Privacy Notice

This privacy notice applies to Exe Bookkeeping and Payroll Services, our website and the client services we provide. Throughout this policy, we refer to Exe Bookkeeping and Payroll Services as ‘Us’ and ‘We’.

We refer to persons using our website and services as ‘Clients’, ‘Individuals’, ‘Visitors’ or ‘Users’ and may refer to such persons using ‘they’, ‘their’, ‘you’, and ‘your’.

We use the word ‘Services’ to encompass all bookkeeping and payroll related assignments we undertake on behalf of our clients.

Compliance

We are Data Controllers for the purpose of this privacy notice and commit to implementing and complying with the requirements of the Data Protection Act 2018 and General Data Protection Regulations (GDPR) 2017 as of 25th May 2018.

We have appointed Jaye Snell MICB PM. Dip, as our Data Protection Officer to ensure our continued compliance with these regulations and to administer our privacy notice and subject access requests.

We are registered with the Information Commissioner’s Office (ICO). Our registration reference is ZA333252, effective from 26/03/2018.

How we use your personal information

This privacy notice tells you what to expect when Exe Bookkeeping and Payroll Services collects personal information. It applies to information we collect about:

  • Users of our website and blog
  • Individuals contacting us via our website, email address and telephone number
  • Our prospective clients
  • Clients we provide our services to

We must inform individuals about:

  • The personal information we collect
  • How we collect this information
  • The lawful purpose for collecting the information
  • How we store personal information and for how long
  • Who this information is shared with
  • How we back up and securely destroy information held
  • How individuals can ‘Opt Out’ of the use of their personal information
  • How individuals can make a Subject Access Request
  • How individuals can make a complaint to the ICO

We must also inform individuals that they have the following rights:

  • The right to be informed
  • The right of access
  • The right of rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability (e.g. receive information in a transmittable form such as a PDF)
  • The right to object
  • The right not to be subject to automated decision making including profiling

Data we collect when you use our website and blog

Visitors to Our Website

When you visit www.exebookkeeping.com, our website service provider WordPress collects anonymous visitor data through a process called ‘traffic analysis’. View the WordPress (Automattic) privacy notice here. This anonymous processing collects information about:

  • the number of visitors to our site
  • the number of followers we receive
  • the number of times a page is viewed
  • our most popular search terms
  • the number of times our blog posts are ‘liked’
  • comments posted on our blog

[Image: WordPress visitor analysis]

This information is also recorded in a visual map which provides information on visitor numbers per country.

[Image: map visitor analysis]

The information is collected and processed in a way which does not identify you, nor does it store any personally identifiable information.

You may at any time prevent this non-specific information from being stored by adjusting your cookie settings through the use of our cookie banner or by changing the cookie settings within your chosen web browser. See our Cookie Policy for more information.

If at any time personal information begins to be collected and stored, we will be transparent about this. We will provide suitable notification in advance of the processing and the ability for you to ‘opt out’ of such processing.

Blog visitors

Integrated within our WordPress website is a WordPress blog.

When you visit our blog or ‘like’ our posts, non-specific information is collected in the same way as our website.

You may at any time prevent this non-specific information from being stored by adjusting your cookie settings through the use of our cookie banner or by changing the cookie settings within your chosen web browser.

Leaving a comment

If you do not have a WordPress account and wish to post a comment on our blog, you are required to enter your name, email address and optionally, your website address, along with your comment in the boxes provided. You may also use the tick box to allow WordPress to remember these settings, as illustrated below.

Should you no longer wish for your details to be remembered when making comments, you can remove this option through the use of our cookie notice or by adjusting/clearing your cookie settings within your chosen web browser.

[Image: comment remember-me box]

If you do have a WordPress account, you are not required to provide any personal details when leaving a comment. WordPress will recognise your computer through the use of a cookie and allow for a post to be submitted using your specified user account information, as shown below.

Should you not wish for this information to be populated, you can log out of your account or adjust your cookie settings via our cookie bar, or via your web browser settings.

[Image: registered user comment box]

Liking our blog posts

You may ‘like’ our blog posts by selecting the ‘like’ button provided at the bottom of blog posts. ‘Likes’ are recognised by visitors’ IP addresses.

[Image: like blog post button]

After you have ‘liked’ a post, an ‘unlike’ button will be shown:

[Image: unlike blog post button]

You may click the unlike button to remove the ‘like’ and be forgotten by our plugin, WP U Like.

[Image: blog post like removed]

Sharing our blog posts

You can share our blog posts using the RSS icon or through the use of the social media buttons provided. You will be asked to grant permission for WordPress to access your social media account, in order to make the posting. You may accept or decline access to your social media accounts at any time. Declining access to WordPress will require you to manually share the post on your chosen social media account.

[Image: sharing a blog post]

Subscribing to our blog posts

You may wish to subscribe to our blog using the ‘subscribe to our blog’ box found on our blog pages.

We ask all subscribers to read the GDPR notice and provide an email address if they wish to receive updates about our latest blog posts directly into their e-mail inbox.

[Image: signing up to our blog]

When you have entered this information, you will receive a notification that an email has been sent to your inbox. This email provides you with the opportunity to confirm your blog subscription, amend your settings or do nothing at all. Your information will not be processed further until the subscription has been confirmed.

[Image: confirming blog subscription]

You can unsubscribe at any time by clicking the 'unfollow' button in your original email.

[Image: unfollow blog]

Personal Information you provided is collected, stored and processed by WordPress (Automattic).

Redirection to our website via our Google and Bing Ad campaigns

From time to time, we use Google AdWords and Bing Ad campaigns to drive traffic to our site. When you click on the links provided within the ads you will be directed to our website's specified page e.g. our home page.

Both Google AdWords and Bing Ads collect non-specific user information relating to:

  • the number of views the ad has received
  • number of times the ad has been clicked
  • the cost per click
  • the generic type of device used e.g. smartphone, tablet, computer
  • the source of the advert
  • the search phrase entered
  • the number of verified calls we have received
  • the number of Google Maps actions relating to searches for our business

This non-specific user information is only available for the time that the ad is running.

Ads run for 30 days.

Google Analytics

Google Analytics is not used on our website.

Use of cookies

A cookie is a set of data which asks permission to be placed on your computer's hard drive.

When you agree to the use of cookies via a ‘cookie notice’, a small file is saved on your computer to help perform such functions as ‘remembering’ preferences and analysing non-specific information.

Cookies do not collect any personal information unless it is personal information which you have knowingly and explicitly consented to provide.

Cookies used on our website track non-specific visitor data. They are implemented and controlled by WordPress, Jetpack and other third parties; further information on the types of cookies in use and the type of information they track can be found here.

You may choose to accept or decline the use of cookies on your computer by amending your settings using our GDPR cookie bar, powered by Cookiebot. View Cookiebot’s privacy policy here (Updated 24/10/2018)

The cookie bar can be found at the bottom of our web pages and allows visitors to select specific categories of cookies to accept or decline. See our cookie policy for more information.

Web browser cookies

You may also amend cookie settings within your web browser using the following links for guidance:

Internet Explorer - https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies

Firefox - https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

Chrome - https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en

Safari - https://support.apple.com/kb/ph21411?locale=en_GB https://support.apple.com/en-gb/HT201265

Incognito window

Our website can also be viewed using your chosen web browser's incognito window.

[Image: Google incognito window]

Website search engine 

Our internal website search engine is powered by WordPress.

E-newsletter

We do not collect information for the purpose of sending e-newsletters. Information collected about subscribers to our blog, hosted by WordPress, is governed by the WordPress privacy notice, found here.

Security and performance

Our website is secured by Let’s Encrypt SSL and HTTPS encryption. Further details on how your information is protected can be found here.

We also use Jetpack, a WordPress plugin, to prevent malicious log in attempts on our website. Jetpack's privacy policy can be found here.

We protect our own computer systems using Panda Security anti-virus software, Malwarebytes anti-malware software and McAfee Web Advisor. View McAfee's privacy policy here. We have the ability to encrypt and shred data files held on our system, back up data and scan USBs for any potential threats. (Updated 09/09/2018)

We automatically sync and update all data held on our system using Microsoft OneDrive integration in line with HMRC record keeping requirements, anti-money laundering legislation and civil retention policies imposed by our professional body, the Institute of Certified Bookkeepers (ICB). Microsoft's privacy notice can be viewed here.

We also make use of Dropbox to store client files including accounting records such as invoices and receipts, and to share relevant files with clients and their employees where requested. Dropbox’s privacy policy can be viewed here (Updated 09/09/2018)

Within our practice we use software apps to record and transfer accounting records into your bookkeeping software. We specifically use AutoEntry to capture an image of your bookkeeping documents, which is processed and manually approved. This process allows us to assist your business to maintain good record keeping practices which meet statutory requirements expected by HMRC. Read AutoEntry's privacy policy here.

Links to other websites 

Our website may contain links to other websites we feel you may find useful. In using these links, you will be transferred to the named website and our privacy notice no longer applies; you will be governed by the linked websites’ privacy notices and their use of cookies.

You should make yourself aware of these notices and should you disagree with the way in which your data is being used, you should stop using the site immediately and remove any cookies which may have been placed on your computer by following the links provided in the ‘Use of Cookies’ section contained within this privacy policy.

Use of social media

We provide social media links on our website and should you make use of such links, you will be governed by the policies of such social media providers. You are responsible for ensuring you read the privacy policies for each site visited. Links to these policies can be found below:

Twitter - https://twitter.com/en/privacy#update
Facebook - https://www.facebook.com/privacy/explanation
LinkedIn - https://www.linkedin.com/legal/privacy-policy
Google+ - https://policies.google.com/privacy/update?hl=en
YouTube - https://policies.google.com/privacy?hl=en

Data we collect when you use our ‘contact us’ page

We collect the following personal information:

You may wish to contact us for further information and we provide a contact form to facilitate this. We ask you to provide your name, email address and telephone number, as well as a summary of your enquiry.

[Image: contact us box]

The lawful basis for this activity is:

This information is collected to help us provide a suitable reply to your enquiry.

This information is shared with the following third parties:

This process is managed by WP Forms via WordPress and our webhost SiteGround. WP Forms privacy policy can be viewed here and SiteGround’s privacy policy here.

The information provided within the contact form is converted into an email which is forwarded to our Mozilla Thunderbird inbox, info@exebookkeeping.com. This inbox is governed by Mozilla’s privacy statement, which can be viewed here. (Updated: 09/09/2018)

We will retain this information for:

Email enquiries will be held for a period of 3 months to help with any follow up questions. After this time period has passed, all data held will be deleted.

Personal information provided by persons who subsequently become clients of ours, will be held on file for the duration of the business relationship and a further 6 years in line with legal and civil requirements.

Data we collect when you e-mail us

We collect the following personal information:

You may wish to contact us directly via our email address info@exebookkeeping.com.

Any personal details provided within such emails will only be used for the purpose of sending a response.

The lawful basis for this activity is:

This information is collected to help us provide a suitable reply to your enquiry.

This information is shared with the following third parties:

Our e-mail service provider is Mozilla Thunderbird, who are responsible for the collection of personal information received in this way. (Updated: 09/09/2018)

Our communications are monitored by our anti-virus software supplier, Panda Security, who use 256-bit encryption to review and protect the information we send and receive. View Panda Security's privacy notice here.

We also use Malwarebytes to add an additional layer of security against attacks of damaging malware. View Malwarebytes' privacy policy here.

We will retain this information for:

Email enquiries will be held for a period of 3 months to help with any follow up questions. After this time period has passed, all data held will be deleted.

Personal information provided by persons who subsequently become clients of ours, will be held on file for the duration of the business relationship and a further 6 years in line with legal and civil requirements.

Data we collect when you contact us by telephone

We collect the following personal information:

You may wish to contact us directly via telephone on 01395 320316. When contacting us we will use an enquiry form to collect certain details about your business:

  • name
  • address
  • telephone number
  • e-mail address
  • contact name
  • any details regarding services or queries including number of employees, frequency and location in which the service will be provided

The lawful basis for this activity is:

We collect this information to provide an appropriate quotation or to answer your queries.

This information is shared with the following third parties:

We use a VOIP system supplied by The Telephone Number Company (TTNC) to collect Calling Line Identification (CLI) Information to communicate with individuals with regard to their queries. TTNC also record answerphone messages on our behalf which are converted to a .WAV file and sent via e-mail to our Mozilla Thunderbird inbox.

We will retain this information for:

This information is available to us for 90 days, after which it is archived by TTNC for two years in line with TTNC’s privacy statement, found here. We delete e-mails as soon as possible after reviewing our answerphone messages, unless they are required to be held in line with civil or legal proceedings.

Data we collect about our prospective clients

We collect the following personal information:

Specific personal information about you, your business and your financial situations such as your name, address, business entity, VAT registration number and year end date.

We collect this information through the use of the following documents:

  • Client Enquiry Form
  • Client Information Questionnaire

The lawful basis for this activity is:

As a service provider within the ‘Regulated Sector’ undertaking bookkeeping and payroll assignments, we have a legal obligation to perform anti-money laundering checks and to assess the risk of acting for prospective clients.

We perform these tasks in line with the requirements of the Money Laundering Regulations 2017 and the Professional Conduct Regulations imposed by our Money Laundering Supervisor, The Institute of Certified Bookkeepers (ICB), who can be contacted via email at professional.standards@bookkeepers.org.uk

This information is shared with the following third parties:

The Institute of Certified Bookkeepers (ICB) via their Anti Money Laundering Online System, for the purpose of assessing the risk of acting for a client.

It may also be shared with:

  • Credit Reference Agencies and The Insolvency Service, for the purpose of confirming a prospective client’s identity and whether their business is solvent
  • HMRC for the purpose of registering clients for specific services and acting on their behalf
  • National Crime Agency (NCA), for the purpose of submitting a Suspicious Activity Report (SAR)
  • QDOS Consulting, our Professional Indemnity Insurance Company, for the purpose of mounting a defence against negligence claims brought against us
  • Third party Software Suppliers, for the purpose of meeting legal record keeping requirements
  • Other Professionals, for the purpose of verifying prospective clients’ identities

We will retain this information for:

If you do not appoint us: 3 months with explicit consent

If we enter into a business relationship with you as a client: 6 years from 31st January relating to the tax year in which the business relationship ceases*

*E.g. End of Tax Year 5th April 2017, Self-Assessment Filing Date 31st January 2018, Six years from this date will be 31st January 2024

Data we require from clients we provide services to

We collect the following personal information:

Specific personal information about you, your business and your financial situations such as your name, address, business entity, VAT registration number and year end date. Information about your staff, employees and business associates.

We collect this information through the use of the following documents:

  • Client Enquiry Form
  • Client Information Questionnaire
  • Employee Forms and Payroll Spreadsheets
  • HMRC New Business Registration / Tax Registration Forms
  • HMRC Agent Authorisation Forms: 64-8 and FBI 2
  • Self-Assessment Tax Returns, VAT Returns, Payroll Returns, CIS Returns
  • Workplace Pension Scheme Sign Up Forms / Assessment Forms

The lawful basis for this activity is:

In order to provide certain services, we are legally obliged to collect personal information for fraud prevention and record keeping purposes as required by HMRC and our supervising body, the ICB. We also collect such information as a necessary requirement of fulfilling our service contracts in relation to providing Income Tax, PAYE/CIS, Auto Enrolment and VAT services.

This information is shared with the following third parties:

  • HMRC, for compliance purposes
  • The Pension Regulator, for confirmation of pension compliance
  • Third Party Pension Provider, for the purposes of providing legally required workplace pension
  • Third Party Software Suppliers, for the purpose of meeting HMRC record keeping requirements and submitting pension information
  • The Client’s Prior Accountant, for the purpose of continuation of service

It may also be shared with:

  • The Institute of Certified Bookkeepers (ICB), for the purpose of completing continued client due diligence and risk assessments
  • Department for Work and Pensions (DWP), for statutory tax credit claim purposes
  • National Crime Agency (NCA), for the purpose of submitting a Suspicious Activity Report (SAR)
  • QDOS Consulting – Our Professional Indemnity Insurance Company, for the purpose of defence against negligence claims brought against us
  • Other Professionals, for the purpose of providing services outside of our knowledge/experience/qualifications or in seeking external advice and guidance

We will retain this information for:

6 years from 31st January relating to the tax year in which the business relationship ceases*

*E.g. End of Tax Year 5th April 2017, Self-Assessment Filing Date 31st January 2018, Six years from this date will be 31st January 2024

International transmission of data

As part of our service portfolio we provide you with the option of signing up with one of four third party software suppliers for the purpose of keeping digital records, pre-empting the requirements of the Making Tax Digital reforms being implemented by HMRC in April 2019.

In order to provide these services, we are required to collect certain specific personal information for the purpose of signing you up with the software provider and entering into a contract for payment of the monthly software subscription fees. Financial information about your business is also collected and entered into the software, governed by each supplier’s privacy notice, which are available to view via the links provided below:

Pandle - https://www.pandle.co.uk/privacy-policy/
QuickBooks - https://quickbooks.intuit.com/uk/privacy-policy/
Sage - https://www.sage.com/en-gb/legal/privacy-and-cookies/
Xero - https://www.xero.com/uk/about/terms/privacy/

As QuickBooks and Xero are non-UK suppliers with worldwide subsidiaries, their privacy notices provide scope for the transfer and storage of UK personal data to servers held in the United States and New Zealand. The transfer of such data complies with specific EU requirements for cross country data sharing.

As a business, Exe Bookkeeping and Payroll Services itself does not transfer data collected or held, to any other international third parties other than in the provisions detailed above. If you do not wish your personal information to be used in the ways described above, you must advise us and we will provide a UK based software supplier to meet your requirements.

Personal information collected by us will be held for 6 years from 31st January relating to the tax year in which the business relationship ceases*

*E.g. End of Tax Year 5th April 2017, Self-Assessment Filing Date 31st January 2018, Six years from this date will be 31st January 2024

Your rights

Opting out of processing

Should you wish to exercise your right to opt out of processing, this can be requested via email using the subject header ‘Opt Out Notification’, and forwarded to info@exebookkeeping.com

On receipt of such ‘opt out’ requests, where there is no lawful reason for us to continue to collect and hold your information, we will securely destroy all relevant records as soon as possible.

Subject access requests

You have a right to make a Subject Access Request to obtain details of the information an organisation holds about you.

To make a request, please contact our Data Protection Officer at info@exebookkeeping.com, or write to us using our company address:

FAO Jaye Snell MICB PM.Dip, Exe Bookkeeping and Payroll Services, 12 Moorfield Close, Exmouth, Devon, EX8 3QS.

We will not charge for providing this information and in line with GDPR requirements, we will respond to requests within one month of the date on which such requests are received.

We will explain our lawful basis for processing the data and advise you of your right to make a complaint to the ICO and/or seek judicial remedy if you are unsatisfied with the reasons provided or the way in which we process this information.

There may be exceptions when we will be obliged to make a charge for requests such as where we feel they are manifestly unfounded or excessive. Should a charge apply, we will provide this information in a transparent format.

We may also be required to refuse some requests which relate to information we have a right to withhold or are not permitted to share by law, such as information used in criminal proceedings.

We will always inform you of the reason(s) for our refusal and advise you of your right to make a complaint to the ICO and seek judicial remedy. Subject access requests can be provided in paper based or electronic format such as a PDF or spreadsheet.

Disclosure of personal information

As a service provider within the ‘Regulated Sector’ we are obliged to balance the legal obligations our industry places on us with the ethical and lawful requirements of the data protection acts. We seek to gain explicit consent for the use of all personal data we collect and provide clear options for requests to ‘opt out’ of processing.

In some circumstances we may be legally obliged to share personal information about you such as in:

  • The processing of client payroll
  • Submitting a client’s Tax/VAT Returns
  • Verifying sub-contractors
  • Requesting authorisation to act on a client’s behalf
  • Collecting payments using agreed methods
  • Completing money laundering due diligence and risk assessments
  • Verifying a client’s identity
  • Reporting an individual suspected of money laundering offences

We are permitted to share personal information in this way to perform specific tasks in the public’s interest that are set out in UK law and governed by:

  • HMRC
  • The National Crime Agency (NCA)
  • The Institute of Certified Bookkeepers (ICB)
  • The Money Laundering Regulations 2017
  • The UK Banking System

Secure destruction and transmission of personal information

We delete all personal information in line with the retention periods laid out in this privacy notice unless:

  • The business is required to retain such information under a statutory obligation;
  • The business is required to keep it for legal proceedings;
  • The data subject has consented to the retention

In all cases, we are not required to keep any records for more than 10 years. We securely share and transmit personal information in the following common formats:

  • PDF
  • Excel Spreadsheets
  • Email

Electronic files containing personal information are deleted using ‘data shredding’ provided by Panda Security. Paper based records are securely stored offline in a lockable filing cabinet and shredded by hand before being securely recycled.

Detecting, reporting and investigating breaches

We use a third party anti-virus software programme to monitor and detect any security breaches or attempts to steal personal data. The ICO recommends adopting ‘good practice’ in reporting serious breaches including:

  • The loss of a USB stick holding personal information
  • The destruction of personal data in error
  • Data being provided to the wrong person
  • The theft of a mobile device such as a laptop
  • Instances of computer hacking

From 25th May 2018, the Data Protection Act and GDPR legislation place a mandatory requirement on us to report personal data breaches within 72 hours of the breach occurring. If the breach is likely to affect your rights and freedoms, we are required to inform you.

We record details of all breaches that occur, even if these are not reportable under current Data Protection requirements. This allows us to consider our current systems, their identified weaknesses and the ways in which we can improve our protection systems, to help us prevent breaches in the future.

Our reports may include information about those of you we have been obliged to contact about such breaches, including the use of specific personal information. These reports will be held for a maximum of three years from the date that the breach occurs, and we will notify you and request explicit consent to store these reports for the specified timescale.

Exclusions

We have excluded notices relating to the following requirements:

  • Parental Guidance
  • Information on Recruitment and Retention Policies

We do not envisage providing our services to persons below the age at which parental consent is required. We have also excluded information on recruitment and retention policies as we do not employ any staff at this time.

At such time that we begin to collect personal information relating to the above, we will update our privacy notice accordingly.

Changes to this privacy notice

Exe Bookkeeping and Payroll Services may change this policy from time to time by updating this page and will at all times comply with the legislative requirements of both the Data Protection Act 2018 and General Data Protection Regulations (GDPR) 2017. Individuals should check this page regularly to ensure that they are happy with any changes. Further information can be found on the Information Commissioner’s Office (ICO) website here.

This updated privacy policy is effective from 24/10/2018.