Privacy and Data Protection Policy

Tax Done Limited | Company No. 09705632

Last Updated:

Important information and who we are


Purpose of this privacy notice

This privacy notice sets out the types of personal information we collect, how we collect and process that information, who we may share it with in relation to the services we provide, and certain rights and options you have in this respect.

This privacy notice applies to the following categories of individuals (collectively referred to as 'you' and 'your' in this privacy notice):

  • Website visitors

  • Prospective clients

  • Clients (including former clients)

  • Suppliers and contractors

  • All other people, including referrers and other business contacts


Controller

Tax Done Limited (referred to as 'Tax Done', 'we', 'us' or 'our' in this privacy notice) is the data controller and is responsible for your personal data.

Our registered address is: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Company registration number: 09705632
ICO Registration Number: ZA629302


How to contact us

Questions, comments and requests regarding this privacy notice are welcomed and should be addressed to us at:

Email: hello@taxdone.co.uk


Our role as controller and processor

Depending on the circumstances, Tax Done may act as:

  • A data controller in respect of our own clients' personal data and our business operations (e.g. marketing, CRM, and our own administrative records); and

  • A data processor acting on behalf of our clients, where we process personal data (such as employee payroll data or business financial records) in order to provide services to those clients on their instruction.

Where Tax Done acts as a data processor on your behalf, a separate Data Processing Agreement may be entered into in accordance with Article 28 of the UK GDPR. Please contact us at hello@taxdone.co.uk for further information.


Third-party links

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

The data we collect about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different categories of personal data about you, grouped as follows. The processing of each category will depend on your relationship with us. Please refer to Section 4 for further information.

| Category | Description |
|---|---|
| Anti-Money Laundering (AML) Data | PEP status, sanction status, proof of identity, evidence of source of funds, and other information required to satisfy our obligations under the Money Laundering Regulations 2017 |
| Contact Data | Billing address, correspondence address, email address and telephone numbers |
| Due Diligence Data | Passport, driving licence, utility bills and bank statements |
| Financial Data | Bank account details, payment card details, and financial transaction records |
| Identity Data | First name, last name, title, date of birth, job title, and National Insurance number where required |
| Marketing and Communications Data | Your preferences in receiving marketing from us and your communication preferences |
| Payroll and Employment Data | Employee names, addresses, National Insurance numbers, salary, tax codes, and other payroll-related information provided by clients for the purposes of payroll processing |
| Tax and Accounting Data | VAT records, self-assessment information, company accounts, HMRC correspondence, bookkeeping records, and other financial and tax-related information provided by or on behalf of clients |
| Technical Data | IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and other technology data from devices used to access our website |
| Usage Data | Information about how you use our website and services |

We do not knowingly collect any special category data (such as data about racial or ethnic origin, health, religious beliefs, or sexual orientation) unless you have volunteered it in the course of providing us with the information necessary to carry out your services. Where such data is provided, we will process it only to the extent necessary and on the basis of explicit consent or as required by law.

How your personal data is collected

We use different methods to collect data from and about you, including through:

Direct interactions. You may give us personal data by filling in forms or by corresponding with us by post, phone, email, or otherwise. This includes personal data you provide when you:

  • Visit and/or interact with our website at taxdone.co.uk

  • Complete our 'Get your quote' form or Letter of Engagement

  • Contact us via email, telephone, or live chat

  • Subscribe to our newsletter or service updates

  • Provide documents and information in connection with the services we carry out for you (e.g. HMRC filings, VAT returns, payroll processing, or company accounts)

  • Provide identity verification documentation as part of our client onboarding and AML due diligence process

  • Respond to our surveys or provide feedback

Third parties or publicly available sources. We may receive personal data about you from third parties and public sources, including:

  • Technical and analytics data from providers such as Google Analytics

  • Identity and contact data from publicly available sources such as Companies House, HMRC, and LinkedIn

  • AML and sanctions screening data from third-party due diligence providers

How we use your personal data

We will only use your personal data when the law allows us to. The lawful bases we rely on are:

  • Performance of a contract – where processing is necessary to perform a contract with you or to take steps at your request before entering into one

  • Legal obligation – where processing is necessary to comply with a legal or regulatory obligation

  • Legitimate interests – where processing is necessary for our legitimate interests or those of a third party, and your interests and fundamental rights do not override those interests

  • Consent – where you have given clear and informed consent to the processing

The tables below set out the specific purposes for which we use your personal data and the lawful basis we rely on, arranged by your relationship with us.


A. Website visitors

This section applies when you visit our website. Please also refer to our Cookies Notice for additional information.

| Processing activity | Categories of data | Lawful basis |
|---|---|---|
| Responding to enquiries submitted through our website or contact forms | Contact | Legitimate interests, Performance of a contract |
| Delivering relevant content and measuring the effectiveness of our marketing | Identity, Contact, Usage, Marketing, Technical | Consent, Legitimate interests |
| Using analytics to improve our website, services and user experience | Technical, Usage | Consent, Legitimate interests |
| Subscribing to our newsletter and service updates | Contact | Consent, Legitimate interests |


B. Prospective clients

This section applies if you have made an enquiry about our services or have begun the process of engaging us.

| Processing activity | Categories of data | Lawful basis |
|---|---|---|
| Responding to and managing enquiries | Identity, Contact | Legitimate interests, Performance of a contract |
| Sending marketing communications about our services | Identity, Contact | Consent, Legitimate interests |
| Client due diligence prior to formal engagement | AML Data, Identity, Due Diligence | Legal obligation, Legitimate interests |


C. Clients (including former clients)

This section applies where you are a client of ours, or an employee, officer, or representative of an organisation that is a client of ours. It also applies to former clients.

| Processing activity | Categories of data | Lawful basis |
|---|---|---|
| Anti-money laundering checks and onboarding you or your organisation as a client | AML Data, Due Diligence, Identity, Contact | Performance of a contract, Legal obligation, Legitimate interests |
| Providing our services to you, including bookkeeping, VAT returns, self-assessment, payroll, and company accounts administration | Identity, Contact, Tax and Accounting Data, Financial Data, Payroll and Employment Data | Performance of a contract, Legal obligation |
| Submitting information to HMRC, Companies House, and other authorities on your behalf | Identity, Contact, Tax and Accounting Data, Payroll and Employment Data | Performance of a contract, Legal obligation |
| Managing all fees, invoicing, payments and financial disputes | Identity, Contact, Financial Data | Performance of a contract |
| Client communications and maintaining your client relationship | Identity, Contact, Tax and Accounting Data | Performance of a contract, Legitimate interests |
| Complying with our legal and regulatory obligations, including reporting obligations to HMRC and the National Crime Agency | AML Data, Identity, Contact, Tax and Accounting Data | Legal obligation |
| Feedback and client satisfaction | Identity, Contact | Legitimate interests |


D. Suppliers and contractors

| Processing activity | Categories of data | Lawful basis |
|---|---|---|
| Managing contracts, fees, payments and financial disputes | Contact, Identity, Financial Data | Performance of a contract |


E. All other people, including referrers and business contacts

| Processing activity | Categories of data | Lawful basis |
|---|---|---|
| Managing referral relationships and rewards | Identity, Contact | Legitimate interests, Performance of a contract |
| General business correspondence and contact management | Identity, Contact | Legitimate interests |


Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

Call and communication recording

We may record telephone calls and video calls hosted via platforms such as Microsoft Teams or Zoom. Recordings may be made to keep a record of instructions, protect both parties in the event of a dispute, and to support the quality and continuity of our services.

Where we intend to record a video call, we will inform you of this at the start of the call and give you the opportunity to object. We process personal information comprised in call recordings on the basis of legitimate interests or, where we have a contract with you, performance of that contract.

Cookies

For full information about how we use cookies on our website, please read our Cookies Notice. You can also manage your cookie preferences via the cookie settings on our website.

Disclosures of your personal data

We may share your personal data with the following categories of third parties for the purposes set out in this notice. We require all third parties to respect the security of your personal data and to treat it in accordance with applicable data protection law. We do not permit third-party service providers to use your personal data for their own purposes.

  • Our staff, subcontractors and affiliates – for the purpose of carrying out our services to you

  • HM Revenue & Customs (HMRC) – where we submit tax returns, VAT returns, payroll submissions, and other filings on your behalf, or where we are required by law to report information

  • Companies House – where required in connection with company administration services

  • Cloud accounting and payroll software providers – specifically Xero (accounting platform) and Staffology (payroll platform), which process data on our behalf under Data Processing Agreements

  • Payment processors – for the purpose of processing invoices and payments

  • Anti-money laundering and identity verification providers – for the purposes of carrying out required client due diligence checks

  • IT service providers – including hosting, email, and support providers, who process data strictly on our instructions

  • Professional advisers – including our accountants, insurers and legal advisers, subject to confidentiality obligations

  • HMRC, the National Crime Agency (NCA), and other regulatory or government authorities – where we are required by law to make a disclosure, including under the Money Laundering Regulations 2017. Please note that in certain circumstances, we may be legally prohibited from informing you that such a disclosure has been made

  • Successor entities – if Tax Done's business or assets are sold, transferred or merged, your personal data may be transferred to the new owner as part of that transaction, subject to this privacy notice

International transfers

When we use third-party cloud service providers – such as Xero or other SaaS platforms – your data may be stored or processed in locations outside the UK. Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by having at least one of the following safeguards in place:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection under UK law

  • Where we use certain service providers, we may use contracts approved for use in the UK (such as the International Data Transfer Agreement, or IDTA) which give personal data the same protection it has in the UK.

If you would like to find out more about the safeguards we rely on to transfer your personal data outside of the UK, please contact us at hello@taxdone.co.uk.

Data security

We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered or disclosed. These measures include data encryption, password-protected access controls, and restricted access to sensitive data on a need-to-know basis.

We have procedures in place to deal with any suspected personal data breach and will notify you and the Information Commissioner's Office (ICO) of a breach where we are legally required to do so (generally within 72 hours of becoming aware of it).

Whilst we take these obligations seriously, no method of electronic transmission or storage is completely secure. To report a suspected data security incident, please contact us immediately at hello@taxdone.co.uk.

Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting or reporting requirements.

To determine the appropriate retention period, we consider the nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we hold it, and whether we can achieve those purposes through other means.

The following minimum retention periods apply:

| Data type | Minimum retention period | Legal basis |
|---|---|---|
| Tax and accounting records (VAT, self-assessment, company accounts) | 6 years from the end of the relevant tax year | HMRC requirements |
| Payroll records | 6 years from the end of the tax year to which they relate | HMRC / Employer obligations |
| AML and client due diligence records | 5 years from the end of the business relationship | Money Laundering Regulations 2017 |
| Contract and engagement records | 6 years from the end of the engagement | Limitation Act 1980 |
| Marketing data (where consent based) | Until consent is withdrawn or 2 years of inactivity, whichever is sooner | Consent |


In some circumstances, we may anonymise your personal data so that it can no longer be associated with you. In that case we may retain and use such anonymised data without further notice.

Use of Artificial Intelligence

We may use artificial intelligence (AI) tools to support the administration and delivery of our services, including for drafting correspondence and internal administrative functions. Any such tools are used solely to assist our team and do not make automated decisions about individuals with legal or similarly significant effect.

Where we use third-party AI tools that involve the processing of personal data, we ensure appropriate data processing agreements and safeguards are in place before any such use.

Your legal rights

Under UK data protection law, you have the following rights in relation to your personal data:

Right of access – You may request a copy of the personal data we hold about you (commonly known as a Subject Access Request). This enables you to check that we are lawfully processing it.

Right to rectification – You may ask us to correct any inaccurate or incomplete personal data we hold about you.

Right to erasure – You may ask us to delete your personal data where there is no good reason for us to continue processing it, where you have successfully exercised your right to object, where we may have processed your data unlawfully, or where we are required to erase it by law. Note that we may not always be able to comply – for example, where we are required to retain data by HMRC or under the Money Laundering Regulations.

Right to object – You may object to processing where we rely on legitimate interests, or where we process your data for direct marketing purposes.

Right to restriction – You may ask us to suspend processing of your personal data in certain circumstances, for example where you contest its accuracy.

Right to data portability – You may request that we provide your personal data to you, or to a third party, in a structured, commonly used, machine-readable format.

Right to withdraw consent – Where we rely on your consent to process personal data, you may withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before withdrawal. Please note that withdrawal of consent may affect our ability to provide certain services.


How to exercise your rights

To exercise any of the rights above, please contact us at hello@taxdone.co.uk. You will not normally be charged a fee, although we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. We may need to verify your identity before processing your request. We will aim to respond to all legitimate requests within one month. If your request is complex, we may take up to three months and will notify you accordingly.

Right to complain

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues:

Website: https://ico.org.uk/make-a-complaint/
Phone: 0303 123 1113

We would, however, appreciate the opportunity to address any concerns you have before you approach the ICO. Please contact us in the first instance at hello@taxdone.co.uk.


Changes to this privacy notice

Where we make material changes to this privacy notice, we will notify you by email or by posting a prominent notice on our website. It is important that the personal data we hold about you is accurate and current – please keep us informed if your personal data changes during your relationship with us.