Privacy Notice

This privacy notice applies to Exe Bookkeeping and Payroll Services, our website and the client services we provide. Throughout this policy, we refer to Exe Bookkeeping and Payroll Services as ‘Us’ and ‘We’.

We refer to persons using our website and services as ‘Clients’, ‘Individuals’, ‘Visitors’ or ‘Users’ and may refer to such persons using ‘they’, ‘their’, ‘you’, and ‘your’.

We use the word ‘Services’ to encompass all bookkeeping and payroll related assignments we undertake on behalf of our clients.

Compliance

We are Data Controllers for the purpose of this privacy notice and commit to implementing and complying with the requirements of the Data Protection Act 2018 and General Data Protection Regulations (GDPR) 2017 as of 25th May 2018.

We have appointed Jaye Snell MICB PM. Dip, as our Data Protection Officer to ensure our continued compliance with these regulations and to administer our privacy notice and subject access requests.

We are registered with the Information Commissioner’s Office (ICO). Our registration reference is ZA333252, effective from 26/03/2018.

How we use personal information

This privacy notice tells individuals what to expect when Exe Bookkeeping and Payroll Services collects personal information. It applies to information we collect about:

  • Users of our website and blog
  • Individuals contacting us via our website, email address and telephone number
  • Our prospective clients
  • Clients we provide our services to

We must inform individuals about:

  • The personal information we collect
  • How we collect this information
  • The lawful purpose for collecting the information
  • How we store personal information and for how long
  • Who this information is shared with
  • How we back up and securely destroy information held
  • How individuals can ‘Opt Out’ of the use of their personal information
  • How individuals can make a Subject Access Request
  • How individuals can make a complaint to the ICO

We must also inform individuals that they have the following rights:

  • The right to be informed
  • The right of access
  • The right of rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability (e.g. receive information in a transmittable form such as a PDF)
  • The right to object
  • The right not to be subject to automated decision making including profiling

Data We Collect About Users of our Website and Blog

Visitors to Our Website

When individuals visit www.exebookkeeping.com , our website service provider WordPress collects anonymous visitor data through a process called ‘traffic analysis’. View the WordPress (Automattic) privacy notice here. This anonymous processing collects information about:

  • the number of visitors to our site
  • the number of followers we receive
  • the number of times a page is viewed
  • our most popular search terms
  • the number of times our blog posts are ‘liked’
  • comments posted on our blog


This information is also recorded in a visual map which provides information on visitor numbers per country.  


The information is collected and processed in a way which does not identify any individuals, nor does it store any personally identifiable information.

Individuals may at any time prevent this non-specific information from being stored by adjusting their cookie settings through the use of our cookie banner or by changing the cookie settings within their chosen web browser.

If at any time personal information begins to be collected and stored, we will be transparent about this. We will provide suitable notification in advance of the processing and the ability for individuals to ‘opt out’ of such processing.

Users of Our Blog

Integrated within our WordPress website is a WordPress blog.

When users visit our blog or ‘like’ our posts, non-specific information is collected in the same way as our website.

Individuals may at any time prevent this non-specific information from being stored by adjusting their cookie settings through the use of our cookie banner or by changing the cookie settings within their chosen web browser.

Leaving a Comment

Users without a WordPress account may wish to post a comment on our blog. In order to do this, they must enter their name, email address and optionally, their website address, along with their comment. They may also use the tick box provided to allow WordPress to remember these settings, as illustrated below.

Should users no longer wish for their details to be remembered when making comments, they can remove this option through the use of our cookie notice or by adjusting/clearing their cookie settings within their chosen web browser.  


Users with a WordPress account are not required to provide any personal details when leaving a comment. WordPress will recognise their computer through the use of a cookie and allow for a post to be submitted using their specified user account information, as shown below.

Should WordPress account users not wish for this information to be populated, they can log out of their account or adjust their cookie settings via our cookie bar, or via their web browser settings.  

Liking Our Blog Posts

Registered and unregistered users may ‘like’ our blog posts by selecting the ‘like’ button provided at the bottom of blog posts. ‘Likes’ are recognised by a user’s IP address.  


After users have ‘liked’ a post, an ‘unlike’ button will be shown:  


Users may click this button to remove their ‘like’ and be forgotten by our plugin, WP U Like.  


Sharing Our Blog Posts

Both registered and unregistered users may share our posts by using the RSS icon or through the use of the social media buttons provided. Users will be asked to provide permission for WordPress to access their social media account, in order to make the posting. Users may accept or decline access to their social media accounts at any time. Declining access to WordPress will require users to manually share the post on their chosen social media account.
 

Users Who Wish to Subscribe to our Blog Posts

Both registered and unregistered users may use the ‘subscribe to our blog’ box found on our blog pages.

We ask users to read the GDPR notice and provide their email address, if they wish to receive updates about our latest blog posts directly into their e-mail inbox.  


When users have entered this information, they will receive a notification that an email has been sent to their inbox. This email provides the user with the opportunity to confirm their subscription, amend their settings or do nothing at all. Users' information will not be processed further until the subscription has been confirmed.


Users can unsubscribe at any time via their original email, clicking on the 'unfollow' button.

Personal information provided by individuals is collected, stored and processed by WordPress (Automattic).

Users Redirected to our Website by our Google Ads and Bing Ad Campaigns

From time to time, we use Google AdWords and Bing Ad campaigns to drive traffic to our site. Individuals clicking on the links provided within the ads will be directed to our website's specified page, e.g. our home page.

Both Google AdWords and Bing Ads collect non-specific user information relating to:

  • the number of views the ad has received
  • the number of times the ad has been clicked
  • the cost per click
  • the generic type of device used, e.g. smartphone, tablet, computer
  • the source of the advert
  • the search phrase entered
  • the number of verified calls we have received
  • the number of Google map actions relating to searches for our business

This non-specific user information is only available for the time that the ad is running.

Ads run for 30 days.

Google Analytics

Google Analytics is not used on our website.

Use of Cookies

A cookie is a set of data which asks permission to be placed on an individual’s computer hard drive.

When individuals agree to the use of cookies via a ‘cookie notice’, a small file is saved on their computer to help perform such functions as ‘remembering’ preferences and analysing non-specific information.

Cookies do not collect any personal information unless it is personal information which individuals have knowingly and explicitly consented to provide.

Cookies used on our website track non-specific visitor data. They are implemented and controlled by WordPress and Jetpack, with further information on the types of cookies in use and the type of information they track found here.

Individuals may choose to accept or decline the use of cookies on their computer by amending their settings using our GDPR cookie plugin, powered by Moove Agency. View Moove Agency’s privacy policy here.

The cookie notice can be found at the bottom of our web pages and on clicking the settings link provided, users can view details regarding the cookies in use on our website.  


This information is provided in sections – ‘Strictly Necessary Cookies’ and ‘Third Party Cookies’.  


On clicking on the relevant section, users can set their consent level by using the slider button to accept or decline the use of these cookies.  


Web Browser Cookies

Users of our website may also amend cookie settings within their web browser using the following links for guidance:

Internet Explorer - https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies

Firefox - https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

Chrome - https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en

Safari - https://support.apple.com/kb/ph21411?locale=en_GB https://support.apple.com/en-gb/HT201265

Incognito Window

Visitors may also view our website through the use of their chosen web browser's incognito window.

Website Search Engine

Our internal website search engine is powered by WordPress.

E-Newsletter

We do not collect information for the purpose of sending e-newsletters. Individuals who subscribe to our blog, hosted by WordPress, are governed by their privacy notice, found here.

Security and Performance

Our website is secured by Let’s Encrypt SSL and HTTPS encryption. Further details on how users' information is protected can be found here.

We also use Jetpack, a WordPress plugin, to prevent malicious log in attempts to our website. Their privacy policy can be found here.

Update: We protect our own computer systems using Panda Security anti-virus software, Malwarebytes anti-malware software and McAfee Web Advisor, view their privacy policy here. We have the ability to encrypt and shred data files held on our system, back up data and scan USBs for any potential threats.

We automatically sync and update all data held on our system using Google Cloud integration in line with HMRC record keeping requirements, anti-money laundering legislation and civil retention policies imposed by our professional body, the Institute of Certified Bookkeepers (ICB). Google’s privacy notice can be viewed here.

Update: We also make use of Dropbox to store client files including accounting records such as invoices and receipts, and to share relevant files with clients and their employees where requested. Dropbox’s privacy policy can be viewed here.

Links to Other Websites 

Our website may contain links to other websites we feel our visitors may find useful. In using these links, individuals are transferred to the named website and our privacy notice no longer applies. Individuals will be governed by the linked websites' privacy notices and their use of cookies.

Individuals should make themselves aware of these notices and should they disagree with the way in which their data is being used, they should stop using the site immediately and remove any cookies which may have been placed on their computer by following the links provided in the ‘Use of Cookies’ section contained within this privacy policy.

