Privacy Notice
Last updated: 14 June 2025
Initial Accounting Solutions customer privacy notice
This privacy notice tells you what to expect us to do with your personal information.
- Contact details
- What information we collect, use, and why
- Lawful bases and data protection rights
- Where we get personal information from
- How long we keep information
- Who we share information with
- Sharing information outside the UK
- How to complain
Contact details
What information we collect, use, and why
We collect or use the following personal information for the operation of client or customer accounts:
- Names and contact details
- Addresses
- Purchase or service history
- Account information, including registration details
- Information used for security purposes
- Identification documents and financial records for anti-money laundering checks
We collect or use the following personal information for the prevention, detection, investigation or prosecution of crimes:
- Names and contact information
- Client accounts and records
- Video recordings of public areas
- Audio recordings of public areas
- Financial information, e.g. for fraud prevention or detection
- Location data
We collect or use the following personal information to comply with legal requirements:
- Name
- Contact information
- Identification documents
- Client account information
- Any other personal information required to comply with legal obligations
We collect or use the following personal information for dealing with queries, complaints or claims:
- Names and contact details
- Addresses
- Payment details
- Account information
- Purchase or service history
- Video recordings of public areas
- Audio recordings of public areas
- Call recordings
- Photographs
- Relevant information from previous investigations
- Customer or client accounts and records
- Financial transaction information
- Correspondence
- Location data
Lawful bases and data protection rights
Under UK data protection law, we must have a "lawful basis" for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO's website.
Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO's website:
- Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which mean you may not receive all the information you ask for. Read more about the right of access.
- Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
- Your right to erasure - You have the right to ask us to delete your personal information. Read more about the right to erasure.
- Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
- Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.
- Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.
- Your right to withdraw consent - When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.
If you make a request, we must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
Our lawful bases for the collection and use of your data
Our lawful bases for collecting or using personal information for the operation of client or customer accounts are:
- Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
- Legitimate interests – we're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
We have a legitimate interest in collecting and using personal information to manage client accounts effectively and provide accurate bookkeeping and accounting services. This processing is necessary to:
- Maintain and update client financial records accurately and efficiently.
- Communicate promptly and clearly with clients regarding their accounts, enquiries, and updates.
- Detect and prevent fraud or financial crime, safeguarding both our clients and our business.
- Comply with legal and regulatory requirements, including tax legislation and anti-money laundering rules.
- Enhance our services by better understanding client needs and business operations.
We have carefully balanced our interests against your privacy rights and concluded that the benefits — such as fulfilling our contractual and legal obligations, protecting your financial interests, and delivering a high standard of service — clearly outweigh any potential risks. We take the security and confidentiality of your personal data seriously and only process it for legitimate purposes directly related to the services we provide.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Our lawful bases for collecting or using personal information for the prevention, detection, investigation or prosecution of crimes are:
- Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
- Legitimate interests – we're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
We have a legitimate interest in collecting and using personal information to prevent, detect, investigate, and support the prosecution of criminal activities, particularly fraud and financial crime. This processing is necessary to:
- Protect our clients' financial interests and personal data from unlawful activities.
- Safeguard the integrity and reputation of our business and the wider accounting profession.
- Comply with relevant legal and regulatory requirements, such as anti-money laundering laws and tax regulations.
- Assist law enforcement and regulatory authorities when required, ensuring lawful investigations and prosecutions.
We have carefully balanced these interests against individuals' rights and privacy, ensuring that the benefits of preventing and addressing criminal conduct — which protects both clients and the public — clearly outweigh any potential risks or impacts on privacy. We only process the information necessary for these purposes and handle all data with strict confidentiality and security.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Our lawful bases for collecting or using personal information to comply with legal requirements are:
- Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:
- Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
- Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
- Legitimate interests – we're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
We have a legitimate interest in collecting and using personal information to efficiently manage and resolve client queries, complaints, and claims. This processing is necessary to:
- Address and investigate concerns fairly and promptly.
- Maintain accurate records of communications and outcomes to ensure transparency and accountability.
- Improve the quality of our services based on feedback and issue resolution.
- Protect our business and clients by resolving disputes in a timely manner.
We have carefully weighed our interests against individuals' privacy rights and concluded that the benefits — including effective communication, improved client satisfaction, and maintaining trust — clearly outweigh any potential risks or impact on privacy. We handle all personal information with strict confidentiality and only use it for purposes directly related to resolving issues.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Where we get personal information from
- Directly from you
- Regulatory authorities
- Legal bodies or professionals (such as courts or solicitors)
- Publicly available sources
- Suppliers and service providers
- Third parties: Accountants, bookkeepers, payroll providers, financial advisers, and other professionals authorised by our clients to share their information with us.
How long we keep information
For more information on how long we store your personal information or the criteria we use to determine this, please contact us using the details provided above.
Retention Schedule for Personal Information
Type of Personal Information | Retention Period | Reason / Legal Requirement |
---|---|---|
Client contact details (name, address, email, phone) | 6 years after the end of the client relationship | To comply with HMRC accounting and tax record-keeping requirements and GDPR storage limitation principle |
Financial records (invoices, receipts, bank statements) | 6 years from the end of the financial year | Required by HMRC for tax audits and accounting purposes |
Payroll and employee records | 6 years after employment ends | To comply with employment law and tax regulations |
Contracts and agreements | 6 years after contract expiry | Limitation period for contractual disputes and legal compliance |
Correspondence related to queries, complaints, or claims | 3 years after resolution | To manage disputes, complaints, and maintain records for potential investigations |
Identification documents (e.g., for client onboarding, AML checks) | 5 years after end of relationship | To comply with UK Anti-Money Laundering (AML) regulations |
Marketing data and preferences | Until consent is withdrawn or for 3 years after last contact | To comply with GDPR consent requirements and respect individual preferences |
CCTV or dashcam footage | Up to 30 days unless required for investigation | To comply with data protection principles and investigation needs |
Data Retention
We keep your personal information only for as long as necessary to provide our services, meet legal obligations, and resolve any queries or complaints. Our retention periods comply with UK data protection laws (including the UK GDPR) and relevant accounting and tax regulations. After the relevant retention period has ended, your information will be securely deleted or anonymised to protect your privacy. If you have any questions about how long we keep your personal data or wish to request its deletion, please contact us.
Who we share information with
Data processors
We use data processors such as cloud accounting and payroll software providers, email and communication platforms, IT hosting services, and payment processors. These data processors carry out the following activities for us:
- Accounting software providers process and store our clients' financial data and bookkeeping records securely.
- Payroll service providers manage payroll processing and employee tax calculations on our behalf.
- Email and communication platforms handle our business email and marketing communications.
- IT and data hosting providers maintain and secure our IT infrastructure and data storage systems.
- Payment processors facilitate online payment transactions from our clients.
Others we share personal information with
- Other financial or fraud investigation authorities
- Regulatory authorities
- External auditors
- Organisations we're legally obliged to share personal information with
- Suppliers and service providers
- Third parties:
We may share your personal information with the following third parties to enable us to provide our services, comply with legal obligations, or protect your interests:
- Regulatory authorities such as HM Revenue & Customs (HMRC) and the Financial Conduct Authority (FCA) for compliance and reporting purposes.
- External auditors who review our financial records and compliance processes.
- Professional or legal advisors including solicitors and accountants who assist us in providing expert advice.
- Suppliers and service providers who support our business operations, such as IT support companies.
- Organisations we're legally obliged to share information with, including courts and law enforcement agencies.
- Banks or credit reference agencies where necessary for client creditworthiness checks or payment processing.
We ensure that all third parties we share data with are obliged to protect your personal information and only use it for specified purposes.
Sharing information outside the UK
Where necessary, we may transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.
For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.
Organisation name | Category of recipient | Country the personal information is sent to | How the transfer complies with UK data protection law |
---|---|---|---|
IONOS | Web hosting, email and cloud services provider | Germany (EU) | The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge). |
Xero | Cloud accounting software provider | United Kingdom / Ireland / United States | Addendum to the EU Standard Contractual Clauses (SCCs) |
Sage | Cloud accounting software provider | Primarily United Kingdom and European Economic Area (EEA); some services may involve limited transfer to the United States | Addendum to the EU Standard Contractual Clauses (SCCs) |
Microsoft (e.g. Outlook, OneDrive, Microsoft 365) | Cloud services provider – email, document storage, productivity tools | United Kingdom / European Economic Area (EEA) / United States (and other global data centres) | Addendum to the EU Standard Contractual Clauses (SCCs) |
Vercel Inc. (includes V0 by Vercel) | Web hosting and deployment platform (includes cookie and analytics handling) | United States | Addendum to the EU Standard Contractual Clauses (SCCs) |
PayPal | Online payment processing service | United States | Addendum to the EU Standard Contractual Clauses (SCCs) |
WhatsApp Inc. (owned by Meta Platforms, Inc.) | Messaging and communication service provider | United States | Addendum to the EU Standard Contractual Clauses (SCCs) |
Dropbox, Inc. | Cloud storage and file sharing service provider | United States | Addendum to the EU Standard Contractual Clauses (SCCs) |
Meta Platforms, Inc. (Facebook, Instagram) | Social media and online advertising platform | United States | Addendum to the EU Standard Contractual Clauses (SCCs) |
LinkedIn Corporation | Professional networking and marketing platform | United States | Addendum to the EU Standard Contractual Clauses (SCCs) |
Stripe | Online payment processing provider | United States (with some operations in EU countries) | Addendum to the EU Standard Contractual Clauses (SCCs) |
GoCardless | Direct debit payment processing provider | United Kingdom, European Economic Area (EEA), and United States | Addendum to the EU Standard Contractual Clauses (SCCs); The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge) |
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
If you remain unhappy with how we've used your data after raising a complaint with us, you can also complain to the ICO.
The ICO's address:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint