outbound traffic and backlinks through tagged referral links where configured;
  • respond to enquiries, proposals, speaking requests, or legitimate business communications;
  • detect abuse, defend legal claims, comply with legal obligations, and protect the integrity of site infrastructure and content.

Cookies, storage technologies, and online tracking

This website may use cookies or similar technologies directly or through third-party services. They may include:

  • essential or functional items used to remember theme or interface preferences and support user experience;
  • language-related cookies or settings where translation features are used, including browser- or service-generated language preferences;
  • analytics technologies used to understand page usage, referrals, and click behaviour;
  • link attribution parameters appended to outbound links so destination sites and analytics platforms can identify the referring campaign or source.

Cookies and similar technologies may be session-based or persistent. Some are first-party. Others may be set or read by third-party services such as Google services used for analytics or translation-related functionality.

As a cross-jurisdiction baseline, this site uses a consent-first model for optional categories. Essential storage remains active for security and core operation. Functional and analytics categories remain off until enabled. You can also control cookies through browser settings, extension controls, device settings, or relevant third-party privacy controls. Blocking some technologies may reduce site functionality.

This site provides a cookie and consent notice with a preferences panel. The panel supports category-level choices for:

  • essential storage (always active);
  • functional tools (for example translation-related preferences);
  • analytics (for example Google Analytics 4 (GA4), Google Tag Manager (GTM) event triggers, Google tag-based usage measurement, and optional self-hosted/open-source adapters).

You can reopen these controls at any time using the Cookie Preferences link in the site footer, or by selecting Cookie Preferences where supported.

Where consent is required by law, optional categories are not activated until consent is recorded. Where consent is not required for certain processing under local law, this site still keeps optional categories disabled by default as a cross-jurisdiction baseline unless and until the user opts in.

Current website-specific practices

At the date of this notice, the site may use or expose the following classes of functionality:

  • Google Analytics 4 (GA4) and/or Google Tag Manager (GTM), configured so optional analytics tags are blocked by default and activated only after user opt-in, with any consent-state signaling limited to legally permitted, non-advertising purposes;
  • Google tag-based usage measurement for interaction events where configured (for example page views, internal and outbound link clicks, scroll-depth milestones, and form submissions). Event measurement is limited to interaction metadata and does not intentionally capture form field content;
  • outbound link tracking events for analytics and backlink attribution;
  • local or session storage for theme preferences;
  • Google Translate or similar translation-related preferences where enabled;
  • optional adapters for self-hosted/open-source analytics stacks (for example Matomo, Umami, or Plausible-compatible deployments) where configured.

Configuration may change. Material changes will be reflected in an updated notice.

For cookie and analytics operations, role boundaries are applied as follows:

  • Controller (site operator): decides whether optional analytics/functional categories are available, sets the lawful-use posture, configures retention intent, and determines which providers are enabled.
  • Processor or service provider (where contractually applicable): hosts or processes analytics/telemetry data according to documented instructions and contract terms.
  • Independent controller (where provider decides purposes): third-party platforms may process data under their own policies and legal obligations when they determine independent purposes.

This role mapping is functional and context-dependent. A provider may act as processor/service provider for one workflow and as independent controller for another, depending on contract and technical configuration.

Where UK GDPR or EU GDPR applies, processing may rely on one or more of the following legal bases, depending on context:

  • legitimate interests in operating, securing, measuring, and improving the website and protecting content and infrastructure;
  • consent where required for optional cookies, analytics, or similar tracking technologies;
  • steps prior to contract or performance of a contract where you request services or enter into a direct engagement;
  • legal obligation where retention, disclosure, or incident handling is required by law;
  • establishment, exercise, or defence of legal claims where relevant.

Where consent is the basis relied on, you may withdraw it prospectively using available technical controls or by contacting the site operator where appropriate.

Hong Kong Personal Information Collection Statement

If you are a data subject in Hong Kong and you provide personal data directly, the following additional points apply:

  • provision of personal data is generally voluntary unless the site operator states that a requested item is necessary to respond to your enquiry or perform a requested service;
  • the principal purposes of collection are site operation, analytics, security, correspondence handling, professional communication, and service assessment;
  • personal data may be transferred to service providers that support hosting, analytics, communications, security monitoring, productivity, or professional administration, whether in or outside Hong Kong;
  • failure to provide data that is reasonably necessary for a specific request may limit the ability to respond or deliver that request;
  • you may request access to, or correction of, personal data held about you, subject to applicable law and lawful exemptions.

This section is intended to support Data Protection Principle 1 (DPP1)-style transparency, not to displace any more specific notice that may be given for a particular service, event, or engagement.

Data sharing and transfers

Personal data may be shared with trusted processors or service providers that support website hosting, analytics, communications, security, or administration. Data may also be disclosed where reasonably necessary to investigate misuse, enforce rights, comply with law, respond to lawful requests, or protect the safety, rights, and property of the site operator or others.

Because web services operate internationally, personal data may be processed or accessed outside the place where you are located. Where cross-border transfer rules apply, the site operator intends to use proportionate safeguards appropriate to the service context. Public-web visitors should nevertheless recognise that internet communications and global service providers inherently involve cross-border exposure and infrastructure dependencies.

Retention

Personal data is kept only for as long as reasonably necessary for the purposes described above, including analytics evaluation, security monitoring, correspondence management, legal recordkeeping, and dispute handling. Retention periods vary by data type, sensitivity, operational need, and legal obligation.

Security and data protection practice

The site operator aims to apply reasonable technical and organisational measures proportionate to the nature of the site. Those measures may include access controls, service-provider selection, authentication controls, software maintenance, and monitoring for misuse or abuse. No internet-facing system can be guaranteed fully secure, and you should transmit information accordingly.

Your rights

Depending on applicable law, you may have rights to request access, correction, deletion, restriction, objection, portability, withdrawal of consent, or complaint to a supervisory authority or regulator. Those rights are not absolute and may depend on the jurisdiction, role of the parties, legal basis, exemptions, and the nature of the data involved.

For Hong Kong data subjects, access and correction rights are subject to the PDPO framework. For UK or EU data subjects, rights are subject to the relevant GDPR regime and applicable exemptions. For Singapore and the United States, available rights depend on the applicable statutory framework and the facts of interaction.

Children

This site is not directed at children. If you believe personal data relating to a child has been provided inappropriately, please make contact so that the matter can be reviewed.

Contact and requests

For privacy or personal-data requests, use the contact details published on this site or email the site operator at hello@zenithlaw.com. To help process a request responsibly, include enough information to identify the interaction and verify that you are the relevant person or an authorised representative.

Official reference points

The following public sources are relevant starting points for readers who want the official legal or regulatory background: