Privacy policy

We treat personal data as something we are temporarily entrusted with, not as an asset of the firm. The principles below apply to the website you are currently reading, the intake form, the secure client portal, and any document you share by email.

1. Who is the data controller

Vista Reclaim Advisors Ltd, Company No. 14982317, registered office at 27 Old Gloucester Street, London WC1N 3AX, United Kingdom. For data-protection enquiries please write to the email at the foot of this page.

2. What we collect, and when

Public site visits

If you do nothing more than read pages, we record only the minimum needed to keep the site running and to spot abuse: your IP address (truncated at the third octet for analytics), the referring page, the page you reached, the browser family, and the time of the request. These records are kept for 30 days then discarded.

Intake form submissions

When you complete the intake form we collect the fields you typed: your name, email, optional phone number, the practice area you selected, an optional indication of loss, country of residence, and the free-text description of the case. We collect these so we can read your enquiry and reply.

Client engagement

If we accept the case, additional categories of data are processed inside the secure client portal: bank and card statements, broker portal exports, KYC artefacts, communication logs, and on-chain transaction references. These are collected only with your written consent inside the engagement letter.

3. Why we process it (lawful basis under UK GDPR)

• Article 6(1)(b) — performance of a contract for everything inside an accepted engagement.
• Article 6(1)(f) — legitimate interest for replying to the intake form and for keeping minimum site-operation logs.
• Article 9(2)(a) — explicit consent for any special-category data shared during a case (for example, health information that may be relevant to APP-fraud framing).

4. Who can see your data

Inside the firm, access is limited to the principal handling your case plus a single case officer assigned to the file. We do not sell, rent or share personal data with third parties for marketing. Where a case requires us to submit material to your bank, card issuer, regulator or ombudsman, that disclosure happens only after you have approved the submission in writing.

We use a small number of service providers — a UK-hosted document store, an email provider, and a transactional payment processor for fees. Each is bound by a written data-processing agreement and each holds the appropriate certifications.

5. How long we keep it

• Unaccepted intake submissions — 90 days, then permanently deleted.
• Open case files — for the duration of the engagement plus six years (statutory limitation period).
• Closed case files — six years from closure, then permanently deleted, unless you ask us to delete sooner.
• Website operation logs — 30 days.

6. Your rights

Under UK GDPR you have the right to access your data, to ask for corrections, to object to processing, to request erasure where lawful, and to receive a portable copy of what we hold. Write to us and we will respond within one month. You also have the right to complain to the Information Commissioner's Office (ICO) at any time.

7. Transfers outside the UK

Our service providers operate within the UK and the European Economic Area. Where a transfer outside is unavoidable (for example a SWIFT recall request travelling through a correspondent bank), the transfer is necessary for the performance of your contract and is the minimum required.

8. Cookies

The cookies we use are described separately in our cookie policy.

9. Changes to this policy

If we materially change how we handle data we will update this page and, for active clients, notify by email. Routine clarifications are made silently with the "last reviewed" date updated at the top.

10. Contact

For any privacy enquiry: [email protected], or by post to the registered office.