1. Controller Information

2. Applicability

GDPR applies to our processing of personal data when:

• You are located in the EU, UK, or EEA when you contact us or use our services
• You are an EU/UK/EEA resident or citizen, regardless of location
• We offer services to individuals in the EU/UK/EEA
• We monitor behavior of individuals in the EU/UK/EEA (e.g., website analytics)

3. Personal Data We Collect

Contact Information

• Name
• Email address
• Phone number
• Mailing address

Estate Planning Information

• Family relationships
• Financial information (assets, liabilities)
• Property ownership details
• Beneficiary designations
• Healthcare directives and preferences

Technical Data

• IP address
• Browser type and version
• Device information
• Usage data (pages visited, time spent)
• Cookie data

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

5. Your GDPR Rights

Under GDPR, you have the following rights:

6. Exercising Your Rights

To exercise any of your GDPR rights, contact us:

We will respond within one month of receiving your request. In complex cases, we may extend this by two additional months and will notify you.

7. Data Retention

We retain personal data for as long as necessary to:

• Active Clients: Duration of attorney-client relationship plus 7 years (California Rules of Professional Conduct)
• Prospective Clients: 3 years from last contact
• Marketing Contacts: Until you unsubscribe or request deletion
• Website Analytics: 26 months (Google Analytics default)
• Legal Holds: As required by law or litigation

8. International Data Transfers

Your personal data may be transferred to and processed in the United States, which is not subject to an EU adequacy decision. We implement appropriate safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Encryption in transit and at rest
• Access controls and authentication
• Regular security assessments

Third-Party Processors: When we use third-party services (e.g., Zoho CRM, Google Analytics), we ensure they provide adequate data protection safeguards through SCCs or Privacy Shield successor frameworks.

9. Cookies and Tracking

Our website uses cookies and similar technologies. We obtain consent before placing non-essential cookies.

Cookie Categories

• Strictly Necessary: Essential for website functionality (no consent required)
• Performance: Google Analytics for website improvement (consent required)
• Functional: Remember your preferences (consent required)
• Targeting: Marketing and advertising (consent required)

You can manage cookie preferences through your browser settings or our cookie consent tool. Withdrawing consent may affect website functionality.

10. Marketing Communications

We will only send marketing emails to EU/UK/EEA residents with explicit consent. Every marketing email includes an unsubscribe link.

You can opt out of marketing at any time by:

• Clicking "unsubscribe" in any marketing email
• Emailing dustin@cpt.law with "Unsubscribe" in the subject
• Calling (866) 400-0058

11. Data Security

We implement appropriate technical and organizational measures:

• Encryption: TLS/SSL for data in transit, AES-256 for data at rest
• Access Controls: Role-based access, multi-factor authentication
• Regular Audits: Security assessments and penetration testing
• Staff Training: GDPR and data protection training for all staff
• Incident Response: Data breach notification procedures
• Business Continuity: Regular backups and disaster recovery plans

12. Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware
• Notify you without undue delay if there is a high risk to your rights
• Describe the nature of the breach and likely consequences
• Describe measures taken or proposed to address the breach

13. Children's Privacy

Our services are not directed to individuals under 18. We do not knowingly collect personal data from children. If we learn we have collected data from a child without parental consent, we will delete it promptly.

14. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.

15. Supervisory Authority

You have the right to lodge a complaint with your local data protection authority:

• EU Member States: Find your local authority
• United Kingdom: Information Commissioner's Office (ICO) - ico.org.uk

16. Changes to This Notice

We may update this GDPR Compliance Notice from time to time. Material changes will be communicated via:

• Prominent notice on our website
• Email to active clients
• Updated "Effective Date" at the top of this page

17. Contact Us

For questions about this GDPR Compliance Notice or to exercise your rights: