PRIVACY NOTICE

Introduction

The Data Protection Act 2018 ("DPA 2018") and the UK General Data Protection Regulation ("UK GDPR") impose legal obligations on the collection and processing of personal data.

Initial Accounting Solutions is a data controller and, in certain circumstances, a data processor. This means that:

  • When acting as a data controller, we determine the purposes and means of processing your personal data (for example, preparing your accounts, tax returns, or bookkeeping services).
  • When acting as a data processor on your behalf (for example, processing payroll or other services under contract), we process personal data according to the instructions provided by the controller. In such cases, an additional schedule forms part of the engagement, and should be read alongside this privacy notice.

This privacy notice explains how we collect, use, store, and share personal information, and your rights regarding your data. It is based on guidance from the ICO and professional standards recommended by the AAT.

We may amend this privacy notice from time to time. The latest version is always available on our website: www.initial-accounting-solutions.co.uk, and you will be notified of any material updates where necessary.

Contact Details

For all privacy-related queries, including exercising your data protection rights, you can contact us:

What this notice covers

This notice explains:

  1. What information we collect, use, and why
  2. Our lawful bases and your data protection rights
  3. Where we get personal information from
  4. How long we keep information
  5. Who we share information with
  6. Transfers of information outside the UK
  7. How to complain

What information we collect, use, and why

We process personal data for a range of purposes in accordance with UK GDPR and professional standards. These purposes include:

1. To provide professional services

We collect and use personal information to enable us to supply professional accounting and bookkeeping services to you as our client. This includes:

  • Names and contact details
  • Addresses
  • Account information, including registration details
  • Purchase or service history
  • Identification documents and financial records for anti-money laundering checks
  • Information used for security purposes

2. To comply with legal obligations

We process personal data to fulfil our obligations under laws and regulations, including but not limited to:

  • The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017)
  • Tax legislation and reporting requirements
  • Professional obligations as a member of the AAT

The information used may include:

  • Names and contact details
  • Identification documents
  • Client account information
  • Any other personal information required to comply with legal obligations

3. To prevent, detect, investigate, or prosecute crime

We process personal data where necessary for fraud prevention, detection of financial crime, or other legal investigations. This may include:

  • Names and contact details
  • Client accounts and records
  • Video or audio recordings of public areas
  • Financial information
  • Location data

4. To handle queries, complaints, or disputes

We process personal information to investigate and respond to queries, complaints, or claims related to our services. This includes:

  • Names and contact details
  • Addresses
  • Payment details
  • Account and purchase/service history
  • Correspondence, photographs, and recordings relevant to investigations
  • Customer or client records and financial transaction information

5. To enable invoicing and address fee disputes

Personal information may also be used to issue invoices, reconcile accounts, and investigate any fee-related queries or disputes.

6. For marketing and additional services (where consented)

Where you have provided consent, we may use your personal information to contact you about other services we provide which may be of interest.

Lawful bases and data protection rights

Under UK data protection law, we must have a "lawful basis" for collecting and using your personal information. There is a list of possible lawful bases here in the UK GDPR. You can find out more about lawful bases on the ICO's website.

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO's website:

  • Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which mean you may not receive all the information you ask for. Read more about the right of access.
  • Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
  • Your right to erasure - You have the right to ask us to delete your personal information. Read more about the right to erasure.
  • Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
  • Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.
  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.
  • Your right to withdraw consent - When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information for the operation of client or customer accounts are:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
  • Legitimate interests – we're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

We have a legitimate interest in collecting and using personal information to manage client accounts effectively and provide accurate bookkeeping and accounting services. This processing is necessary to:

  • Maintain and update client financial records accurately and efficiently.
  • Communicate promptly and clearly with clients regarding their accounts, enquiries, and updates.
  • Detect and prevent fraud or financial crime, safeguarding both our clients and our business.
  • Comply with legal and regulatory requirements, including tax legislation and anti-money laundering rules.
  • Enhance our services by better understanding client needs and business operations.

We have carefully balanced our interests against your privacy rights and concluded that the benefits — such as fulfilling our contractual and legal obligations, protecting your financial interests, and delivering a high standard of service — clearly outweigh any potential risks. We take the security and confidentiality of your personal data seriously and only process it for legitimate purposes directly related to the services we provide.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for the prevention, detection, investigation or prosecution of crimes are:

  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
  • Legitimate interests – we're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

We have a legitimate interest in collecting and using personal information to prevent, detect, investigate, and support the prosecution of criminal activities, particularly fraud and financial crime. This processing is necessary to:

  • Protect our clients' financial interests and personal data from unlawful activities.
  • Safeguard the integrity and reputation of our business and the wider accounting profession.
  • Comply with relevant legal and regulatory requirements, such as anti-money laundering laws and tax regulations.
  • Assist law enforcement and regulatory authorities when required, ensuring lawful investigations and prosecutions.

We have carefully balanced these interests against individuals' rights and privacy, ensuring that the benefits of preventing and addressing criminal conduct — which protects both clients and the public — clearly outweigh any potential risks or impacts on privacy. We only process the information necessary for these purposes and handle all data with strict confidentiality and security.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information to comply with legal requirements:

  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
  • Legitimate interests – we're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

We have a legitimate interest in collecting and using personal information to efficiently manage and resolve client queries, complaints, and claims. This processing is necessary to:

  • Address and investigate concerns fairly and promptly.
  • Maintain accurate records of communications and outcomes to ensure transparency and accountability.
  • Improve the quality of our services based on feedback and issue resolution.
  • Protect our business and clients by resolving disputes in a timely manner.

We have carefully weighed our interests against individuals' privacy rights and concluded that the benefits — including effective communication, improved client satisfaction, and maintaining trust — clearly outweigh any potential risks or impact on privacy. We handle all personal information with strict confidentiality and only use it for purposes directly related to resolving issues.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Where we get personal information from

  • Directly from you
  • Regulatory authorities
  • Legal bodies or professionals (such as courts or solicitors)
  • Publicly available sources
  • Suppliers and service providers
  • Third parties: Accountants, bookkeepers, payroll providers, financial advisers, and other professionals authorised by our clients to share their information with us.

Retention of Personal Data

When acting as a data controller, and in accordance with recognised good practice within the tax and accountancy sector, we will retain all records relating to you as follows:

  • Tax returns – it is our policy to retain information for 7 years from the end of the tax year to which the information relates, in line with HMRC requirements.
  • Ad hoc advisory work – information is retained for 3 years from the date the business relationship ceased, unless otherwise agreed.
  • Ongoing client relationships – data needed for more than one year's tax compliance (e.g., capital gains base costs, claims, and elections submitted to HMRC) is retained throughout the period of the relationship, but will be deleted 7 years after the end of the business relationship unless you request us to retain it longer.

Our contractual terms provide for the destruction of documents after 7 years, and therefore agreement to the contractual terms is taken as agreement to the retention of records for this period and their destruction thereafter. You are responsible for retaining information we send to you (including details of capital gains base costs and claims and elections submitted), which will be supplied in the agreed form.

Documents and records relevant to your tax affairs are required by law to be retained as follows:

  • Individuals, trustees, and partnerships
    • With trading or rental income: 5 years and 10 months after the end of the tax year
    • Otherwise: 22 months after the end of the tax year
  • Companies, LLPs, and other corporate entities
    • 6 years from the end of the accounting period

Retention Schedule for Personal Information

| Type of Personal Information | Retention Period | Reason / Legal Requirement |
|---|---|---|
| Client contact details (name, address, email, phone) | 6 years after the end of the client relationship | To comply with HMRC accounting and tax record-keeping requirements and GDPR storage limitation principle |
| Financial records (invoices, receipts, bank statements) | 6 years from the end of the financial year | Required by HMRC for tax audits and accounting purposes |
| Payroll and employee records | 6 years after employment ends | To comply with employment law and tax regulations |
| Contracts and agreements | 6 years after contract expiry | Limitation period for contractual disputes and legal compliance |
| Correspondence related to queries, complaints, or claims | 3 years after resolution | To manage disputes, complaints, and maintain records for potential investigations |
| Identification documents (e.g., client onboarding, AML checks) | 5 years after end of relationship | To comply with UK Anti-Money Laundering (AML) regulations |
| Marketing data and preferences | Until consent is withdrawn or for 3 years after last contact | To comply with GDPR consent requirements and respect individual preferences |
| CCTV or dashcam footage | Up to 30 days unless required for investigation | To comply with data protection principles and investigation needs |

Data Retention Practices

We keep your personal information only as long as necessary to provide our services, meet legal obligations, and resolve any queries or complaints. After the relevant retention period has ended, your information will be securely deleted or anonymised to protect your privacy.

Where we act as a data processor as defined in the DPA 2018, we will delete or return all personal data to the data controller as agreed with the controller (e.g., monthly, annually, or at the termination of the contract).

If you have any questions about how long we keep your personal data or wish to request its deletion, please contact us using the details at the top of this privacy notice.

Persons/organisations to whom we may give personal data

We may share your personal data with the following persons or organisations:

  • HM Revenue & Customs (HMRC) and other regulatory authorities.
  • Third parties with whom you require or permit us to correspond, including accountants, bookkeepers, payroll providers, financial advisers, and other professionals authorised by our clients to share information with us.
  • Suppliers and service providers, such as IT providers, cloud accounting software, email platforms, or other contractors that support our business operations.
  • Subcontractors and other parties assisting us in providing our services.
  • An alternate appointed by us in the event of incapacity or death.
  • Tax insurance providers and professional indemnity insurers.
  • Our professional body The Association of Accounting Technicians (AAT) and/or the Office of Professional Body Anti-Money Laundering Supervisors (OPBAS), in relation to practice assurance and/or compliance with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) or any similar legislation.

Where the law allows or requires, we may also share your personal data with:

  • Police and law enforcement agencies
  • Courts and tribunals
  • The Information Commissioner's Office (ICO)

We may need to share your personal data with the third parties identified above to comply with our legal obligations, including obligations to you. If you ask us not to share your personal data with such third parties, we may be unable to continue acting for you.

Who we share information with

Data processors

We use data processors such as cloud accounting and payroll software providers, email and communication platforms, IT hosting services, and payment processors. These data processors carry out the following activities for us:

  • Accounting software providers process and store our clients' financial data and bookkeeping records securely.
  • Payroll service providers manage payroll processing and employee tax calculations on our behalf.
  • Email and communication platforms handle our business email and marketing communications.
  • IT and data hosting providers maintain and secure our IT infrastructure and data storage systems.
  • Payment processors facilitate online payment transactions from our clients.

Others we share personal information with

  • Other financial or fraud investigation authorities
  • Regulatory authorities
  • External auditors
  • Organisations we're legally obliged to share personal information with
  • Suppliers and service providers

Third parties we may share your personal information with to enable us to provide our services, comply with legal obligations, or protect your interests include:

  • Regulatory authorities such as HM Revenue & Customs (HMRC) and the Financial Conduct Authority (FCA) for compliance and reporting purposes.
  • External auditors who review our financial records and compliance processes.
  • Professional or legal advisors including solicitors and accountants who assist us in providing expert advice.
  • Suppliers and service providers who support our business operations, such as IT support companies.
  • Organisations we're legally obliged to share information with, including courts and law enforcement agencies.
  • Banks or credit reference agencies where necessary for client creditworthiness checks or payment processing.

We ensure that all third parties we share data with are obliged to protect your personal information and only use it for specified purposes.

Transfers of personal data outside the UK and EEA

We primarily process your personal data within the United Kingdom (UK) and the European Economic Area (EEA). However, where necessary, we may transfer personal information outside of the UK and EEA.

When doing so, we comply with the UK GDPR and ensure appropriate safeguards are in place to protect your information.

For further information, or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

| Organisation name | Category of recipient | Country the personal information is sent to | How the transfer complies with UK data protection law |
|---|---|---|---|
| IONOS | Web hosting, email and cloud services provider | Germany (EU) | The country or sector has been assessed as providing adequate protection to data subjects (Adequacy Regulations / UK data bridge). |
| Xero | Cloud accounting software provider | United Kingdom / Ireland / United States | Addendum to the EU Standard Contractual Clauses (SCCs). |
| Sage | Cloud accounting software provider | United Kingdom / EEA / United States (limited transfers) | Addendum to the EU Standard Contractual Clauses (SCCs). |
| Microsoft (Outlook, OneDrive, Microsoft 365) | Cloud services provider – email, document storage, productivity tools | United Kingdom / EEA / United States (and other global data centres) | Addendum to the EU Standard Contractual Clauses (SCCs). |
| Google LLC (Gmail, Google Drive, Google Workspace) | Cloud services provider – email, document storage, and collaboration tools | United States and other countries where Google or its subprocessors operate | Addendum to the EU Standard Contractual Clauses (SCCs) with UK Addendum. |
| Vercel Inc. (includes V0 by Vercel) | Web hosting and deployment platform (includes cookie and analytics handling) | United States | Addendum to the EU Standard Contractual Clauses (SCCs). |
| Resend, Inc. | Email delivery and transactional messaging service (used for website contact form submissions) | United States | Addendum to the EU Standard Contractual Clauses (SCCs) with UK Addendum. |
| PayPal | Online payment processing service | United States | Addendum to the EU Standard Contractual Clauses (SCCs). |
| WhatsApp Inc. (Meta Platforms, Inc.) | Messaging and communication service provider | United States | Addendum to the EU Standard Contractual Clauses (SCCs). |
| Dropbox, Inc. | Cloud storage and file sharing service provider | United States | Addendum to the EU Standard Contractual Clauses (SCCs). |
| Meta Platforms, Inc. (Facebook, Instagram) | Social media and online advertising platform | United States | Addendum to the EU Standard Contractual Clauses (SCCs). |
| LinkedIn Corporation | Professional networking and marketing platform | United States | Addendum to the EU Standard Contractual Clauses (SCCs). |
| Stripe | Online payment processing provider | United States / EEA | Addendum to the EU Standard Contractual Clauses (SCCs). |
| GoCardless | Direct debit payment processing provider | United Kingdom / EEA / United States | Addendum to the EU Standard Contractual Clauses (SCCs) and Adequacy Regulations (UK data bridge). |
| Google Analytics 4 | Website analytics service to track and report website traffic, with IP anonymisation enabled | United States and other countries where Google or its subprocessors operate | Addendum to the EU Standard Contractual Clauses (SCCs). |