Social Media

Individuals who follow the social media links provided on our website will be governed by the policies of such social media providers. Individuals are responsible for ensuring they read the privacy policies for each site visited. Links to these policies can be found below:

Twitter - https://twitter.com/en/privacy#update
Facebook – https://www.facebook.com/privacy/explanation
LinkedIn – https://www.linkedin.com/legal/privacy-policy
Google+ - https://policies.google.com/privacy/update?hl=en

Data We Collect About Users of our ‘Contact’ Page

We collect the following personal information:

Visitors to our website who wish to contact us for further information have the option to use our contact form. We require users to provide their name, email address and telephone number, as well as a summary of their enquiry.    


The lawful basis for this activity is:

This information is collected to help us provide a suitable reply to your enquiry.

This information is shared with the following third parties:

This process is managed by WP Forms via WordPress and our webhost SiteGround. WP Forms' privacy policy can be viewed here and SiteGround’s privacy policy here.

Update: The information provided within the contact form is converted into an email which is forwarded to our Mozilla Thunderbird inbox, info@exebookkeeping.com. This inbox is governed by Mozilla’s privacy statement, which can be viewed here.

We will retain this information for:

Email enquiries will be held for a period of 3 months to help with any follow up questions. After this time period has passed, all data held will be deleted.

Personal information provided by individuals who subsequently become clients of ours, will be held on file for the duration of the business relationship and a further 6 years in line with legal and civil requirements.

Data We Collect About Users of our E-mail Address

We collect the following personal information:

Individuals may wish to contact us directly via our email address info@exebookkeeping.com.

Any personal details provided within such emails will only be used for the purpose of sending a response.

The lawful basis for this activity is:

This information is collected to help us provide a suitable reply to your enquiry.

This information is shared with the following third parties:

Update: Our e-mail service provider is Mozilla Thunderbird, who are responsible for the collection of personal information received in this way.

Our communications are monitored by our anti-virus software supplier, Panda Security, who use 256-bit encryption to review and protect the information we send and receive. View Panda Security's privacy notice here.

We also use Malwarebytes to add an additional layer of security against attacks of damaging malware. View Malwarebytes' privacy policy here.

We will retain this information for:

Email enquiries will be held for a period of 3 months to help with any follow up questions. After this time period has passed, all data held will be deleted.

Personal information provided by individuals who subsequently become clients of ours, will be held on file for the duration of the business relationship and a further 6 years in line with legal and civil requirements.

Data We Collect About Users Contacting us by Telephone

We collect the following personal information:

Individuals may wish to contact us directly via telephone on 01395 320316. When contacting us we will use an enquiry form to collect certain details about your business:

  • name
  • address
  • telephone number
  • e-mail address
  • contact name
  • any details regarding services or queries including number of employees, frequency and location in which the service will be provided

The lawful basis for this activity is:

We collect this information to provide an appropriate quotation or to answer individuals' queries.

This information is shared with the following third parties:

We use a VOIP system supplied by The Telephone Number Company (TTNC) to collect Calling Line Identification (CLI) Information to communicate with individuals with regards to their queries. TTNC also record answerphone messages on our behalf which are converted to a .WAV file and sent via e-mail to our Mozilla Thunderbird inbox.

We will retain this information for:

This information is available to us for 90 days, after which it is archived by TTNC for two years in line with TTNC’s privacy statement, found here. We delete e-mails as soon as possible after reviewing our answerphone messages, unless they are required to be held in line with civil or legal proceedings.

Data We Collect About Our Prospective Clients

We collect the following personal information:

Specific personal information about individuals, their businesses and their financial situations such as their name, address, business entity, VAT registration number and year end date.

We collect this information through the use of the following documents:

  • Client Enquiry Form
  • Client Information Questionnaire

The lawful basis for this activity is:

As a service provider within the ‘Regulated Sector’ undertaking bookkeeping and payroll assignments, we have a legal obligation to perform anti-money laundering checks and to assess the risk of acting for prospective clients.

We perform these tasks in line with the requirements of the Money Laundering Regulations 2017 and the Professional Conduct Regulations imposed by our Money Laundering Supervisor, The Institute of Certified Bookkeepers (ICB), who can be contacted via email at professional.standards@bookkeepers.org.uk

This information is shared with the following third parties:

The Institute of Certified Bookkeepers (ICB) via their Anti Money Laundering Online System, for the purpose of assessing the risk of acting for a client.

It may also be shared with:

  • Credit Reference Agencies and The Insolvency Service, for the purpose of confirming a prospective client's identity and whether their business is solvent
  • HMRC, for the purpose of registering clients for specific services and acting on their behalf
  • National Crime Agency (NCA), for the purpose of submitting a Suspicious Activity Report (SAR)
  • QDOS Consulting, our Professional Indemnity Insurance Company, for the purpose of mounting a defence against negligence claims brought against us
  • Third Party Software Suppliers, for the purpose of meeting legal record keeping requirements
  • Other Professionals, for the purpose of verifying prospective clients' identities

We will retain this information for:

Individuals who choose not to appoint us: 3 months with explicit consent

Individuals with whom we enter a business relationship as a client: 6 years from 31st January relating to the tax year in which the business relationship ceases*

*E.g. End of Tax Year 5th April 2017, Self-Assessment Filing Date 31st January 2018, Six years from this date will be 31st January 2024

Data We Require From Clients We Provide Services To

We collect the following personal information:

Specific personal information about individuals, their business and their financial situations such as their name, address, business entity, VAT registration number and year end date. Information about our clients' staff, employees and business associates.

We collect this information through the use of the following documents:

  • Client Enquiry Form
  • Client Information Questionnaire
  • Employee Forms and Payroll Spreadsheets
  • HMRC New Business Registration / Tax Registration Forms
  • HMRC Agent Authorisation Forms: 64-8 and FBI 2
  • Self-Assessment Tax Returns, VAT Returns, Payroll Returns, CIS Returns
  • Workplace Pension Scheme Sign Up Forms / Assessment Forms

The lawful basis for this activity is:

In order to provide certain services, we are legally obliged to collect personal information for fraud prevention and record keeping purposes as required by HMRC and our supervising body, the ICB. We also collect such information as a necessary requirement of fulfilling our service contracts in relation to providing Income Tax, PAYE/CIS, Auto Enrolment and VAT services.

This information is shared with the following third parties:

  • HMRC, for compliance purposes
  • The Pension Regulator, for confirmation of pension compliance
  • Third Party Pension Provider, for the purposes of providing legally required workplace pension
  • Third Party Software Suppliers, for the purpose of meeting HMRC record keeping requirements and submitting pension information
  • The Client's Prior Accountant, for the purpose of continuation of service

It may also be shared with:

  • The Institute of Certified Bookkeepers (ICB), for the purpose of completing continued client due diligence and risk assessments
  • Department for Work and Pensions (DWP), for statutory tax credit claim purposes
  • National Crime Agency (NCA), for the purpose of submitting a Suspicious Activity Report (SAR)
  • QDOS Consulting – Our Professional Indemnity Insurance Company, for the purpose of defence against negligence claims brought against us
  • Other Professionals, for the purpose of providing services outside of our knowledge/experience/qualifications or in seeking external advice and guidance

We will retain this information for:

6 years from 31st January relating to the tax year in which the business relationship ceases*

*E.g. End of Tax Year 5th April 2017, Self-Assessment Filing Date 31st January 2018, Six years from this date will be 31st January 2024

International Transmission of Data

As part of our service portfolio we provide our clients with the option of signing up with one of four third party software suppliers for the purpose of keeping digital records, pre-empting the requirements of the Making Tax Digital reforms being implemented by HMRC in April 2019.

In order to provide these services, we are required to collect certain specific personal information for the purpose of signing our clients up with the software provider and entering into a contract for payment of the monthly software subscription fees. Financial information about the client’s business is also collected and entered into the software, governed by each supplier’s privacy notice, which are available to view via the links provided below:

Pandle - https://www.pandle.co.uk/privacy-policy/
Quickbooks - https://quickbooks.intuit.com/uk/privacy-policy/
Sage - https://www.sage.com/en-gb/legal/privacy-and-cookies/
Xero - https://www.xero.com/uk/about/terms/privacy/

As QuickBooks and Xero are non-UK suppliers with worldwide subsidiaries, their privacy notices provide scope for the transfer and storage of UK personal data to servers held in the United States and New Zealand. The transfer of such data complies with specific EU requirements for cross country data sharing.

As a business, Exe Bookkeeping and Payroll Services itself does not transfer data collected or held to any other international third parties, other than in the provisions detailed above. If individuals do not wish for their personal information to be used in the ways described above, they must advise us and we will provide a UK based software supplier to meet their requirements.

Personal information collected by us will be held for 6 years from 31st January relating to the tax year in which the business relationship ceases*

*E.g. End of Tax Year 5th April 2017, Self-Assessment Filing Date 31st January 2018, Six years from this date will be 31st January 2024

Rights of Individuals

‘Opting Out’ Of Processing

Should individuals wish to exercise their right to opt out of processing, this can be requested via email using the subject header ‘Opt Out Notification’, and forwarded to info@exebookkeeping.com.

On receipt of such ‘opt out’ requests, where there is no lawful reason for us to continue to collect and hold your information, we will securely destroy all relevant records as soon as possible.

