Privacy Policy

1. Data Controller

The controller responsible for processing your personal data under the GDPR is:

Vance IP Legal GmbH
Alsterarkaden 3
20354 Hamburg, Germany
HRB 112438 Hamburg
Phone: +49 40 3888 7200
Email: hello@vance-ip.com

For all data protection matters, please contact our Data Protection Officer: dpo@vance-ip.com

2. Data Collected

We may collect and process the following categories of personal data:

• Identity data: First name, last name, title, company name and role.
• Contact data: Email address, telephone number, postal address.
• IP matter data: Details relating to intellectual property you disclose to us in the course of legal instructions — including invention disclosures, trademark information, and business confidential information.
• Communication data: Correspondence submitted via our contact form, email and telephone communications.
• Technical and usage data: IP address, browser type, operating system, referring URLs, pages visited, time on site, device identifiers — collected via server logs and analytics cookies.

3. Purposes of Processing

We process your personal data for the following purposes:

• Responding to enquiries and providing initial consultations.
• Providing legal advice and representation in IP and technology law matters.
• Managing our client relationships and maintaining accurate matter files.
• Complying with our professional obligations under German attorney law (BRAO, BORA).
• Complying with anti-money laundering and know-your-client obligations (GwG).
• Sending you case updates and legal alerts relevant to your instructions (not marketing without consent).
• Improving our website performance and user experience through analytics.
• Defending or exercising legal claims where necessary.

4. Legal Basis (GDPR Art. 6)

We rely on the following legal bases for processing your personal data:

• Art. 6(1)(b) GDPR – Contract: Processing necessary for the performance of, or steps prior to, a contract for legal services.
• Art. 6(1)(c) GDPR – Legal obligation: Processing necessary to comply with legal obligations, including professional conduct rules and anti-money laundering requirements.
• Art. 6(1)(a) GDPR – Consent: Where you have given explicit consent, e.g., for analytics cookies or optional marketing communications.
• Art. 6(1)(f) GDPR – Legitimate interests: Processing necessary for our legitimate interests in running a professional law practice, improving our services and protecting our legal rights — balanced against your rights and interests.

5. Data Retention

We retain personal data only for as long as necessary:

• Client matter files: 10 years from conclusion of the matter, in accordance with BRAO requirements and German commercial and tax law (§ 257 HGB, § 147 AO).
• Non-client enquiries: 6 months from the date of the enquiry unless a client relationship is established.
• Technical log data: 90 days from collection.
• Analytics data: Up to 26 months, subject to your consent preferences.

6. Third Party Sharing

We do not sell your personal data. We may share data with the following categories of parties:

• Patent offices and trade mark registries (DPMA, EPO, EUIPO, WIPO) — as required to prosecute your IP matters.
• Associate law firms and patent attorneys in other jurisdictions — where required for international IP matters, under strict confidentiality obligations.
• IT service providers — hosting, email and analytics platforms acting as data processors under Art. 28 GDPR DPAs.
• Professional advisors — auditors, insurers and accountants, bound by confidentiality obligations.
• Regulatory authorities or courts — where required by law or court order.

7. International Transfers

In the course of representing clients in international IP matters, it may be necessary to transfer data to third countries (e.g., when filing PCT patent applications or instructing associate attorneys in non-EEA countries). All such transfers are carried out in compliance with Chapter V GDPR, relying on adequacy decisions, Standard Contractual Clauses (SCCs), or other appropriate safeguards. We will inform you of any such transfers relevant to your matter upon request.

8. Data Security

We implement robust technical and organisational measures to protect your data, including:

• End-to-end TLS/SSL encryption for all website communications and email.
• Encrypted client file storage with role-based access controls.
• Multi-factor authentication for all staff accessing client data systems.
• Regular penetration testing and security audits.
• Staff training on data protection and information security.
• Physical access controls to our offices and server infrastructure.

9. Your Rights

Under the GDPR, you have the following rights in respect of your personal data:

• Right of access (Art. 15): Request a copy of your personal data and information about how it is processed.
• Right to rectification (Art. 16): Correct inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your data where there is no longer a lawful basis, subject to our legal retention obligations.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format where processing is based on consent or contract.
• Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
• Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

To exercise any right, contact us at dpo@vance-ip.com. We will respond within one month of receipt (extendable by two further months for complex requests).

10. Cookies

Our website uses cookies and similar technologies to enhance functionality and analyse usage. For full details of the cookies we set, their purposes and how to manage them, please see our Cookie Policy.

11. Minors

Our services are directed at legal professionals and businesses. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided us with personal data, please contact us and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our processing activities, legal requirements or our organisation. We will update the "last updated" date at the top of this page. For material changes, we will provide additional notice where required by law.

13. Complaints

You have the right to lodge a complaint with the competent data protection supervisory authority if you believe your data has been processed unlawfully. The relevant authorities for Hamburg are:

You may also contact the federal supervisory authority:

14. Contact

For any questions about this Privacy Policy or your personal data:

Vance IP Legal GmbH — Data Protection
Alsterarkaden 3, 20354 Hamburg, Germany
Email: dpo@vance-ip.com
Phone: +49 40 3888 7200