Effective Date: April 7, 2026
Last Updated: April 7, 2026
This Privacy Policy explains how Garfinkel Immigration Law Firm (“Garfinkel,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information. It also explains your choices and rights, including additional disclosures for individuals located in the European Economic Area (“EEA”), the United Kingdom (“UK”), and Switzerland.
This Privacy Policy applies to all personal data processed by the firm, whether we act as a data controller or data processor, including data relating to clients and prospective clients, individuals whose data we receive from clients in the course of providing legal services, website visitors, and business contacts.
This Privacy Policy applies to personal information collected:
- through this website and any online services that link to this Privacy Policy;
- through communications with us (email, phone, text, chat, or other channels);
- during prospective client inquiries and consultations;
- in the course of providing legal services and representation; and
- through authorized electronic and system‑to‑system connections used for immigration case processing, including interactions with USCIS and other government platforms where available and appropriate.
WHO WE ARE (CONTROLLER INFORMATION)
Garfinkel Immigration Law Firm is a U.S.-based law firm providing immigration legal services. For most matters and website interactions, Garfinkel acts as the data controller, meaning we determine the purposes and means of processing personal information. Where we process personal information on behalf of an organizational client under written instruction, we may act as a processor for that limited processing activity.
Contact Information
Garfinkel Immigration Law Firm
6100 Fairview Road, Suite 200
Charlotte, NC 28210
Phone: 704.442.8000
Data Protection Officer / Privacy Contact
Email: dpo@garfinkelimmigration.com
WHAT PERSONAL INFORMATION WE COLLECT
We collect personal information in several ways: (1) information you provide directly, (2) information collected automatically from your device or browser when you use our website, (3) information we receive from others involved in your matter (with appropriate authorization), and (4) information received from or transmitted to government systems as part of immigration representation.
A. Information You Provide Directly
Depending on your relationship with us (website visitor, prospective client, or client), you may provide:
- Contact information: name, email address, phone number, address, country/state, preferred language.
- Matter information: immigration history, employment/education history, family details, supporting documents, correspondence, and other information relevant to your immigration legal matter.
- Government identifiers: A‑Number, passport number, USCIS receipt numbers, and other identifiers required for filings and case processing.
- Payment and billing information: billing contact details and payment-related information (note that payments may be processed through third‑party providers).
- Communications: content of messages, emails, phone calls, chat communications, and scheduling details.
B. Website and Technical Information (Automatically Collected)
When you use our website, our systems may automatically collect:
- IP address;
- device identifiers and approximate location derived from IP address;
- browser type and settings;
- operating system information;
- pages visited, links clicked, time spent on pages, and referring/exit pages;
- date/time of visit; and
- certain searches conducted on our website.
This information helps us operate, maintain, protect, and improve our website and user experience.
C. Cookies and Similar Technologies
We may use cookies and similar technologies (such as local storage and pixels) to:
- enable core site functionality;
- remember preferences;
- understand website performance and usage; and
- help protect our website against abuse and security threats.
You can control cookies through your browser settings. If you disable cookies, some features may not function properly. Where required by law, we provide choices for non‑essential cookies.
D. Sensitive Information / Special Category Data (EEA/UK/Switzerland)
Immigration matters often require handling sensitive information. Where applicable under GDPR, we may process special category data (for example, health-related information, biometric identifiers in certain contexts, or information that may reveal racial or ethnic origin) only when necessary for immigration legal services and where a valid legal basis and special category condition applies.
Important: Please do not submit highly sensitive information through a general website contact form. If you need to transmit sensitive documents, we will provide secure submission methods where appropriate.
HOW WE USE PERSONAL INFORMATION (PURPOSES)
We use personal information to:
- respond to inquiries, consultation requests, and communications;
- provide legal services and representation, including case evaluation and strategy;
- prepare and submit immigration filings and supporting documents;
- communicate with you about your matter and required actions;
- coordinate with authorized third parties (e.g., translators, experts, co‑counsel) as needed for representation;
- process payments and manage billing and accounting;
- maintain internal records, conduct conflicts checks, and comply with professional responsibilities;
- operate, maintain, and secure our website, systems, and data;
- prevent fraud, misuse, and security incidents; and
- comply with legal obligations, lawful requests, and court orders where applicable.
We do not sell personal information, and we do not use client information for unrelated advertising, profiling, or AI model training.
LEGAL BASIS FOR PROCESSING (GDPR NOTICE)
If GDPR applies, we rely on one or more lawful bases under GDPR Article 6, depending on the context:
- Contract / steps prior to contract: processing necessary to provide legal services you request.
- Legal obligation: processing necessary to comply with applicable laws and professional duties.
- Legitimate interests: operating our practice, preventing fraud, and securing our systems, balanced against your rights.
- Consent: where required for certain optional communications or activities; you may withdraw consent at any time.
For special category data, we process it only when a GDPR Article 9 condition applies — commonly when necessary for the establishment, exercise, or defense of legal claims, or when another lawful Article 9 condition applies as appropriate.
USCIS & GOVERNMENT SYSTEM INTERACTIONS (INCLUDING API CONNECTIONS)
As part of immigration legal services, we may interact with systems operated by U.S. Citizenship and Immigration Services (USCIS) and other authorized government agencies, including through electronic submission methods and, where available and appropriate, secure system‑to‑system connections (including APIs). USCIS production API access programs require that participating applications be covered by a suitable privacy policy and comply with USCIS terms and security expectations.
What Data Is Exchanged
Information exchanged may include identifying and case-related information required to submit filings, requests, or inquiries and to receive responses relevant to your matter. We limit data exchange to what is necessary for the intended case function.
Purpose Limitation
Information transmitted to or received from government systems is used solely for authorized case-related purposes and is not used for unrelated marketing, profiling, or AI training.
Security & Credential Controls
We apply safeguards designed to protect government-related data and any API credentials, including restricted access and credential management practices consistent with USCIS API key management expectations (including appropriate rotation and non‑sharing).
THIRD-PARTY TRANSFERS: HOW WE SHARE PERSONAL INFORMATION
We do not sell personal information. We may share personal information only in the following circumstances:
- Service providers (processors): with vendors and contractors who provide services on our behalf (e.g., secure email, document management, case management systems, analytics limited to site performance, payment processing, hosting, IT/security support). These providers are required to protect the information and use it only for authorized purposes.
- Government agencies: with USCIS and other government entities as necessary for immigration filings, case processing, and representation.
- Referrals (when authorized): if we cannot assist, we may refer you to another attorney or firm and share information you provided, consistent with your expectations and applicable confidentiality requirements.
- Legal and safety purposes: as required by law, court order, or lawful process; to protect rights, safety, and security; or to prevent fraud and abuse.
Where GDPR applies, we disclose recipients or categories of recipients as required by GDPR Articles 13 and 14.
INTERNATIONAL TRANSFERS (EEA/UK/SWITZERLAND)
If you are located in the EEA/UK/Switzerland, your personal data may be transferred to and processed in the United States and other countries where we or our service providers operate. Where GDPR applies, we use recognized transfer mechanisms such as an adequacy decision (where applicable), Standard Contractual Clauses or other appropriate safeguards, and/or transfers to organizations certified under an approved framework (where applicable).
You may request information about applicable safeguards and how to obtain a copy where appropriate.
SECURITY OF PERSONAL INFORMATION
We maintain administrative, technical, and physical safeguards designed to protect personal information against loss, misuse, unauthorized access, disclosure, alteration, and destruction. Our safeguards include access controls, encryption in transit where appropriate, secure credential management, monitoring, and incident response practices.
ISO/IEC 27001 Certification: Garfinkel maintains an Information Security Management System (ISMS) that is certified to ISO/IEC 27001, reflecting a risk‑based approach to protecting information assets.
ISO/IEC 27701 Implementation: We implement a Privacy Information Management System (PIMS) aligned with ISO/IEC 27701 to strengthen privacy governance and operational controls for personal data.
No system can be guaranteed 100% secure; however, we continuously work to maintain and improve our safeguards.

DATA RETENTION
We retain personal information only for as long as necessary to:
- provide legal services,
- maintain client files and records consistent with professional responsibilities,
- comply with legal and regulatory requirements, and
- resolve disputes and enforce agreements.
Retention periods vary based on the nature of the matter and applicable obligations. We securely dispose of information when it is no longer required.
YOUR RIGHTS AND CHOICES
A. General Choices
You may choose not to provide certain information; however, this may limit our ability to respond or provide services. You can also control certain website tracking technologies through your browser and device settings.
B. GDPR Rights (EEA/UK/Switzerland)
If GDPR applies, you may have the right to:
- request access to your personal data;
- request correction of inaccurate or incomplete data;
- request deletion (in certain circumstances);
- request restriction of processing (in certain circumstances);
- object to processing (in certain circumstances);
- request data portability (in certain circumstances);
- withdraw consent where processing is based on consent; and
- lodge a complaint with a supervisory authority.
Some rights are not absolute and may be limited where we must retain or process information to comply with legal obligations or for the establishment, exercise, or defense of legal claims.
C. How to Exercise Rights
To submit a request, contact dpo@garfinkelimmigration.com. We may need to verify your identity before responding.
COMMUNICATIONS PREFERENCES
If we send non‑essential communications, you may opt out at any time by using unsubscribe mechanisms provided in the message or by contacting us at dpo@garfinkelimmigration.com.
DO NOT TRACK (DNT)
Some browsers offer “Do Not Track” settings. Because there is not a consistent industry standard for responding to DNT signals, our website may not respond to DNT signals. We continue to apply security and privacy controls described in this Privacy Policy.
CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. The “Last Updated” date shows when changes were made.
CONTACT US
If you have questions, concerns, or requests related to privacy or this Privacy Policy, contact:
Data Protection Officer / Privacy Contact
Email: dpo@garfinkelimmigration.com
Garfinkel Immigration Law Firm
6100 Fairview Road, Suite 200
Charlotte, NC 28210
Phone: 704.442.8000
EU‑U.S. DATA PRIVACY FRAMEWORK NOTICE
EU‑U.S. Data Privacy Framework Notice (Hold for Publication Until Certification Is Approved)
Garfinkel Immigration Law Firm complies with the EU‑U.S. Data Privacy Framework (EU‑U.S. DPF), as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal information transferred from the European Economic Area (“EEA”) to the United States in reliance on the EU‑U.S. DPF. Garfinkel has certified to the U.S. Department of Commerce that it adheres to the EU‑U.S. DPF Principles: Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse/Enforcement/Liability. If there is any conflict between the terms in this Privacy Policy and the EU‑U.S. DPF Principles, the EU‑U.S. DPF Principles govern.
To learn more about the EU‑U.S. Data Privacy Framework program and to view participating organizations, visit: https://www.dataprivacyframework.gov/
Scope
This EU‑U.S. DPF Notice applies to personal information transferred from the EEA to the United States in reliance on the EU‑U.S. DPF.
Personal Information Covered
Depending on the relationship and services provided, personal information covered by this EU‑U.S. DPF Notice may include:
- identifiers and contact details (such as name, email, phone number, and address);
- case‑related information necessary for immigration legal services and representation;
- communications and correspondence; and
- other information provided in connection with legal services.
Purposes of Processing
We use personal information covered by this EU‑U.S. DPF Notice to:
- provide immigration legal services and representation;
- communicate with you and manage your matter;
- submit filings and interact with government agencies where necessary for representation;
- secure our systems, prevent fraud, and maintain service integrity; and
- comply with legal and professional obligations.
Choice
We provide individuals with choices consistent with the EU‑U.S. DPF Principles:
- We do not use personal information for materially different purposes than those described without providing appropriate notice and choice.
- Where required, we offer an opt‑out choice for certain non‑essential uses and disclosures.
- For sensitive information, where the EU‑U.S. DPF Principles require it, we obtain affirmative express consent (opt‑in) for certain uses or disclosures.
To submit a request, contact dpo@garfinkelimmigration.com. We may need to verify your identity before responding.
Accountability for Onward Transfer
If we transfer personal information covered by this EU‑U.S. DPF Notice to a third party acting as our agent/service provider, we:
- transfer such information only for limited and specified purposes;
- contractually require the recipient to provide at least the same level of protection required by the EU‑U.S. DPF Principles; and
- remain responsible under the EU‑U.S. DPF Principles if the agent processes the personal information in a manner inconsistent with the EU‑U.S. DPF Principles, unless we prove we are not responsible for the event giving rise to the damage.
Security
We take reasonable and appropriate measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, consistent with the EU‑U.S. DPF Security Principle.
Data Integrity and Purpose Limitation
We limit personal information to what is relevant for the purposes of processing, use it in a manner compatible with those purposes, and take reasonable steps to ensure it is reliable for its intended use, accurate, complete, and current, consistent with the EU‑U.S. DPF Data Integrity and Purpose Limitation Principle.
Access
Individuals may request access to their personal information covered by this EU‑U.S. DPF Notice and may request correction, amendment, or deletion of information that is inaccurate or processed in violation of the EU‑U.S. DPF Principles, subject to reasonable limitations and verification.
To submit an access request, contact: dpo@garfinkelimmigration.com.
Recourse, Enforcement, and Liability
If you have questions or complaints regarding our handling of personal information under the EU‑U.S. DPF, please contact us first at: dpo@garfinkelimmigration.com.
If we do not resolve your complaint, you may pursue independent recourse at no cost to you through our designated independent dispute resolution provider:
Independent Recourse Mechanism
EU Data Protection Authorities (DPAs)
In compliance with the EU-U.S. DPF, Garfinkel Immigration Law Firm commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF.
We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC), as applicable.
Under certain conditions, you may invoke binding arbitration as described in Annex I of the EU‑U.S. DPF Principles after other dispute resolution options have been exhausted.
U.S. Public Authorities
Personal information transferred under the EU‑U.S. DPF may be subject to lawful requests by U.S. public authorities, including to meet national security or law enforcement requirements, consistent with the EU‑U.S. DPF framework.
