Introduction

This is the Privacy Notice for SmartBooksCo Ltd (“the Company”, “we”, “us”).

The purpose of this notice is to inform you about how and why your personal data is used so that we are as transparent as possible, and to ensure you are aware of your rights under UK data protection legislation (UK General Data Protection Regulation, Data Protection Act 2018).

The Company
SmartBooksCo Ltd is registered with Companies House under registration number 16469621 and with the Information Commissioner’s Office (ICO) under registration number ZB914007.

We are a data controller for the personal data we collect from you.

We have appointed Gabriela Chiscareanu (Director) as our designated data protection contact.

You can contact us at info@smart-books.co.uk

The purpose for processing your data and our basis for doing so
We process personal data so we can provide commercial accounting-related services (such as bookkeeping, tax returns, payroll, VAT, etc.) to clients and engage with prospective clients and partners. We will also use your data for complying with the UK anti-money laundering (AML) legislation and for marketing purposes.

In processing your data, we must establish our legal basis for doing so. The legal basis can be different depending on the circumstances. References to the basis of processing (e.g., “Article 6.1.f”) are references to the article of the UK GDPR under which we undertake the processing in question.

If you are a client
We may hold the following information about you:
- Full name
- Postal and correspondence addresses
- Email address
- Contact telephone numbers
- Alternative contact details
- Date of birth
- Government-issued identifiers (e.g. UTR, NI number, passport or driving licence for AML)
- Bank details or payment information
- Signature
- Copies of documents provided for AML due diligence

We process this information so we can provide you with services, invoice you, and maintain our communication with you. Our legal basis is Article 6.1.b – performance of a contract, as this is necessary to deliver our services.

We also process your data to enable us to perform AML checks both at the start of and during our commercial relationship. This is to comply with UK AML regulations. Our legal basis is Article 6.1.c – compliance with a legal obligation.

Where we require your data in pursuance of a contract, if you fail to provide it, we may not be able to provide services or enter into a commercial agreement with you.

If you are a prospective client
We may process the following information about you:
- Full name
- Email address
- Contact telephone number
- Postal address
- Basic identity details for AML checks where required

We will process this information for the purposes of complying with UK AML regulations and to communicate with you regarding our services.

Marketing
If you represent a corporate entity, we may send you updates and information as a legitimate interest activity (Article 6.1.f).

If you are a sole trader or individual and we have had discussions about providing services, we may market to you under the Privacy and Electronic Communications Regulations 2003 (as amended).

You can opt out of marketing at any time.

Recipients of your data
As a general principle, we will not transfer your personal data to other recipients without your permission. Exceptions include:
- If you do not pay your bills, we may use a debt recovery agency (Article 6.1.f legitimate interest).
- If required by law, we may be compelled to disclose information (Article 6.1.c legal obligation).
- For AML compliance, we may be required to share data with our supervisory authority or law enforcement (Article 6.1.c).
- HMRC and Companies House will also receive some data as part of our legal obligations (Article 6.1.c).
- We may share data internally or with subcontractors to deliver services.

Data processed by third parties on our behalf
We use the services of trusted providers in processing your data. Examples include:
- Accounting software (e.g. Xero)
- Cloud storage and IT services (e.g. Microsoft 365, Wix)
- Credit checking services
- Payment processors
- Professional advisors (legal, insurance, regulatory)

All such providers are subject to data processing agreements under Article 28 UK GDPR, ensuring your data is protected.

Transferring your data outside the UK
Some of our cloud or IT providers may transfer data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as adequacy regulations or Standard Contractual Clauses.

Retention periods
We will retain your data only for as long as necessary for the purposes stated, or where we have a legal obligation or legitimate purpose.

- Client data: retained for 6 years after the end of the relationship (to comply with HMRC requirements).
- Personal data collected for the purpose of client due diligence: retained for a minimum of 5 years after the relationship ends.
- Prospective clients: data retained for up to 2 years from last meaningful contact, unless you request otherwise.

Security
We implement technical and organisational measures to protect your data, including:
- Anti-virus and anti-malware protections
- Use of Transport Layer Security (TLS/SSL) for website communications
- Restricted access to client files on a need-to-know basis
- Secure password and authentication policies

Your rights
Under UK GDPR you have the following rights:
- To access and receive copies of your personal data
- To request correction of inaccurate or incomplete data
- To request erasure of data, or restriction of processing (subject to legal requirements)
- To object to processing based on legitimate interests
- To request data portability
- To lodge a complaint with the ICO (ico.org.uk)

If you wish to exercise any of these rights, please contact us using the details above.
