This Privacy Policy explains how TDAS Accountancy Service collects, uses and protects your personal data.
Who we are
TDAS Accountancy Service provides accountancy and tax services in the United Kingdom. We act as the data controller for the personal data we process in providing our services.
- Legal entity: Tom Duff Accountancy Services (TDAS)
- Professional body: Association of Accounting Technicians (AAT)
- Registered address: {{ companyAddress }}
- Telephone: {{ phoneNumber }}
- Contact: {{ emailAddress }}
- ICO registration number: {{ icoRegistrationNo }}
Where we act as a data processor on behalf of a client, for example in relation to payroll services, we provide additional information where required which should be read alongside this Privacy Policy.
Data we collect
- Identification and contact details
- Financial records and related information provided by you for our services
- Compliance information required by law, including anti-money laundering checks
- Technical data required for the security and operation of our website, such as IP address
- Messages sent through our forms, human verification process, or by email
Where we get your data
We collect personal data directly from you and, where relevant, from third parties such as:
- HMRC and other government bodies
- Companies House and public registers
- Referrers or your previous advisers, with your authority
- Credit reference, identity verification and fraud prevention providers for AML and KYC purposes
- Our website and IT service providers, including providers supporting security and technical operation
How we use your data and lawful bases
- To supply professional services to you as our client (lawful basis: contract)
- To fulfil legal and regulatory obligations, including under the Money Laundering Regulations 2017 (lawful basis: legal obligation)
- To comply with professional obligations as an AAT member (lawful bases: legal obligation and legitimate interests)
- To invoice for services and address any fee disputes (lawful basis: legitimate interests)
- To investigate and defend complaints, disciplinary matters or legal proceedings (lawful basis: legitimate interests)
- To protect our website, systems and services through essential security measures (lawful basis: legitimate interests)
- To contact you about other services if you have consented (lawful basis: consent, which may be withdrawn at any time)
Where we rely on legitimate interests, we ensure that those interests are balanced against your rights and freedoms.
It is a requirement of our contract that you provide the personal data needed for us to act. If you do not, we may be unable to provide services to you.
Special category and criminal offence data: Where required for identity verification, anti-money laundering purposes, or related regulatory checks, we may process special category or criminal offence data. We do so only where permitted by UK data protection law and subject to appropriate safeguards.
Sharing your data
We may share personal data with:
- HMRC
- Third parties you require or authorise us to correspond with
- An appointed alternate or continuity provider in the event of incapacity or death
- Tax insurance providers
- Professional indemnity insurers
- Our professional body, AAT, and relevant oversight bodies in relation to practice assurance and anti-money laundering requirements
- IT and security providers that support our website and systems
If the law allows or requires it, we may also share data with the police and law enforcement agencies, courts and tribunals, and the Information Commissioner’s Office.
We do not sell your personal data.
We require our processors to enter into contracts that protect your data and only allow processing on our documented instructions. We control and approve any sub-processing arrangements.
If you ask us not to share personal data that we are legally required to share, for example with HMRC or for anti-money laundering purposes, we may be unable to act for you.
International transfers
Your personal data is processed primarily in the UK and EEA. Some of our service providers that support website security, hosting or technical infrastructure may process data outside the UK or EEA.
Where personal data is transferred internationally, we ensure that appropriate safeguards are in place, such as adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses.
Retention
- Tax returns: retained for 6 years from the end of the tax year they relate to.
- Ad hoc advisory work: retained for 6 years from the date the business relationship ceased.
- Ongoing client relationship: data needed for multi-year compliance, such as CGT base costs and HMRC claims or elections, kept for the duration of the relationship and deleted 3 years after it ends, unless we are required or permitted to retain it for longer or you ask us to retain it for longer.
- Client due diligence and AML or KYC records: retained for the period required by law after the end of the business relationship.
Our contractual terms may also provide for destruction of documents after a defined retention period.
For your awareness, your own record-keeping duties are:
- Individuals, trustees and partnerships with trading or rental income: keep records for 6 years after the end of the tax year.
- Other individuals: keep records for 6 years after the end of the tax year.
- Companies, LLPs and other corporate entities: keep records for 6 years from the end of the accounting period.
Where we act as a data processor, we will delete or return personal data at the end of the contract as agreed with the controller.
Your rights
You have rights under the UK GDPR and Data Protection Act 2018, including rights of access, rectification, erasure, restriction, portability and objection.
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects.
How to make a Subject Access Request (SAR)
Please make Subject Access Requests in writing, marked for the attention of Tom Duff. To help us locate your data and verify your identity, please include relevant details such as your date of birth, any previous names or addresses from the last five years, and any relevant references such as your National Insurance number, UTR, or VAT number.
If additional proof of identity is needed, we may ask for appropriate identification documents, for example a passport or driving licence and a recent utility bill.
We will normally respond within one month, although this may be extended by up to two further months for complex or multiple requests. We do not usually charge a fee for a Subject Access Request.
If a representative makes a request on your behalf, we will require your written authority before responding to them.
Withdraw consent
Where we rely on your consent, for example to send you information about other services, you can withdraw that consent at any time by emailing {{ emailAddress }}.
Withdrawing consent does not affect the lawfulness of processing carried out before consent was withdrawn, and we may continue to process your data where another lawful basis applies.
Right to data portability
This right applies to personal data you have provided to us where processing is based on consent or contract and is carried out by automated means. We will normally respond within one month, although this may be extended by up to two further months for complex or multiple requests.
To exercise any of your rights, please email {{ emailAddress }}. You also have the right to complain to the ICO.
Cookies
We only use strictly necessary cookies and similar technologies required for the secure operation and core functionality of our website. For further details, please see our Cookie Policy.
Complaints
If you are unhappy with how we have handled your data or a request you have made, please contact us first so that we can try to resolve the matter.
TDAS Accountancy Service
Contact: Tom Duff
Email: {{ emailAddress }}
Association of Accounting Technicians (AAT)
If you are not satisfied with our response, you may refer your complaint to our professional body, the Association of Accounting Technicians.
Website: www.aat.org.uk
Email: enquiries@aat.org.uk
Telephone: +44 (0)20 3735 2468
Address: 140 Aldersgate Street, London, EC1A 4HY
Information Commissioner’s Office (ICO)
You also have the right to lodge a complaint with the Information Commissioner’s Office, the UK supervisory authority for data protection issues.
Website: www.ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Contact
Email: {{ emailAddress }}
Address: {{ companyAddress }}
Telephone: {{ phoneNumber }}
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to our services, legal requirements, or how we process personal data. Any updated version will be published on this page.