  • The recipient country has been deemed to provide an adequate level of protection for personal data by the UK Government; or
  • We have implemented appropriate safeguards, such as the UK Addendum to the EU Standard Contractual Clauses (SCCs); or
  • You have provided explicit consent to the transfer after being informed of possible risks.

If you ask us not to share your personal data with such third parties, we may need to cease to act.

Your Data Protection Rights

You have a number of rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 regarding your personal data. This section explains how you can exercise these rights and how we will respond.

Accessing the personal data we hold about you (Subject Access Requests)

You have the right to request access to the personal data we hold about you. These are known as Subject Access Requests (SARs).

Please make your request in writing, marked for the attention of the Data Protection Contact at:
📧 contact@initial-accounting-solutions.co.uk

To help us locate your data and respond quickly, please include enough details to verify your identity and identify the relevant information. For example:

  • your full name and date of birth
  • any previous names or addresses used in the past five years
  • any personal reference numbers (such as your National Insurance number, tax reference, or VAT number)
  • the type of information you would like to access

If you do not have a National Insurance number, please include a copy of:

  • the back page of your passport or your driving licence, and
  • a recent utility bill or bank statement showing your current address.

We are required to respond promptly and in any event within one month of receiving your request. There are limited circumstances where the law allows us to refuse access (for example, if a similar request was made recently and there has been no material change). We will not charge for responding to a SAR unless the request is clearly unfounded or excessive.

If you would like someone else to make a SAR on your behalf (for example, a solicitor or relative), we must receive your signed written authority allowing us to respond to that person.

Where we act as a data processor on behalf of a client who is the data controller (for example, when processing payroll), we will assist that controller in responding to SARs in line with the terms of our engagement.

Correcting your information (Right to Rectification)

You have the right to have any inaccurate or incomplete personal data corrected or completed. If you believe that any information we hold about you is inaccurate, please contact us immediately so we can update it.

Deleting your information (Right to Erasure)

In certain circumstances, you have the right to have your personal data deleted. If you would like your data erased, please contact us. We will review your request in line with legal and regulatory obligations and inform you if we are unable to delete specific records (for example, where we must retain information for HMRC or anti-money laundering purposes).

Further information about this right is available from the Information Commissioner's Office (ICO) at www.ico.org.uk.

Restricting or Objecting to Processing

In certain cases, you may have the right to restrict how your personal data is used or to object to its processing. If you wish to exercise these rights, please contact us. We will review your request and confirm whether the restriction or objection can be applied in accordance with data protection law.

Transferring your data (Right to Data Portability)

You have the right, in some circumstances, to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format. This enables you to transfer it to another professional adviser or service provider. This right applies only where:

  • the processing is based on your consent or a contract, and
  • the processing is carried out by automated means.

We will respond to any portability request within one month, though this period may be extended by up to two months for complex or multiple requests (we will notify you if that happens).

Withdrawing Consent

Where we rely on your consent to process your personal data, you may withdraw that consent at any time. Please note:

  • withdrawal does not affect the lawfulness of processing before consent was withdrawn;
  • if you withdraw consent, we may not be able to continue providing certain services; and
  • even after withdrawal, we may still process data on other lawful bases (e.g. where we are legally required to retain it).

Automated Decision-Making

Initial Accounting Solutions does not use automated decision-making or profiling in connection with your personal data.

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice. If you remain unhappy with how we've used your data after raising a complaint with us, you can also complain to the ICO.

The ICO's address:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint