Legal

Privacy notice

How we collect, use and protect your personal data.

1. Who we are

This privacy notice is issued by FPC Accounting Limited (company number 16897560), trading as Compliance to Confidence Accounting. We are an AAT-regulated accountancy practice. For the purposes of UK data protection law, we are the data controller of personal data collected through this website and through our client engagements.

  • Trading name: Compliance to Confidence Accounting
  • Legal entity: FPC Accounting Limited, registered in England and Wales
  • Registered office: 195 London Road, Chippenham, United Kingdom, SN15 3AW
  • Email: info@compliancetoconfidence.co.uk
  • Phone: 01249 561 013
  • ICO registration number: ZC101610

2. What personal data we collect

Depending on how you interact with us, we may collect the following categories of personal data:

  • Enquiry data — your name, email address, phone number and business name when you submit an enquiry through our website contact form, book a call via Calendly, or email us directly.
  • Business information — entity type, turnover, sector and the nature of your enquiry, collected during initial calls and onboarding.
  • Client engagement data — for clients, the financial records, tax data, payroll information, bank statements, invoices, receipts, and identity-verification documents necessary to perform our services. This may include special category data where it appears in records you provide to us (for example, payroll data relating to statutory sick pay). Where we process special category data, we do so under Article 9(2)(b) (employment and social security obligations) and Article 9(2)(f) (establishment, exercise or defence of legal claims).
  • Anti-money-laundering data — identity documents (passport, driving licence), proof of address, and source-of-funds information collected to comply with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).
  • Technical data — limited browser, device and approximate-location information from third-party services we use (principally Calendly for scheduling and Formspree for contact form submissions). We do not currently use analytics or tracking cookies on our own website.

3. How we use your data and our legal basis

We process personal data only where we have a lawful basis to do so under UK GDPR. The bases we rely on are:

  • Performance of a contract (Article 6(1)(b)) — to deliver the accountancy, tax and advisory services agreed in your engagement letter, and to take steps at your request before entering into an engagement.
  • Legal obligation (Article 6(1)(c)) — to comply with statutory duties including HMRC reporting requirements, Companies House filings, anti-money-laundering checks under MLR 2017, and our regulatory obligations to the AAT.
  • Legitimate interests (Article 6(1)(f)) — to respond to enquiries, manage our practice, maintain our records, protect against fraud or misuse, and improve our services. We have assessed that these interests do not override your rights and freedoms.
  • Consent (Article 6(1)(a)) — where you have explicitly opted in, for example if we introduce marketing communications in future. We do not currently send marketing emails. Where consent is the basis, you may withdraw it at any time by contacting us.

4. Who we share your data with

We do not sell, rent or trade personal data. We share data only with the following categories of recipient, and only where necessary:

  • HMRC and Companies House — for statutory filings made on your behalf.
  • Cloud software providers — currently including Xero (accounting software), BrightPay (payroll), Ignition (engagement letters), and Microsoft 365 (email and document storage via SharePoint).
  • Calendly — for scheduling initial calls. Calendly's own privacy notice applies when you use their platform.
  • Formspree — for processing contact form submissions from our website.
  • Professional advisors and regulators — including the AAT (our regulator), our professional indemnity insurers, and any solicitor or specialist advisor we engage in connection with your affairs, only where lawfully required or with your consent.
  • Other parties — only where required by law, regulation, or court order, or with your explicit consent.

We require all third-party processors to handle your data in accordance with UK data protection law and to maintain appropriate security measures.

5. International transfers

Our primary data processing takes place within the United Kingdom. Some of our cloud software providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement or adequacy regulations.

6. How long we keep your data

We retain personal data only for as long as necessary for the purposes set out in this notice, or as required by law:

  • Enquiry data (non-clients) — retained for 12 months after your last contact with us. If you do not become a client, your data is securely deleted after this period.
  • Client engagement records — retained for a minimum of seven years after the end of the engagement, in line with HMRC requirements and AAT regulatory guidance.
  • Anti-money-laundering records — retained for a minimum of five years after the end of the business relationship, as required by Regulation 40 of MLR 2017.
  • Tax records and working papers — retained for a minimum of seven years after the end of the tax year to which they relate.

After the applicable retention period, data is securely deleted or anonymised.

7. Your rights

Under UK data protection law you have the following rights. Some rights are not absolute and may be subject to exemptions (for example, where we are required to retain records for regulatory or legal purposes):

  • Right to be informed — this notice fulfils that right.
  • Right of access — you may request a copy of the personal data we hold about you.
  • Right to rectification — you may ask us to correct inaccurate or incomplete data.
  • Right to erasure — you may ask us to delete personal data, subject to our legal and regulatory retention obligations.
  • Right to restrict processing — you may ask us to limit how we use your data in certain circumstances.
  • Right to data portability — you may request your data in a structured, commonly used format where processing is based on consent or contract and carried out by automated means.
  • Right to object — you may object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
  • Rights related to automated decision-making — we do not make decisions about you based solely on automated processing.

To exercise any of these rights, please contact us at info@compliancetoconfidence.co.uk. We will respond within one month.

8. Cookies and website tracking

This website uses Google Analytics to help us understand how visitors use the site. Google Analytics sets cookies on your device to collect anonymous information including the number of visitors, where visitors come from, and which pages are viewed.

Google Analytics cookies do not identify you personally. The data collected is aggregated and anonymous. We use this information only to improve the website. Google's privacy policy applies to the data they collect — see policies.google.com/privacy.

We do not use advertising cookies, remarketing, or any other tracking technologies beyond Google Analytics.

Under the Privacy and Electronic Communications Regulations (PECR), analytics cookies require your consent. By continuing to use this website, you consent to the use of Google Analytics cookies as described above. You can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on.

Third-party services we link to (principally Calendly) may set their own cookies when you visit them. Please refer to their privacy notices for details.

9. Security

We take appropriate technical and organisational measures to protect personal data, including:

  • Encrypted cloud storage via Microsoft 365 and SharePoint
  • Role-based access controls limiting data access to authorised personnel
  • Professional indemnity insurance covering data-related incidents
  • Regular review of our security practices as part of AAT practice assurance

No method of storage or transmission is completely secure. In the event of a personal data breach, we will notify the Information Commissioner's Office within 72 hours where required, and will inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms. If you believe your data has been compromised, please contact us immediately.

10. How to complain

If you are unhappy with how we handle your personal data, please contact us first at info@compliancetoconfidence.co.uk. We take all complaints seriously and will aim to resolve the issue promptly.

You also have the right to lodge a complaint with the UK supervisory authority:

  • Information Commissioner's Office (ICO)
  • Website: ico.org.uk
  • Helpline: 0303 123 1113

11. Changes to this notice

We may update this privacy notice from time to time to reflect changes in our practices, services or the law. The latest version will always be available on this page.

Last updated: 20 April 2026