Personal Data Processing, Protection, and EU‑US Data Privacy Framework Policy

Last updated: March 30, 2026

SRipLaw, P.A. (“SRipLaw”, “we”, “us”, or “our”) respects your privacy and is committed to protecting personal data that we process in connection with our legal services and business operations. This Policy explains how we collect, use, disclose, and protect personal data, including personal data transferred from the European Economic Area (EEA), the United Kingdom, and Switzerland to the United States.

This Policy applies to personal data we process about:

• Website visitors
• Prospective, current, and former clients and their personnel
• Vendors, service providers, and business partners
• Job applicants, employees, and contractors (where applicable)

If you have any questions about this Policy, please contact us using the details below.

Controller and Contact Information

SRipLaw, P.A. is the controller of personal data described in this Policy.

SRipLaw, P.A.
21301 Powerline Road, Suite 212
Boca Raton, Florida 33433
United States

Email: info@sriplaw.com

For EU/EEA, UK, or Swiss individuals, you may also contact us at the same email address with “Data Privacy Framework Request” in the subject line.

Categories of Personal Data We Process

The personal data we process depends on your relationship with us and the context in which we collect the data, and may include:

• Identification and contact details (name, address, email, phone number, job title, employer, bar number or other professional IDs)
• Account and relationship information (matter details, client reference numbers, engagement and billing records, communication preferences)
• Case‑related information (information contained in pleadings, correspondence, evidence, discovery materials, and other documents related to legal matters)
• Technical and usage data (IP address, browser type, device identifiers, access logs, pages viewed, and similar data collected via our website and online services)
• Financial and billing data (payment information, tax IDs, bank details, invoices, and payment histories)
• HR and recruitment data (CVs/resumes, cover letters, background information, employment history, references, compensation and benefits information, performance data)

We may also process sensitive personal data where necessary and permitted by law, for example:

• Information about alleged or actual offenses or litigation matters
• Health‑related information if relevant to a legal claim
• Information about race or ethnicity, trade union membership, or other data provided in connection with legal representation or employment

We process sensitive data only where required for our legal services or employment purposes, where permitted by law, and subject to additional safeguards.

Purposes and Legal Bases for Processing

We process personal data for the following purposes:

• Providing legal advice and representation, including litigation, counseling, transactions, and dispute resolution
• Managing client relationships, including onboarding, conflicts checks, billing, collections, and client communications
• Complying with legal and regulatory obligations (anti‑money laundering, sanctions, know‑your‑client, court orders, professional rules)
• Managing our business operations (IT and security management, risk management, quality control, audits, financial management)
• Marketing and business development (client alerts, newsletters, event invitations, and other communications, where permitted by law)
• Recruitment, hiring, and HR management (for applicants, employees, and contractors)

Where EU/EEA, UK, or Swiss data protection law applies, we rely on one or more of the following legal bases:

• Performance of a contract or taking steps at your request prior to entering into a contract
• Compliance with legal obligations
• Legitimate interests (e.g., provision of legal services, client management, security, and business operations)
• Your consent, where required (for certain marketing communications or specific uses of sensitive data)

EU‑US Data Privacy Framework

SRipLaw, P.A. complies with the EU‑US Data Privacy Framework (EU‑US DPF), the UK Extension to the EU‑US DPF, and the Swiss‑US Data Privacy Framework (Swiss‑US DPF), as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union, the European Economic Area, the United Kingdom (and Gibraltar), and Switzerland to the United States. [web:21]

SRipLaw, P.A. has certified to the U.S. Department of Commerce that it adheres to the EU‑US Data Privacy Framework Principles, the UK Extension to the EU‑US DPF Principles, and the Swiss‑US Data Privacy Framework Principles (together, the “DPF Principles”). If there is any conflict between the terms in this Policy and the DPF Principles, the DPF Principles will govern. [web:21]

To learn more about the Data Privacy Framework program, and to view our certification once it is approved, please visit the Data Privacy Framework website at:

https://www.dataprivacyframework.gov [web:21]

(Once available, we will also include a direct link to our organization’s listing on the Data Privacy Framework List.)

SRipLaw, P.A. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) in connection with our adherence to the DPF Principles. [web:21]

Notice for EU/EEA, UK, and Swiss Personal Data

For personal data subject to the EU‑US DPF, the UK Extension to the EU‑US DPF, or the Swiss‑US DPF, we may process such data for the purposes described above, including:

• Providing legal services to our clients and managing client relationships
• Operating, securing, and improving our website and IT systems
• Fulfilling our legal and regulatory obligations
• Managing our internal business operations and HR activities

We will not use EU/UK/Swiss personal data for purposes materially different from those described in this Policy unless we have a lawful basis to do so and, where required, we provide you with an opportunity to opt out (or opt in for certain sensitive data). [web:21]

Choice

If you are an individual whose personal data is subject to the EU‑US DPF, the UK Extension to the EU‑US DPF, or the Swiss‑US DPF, you have the right to:

• Opt out of our disclosure of your personal data to a third party (other than our agents performing tasks on our behalf) or our use of your personal data for a purpose materially different from the purposes described in this Policy.
• For sensitive personal data, we will obtain your affirmative opt‑in consent where required before using or disclosing such data for a purpose other than that for which it was originally collected, or for a purpose authorized by you subsequently. [web:21]

You can exercise these choices by contacting us at info@sriplaw.com.

Please note that certain data may be required for us to provide legal services or comply with legal obligations; if you choose not to provide such data or to request its deletion, we may not be able to provide certain services.

Accountability for Onward Transfers

We may share personal data, including personal data subject to the DPF Principles, with:

• Service providers and agents who process data on our behalf (e.g., IT providers, e‑discovery vendors, expert witnesses, document management and hosting providers, professional advisors)
• Opposing parties, courts, tribunals, governmental authorities, and other third parties as necessary in the context of legal representation or as required by law
• Other third parties as instructed by our clients or as reasonably necessary to provide legal services

When we transfer personal data subject to the DPF Principles to third‑party agents or service providers, we do so in accordance with the DPF requirements: [web:21]

• We transfer data only for limited and specified purposes consistent with the purposes described in this Policy or otherwise disclosed to you.
• We take reasonable and appropriate steps to ensure that our agents process personal data in a manner consistent with our obligations under the DPF Principles, including through contractual commitments.
• We require our agents to notify us if they can no longer meet these obligations, and we will take appropriate remedial actions.

SRipLaw, P.A. remains responsible under the DPF Principles if an agent processes personal data in a manner inconsistent with those Principles, unless SRipLaw proves that it is not responsible for the event giving rise to the damage. [web:21]

Data Security

We use reasonable and appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures take into account the nature of the personal data and the risks involved in processing it.

Data Integrity and Purpose Limitation

We limit the personal data we collect to what is relevant for the purposes described in this Policy and we process it only in ways compatible with those purposes or as later authorized by you. [web:21]

We take reasonable steps to ensure that personal data is accurate, complete, and current, as appropriate to the purposes for which it is used. We retain personal data only for as long as necessary to achieve the purposes of processing, to comply with legal and regulatory obligations, and to protect or establish legal claims, after which we will delete or anonymize the data. [web:21]

Access, Correction, and Other Rights

If you are located in the EU/EEA, UK, or Switzerland, or if your personal data is processed under the DPF Principles, you have the right to:

• Obtain confirmation as to whether we hold personal data about you
• Access the personal data we hold about you
• Request that we correct, amend, or delete personal data that is inaccurate or processed in violation of the DPF Principles or applicable law [web:21]

These rights may be subject to limitations, for example where honoring your request would conflict with our legal obligations, the rights of others, or our ability to maintain legal privilege.

To exercise your rights, please contact us at info@sriplaw.com. We will respond to your request within a reasonable timeframe and in accordance with applicable law and the DPF Principles. [web:21]

Complaints, Dispute Resolution, and Binding Arbitration

If you have a question or complaint regarding this Policy or our handling of your personal data, please contact us first at:

Email: info@sriplaw.com
Subject line: “Data Privacy Framework Complaint”

We will investigate and attempt to resolve complaints or disputes regarding the use or disclosure of your personal data in accordance with this Policy and the DPF Principles, and we will respond within 45 days. [web:21]

If your complaint involves personal data transferred from the EU/EEA, the UK (and Gibraltar), or Switzerland under the DPF, and we are unable to resolve it satisfactorily, you may submit your complaint free of charge to our designated independent recourse mechanism:

JAMS – Data Privacy Framework (DPF) Dispute Resolution
(Data Privacy Framework Independent Recourse Mechanism)

For information on how to submit a complaint to JAMS under the Data Privacy Framework, including how to open a DPF dispute‑resolution case, please visit:

https://www.jamsadr.com/DPF-Dispute-Resolution [page:1]

JAMS provides independent dispute resolution services to investigate and resolve complaints regarding our compliance with the DPF Principles at no cost to you with respect to consumer‑initiated DPF disputes. [page:1]

For human resources data about individuals in the EU/EEA in the context of an employment relationship (if covered by our DPF certification), we will cooperate with the competent EU data protection authorities (DPAs) and comply with their advice. [web:21]

Under certain conditions, more fully described on the Data Privacy Framework website, you may be entitled to invoke binding arbitration before the Data Privacy Framework Panel as a last resort if your complaint is not resolved by SRipLaw, JAMS, and through other available mechanisms. [web:21][page:1]

Disclosure for National Security or Law Enforcement

We may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. [web:21]

Children’s Data

Our services are not directed to children, and we do not knowingly collect personal data from children except where necessary in connection with a legal matter and in accordance with applicable law and professional obligations. If we learn that we have collected personal data from a child contrary to applicable law, we will take appropriate steps to delete it.

Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, legal requirements, or the DPF program. The “Last updated” date at the top of this Policy indicates when it was last revised. [web:21]

If we make material changes, we will take reasonable steps to inform you, such as posting a prominent notice on our website or contacting you directly, where appropriate.