Effective Date: 1 July 2025

Introduction

Zen Bookkeeping & Advisory (“we”, “our”, “us”) is committed to ensuring the privacy and protection of all personal data that we handle. This policy outlines how we collect, use, store, share, and protect personal information in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We operate as a remote-first business, providing digital bookkeeping, payroll, and financial advisory services to UK-based and international clients.

Scope of this Policy

This policy applies to:

  • All personal data processed by Zen Bookkeeping & Advisory
  • All staff, contractors, and third-party service providers
  • All processing activities, whether digital or paper-based
  • Clients, employees, suppliers, and any third parties whose data we may handle

Key Definitions

Personal Data – Any information relating to an identified or identifiable natural person

Special Category Data – Sensitive data requiring higher protection (e.g. health data, racial or ethnic origin)

Data Subject – An individual whose personal data is being processed

Processing – Any operation performed on personal data, including collection, storage, use, or destruction

Data Controller – The person or organisation that determines the purposes and means of processing

Data Processor – A person or organisation that processes personal data on behalf of, and on the instructions of, the controller

Zen Bookkeeping & Advisory acts as a Data Controller in most instances and as a Data Processor when handling client-supplied data under contract.

Lawful Basis for Processing

We process personal data only where there is a lawful basis, as defined by Article 6 of the UK GDPR:

  • Consent – freely given, specific, informed and unambiguous
  • Contract – processing is necessary for a service agreement
  • Legal obligation – e.g. HMRC reporting
  • Legitimate interests – e.g. internal operations and security
  • Vital interests – rare, e.g., safeguarding life
  • Public task – not generally applicable to our business

Data We Collect

Client Data:

  • Name, email, phone number, business address
  • Company registration details (Companies House, VAT number)
  • Bank account details
  • Financial records, invoices, receipts, payroll
  • Tax information (e.g., UTR, NI numbers)

Employee & Contractor Data:

  • Contact information and emergency contacts
  • Bank details for payroll
  • Tax, pension, and HR records
  • Background checks (if applicable)

Website and Communications Data:

  • IP address, browser type, device identifiers
  • Contact form submissions
  • Emails and call recordings (if used)
  • Cookies (see Section 13)

How We Collect Data

We collect personal data through:

  • Website contact and onboarding forms
  • Secure client portals (e.g., Xero, Dext, QuickBooks)
  • Email, phone, and messaging apps
  • Referrals or third-party instructions
  • Remote working tools (e.g., Zoom, Teams, Slack)

How We Use Personal Data

We process data only for specific, explicit, and legitimate purposes:

  • To deliver bookkeeping, payroll, and financial advisory services
  • To comply with legal obligations (e.g., tax filings)
  • To manage client relationships and billing
  • For employee and contractor administration
  • To respond to enquiries and support requests
  • To conduct internal business reporting and analytics

We do not use data for marketing without explicit consent.

Data Sharing

We only share personal data where:

  • You have given consent
  • It is necessary to perform the contract
  • Required by law (e.g., HMRC, Companies House)
  • It is processed by a vetted third-party provider under a written data processing agreement

Typical Third Parties:

  • Cloud accounting platforms (Xero, QuickBooks, FreeAgent)
  • Payroll providers (e.g., BrightPay, Sage Payroll)
  • Secure document storage (Google Workspace, Microsoft 365)
  • HMRC and other UK regulators
  • Legal and professional advisers

All third-party services are vetted for UK GDPR compliance before use and are engaged under written data processing agreements.

International Data Transfers

Where we use cloud tools based outside the UK (e.g., US-based platforms), we ensure:

  • A lawful UK GDPR transfer mechanism: UK adequacy regulations where they apply, or otherwise the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs)
  • Data remains encrypted in transit and at rest
  • UK GDPR-compliant data processing agreements are in place

We regularly audit these services to ensure ongoing compliance.

Data Security

We implement appropriate technical and organisational security measures to protect your personal data from loss, misuse, or unauthorised access.

Measures Include:

  • Encryption in transit (TLS) and at rest (AES-256)
  • Role-based access control, with access limited to what each role needs
  • Multi-factor authentication (MFA/2FA) on accounts holding personal data
  • Regular backups and recovery procedures
  • Remote device management (laptops, phones)
  • Cybersecurity awareness training for staff

As a remote-first firm, all staff are required to:

  • Use a VPN on public Wi-Fi
  • Keep devices patched and up to date, with antivirus and firewall enabled
  • Store files only in approved cloud environments

Data Retention

We retain data only as long as necessary for:

  • Legal and regulatory compliance (e.g., 6+ years for tax records)
  • Service delivery
  • Legitimate business interests

After the retention period:

  • Digital data is permanently deleted using secure erasure tools
  • Paper files are shredded and disposed of securely

Your Data Rights

Under the UK GDPR, you have the following rights:

  • Access – Request a copy of your personal data
  • Rectification – Request correction of incorrect or incomplete data
  • Erasure – Request deletion (“right to be forgotten”)
  • Restriction – Request restricted processing in certain circumstances
  • Portability – Receive your data in a structured, commonly used, machine-readable format
  • Objection – Object to processing for direct marketing, or to processing based on legitimate interests
  • Withdraw consent – Withdraw consent at any time where processing is based on consent

To exercise your rights, contact:

📧 info@zenbookkeepingandadvisory.co.uk

📞 01752 42 72 80

We aim to respond to requests within one month.