We are an AAT licensed bookkeeping firm based in East Sussex. We collect personal data so we can do our job (such as preparing your accounts or replying to your enquiry), keep it secure, and never sell or share it for marketing. You can ask to see, correct, or delete your data at any time. Contact us at karam@smartflowfinance.com.
1. Who we are
SmartFlow Finance Ltd is a limited company registered in England and Wales, providing bookkeeping, payroll, VAT, year end accounts, and fractional finance services to UK businesses. We are based in East Sussex and we are licensed by the Association of Accounting Technicians (AAT).
For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), SmartFlow Finance Ltd is the data controller of the personal information we hold about you. This means we decide how and why your information is processed.
We are registered with the Information Commissioner's Office (ICO) under registration number [ICO registration number to be added].
2. What we collect
The personal information we collect depends on how you interact with us. We have set out the categories below.
If you visit our website
If you contact us through the website
If you become a client
3. How we use it
We use your personal information for the following purposes:
- To deliver our services (preparing accounts, filing returns, running payroll, providing advice).
- To communicate with you about your engagement, send invoices, and answer questions.
- To meet our legal and regulatory obligations, including AML checks, HMRC filings, AAT regulatory requirements, and record keeping rules.
- To respond to enquiries sent through the website or by email.
- To send our newsletter if you have specifically subscribed (one short email roughly every fortnight, with a one click unsubscribe in every email).
- To improve our website using anonymised analytics, so we can understand which guides are useful and where the site can be made better.
We will never sell your data, and we do not use it for behavioural advertising.
4. Lawful basis for processing
UK GDPR requires us to identify a lawful basis for each type of processing. Ours are as follows:
- Contract: processing your data to deliver the services we have agreed to provide (for example, preparing your year end accounts).
- Legal obligation: AML checks, HMRC filings, statutory record keeping, and AAT regulatory reporting.
- Legitimate interests: responding to your enquiry, improving our website with anonymised analytics, and protecting our business from fraud or misuse. We have balanced these interests against your rights and freedoms and concluded that the processing is proportionate.
- Consent: sending you our newsletter. You can withdraw consent at any time using the unsubscribe link in every email, or by emailing us.
5. Who we share data with
We only share your personal data where it is necessary to provide our services or where the law requires us to. The categories of recipient are:
- HMRC and Companies House: for tax filings, payroll submissions, and statutory accounts.
- Bookkeeping software providers we use on your behalf, such as Xero, QuickBooks, or FreeAgent. These providers act as data processors under contract.
- Calendly: when you book a discovery call, your name, email, and any notes you add are processed by Calendly Inc. on our behalf.
- Email and hosting providers (such as our email service and our website host, Netlify) which process data strictly for the technical operation of our communications and site.
- Professional advisers (such as our own accountant, legal advisers, or insurers) where we need advice or where we have a legal duty to disclose.
- Regulators and law enforcement where we are legally required to disclose information.
All processors who handle your data on our behalf are bound by written agreements requiring them to keep it secure and to use it only for the purposes we have specified.
6. How long we keep it
We keep your personal data only for as long as we need it. Specific retention periods are:
- Client accounting records: at least 6 years from the end of the relevant tax year, in line with HMRC and Companies House requirements.
- AML verification records: 5 years from the end of our business relationship, as required by the Money Laundering Regulations 2017.
- Enquiries that do not lead to engagement: 12 months, then deleted.
- Newsletter subscriber data: until you unsubscribe, after which we keep a minimal record of the unsubscribe to honour your request.
- Website analytics data: aggregated and anonymised; retained no longer than 24 months.
7. Your rights
Under UK GDPR you have the following rights in relation to your personal data:
- Right of access (to ask for a copy of the data we hold about you).
- Right to rectification (to ask us to correct inaccurate data).
- Right to erasure (to ask us to delete data, subject to legal retention requirements).
- Right to restrict processing in certain circumstances.
- Right to data portability for data you provided to us.
- Right to object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent where we are processing on the basis of consent.
To exercise any of these rights, email karam@smartflowfinance.com. We will respond within one calendar month.
If you are not happy with how we have handled your data or your request, you have the right to complain to the Information Commissioner's Office (ICO). Their website is ico.org.uk and their helpline is 0303 123 1113. We would, however, appreciate the chance to address your concerns first.
8. Cookies and analytics
This website uses very few cookies. We do not use advertising or tracking cookies.
Strictly necessary
None of our pages set strictly necessary cookies of their own. The site is a static website that does not require login or session cookies.
Analytics
We use a privacy friendly analytics tool to understand how visitors use the site (which pages are popular, which guides are read most). The analytics provider does not set tracking cookies, does not use your IP address to identify you, and does not share data with third parties. No personal data is collected.
Third party services
If you click a "Book a call" link on our site, you will be taken to Calendly. Calendly's own cookie policy applies on their pages; you can read it at calendly.com/legal/privacy-notice.
9. International transfers
Some of the third party services we use (notably Calendly and certain email and hosting providers) are based in or transfer data to the United States. Where this happens, transfers are protected by either the UK Extension to the EU US Data Privacy Framework, the UK International Data Transfer Agreement, or Standard Contractual Clauses, in line with UK GDPR requirements.
If you would like more information on how a specific transfer is protected, contact us at karam@smartflowfinance.com.
10. How we keep data secure
We take security seriously and apply both technical and organisational measures to protect your information:
- Client data is held in encrypted bookkeeping software platforms with multi factor authentication enabled.
- Access to client data is limited to people who need it to do their job.
- Devices used to access client data are encrypted and password protected.
- We use secure email and document sharing for sensitive material; we never ask for sensitive documents by unencrypted SMS or via social media.
- Paper records, where they exist, are stored securely and shredded when no longer needed.
- Our software providers (such as Xero, QuickBooks, and FreeAgent) are themselves ISO 27001 certified or operate to equivalent security standards.
If we ever became aware of a personal data breach that posed a risk to your rights and freedoms, we would notify the ICO within 72 hours and inform affected individuals without undue delay.
11. Changes to this policy
We may update this privacy policy from time to time, for example if we change the services we offer, the tools we use, or the legal requirements that apply to us. The "Last updated" date at the top of the page will always reflect the most recent revision. Material changes that affect how we use your data will be notified to existing clients by email.
12. How to contact us
For any questions about this privacy policy, the data we hold about you, or to exercise any of your rights, please contact us at:
- Email: karam@smartflowfinance.com
- Phone: +44 7597 968525
- Post: SmartFlow Finance Ltd, East Sussex, United Kingdom (full postal address available on request)
Questions about your data?
Email me directly. I read every message myself and aim to respond within two working days.