Privacy Policy

1. Who We Are

LOYALS Accountants & Business Consultants is an ICAEW-chartered accountancy firm based in London, providing premium accounting services, business mentoring, and growth support to businesses across all London boroughs and surrounding areas.

Under UK GDPR and the Data Protection Act 2018, LOYALS acts as a data controller for the personal data we collect from our clients, prospective clients, website visitors, and other individuals. We are also a data processor when handling personal data on behalf of our clients as part of our accounting services.

This Privacy Policy explains how we collect, use, store, and protect your personal data, and your rights regarding that data.

2. What Data We Collect

We collect and process different types of personal data depending on your relationship with us:

For Clients and Prospective Clients:

• Identity Data: Name, date of birth, National Insurance number, company registration details
• Contact Data: Address, email address, telephone numbers
• Financial Data: Bank account details, income information, expense receipts, invoices, VAT records, CIS deductions, payroll data, tax information
• Business Data: Company structure, directors, employees, business activities, turnover
• Communication Data: Records of conversations, emails, calls, meetings, and correspondence
• Engagement Data: Service agreements, instructions, authorizations, and consent forms

For Website Visitors:

• Technical Data: IP address, browser type, device information, operating system
• Usage Data: Pages visited, time spent on site, click patterns, referral source
• Cookie Data: Information collected through cookies and similar technologies (see Section 9)
• Form Data: Information you provide through contact forms, consultation booking forms, or newsletter sign-ups

For Business Contacts and Suppliers:

• Contact Information: Name, job title, company, email, phone number
• Business Relationship Data: Communications, contracts, invoices, payment details

3. How We Use Your Data

We use your personal data for the following purposes:

Accounting and Professional Services:

• Preparing and filing annual accounts, tax returns, VAT returns, CIS returns, and payroll
• Providing business mentoring, strategic advice, and growth support
• Managing invoices, tracking payments, and debt recovery services
• Complying with HMRC requirements and other regulatory obligations
• Liaising with HMRC, Companies House, and other authorities on your behalf

Client Relationship Management:

• Communicating with you about our services, your account, and important updates
• Responding to your queries and providing customer support
• Managing your service agreements and contracts
• Processing payments and maintaining financial records

Business Development and Marketing:

• Sending you information about our services that may interest you (only if you've consented)
• Connecting you with other businesses in our network for collaboration opportunities
• Requesting testimonials and reviews (with your permission)
• Improving our services based on feedback

Website and Analytics:

• Operating and improving our website
• Understanding how visitors use our site to enhance user experience
• Measuring the effectiveness of our marketing campaigns
• Detecting and preventing fraud or security issues

Legal and Compliance:

• Complying with legal and regulatory obligations
• Establishing, exercising, or defending legal claims
• Maintaining professional indemnity insurance
• Meeting anti-money laundering (AML) requirements

4. Lawful Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following lawful bases:

Lawful Basis	When We Use It
Contract Performance	When we process your data to fulfill our engagement letter and provide the accounting services you've contracted us for
Legal Obligation	When we must process your data to comply with HMRC requirements, Companies House filings, AML regulations, or other legal duties
Legitimate Interests	When processing is necessary for our legitimate business interests (e.g., managing client relationships, preventing fraud, improving services) and doesn't override your rights
Consent	When we send you marketing communications or process special category data (you can withdraw consent at any time)

5. Who We Share Data With

We may share your personal data with the following categories of recipients, always ensuring appropriate safeguards are in place:

Government and Regulatory Bodies:

• HMRC: Tax returns, VAT returns, CIS returns, payroll submissions
• Companies House: Annual accounts, confirmation statements, company registrations
• The Pensions Regulator: Auto-enrolment declarations and pension scheme information
• ICO (Information Commissioner's Office): Data protection registration renewals

Professional Service Providers:

• Cloud Accounting Software: Xero, QuickBooks, or similar platforms for bookkeeping and financial management
• Banking Institutions: For payment processing and financial transactions
• Legal Advisors: When providing integrated legal support as part of our Business Growth Programme
• Marketing Specialists: For clients in our Business Growth Programme (only with your explicit consent)

Professional Bodies and Insurers:

• ICAEW (Institute of Chartered Accountants in England and Wales): For regulatory compliance and professional standards
• Professional Indemnity Insurers: In the event of a claim

Technology and Service Providers:

• Email Providers: For secure communication (e.g., Microsoft 365, Google Workspace)
• Website Hosting: For maintaining our online presence
• IT Support and Security: For system maintenance and data protection
• Analytics Providers: Google Analytics for website usage analysis (anonymized where possible)

We will never sell your personal data to third parties. We only share data when necessary for the purposes outlined in this policy, and always with appropriate safeguards in place.

6. How Long We Keep Your Data

We only retain your personal data for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

Client Data Retention Periods:

• Financial Records: Minimum 6 years from the end of the accounting period (as required by HMRC)
• Tax Returns and Supporting Documents: 6 years from the relevant tax year end
• Payroll Records: 6 years from the end of the tax year
• VAT and CIS Records: 6 years from the transaction date
• Company Formation Documents: Permanently (or 6 years after company dissolution)
• Engagement Letters and Contracts: 6 years after termination of services

Other Data Retention:

• Prospective Client Enquiries: 2 years (or until you request deletion)
• Marketing Consent Records: Until consent is withdrawn, plus 3 years for compliance records
• Website Analytics Data: 26 months (Google Analytics default)
• Business Contact Information: Until you request deletion or the relationship ends

7. Your Data Protection Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:

1. Right to Be Informed

You have the right to clear information about how we collect and use your personal data. This Privacy Policy fulfills that right.

2. Right of Access

You can request a copy of the personal data we hold about you. This is known as a Subject Access Request (SAR). We will provide this information free of charge within one month of your request.

3. Right to Rectification

If any personal data we hold about you is inaccurate or incomplete, you can ask us to correct it. We want to ensure our records are accurate, so please let us know if anything needs updating.

4. Right to Erasure ("Right to be Forgotten")

In certain circumstances, you can ask us to delete your personal data. However, this right is limited when we have a legal obligation to retain data (e.g., HMRC's 6-year requirement for financial records). We will always explain if we cannot delete certain data and why.

5. Right to Restrict Processing

You can ask us to restrict how we use your personal data in certain situations, such as if you contest the accuracy of the data or object to processing based on legitimate interests.

6. Right to Data Portability

You can request that we transfer certain personal data to you or another service provider in a commonly used, machine-readable format. This applies to data you've provided to us based on consent or contract.

7. Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your rights.

8. Rights Related to Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects. All decisions about your accounting and business matters involve human review and judgment.

8. How We Protect Your Data

We take data security seriously and implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

Technical Security Measures:

• Encryption: All data transmitted to and from our systems is encrypted using industry-standard SSL/TLS protocols (HTTPS)
• Secure Cloud Storage: Client data is stored on secure, UK-based cloud servers with encryption at rest
• Multi-Factor Authentication (MFA): Required for all staff accessing client systems
• Firewall Protection: Network-level security to prevent unauthorized access
• Regular Backups: Data is backed up daily to secure offsite locations
• Antivirus and Malware Protection: All devices are protected with up-to-date security software
• Email Encryption: Sensitive documents are sent via encrypted email or secure client portals

Organizational Security Measures:

• Staff Training: All team members receive regular GDPR and data security training
• Access Controls: Role-based access ensures staff only see data necessary for their duties
• Clear Desk Policy: Physical documents are securely stored when not in use
• Secure Disposal: Paper records are cross-cut shredded; digital devices are securely wiped
• Data Processing Agreements: All third-party processors must meet our security standards
• Incident Response Plan: Procedures in place to detect, report, and respond to data breaches

What Happens in the Event of a Data Breach?

Despite our best efforts, no system is 100% secure. If we discover a data breach that poses a risk to your rights and freedoms, we will:

• Report it to the ICO within 72 hours (as required by law)
• Notify affected individuals without undue delay if there is a high risk to you
• Take immediate action to contain the breach and prevent further damage
• Investigate the cause and implement measures to prevent recurrence

9. Cookies and Website Analytics

Our website uses cookies and similar technologies to improve your browsing experience and help us understand how visitors use our site.

What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences and provide useful information to site owners.

Cookies We Use:

Cookie Type	Purpose	Duration
Essential Cookies	Required for website functionality (e.g., remembering your cookie preferences, maintaining secure sessions)	Session or up to 1 year
Analytics Cookies	Google Analytics to understand how visitors use our site (anonymized where possible)	Up to 2 years
Marketing Cookies	Track effectiveness of our advertising and remarketing campaigns (only if you consent)	Up to 90 days

Google Analytics

We use Google Analytics to analyze website traffic and improve user experience. Google Analytics collects information such as:

• Pages visited and time spent on each page
• Referring websites and search terms used
• Browser type, device type, and screen resolution
• Geographic location (country and city level only)

This data is processed by Google and shared with us in anonymized, aggregated form. We use this information to understand which content is most useful to visitors and to improve our website accordingly.

For more information about how Google uses data, please see Google's Privacy Policy.

Managing Cookies

Most web browsers automatically accept cookies, but you can modify your browser settings to decline cookies if you prefer. However, this may prevent you from taking full advantage of our website.

How to disable cookies:

• Chrome: Settings → Privacy and security → Cookies and other site data
• Firefox: Settings → Privacy & Security → Cookies and Site Data
• Safari: Preferences → Privacy → Block all cookies
• Edge: Settings → Privacy, search and services → Cookies and site permissions

You can also opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

10. International Data Transfers

LOYALS is based in the UK and primarily processes data within the United Kingdom. However, some of our service providers may process data outside the UK and EEA (European Economic Area).

Where We Transfer Data:

In limited circumstances, your personal data may be transferred to:

• USA: Some cloud service providers (e.g., Google, Microsoft) store data on servers in the United States
• Other Countries: Certain IT support or software providers may have international operations

How We Protect International Transfers:

When we transfer data outside the UK, we ensure it is protected by:

• Adequacy Decisions: Transferring to countries deemed to have adequate data protection by the UK government
• Standard Contractual Clauses (SCCs): Using UK-approved contracts that require the recipient to protect your data
• Binding Corporate Rules: Working with companies that have internal data protection standards approved by regulators
• International Data Transfer Agreements (IDTAs): Using the UK government's approved transfer mechanism

All international data transfers comply with UK GDPR requirements. If you would like more information about specific transfers, please contact us.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.

When we make significant changes:

• We will update the "Last Updated" date at the top of this page
• For clients, we will notify you by email or through our client portal
• For material changes that affect your rights, we may seek your renewed consent where required

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

Previous versions: If you would like to see a previous version of this Privacy Policy, please contact us and we can provide historical copies.