Privacy Policy
Last modified: January 27, 2026
This Privacy Policy (this “Policy”) describes how Davis Graham & Stubbs LLP (“Davis Graham,” “we,” “us,” or “our”) collects, uses, discloses, and otherwise processes personal information:
- When you visit or communicate with us through davisgraham.com, davisgraham.com/alumni, and any other website that links to this Policy and is owned and operated by Davis Graham (collectively, the “Davis Graham Sites” or “Sites”), or offline as a prospective client or general contact;
- In connection with the provision of legal services to our clients (and for purposes of this Policy, references to our “clients” include their employees whose personal information we process in connection with such legal services) (collectively, “Client Services”); and
- In connection with our employment and recruiting activities, including job applications and candidate evaluation.
The Davis Graham Sites are provided for general informational purposes and convenience only. Please be advised that browsing the Sites, or using their services or functionality, does not make you a client. Our Sites do not provide or constitute, and should not be construed as, legal advice.
Definitions
The following terms have the following meanings in this Policy:
- “Data Controller” means the legal entity that determines the purposes and means of the processing of Personal Information. Davis Graham typically acts as a Data Controller with respect to Personal Information processed in connection with Client Services. In limited circumstances and subject to written agreements, we may act as a Data Processor to clients for certain client-directed services. Davis Graham also acts as a Data Controller with respect to Personal Information processed for firm administration and internal business operations.
- “Personal Information” means information that is linked or reasonably linkable to an identified or identifiable individual.
- “Processing” means any operation or set of operations performed on Personal Information, including collection, organization, structuring, storage, retrieval, consultation, use, dissemination or otherwise making available, restriction, erasure or destruction.
- “Sensitive Personal Information” or “SPI” means a subset of Personal Information that requires heightened safeguards due to the nature of the information. SPI (sometimes referred to under certain laws as “special categories of data”) generally includes information that, if compromised or misused, could result in substantial harm or unfairness to an individual, such as Personal Information revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status.
This Policy applies only to Personal Information collected and processed by Davis Graham as described above. This Policy does not apply to Personal Information collected:
- Through any other means not expressly described in this Policy;
- Through any other website operated by Davis Graham that does not link to this Policy; or
- By any third party, including through any content (such as advertising, embedded tools, or links) that may link to or be accessible from the Davis Graham Sites.
Please read this Policy carefully to understand our practices regarding Personal Information. If you do not agree with this Policy, you should not access or use the Davis Graham Sites. By accessing or using these Sites, you acknowledge that you have read and understood this Policy.
Personal Information We May Collect
You are not required to provide Personal Information to access or browse the Davis Graham Sites. However, you may choose to provide Personal Information to us by corresponding with us by telephone, email, through our Sites, or otherwise.
The Personal Information you provide to us, or that we collect, may include:
- Identity information, such as your name, job title, and employer or company name;
- Contact information, such as your email address, telephone number, and mailing address;
- Matter-related information, including information relating to a matter for which you seek our legal advice or representation;
- Business or professional information, such as qualifications, credentials, or work experience;
- Company-related information, including Personal Information relating to directors, officers, beneficial owners, or agents;
- Other Personal Information contained in correspondence or documents which you may provide to us;
- Job candidate information, including information relating to your employment history, qualifications, skills, education, licensure or certifications, professional references, and other Personal Information contained in resumes, cover letters, applications, or similar materials submitted in connection with employment opportunities; and
- Other identifiers that permit Davis Graham to contact you.
This Personal Information may be required to enable us to evaluate, establish, or provide Client Services. Where Personal Information relates to directors, shareholders, beneficial owners, employees, customers, agents, associates, or family members, it may not be reasonably practicable for us to provide such individuals with this Policy directly. Accordingly, where appropriate, you should provide a copy of, or link to, this Policy to such individuals.
Sensitive Personal Information (SPI)
Davis Graham generally does not seek to collect SPI through the Davis Graham Sites. However, if you choose to provide SPI through our Sites, such information may include account credentials (such as usernames and passwords) used to access password-protected areas, such as our alumni portal and network.
In the course of advising or acting for you as a client, prospective client, or potential employer, we may also collect SPI, including:
- Date of birth, age, gender, marital or family status;
- Government-issued identification, such as passports, national identification cards, driver’s licenses, or similar documentation;
- Immigration status, citizenship status, or work authorization information;
- Financial information, such as bank account details or payment information;
- Demographic information, such as race or ethnicity, educational background, sexual orientation, veteran or military status, or disability status;
- Information relating to legal matters for which you seek advice or representation, including criminal or regulatory information;
- SPI contained in correspondence or documents you provide to us; or
- Other SPI relevant to the provision of legal advice or services.
Where Davis Graham processes SPI, we do so only where permitted under applicable privacy and data protection law, including, as applicable, with your consent, to establish, exercise or defend legal claims, or to prevent or detect security incidents, fraud, theft or other unlawful activity.
Personal Information Collected from Third Parties
We generally collect Personal Information directly from you. However, we may also collect Personal Information about you from third parties, including:
- Publicly available sources, such as professional networking platforms or publicly accessible professional profiles (e.g., name, contact information, professional experience, and qualifications);
- Due diligence, compliance, or risk management providers, including information relating to sanctions screening, fraud prevention, or credit and financial risk; and
- In the case of job applicants or candidates, recruiters, references, background check providers, or publicly available sources, to the extent permitted by applicable law.
We may also collect Personal Information from third parties with your consent, such as information from financial institutions, professional advisors engaged in connection with a matter, or your employer.
How We Collect Personal Information
We may collect Personal Information when:
- You voluntarily provide it to us through the Davis Graham Sites or offline;
- You subscribe to receive newsletters, alerts, or other communications;
- You communicate with us through the Davis Graham Sites or offline;
- We obtain information from third-party sources to verify professional qualifications, conduct due diligence, or perform compliance checks; or
- You apply for employment or submit information in connection with a job application, recruiting process, or employment-related inquiry, including through recruiters or background check providers, to the extent permitted by applicable law.
We may also collect information about your use of the Davis Graham Sites through cookies and similar tracking technologies. For additional information, please see our Cookie Policy.
How We Use Personal Information
We use Personal Information in connection with the operation of our Sites, the provision of Client Services, and our employment and recruiting activities (including job applications and candidate evaluation), as described in this Policy. The purposes for which we process Personal Information, the categories of Personal Information involved, and, where applicable, the legal bases for such processing are summarized below.
We will use Personal Information only for the purposes for which it was collected, unless a compatible purpose applies or use is otherwise permitted or required by law. If we rely on a new legal basis for a materially different purpose, we will provide notice where required by law. References to “legal bases” below apply where European Union (“EU”) or United Kingdom (“UK”) privacy and data protection laws govern the processing.
With respect to our use of Personal Information in connection with providing Client Services, our processing is subject to your instructions, applicable privacy and data protection laws, and our professional duties of confidentiality.
We may also use and disclose Personal Information for any purpose disclosed at the time you provide it or with your consent. Aggregated or de-identified information may be used without restriction.
Use of Personal Information in Connection with the Davis Graham Sites
| Categories of Personal Information | Purposes for Processing Personal Information | Legal Basis for Processing Personal Information |
| --- | --- | --- |
| Commercial information; Customer records; Identifiers | To enable registration and access to password-protected areas of the Davis Graham Sites and to respond to inquiries and provide information or services you request through the Sites. | It is in our legitimate interests to operate the Davis Graham Sites, respond to inquiries, provide requested information, and develop and maintain business relationships. We consider these uses to be necessary for our legitimate interests and proportionate, and will not be prejudicial or detrimental to you. |
| Commercial information; Customer records; Identifiers | To send newsletters, alerts, bulletins, legal updates, event invitations, and other marketing or informational communications. | It is in our legitimate interests to inform existing contacts about our services and developments of potential interest. We consider this use to be proportionate and will not be prejudicial or detrimental to you. Where required by applicable law, we will obtain consent before sending electronic marketing communications to new contacts. You can always opt-out of receiving direct marketing-related email communications by using the “unsubscribe” link provided in our marketing communications. |
| Commercial information; Customer records; Identifiers | To send administrative communications, including notices regarding changes to this Policy, our Terms of Use, or other legal or operational notices; To enforce the Terms of Use and other policies applicable to the Davis Graham Sites. | It is in our legitimate interests to administer and protect the Davis Graham Sites, enforce applicable terms, and communicate necessary information. We consider this use to be necessary for our legitimate interests and proportionate. |
| Education information; Professional information | To register you for, or invite you to, seminars, webinars, events, or other similar activities we believe may be of interest to you. | It is in our legitimate interests to promote our professional services and events. We consider this use to be proportionate and will not be prejudicial or detrimental to you. Where required by applicable law, we will obtain consent before sending electronic communications to new contacts. You can always opt-out of receiving marketing-related email communications by using the “unsubscribe” link provided in our marketing communications. |
| Geolocation data; Identifiers; Usage data | To administer, analyze, and improve the Davis Graham Sites; To conduct analytics, testing, research, and statistical analysis; To manage alumni networks or portals; To ensure the security and integrity of the Sites. | It is in our legitimate interests to monitor, maintain, and improve our Sites and to ensure network and information security. We consider this use to be necessary for our legitimate interests and will not be prejudicial or detrimental to you. Where required by law, non-essential cookies and analytics will only be set after you provide consent via our cookie banner or controls. |
Use of Personal Information in Connection with Client Services
| Categories of Personal Information | Purposes for Processing Personal Information | Legal Basis for Processing Personal Information |
| --- | --- | --- |
| Commercial information; Customer records; Identifiers; Professional information; Protected classifications | To provide legal advice and representation and otherwise carry out Client Services; To communicate with you regarding your matters; To perform matter administration, billing, accounting, and credit management; To comply with internal policies and professional obligations. | Processing is necessary for the performance of our engagement with you or to take steps at your request prior to entering into an engagement. Processing is also necessary to comply with legal and regulatory obligations and to pursue our legitimate interests in managing matters, fees, and operations. |
| Commercial information; Customer records; Identifiers; Professional information; Protected classifications | To comply with applicable anti-money laundering, sanctions, conflict-checking, and other legal, regulatory, and professional obligations. | Processing is necessary to comply with legal and regulatory obligations and professional responsibilities. |
| Commercial information; Customer records; Identifiers; Professional information; Protected classifications | To conduct internal and external audits, quality assurance reviews, certifications, and compliance checks. | It is in our legitimate interests to maintain professional standards and accreditations and to comply with legal and regulatory obligations. We consider this use to be proportionate and will not be prejudicial or detrimental to you. |
| Commercial information; Customer records; Identifiers | To inform clients and contacts about legal developments, publications, events, or services that may be of interest. | It is in our legitimate interests to market our services to existing professional contacts. We consider this use to be proportionate and will not be prejudicial or detrimental to you. Where required by applicable law, we will obtain consent before sending electronic marketing communications to new contacts. You can always opt-out of receiving direct marketing-related email communications by using the “unsubscribe” link provided in our marketing communications. |
| Geolocation data; Identifiers; Usage data | To protect the rights, property, or safety of Davis Graham, our clients, or others; To improve cybersecurity, maintain IT systems, and prevent fraud or misuse. | Processing is necessary for our legitimate interests in maintaining security and to comply with applicable legal obligations. |
Use of Personal Information in Connection with Recruiting
| Categories of Personal Information | Purposes for Processing Personal Information | Legal Basis for Processing Personal Information |
| --- | --- | --- |
| Identifiers; Professional information; Education information; Job candidate information | To evaluate and process job applications and recruiting inquiries; To communicate with candidates regarding employment opportunities; To conduct reference checks, background checks, and other pre-employment screening, where permitted by applicable law; and To manage hiring decisions and related administrative processes. | Processing is necessary to take steps at your request prior to entering into an employment relationship, for the performance of an employment contract, to comply with legal and regulatory obligations, and/or for our legitimate interests in recruiting and workforce management, except where such interests are overridden by your interests or fundamental rights and freedoms. |
How We Disclose Personal Information
We disclose Personal Information only as described in this Policy.
Where Personal Information is processed on our behalf by third-party service providers acting as Data Processors, those providers are subject to contractual security and confidentiality obligations and may process Personal Information only for specified purposes, in accordance with our instructions, and solely to provide services to us. We require such service providers to implement appropriate technical and organizational measures to protect Personal Information. In the preceding twelve (12) months, we have disclosed the categories of Personal Information described in this Policy to the categories of recipients identified in this section for business purposes.
Davis Graham may disclose your Personal Information:
- To our partners, attorneys, employees, and consultants, as necessary to carry out the purposes for which your Personal Information was collected or supplied to us, including to provide Client Services or operate our business;
- To other professional advisors, expert witnesses, or service providers in accordance with your instructions;
- To insurers, auditors, legal counsel, risk advisors, or financial institutions;
- Where required by law, court order, or the rules of applicable regulatory or professional bodies; and
- To legal directories for reference purposes, using corporate contact information and, where appropriate, with your confirmation.
Should we be requested by certain authorities to provide access to your Personal Information in connection with Client Services we have provided, or are providing, for you, we will comply with that request only to the extent that we are bound by law to do so and, in so far as it is allowed, we will notify you of that request or provision of information.
Davis Graham may also disclose personal information:
- To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Davis Graham’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Davis Graham is among the assets transferred;
- If we are under a duty to disclose or share your Personal Information in order to comply with any legal, regulatory or professional obligation;
- With organizations we may collaborate with on various activities or events, such as other firms or businesses for co-sponsored events or programs. These participating organizations act as independent Data Controllers of the Personal Information they receive;
- If necessary to protect the vital interests of an individual; and
- To enforce or apply our Terms of Use or other terms and conditions, or to establish, exercise or defend the rights of Davis Graham, our personnel, customers, or others.
International Data Transfers
We may transfer Personal Information to jurisdictions outside the European Economic Area (“EEA”) or the UK, including to countries that have not been determined to provide an adequate level of protection under applicable privacy and data protection law. Where Personal Information subject to EU or UK privacy and data protection law is transferred to a country that has not received an adequacy decision from the European Commission (for transfers from the EU) or the UK Government (for transfers from the UK), we implement appropriate safeguards to protect such Personal Information.
These safeguards may include entering into standard contractual clauses approved by the European Commission or the UK Government (as applicable), together with any supplementary measures required under applicable law. We take reasonable steps to ensure that Personal Information transferred internationally is afforded a level of protection that is essentially equivalent to that required under EU and UK privacy and data protection law. These transfer safeguards apply when Personal Information from the EU and/or UK is transferred to countries without an adequacy decision.
Security of Personal Information
Davis Graham maintains reasonable and appropriate administrative, technical, physical, and organizational safeguards designed to protect Personal Information against unauthorized access, disclosure, alteration, loss, or destruction throughout its lifecycle, from collection through disposal.
These safeguards are risk-based and take into account the nature of the Personal Information, the purposes for which it is processed, and the risks presented by processing activities. Measures may include, as appropriate:
- Protecting the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Protecting the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident;
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of collection and processing activities;
- User identification and authorization;
- Technical protections for Personal Information during storage and transmission, including encryption where appropriate;
- Protecting physical security of locations where Personal Information is processed or stored;
- Event logging and system configuration, including default configuration;
- Internal IT and IT security governance and management;
- Firewalls, access controls, policies, and procedures designed to prevent unauthorized access; and
- Application of least-privilege and “need-to-know” access principles.
Where Personal Information is processed on our behalf by third-party Data Processors, we require that these Data Processors implement appropriate security measures and protect Personal Information in accordance with contractual confidentiality, privacy, and data protection obligations.
Despite these safeguards, no method of transmission or storage of information, whether electronic or physical, is completely secure. Accordingly, while we take reasonable steps to protect Personal Information, we cannot guarantee the absolute security of information transmitted to us by mail, courier, email, or over the internet, and any such transmission is at your own risk.
Retention
We retain Personal Information only for as long as is reasonably necessary to fulfill the purposes for which it was collected and processed, including to comply with applicable legal, regulatory, tax, accounting, professional responsibility, and reporting requirements.
In the context of Client Services, retention periods may also be governed by applicable professional rules, client instructions, engagement terms, and our internal records management policies.
We may retain Personal Information for longer periods where there is a legitimate business or legal need to do so, including, for example, to address complaints, to comply with litigation holds, or where we reasonably anticipate or are engaged in litigation, investigations, or regulatory inquiries.
In determining appropriate retention periods, we consider multiple factors, including:
- The amount, nature, and sensitivity of the Personal Information;
- The risk of harm from unauthorized use or disclosure;
- The purposes for which the Personal Information is processed and whether those purposes can be achieved through other means; and
- Applicable legal, regulatory, tax, accounting, contractual, or professional obligations.
Where appropriate, we may anonymize or de-identify Personal Information so that it can no longer be associated with an identifiable individual. Anonymized or de-identified information may be retained and used for research, statistical, or internal business purposes without further notice.
Your Privacy Rights
Depending on your geographical location and applicable privacy and data protection law, you may have specific privacy rights with respect to your Personal Information. These rights are not absolute, and Davis Graham may be entitled to refuse requests, in whole or in part, subject to applicable law. For example, we may refuse a request for erasure of Personal Information where the processing is necessary to comply with a legal obligation or necessary for the establishment, exercise, or defense of legal claims. We may refuse to comply with a request for restriction if the request is manifestly unfounded or excessive.
Your rights may include those listed below:
- Opt Out of the “Sale” or “Sharing” of Personal Information. Davis Graham does not sell Personal Information and has not sold or shared Personal Information in the preceding 12 months. For purposes of applicable US privacy and data protection law: (i) “sale”, “sell”, and “sold” mean the exchange of Personal Information for monetary or other valuable consideration by a Data Controller to a third party; and (ii) “sharing”, “share”, and “shared” mean the disclosure of Personal Information for cross-context behavioral advertising, which we do not engage in. If and to the extent we engage in any activity that constitutes “sale” or “sharing”, we will honor legally recognized universal opt-out mechanisms, as required by applicable law.
- Right of Access. You may have the right to confirm whether we process Personal Information about you and/or to access Personal Information which we may collect or retain about you. If requested, we will provide you with a copy of your Personal Information which we collect from you, as required by applicable privacy and data protection law.
- Right to Correction. You may request that we correct or update inaccurate Personal Information. We may decline to make requested changes where doing so would violate legal or professional obligations or result in inaccurate records.
- Right to Data Portability. You may have the right to receive your Personal Information in a structured and commonly used format so that it can be transferred to another entity or Data Controller. The right to portability only applies where your Personal Information is processed by us with your consent or for the performance of a contract, and when processing is carried out by automated means.
- Right to Deletion. In certain circumstances, you may have the right to request the deletion of your Personal Information. Upon verifying the validity of a deletion request, we will delete your Personal Information from our records and instruct any service providers or third parties to delete your Personal Information, when applicable. Important exceptions to this right to deletion may apply.
- Right to Be Informed. You may have the right to request information about our Personal Information practices, including the categories of Personal Information collected, sources of Personal Information, purposes of processing, categories of disclosures, and categories of third parties with whom Personal Information is shared, as described in this Policy.
- Right to Object. You may object at any time to the processing of your Personal Information for direct marketing purposes. You may also object to processing based on legitimate interests where permitted by applicable law, in which case we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests or the processing is required for legal claims.
- Right to Restrict Processing. You may have the right to restrict the processing of your Personal Information if you have contested the accuracy of the data we hold about you and we are verifying the accuracy of your Personal Information, or you have exercised your right to object and we are considering whether our legitimate grounds for processing override your interests.
- Right to Withdraw Consent. Where we are processing your Personal Information on the basis of your consent, you can withdraw that consent at any time.
- Right to Appeal. You may have the right to appeal our decision if we decline to take action on your privacy rights request. You may submit an appeal by contacting us using the information provided in the Contact Us section of this Policy and clearly stating that you are submitting an appeal of a privacy rights decision. Please include sufficient information to allow us to identify your original request and our response. We will endeavor to respond to your appeal within forty-five (45) days or as otherwise required by applicable law. If we deny your appeal, our response will include a written explanation of the reasons for the denial. If your appeal is denied, you may submit a complaint to the Colorado Attorney General.
- Right to Lodge a Complaint. Where applicable, EU and UK privacy and data protection laws may also provide you with the right to lodge a complaint with a supervisory authority, including in the EEA or UK jurisdiction where you reside or where the alleged infringement occurred.
How to Exercise Your Rights
You may exercise your rights by contacting us using the information provided in the Contact Us section of this Policy. We will not discriminate against you for exercising your rights.
Except where permitted by law, we do not charge a fee to respond to privacy rights requests. However, where requests are manifestly unfounded or excessive, we may refuse the request or charge a reasonable fee to cover administrative costs.
To protect your information, we may need to verify your identity before responding to a request and may request additional information to do so. If you submit a request on behalf of another individual, we will require verification of your authority to act on that person’s behalf.
We endeavor to respond to verifiable rights requests within 45 days of receipt. If we require more time (which may be up to ninety (90) days), we will inform you of the reason and extension period in writing.
Marketing Communications
You may receive marketing communications from us if, for example, you are an existing client or professional contact, you request information from us, you attend or register for a Davis Graham-hosted or sponsored event, you subscribe to publications, or you register to use the Davis Graham Sites.
Where required by law, we obtain your consent before sending electronic marketing communications. You may opt out of marketing communications at any time by using the unsubscribe or opt-out link included in our communications or contacting us as described in the Contact Us section.
Profiling and Automated Decision-Making
For purposes of this Section, “Profiling” means any form of automated processing of Personal Information to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Davis Graham does not engage in Profiling in furtherance of decisions that produce legal or similarly significant effects concerning employees, job applicants, or other consumers. Employment-related decisions, including hiring, promotion, compensation, discipline, and termination, are not based solely on automated processing and involve meaningful human review.
Cookies
If you do not want information collected through cookies, you may adjust your browser settings to block or delete cookies. You may also withdraw consent for cookies that are not strictly necessary by contacting us with sufficient information to verify your request.
Please note that disabling cookies may affect the functionality of the Davis Graham Sites.
For more information about our use of cookies and other tracking technologies, please see our Cookie Policy.
Children’s Online Privacy
The Davis Graham Sites are not directed to, and are not intended for use by, children under the age of thirteen. No individual under the age of thirteen may provide Personal Information through our Sites. Davis Graham does not knowingly collect Personal Information from children under thirteen.
If you are under thirteen, do not use the Davis Graham Sites or submit any information through the Sites, including through any interactive features, registration forms, or public comment areas.
If we become aware that we have collected Personal Information from a child under the age of thirteen without verifiable parental consent, we will take reasonable steps to delete such information. If you believe that we may have collected information from or about a child under thirteen, please contact us at info@davisgraham.com.
Third Parties
The Davis Graham Sites may contain links to third-party websites or services that are not owned or controlled by Davis Graham. In addition, certain third-party service providers may provide functionality or services in connection with the Davis Graham Sites.
This Policy does not apply to third-party websites, services, or information practices, including information collected by third parties through content, links, or services accessible from the Davis Graham Sites. Davis Graham is not responsible for the privacy practices, security, or content of third parties. We encourage you to review the privacy policies of any third-party websites or services you access.
In some circumstances, events, programs, or similar activities may be hosted or co-sponsored with other firms or organizations. If you choose to register for or submit information in connection with such activities, the participating organizations may act as independent controllers of the Personal Information they receive, and their privacy practices will govern their use of such information. To opt out of communications from those third parties, please follow their applicable opt-out instructions.
Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. Any updates will be posted on this page with a revised “Last modified” date.
If we make material changes to this Policy, we will provide notice through the Davis Graham Sites, as required by applicable law, before the changes become effective. We review this Policy periodically and update it as appropriate.
Your continued use of the Davis Graham Sites following the posting of changes constitutes acceptance of those changes. We encourage you to review this Policy periodically for updates.
Contact Us
Questions, comments, and requests regarding this Policy and our privacy practices are welcomed and should be addressed to info@davisgraham.com. You may also submit requests by calling us toll-free at 303.892.9400.