Subject Access Requests

Individuals have a right to make a Subject Access Request to obtain details of the information an organisation holds about them.

To make a request, please contact our Data Protection Officer at info@exebookkeeping.com, or write to us using our company address:

FAO Jaye Snell MICB PM.Dip, Exe Bookkeeping and Payroll Services, 12 Moorfield Close, Exmouth, Devon, EX8 3QS.

We will not charge for providing this information and, in line with GDPR requirements, we will respond to requests within one month of the date on which such requests are received.

We will explain our lawful basis for processing the data and advise individuals of their right to make a complaint to the ICO and/or seek judicial remedy if they are unsatisfied with the reasons provided or the way in which we process this information.

There may be exceptions when we will be obliged to make a charge for requests, such as where we feel they are manifestly unfounded or excessive. Should a charge apply, we will provide this information in a transparent format.

We may also be required to refuse some requests which relate to information we have a right to withhold or are not permitted to share by law, such as information used in criminal proceedings.

We will always inform individuals of the reason(s) for our refusal and advise individuals of their right to make a complaint to the ICO and seek judicial remedy. Subject access requests can be provided in paper based or electronic format such as a PDF or spreadsheet.

Disclosure of Personal Information

As a service provider within the ‘Regulated Sector’ we are obliged to balance the legal obligations our industry places on us with the ethical and lawful requirements of the data protection acts. We seek to gain explicit consent for the use of all personal data we collect and provide clear options for requests to ‘opt out’ of processing.

In some circumstances we may be legally obliged to share personal information about individuals such as in:

  • The processing of client payroll
  • Submitting a client’s Tax/VAT Returns
  • Verifying sub-contractors
  • Requesting authorisation to act on a client’s behalf
  • Collecting payments using agreed methods
  • Completing money laundering due diligence and risk assessments
  • Verifying a client’s identity
  • Reporting an individual suspected of money laundering offences

We are permitted to share personal information in this way to perform specific tasks in the public’s interest that are set out in UK law and governed by:

  • HMRC
  • The National Crime Agency (NCA)
  • The Institute of Certified Bookkeepers (ICB)
  • The Money Laundering Regulations 2017
  • The UK Banking System

Secure Destruction and Transmission of Personal Information

We delete all personal information in line with the retention periods laid out in this privacy notice unless:

  • The business is required to retain such information under a statutory obligation;
  • The business is required to keep it for legal proceedings;
  • The data subject has consented to the retention

In all cases, we are not required to keep any records for more than 10 years. We securely share and transmit personal information in the following common formats:

  • PDF
  • Excel Spreadsheets
  • Email

Electronic files containing personal information are deleted using ‘data shredding’ provided by Panda Security. Paper based records are securely stored offline in a lockable filing cabinet and shredded by hand before being securely recycled.

Detecting, Reporting and Investigating Breaches

We use a third party anti-virus software programme to monitor and detect any security breaches or attempts to steal personal data. The ICO recommends adopting ‘good practice’ in reporting serious breaches including:

  • The loss of a USB stick holding personal information
  • The destruction of personal data in error
  • Data being provided to the wrong person
  • The theft of a mobile device such as a laptop
  • Instances of computer hacking

From 25th May 2018, the Data Protection Act and GDPR legislation place a mandatory requirement on us to report personal data breaches within 72 hours of the breach occurring. If the breach is likely to affect individuals’ rights and freedoms, we are required to inform these individuals.

We record details of all breaches that occur, even if these are not reportable under current Data Protection requirements. This allows us to consider our current systems, their identified weaknesses and the ways in which we can improve our protection systems, to help us prevent breaches in the future.

Our reports may include details of individuals we have been obliged to contact about such breaches, including the use of specific personal information. These reports will be held for a maximum of three years from the date that the breach occurs, and we will notify individuals and request explicit consent to store these reports for the specified timescale.

Exclusions

We have excluded notices relating to the following requirements:

  • Parental Guidance
  • Information on Recruitment and Retention Policies

We do not envisage providing our services to individuals below the age at which parental consent is required. We have also excluded information on recruitment and retention policies as we do not employ any staff at this time.

At such time that we begin to collect personal information relating to the above, we will update our privacy notice accordingly.

Changes to this Privacy Notice

Exe Bookkeeping and Payroll Services may change this policy from time to time by updating this page and will at all times comply with the legislative requirements of both the Data Protection Act 2018 and General Data Protection Regulations (GDPR) 2017. Individuals should check this page regularly to ensure that they are happy with any changes. Further information can be found on the Information Commissioner’s Office (ICO) website here.

This updated privacy policy is effective from 09/09/2018.