Privacy Policy
Last Reviewed: 7 January 2026
This privacy notice applies to three categories of individuals:
- customers;
- solicitors;
- consultants,
who may share personal data with Challengemy Group Limited and its group companies (referred to as either “CMG”, “we”, “us”, or “our”).
We recognise that your privacy is important. This privacy notice sets out how and why we might access, collect, store, use, and share (“process”) your personal information, when you use our services (“Services”) or otherwise choose to share personal information with us, including when you engage with us in other related ways, including any sales, marketing, or events.
This notice also applies to personal information we process about individuals who do not use our Services directly, such as solicitors, consultants, and other professional contacts engaged in connection with our business activities.
Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. By applying for a job with us, using our services, or otherwise engaging with us as contemplated by this privacy notice, you acknowledge that you have read and understood this document. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at compliance@challengemy.com.
We process your personal information via our website and an online platform (the “CMG Platform”), a secure digital environment that enables the exchange of personal information between customers, solicitors and consultants, so that we may deliver, and facilitate the delivery of, the Services to the customers.
Any personal data processed through the website, CMG Platform, or other method to enable us to deliver the Services is handled in accordance with this privacy notice and applicable data protection legislation.
The website, CMG Platform, and the Services are not intended for children (anyone under the age of 18) and we do not knowingly collect data relating to children.
1. The types of personal data we collect about you
Personal data means any information about an individual from which that person can be identified.
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes first name, last name, any previous names, username or similar identifier, marital status, title, date of birth and gender.
- Contact Data includes address, email address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from you and other details of services you have purchased from us.
- Usage Data includes information about how you interact with and use our website, and the CMG Platform, and services: relating to usage of our IT systems, IP address(es), domain names, devices used, browser types and versions, time zone settings, operating systems and other technologies on the devices that you use, and records of network access.
- Communications with you: communications with you, including the content of website contact forms, transcripts and/or audio recordings of calls in which you have taken part in, electronic mails sent to you and received from you, your comments on or responses to blogs, seminars, benefits, services, products, articles, newsletters and survey requests.
- Communications on which we have been copied: communications with you, including transcripts of calls in which you have taken part in but which we have not (although we have been provided with said transcript), electronic mails sent to you and sent by you on which we have been copied.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals’ Usage Data to calculate the percentage of users accessing a specific website feature or element of the CMG Platform in order to analyse general trends in how users are interacting with our online services to help improve the website and our service offering.
2. How is your personal data collected?
We use different methods to collect data from and about you including through:
- Your interactions with us. You may give us your personal data by filling in online forms (using the website and/or CMG Platform) or by corresponding with us by post, phone, video conference, email or otherwise. This includes personal data you provide when you:
-
- enquire for and use our Services;
- enquire and register as a provider of our Services;
- engage with us in a professional capacity, for example as a solicitor, consultant, or other third-party advisor involved in the provision of our Services or related business activities.
- Recordings. Your interactions with us on calls may be recorded by Zoom AI or comparable technology, including in the form of written transcripts and/or oral recordings of the calls themselves. These recordings will be subject to our policy on data retention (see paragraph 10 of this document).
- Automated technologies or interactions. As you interact with our website or CMG Platform, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.
- Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:
- Technical Data is collected from the analytics providers, such as Google, based both insiude and outside the UK.
- Contact, Financial and Transaction Data is collected from providers of technical, payment and delivery services such as Experian and Stripe based inside and outside the UK.
- Identity and Contact Data is collected from agents, consultants or aggregators based inside and outside the UK, such as Veriff.
- Identity and Contact Data is collected from publicly available sources such as Companies House and the Electoral Register based inside the UK.
Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device, preferences and generally help to improve your online experience. You can find more information about cookies at: www.allaboutcookies.org and www.youronlinechoices.eu.
You may disable the use of cookies by activating the setting on your internet browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.
We and our service providers use cookies and other similar technologies to automatically collect information, measure and analyse how you use our Services, including how you interact with content, enhance your experience, improve our Services, provide you with advertising, and measure the effectiveness of advertisements and other content.
4. How we use your personal data
The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:
- Performance of a contract with you: Where we need to perform the contract we are about to enter into or have entered into with you, for delivery of the Services or support in delivery of said Services.
- Legitimate interests: We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud, carry out identity and credit checks, and enable us to give our customers the best and most secure customer experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
- Legal obligation: We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.
- Consent: We rely on consent only where we have obtained your express and informed consent to use your personal data for a specified purpose.
We have set out below, in a table format, a description of all the ways we plan to use the various categories of your personal data, depending on how or your reason for engaging with us, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Customers
| Purpose/Use | Type of data | Legal basis |
|---|---|---|
| To register you as a new customer |
|
We may process and verify your information to provide you with the requested service |
| To perform a soft credit check on you via Experian |
|
|
|
To process your order for, and deliver to you, our Services, including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us |
|
|
|
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy (b) Dealing with your requests, complaints and queries |
|
|
| To enable you complete a survey |
|
|
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) |
|
|
| To deliver relevant website content and online advertisements to you and measure or understand the effectiveness of the advertising we serve to you |
|
Necessary for our legitimate interests (to study how clients/customers use our services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website, services, CMG Platform, client/customer relationships and experiences and to measure the effectiveness of our communications and marketing |
|
Necessary for our legitimate interests (to define types of clients/customers for our services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To improve and develop our artificial intelligence (AI) systems and tools (AI Tools) |
|
Necessary for our legitimate interests (to develop our business and services) |
| To send you relevant marketing communications and make personalised suggestions and recommendations to you about services that may be of interest to you based on your Profile Data |
|
Necessary for our legitimate interests (to carry out direct marketing, develop our services and grow our business) or Consent, having obtained your prior consent to receiving direct marketing communications |
| To manage relationships with solicitors, consultants, and other professional contacts who help provide our Services |
|
Necessary for our legitimate interests (to manage business relationships and engage professional services) |
Solicitors and Consultants
| Purpose/Use | Type of data | Legal basis |
|---|---|---|
| To register you as a solicitor / consultant |
|
We may process your information to provide you with the requested service |
| To verify your suitability as a consultant for engagement with us |
|
(a) Necessary for our legitimate interests. For (a) and (b), as necessary for our legitimate interests to confirm details of the Disclosure and Barring Service check, validate qualifications, or confirm other details that are prerequisite to engagement by us. (b) Necessary for our legitimate interests and, as (c) is special category data, we process it solely as necessary to carry out our obligations under employment and safeguarding law |
| To register you as a provider of our Services |
|
Performance of a contract |
|
To process your order for, and deliver to you, our Services, including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us |
|
|
|
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy (b) Dealing with your requests, complaints and queries |
|
|
| To enable you complete a survey |
|
|
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) |
|
|
| To deliver relevant website content and online advertisements to you and measure or understand the effectiveness of the advertising we serve to you |
|
Necessary for our legitimate interests (to study how solicitors/consultants use our services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website, services, CMG Platform, solicitor/consultant relationships and experiences and to measure the effectiveness of our communications and marketing |
|
Necessary for our legitimate interests (to define types of solicitors/consultants for our services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To improve and develop our artificial intelligence (AI) systems and tools (AI Tools) |
|
Necessary for our legitimate interests (to develop our business and services) |
| To send you relevant marketing communications and make personalised suggestions and recommendations to you about services that may be of interest to you based on your Profile Data |
|
Necessary for our legitimate interests (to carry out direct marketing, develop our services and grow our business) or Consent, having obtained your prior consent to receiving direct marketing communications |
| To manage relationships with solicitors, consultants, and other professional contacts who help provide our Services |
|
Necessary for our legitimate interests (to manage business relationships and engage professional services) |
5. Marketing
5.1 Direct marketing
5.1.1 You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving the marketing.
5.1.2 We may also analyse your Identity, Contact, Technical, Usage and Profile Data to form a view which services and offers may be of interest to you so that we can then send you relevant marketing communications.
5.2 Third-party marketing
5.2.1 We will get your express consent before we share your personal data with any third party for their own direct marketing purposes.
5.3 Opting out of marketing
5.3.1 You can ask to stop sending you marketing communications at any time by following the opt-out links within any marketing communication sent to you or by contacting us using the details in paragraph 12.
5.3.2 If you opt out of receiving marketing communications, you will still receive service-related communications that are essential for administrative or customer service purposes.
6.1 CMG are utilising and developing artificial intelligence technologies and tools (“AI Tools”) to help provide and develop its website, CMG Platform and Services.
6.2 Personal data may be contained within documents uploaded to our AI Tools. We are the data controller of your personal data when it is used, and the AI supplier/contractor is a data processor. We have signed agreements in place with each supplier/contractor to ensure that your personal data is protected. Users of our AI Tools know to process personal data in accordance with the UK GDPR and our data protection policies.
6.3 In most cases, we process your personal data using the AI Tools to improve the efficiency, quality, and speed of our business processes. We will also use your personal data to improve our AI Tools and or products over time. But your personal data will not be disclosed by the AI Tools or any of our products to any third parties except as set out in this privacy policy.
6.4 Any supplier who has access to your data is assessed for compliance with data protection legislation before any information is processed by them.
6.5 We do not use AI to make automated decisions. There is always a human intervention to review and approve any outputs from the AI tools. Decisions are not made solely by automated means.
6.6 Your personal information may be converted into statistical or aggregated data (known as “anonymised data”) in such a way that ensures that you cannot be identified from it. Anonymised data cannot, by definition, be linked back to you as an individual and may be used to conduct research and analysis, including the preparation of statistics for use in our reports.
7. Disclosures of your personal data
Your personal data will be seen and used by our partners and staff (whether consultants, solicitors, or support staff) in the course of their duties or others lawfully working with us in the ordinary course of our business (for example, former staff or partners working with us on a consultancy basis).
We may share your data with third-party vendors, service providers, contractors, or agents (‘third parties’) who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our third parties, which are designed to help safeguard your personal information. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will also not share your personal information with any organisation apart from us. They also commit to protect the data they hold on our behalf and to retain it for the period we instruct.
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
In the course of carrying out the activities referred to above we may transfer your data to other countries, which may not have the same legal protections for your data as the UK.
Where data is being transferred outside of the UK and/or European Economic Area, we will take steps to ensure that your data is adequately protected in accordance with UK legal requirements and the EU GDPR (as applicable).
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy policy, unless a longer retention period is required as a result of the following:
- a legal request or obligation, including obligations of CMG or to comply with applicable law;
- a governmental investigation;
- an investigation of possible breaches our terms or policies;
- for safety and security purposes and to prevent harm to other users of our Services;
- to protect ourselves, including our rights, property or products; and/or
- if required in relation to a legal claim, complaint, litigation or regulatory proceedings.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
11. Your legal rights
Under relevant data protection laws, you have rights including:
Access – you have the right to ask us for copies of your personal information, subject to applicable law. See ‘Contact Details’ section below for further information about how you can exercise this right.
Rectification – You have the right to ask us to rectify personal information you think is inaccurate and can ask us to complete information you think is incomplete, subject to applicable law. See ‘Contact Details’ section below for further information about how you can exercise this right.
Erasure – You have the right to ask us to erase your personal information in certain circumstances and subject to applicable law. See ‘Contact Details’ section below for further information about how you can exercise this right.
Restriction – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Objection – You have the right to object to the processing of your personal information in certain circumstances.
Portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
We will consider and act upon any request in accordance with applicable data protection laws. These rights may be limited in some circumstances by applicable law.
Complaints: If you have concerns about how we handle your personal data, we encourage you to contact us first using the details provided in this notice. We will do our best to resolve your concerns.
If your concerns remain unresolved, you have the right to lodge a complaint with your applicable data protection authority.
- For UK users, you can contact the Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns/.
- If you are located outside the UK, you may also have the right to complain to your local data protection authority. Please refer to your national regulator’s website for more information.
Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in paragraph 12 below or updating your preferences through your account.
However, please note that if you choose to withdraw your consent this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
Opting out of marketing and promotional communications: You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, or by contacting us using the details provided in paragraph 12 below. You will then be removed from the marketing lists. However, we may still communicate with you, for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.
12. Third Party Services
In some cases, you may provide personal information to third parties with which we work. This could be, for instance, a third party website where you apply for a job at CMG (e.g., via LinkedIn). The use of such third party websites may be governed by separate terms of use and privacy policies which are not under our control and are not subject to this privacy notice. We encourage you to review these policies. Please contact such third parties if you have any questions with respect to their approach to data privacy, or any other requests you may have in relation to your personal data.
13. Contact details
If you have any questions about this privacy policy or about the use of your personal data or you want to exercise your privacy rights, please contact us in the following ways:
- Email address: compliance@challengemy.com.
- Postal address: 124-128 City Road, London, EC1V 2NX.
14. Changes to the privacy policy and your duty to inform us of changes
We may update this privacy policy from time to time. The updated version will be indicated by an updated ‘Revised’ date at the top of this privacy policy. If we make material changes to this privacy policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy policy frequently to be informed of how we are protecting your information.