Privacy Policy

This Policy. This Privacy Policy (“Policy”) explains how we process your Personal Data. This policy may be amended from time to time, please check regularly for updates. This Policy is issued by ZMA Legal, an Illinois professional corporation, (together, “we”, or “us” or “our”). This Policy is addressed to individuals outside our organization with whom we interact including users of the Site (together, “you”). 

Collection of Personal Data. We may collect or obtain Personal Data about you: (i) directly from you (e.g., when you contact us); (ii) when you visit our Site; or (iii) when you interact with any third-party app or advertising on our Site. We may also receive Personal Data about from third parties (e.g. law enforcement agencies).  We may collect Personal Data about you from the following sources: (a) Data You Provide. We may obtain Personal Data when you provide it to us (e.g., when you contact us via email or by any other means); (b) Relationship Data. We may collect or obtain Personal Data in the ordinary course of our relationship with you (e.g., in the course of corresponding with you); (c) Data You Make Public. We may collect or obtain your Personal Data that you choose to make public, including via social media (e.g., we may collect information from your social media profile(s), if you make a public post); (d) Site Data. We may collect or obtain your Personal Data when you visit our Site or use any features or resources available on or through our Site; (e) Registration Data. We may collect or obtain your Personal Data when you register to use our Site or services; (f) Content and Advertising Information. If you choose to interact with any third-party content or advertising on a Site, we may receive Personal Data about you from the relevant third party; and (g) Third-Party Information. We may collect or obtain your Personal Data from third parties who provide it to us (e.g., law enforcement agencies). 

Creation of Personal Data. We may create Personal Data about you (e.g., records of your interactions with us). 

Categories of Personal Data We May Process. We may Process: (i) your personal details (e.g., your name); (ii) demographic data (e.g., your age); (iii) your contact details (e.g., your address); (iv) matter details (e.g., your instructions to us); (v) records of your consents to our Processing of your Personal Data; (vi) payment details (e.g., your billing address); (vii) information about your use of our Site; (viii) any views or opinions you provide to us. 

Text Messaging and SMS Communication.  If you provide your mobile phone number to us, you consent to receive text messages from us for informational, administrative, or service-related purposes, including responding to inquiries, coordinating appointments, and other firm-related communications. Message frequency may vary, and message and data rates may apply. You may opt out of text messages at any time by replying STOP, or request assistance by replying HELP. We do not sell or share phone numbers for third-party marketing purposes, and SMS messages may be delivered through third-party telecommunications providers solely to facilitate message delivery and compliance.

Sensitive Personal Data. Where we need to Process your Sensitive Personal Data for a legitimate purpose, we do so in accordance with applicable law. We may have to Process your sensitive Personal Data in the ordinary course of our business. Where it becomes necessary to process your Sensitive Personal Data for any reason, we rely on one of the following legal bases: (a) Compliance with Applicable Law. We may Process your Sensitive Personal Data where the Processing is required or permitted by applicable law; (b) Detection and Prevention of crime. We may Process your Sensitive Personal Data where the Processing is necessary for the detection or prevention of crime (including the prevention of fraud); (c) Establishment, Exercise or Defense of Legal Rights. We may Process your Sensitive Personal Data where the Processing is necessary for the establishment, exercise or defense of legal rights; or (d) Consent. We may Process your Sensitive Personal Data where we have, in accordance with applicable law, obtained your express consent prior to Processing your Sensitive Personal Data (this legal basis is not used in relation to Processing that we are legally required to carry out).

Purposes of Processing and Legal Bases for Processing. We Process Personal Data for the following purposes: providing our Site and services to you; compliance checks; operating our business; communicating with you; managing our IT systems; health and safety; financial management; conducting surveys; ensuring the security of our premises and systems; conducting investigations where necessary; compliance with applicable law; improving our Site, and services and fraud prevention. We have obtained your prior consent to the Processing (this legal basis is not used in relation to Processing that we are legally obliged to carry out).

Disclosure of Personal Data to Third Parties. We may disclose your Personal Data to: (i) legal and regulatory authorities; (ii) our external advisors; (iii) our processors; (iv) any party as needed in connection with legal proceedings; (v) any party necessary for investigating, detecting or preventing criminal offences; (vi) any successor organization, affiliated entity, or partner organization; and (vii) any third party providers of advertising, plugins or content used on our Site.

International Transfer of Personal Data. We may transfer your Personal Data to recipients in other countries. We use cloud hosted services for some of our systems, which may include document management, email and collaboration systems. Accordingly, Personal Data that you provide to us, or that we create or process on your behalf, may be stored or accessed through these cloud-based services.

Data Security. We implement appropriate technical and organizational security measures to protect your Personal Data. Please ensure that any Personal Data that you send to us are sent securely. Because the Internet is an open system, the transmission of information via the Internet is not completely secure. Although we will implement all reasonable measures to protect your personal data, we cannot guarantee the security of your data transmitted to us using the Internet; any such transmission is at your own risk, and you are responsible for ensuring that any Personal Data that you send to us are sent securely.

Data Accuracy. We take every reasonable step to ensure that your Personal Data is kept accurate and up-to-date and are erased or rectified if we become aware of inaccuracies.  From time to time, we may ask you to confirm the accuracy of your Personal Data.

Data Minimization. We take every reasonable step to ensure that your Personal Data that we Process is limited to the Personal Data reasonably necessary in connection with the purposes set out in this Policy.

Data Retention. We take every reasonable step to ensure that your Personal Data is only Processed for the minimum period necessary for the purposes set out in this Policy. The criteria for determining the duration for which we will keep your Personal Data are as follows: we will retain copies of your Personal Data in a form that permits identification only for as long as is necessary in connection with the purposes set out in this Policy, unless applicable law requires a longer retention period. In particular, we may retain your Personal Data for the duration of any period necessary to establish, exercise or defend any legal rights.

Your Legal Rights. Under applicable law, you may have a number of rights, including: (i) the right not to provide your Personal Data to us; (ii) the right of access to your Personal Data; (iii) the right to request rectification of inaccuracies; (iv) the right to request the erasure, or restriction of Processing, of your Personal Data; (v) the right to object to the Processing of your Personal Data; (vi) the right to have your Personal Data transferred to another Controller; (vii) the right to withdraw consent; (viii) and the right to lodge complaints with Data Protection Authorities. We may require proof of your identity before we can give effect to these rights.

Cookies and Similar Technologies. When you visit a Site or use an App we may place Cookies onto your device, or read Cookies already on your device, subject always to obtaining your consent, where required, in accordance with applicable law. We use Cookies to record information about your device, your browser and, in some cases, your preferences and browsing habits. We may Process your Personal Data through Cookies and similar technologies.

Terms and Conditions. All use of our Sites, our Apps, or our services is subject to our Terms and Conditions. We recommend that you review our Terms and Conditions regularly, in order to review any changes we might make from time to time.

Direct Marketing. We may Process your Personal Data to contact you via email, telephone, direct mail or other communication formats to provide you with information regarding services that may be of interest to you. If we provide services to you, we may send information to you regarding our services and other information that may be of interest to you, using the contact details that you have provided to us and always in compliance with applicable law. You may unsubscribe from our promotional email list at any time by simply clicking on the unsubscribe link included in every promotional email we send. After you unsubscribe, we will not send you further promotional emails, but we may continue to contact you to the extent necessary for the purposes of any services you have requested.

For California Residents Only. Pursuant to the California Consumer Privacy Act of 2018 (“CCPA”), California residents have the right to request and obtain information from us about our use of their Personal Information as described in this Policy. Please note that we do not sell, rent, trade or share Personal Information with third parties for their own marketing purposes. To the extent we were to commence doing so, we will provide an opt out right to California residents.

Your Right to Request Information about our Use of Your Personal Information. Under the CCPA California residents have the right to (independently or through an authorized agent) request and obtain from us twice a year, free of charge, information related to Personal Information we have collected in the twelve (12) months preceding the request, including the categories of Personal Information collected, the categories of sources from which the Personal Information is collected, the specific pieces of Personal Information we have collected, the business or commercial purpose for collecting Personal Information, the categories of Personal Information that we disclose to third-parties and the categories of third-parties with whom we share Personal Information. Please note that Personal Information is retained by us for as long as is necessary in connection with the purposes set out in this Policy and/or as permitted or required by law, so we may not be able to fully respond to what might be relevant going back twelve (12) months prior to the request.

Right to Request Deletion of Personal Information. California residents have a right to request the deletion of Personal Information that we collect or maintain about them. To submit a request to delete personal information, please submit an email request to us at info@zmalegal.com and include “California Request to Delete” in the subject line. Please specify the personal information about you that you would like to have deleted, which can be all of your personal information as required by the CCPA. Under the CCPA, we may decline to delete your Personal Information under certain circumstances, for example, (1) comply with legal obligations; (2) otherwise use your Personal Information, in a lawful manner that is compatible with the context in which the consumer provided the information.

Non-Discrimination. We will not discriminate against you in a manner prohibited by the CCPA because you exercise your CCPA rights.

Contact Details. If you have any comments, questions or concerns, or complaints about data privacy, including the processing of personal data carried out by us, or on our behalf, please contact us at info@zmalegal.com. 

Definitions.

“Controller” means the entity that decides how and why Personal Data are Processed.

“Cookie” means a small file that is placed on your device when you visit a website (including our Sites). In this Policy, a reference to a “Cookie” includes analogous technologies such as web beacons and clear GIFs.

“Data Protection Authority” means an independent public authority that is tasked, by law, with overseeing compliance with applicable data protection laws.

“Personal Data” means information that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

“Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable individual or household. This includes, for example, identifiers such as a name, postal address, email address, account name, unique personal identifier, online identifier, Internet Protocol (IP) address, telephone number, or other similar identifiers; commercial information, such as records of products or services purchased or considered; Internet or network activity information; geolocation data; audio, electronic, or visual information; professional or employment-related information; education information; and inferences drawn from any of the foregoing to create a profile about an individual’s preferences, characteristics, or behavior.

“Personal Information” does not include publicly available information, aggregated information, or deidentified information, nor does it include data otherwise excluded from applicable privacy laws such as the California Consumer Privacy Act (as amended by the California Privacy Rights Act) or the EU and UK General Data Protection Regulation.

“Process”, “Processing” or “Processed” means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Sensitive Personal Data” means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that may be deemed to be sensitive under applicable law.

“Site” means any website operated, or maintained, by us or on our behalf.

Updated January 1, 2026