PRIVACY POLICY

​

We know that business finances can feel complicated, so we believe your data privacy shouldn't be. While you can read our full legal notice below, here are the three things we want you to know:  

​

  1. We only collect what we need: We gather your financial and contact details specifically to help run your bookkeeping or provide FD-level insights.  

  2. Your data is for your service, not for sale: We use your information to fulfil our contract with you and meet HMRC’s legal requirements—nothing more.  

  3. Security is our priority: As a finance-led business, we use secure, professional-grade platforms like Wix and cloud accounting software to keep your records safe.  

 

Why do we hold your data?  

​

To comply with the Anti-Money Laundering legislation, we retain copies of your photo identification on record. Additionally, we hold publicly available copies of Companies House submissions, e.g. filed statutory accounts and changes to directors.  

​

To provide you with the best possible service, our process involves organising your financial information so that it makes sense to you. This helps us create the management information reports, budgets or forecasts and analysis which we share with you to help support your business.  

​

How long do we keep it?  

​

Because we deal with tax and accounting, we usually keep your records for six years after we work together to make sure you stay compliant with UK law.  

 

1. PURPOSE OF THIS NOTICE  

​

This Privacy Notice explains how Hale Portfolio Limited collects, uses, stores, and protects personal data, in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any other applicable data protection laws and regulations in force in the United Kingdom from time to time (“Data Protection Legislation”).  

​

Please read this notice carefully to understand how we handle your personal data and your rights in relation to it.  

​

2. ABOUT US  

​

Hale Portfolio Limited (“Hale Portfolio”, “we”, “us”, “our”) is a business advisory and accounting firm.

 

We are registered in England and Wales under company number 10779981, and our registered office is:  

​

Sycamore House  
1 St Thomas’s Way  
Green Hammerton  
North Yorkshire  
YO26 8BE  

​

For the purposes of Data Protection Legislation, we are the data controller, meaning we are responsible for deciding how and why your personal data is processed.  

​

We have appointed a Data Protection Lead, who acts as our Data Protection Point of Contact for any queries relating to this Privacy Notice or our handling of personal data. Contact details are provided in Section 12 below.  

​

Our ICO reference number is: ZA537309 

​

3. HOW WE COLLECT PERSONAL DATA

 

We may collect personal data about you in several ways, including when:  

​

  • You request information or a proposal from us.  

  • You engage us to provide services, and in the course of providing those services.  

  • You contact us by email, telephone, post, social media, via our website, in person, or by other means.  

  • We receive information from third parties or publicly available sources, such as Companies House, your employer, professional advisers, or referrals.  

  • Where we receive personal data from third parties, this may include identity verification providers, Companies House, professional advisers, referral partners, financial institutions, payroll providers, or other publicly available registers. 

 

Our website is hosted on the Wix.com platform.  We use Microsoft 365, which provides the online infrastructure through which we offer our services. Personal data may be stored through Microsoft 365’s secure data storage, databases, and applications.  

 

3A. COOKIES AND WEBSITE TRACKING 

​

Our website uses cookies and similar technologies to improve your browsing experience and understand how visitors use our site. 

​

Cookies we use include: 

​

  • Essential cookies: Required for the website to function properly. 

  • Analytics cookies: Help us understand how visitors interact with our website (e.g., Google Analytics). 

  • Preference cookies: Remember your settings and choices. 

 

You can control cookie preferences through your browser settings. Blocking certain cookies may affect website functionality. 

 

4. THE TYPES OF PERSONAL DATA WE HOLD  

​

Depending on our relationship with you, we may hold and process the following types of personal data:

 

  • Personal and contact details, such as name, address, email address, photo identification, and telephone number.  

  • Details of services provided or proposed. 

  • Correspondence and communications with you.  

  • Financial and transactional information relevant to the services we provide, including accounting, tax, advisory, and compliance-related data where applicable.  

  • Information relating to enquiries, complaints, or feedback.  

  • Information obtained through surveys, research, or marketing activities.  

  • Information received from third parties or publicly available sources.  

  

5. HOW WE USE YOUR PERSONAL DATA AND OUR LAWFUL BASES  

​

We process personal data only where permitted by law. Most commonly, this will be where processing is:  

​

  • Necessary for the performance of a contract with you or to take steps at your request before entering into a contract.  

  • Necessary to comply with a legal or regulatory obligation, including tax, accounting, and anti-money laundering requirements.  

  • Necessary for our legitimate interests, provided those interests do not override your rights and freedoms; or  

  • Based on your consent, where this is required by law (for example, certain marketing communications).  

 

In particular:  

​

  • Service delivery and client management rely on contractual necessity.  

  • Regulatory, compliance, and record-keeping activities rely on legal obligation.  

  • Business administration, service improvement, and limited marketing rely on legitimate interests; and  

  • Direct marketing, where required, relies on consent, which can be withdrawn at any time.  

 

Where we rely on legitimate interests as a lawful basis, these interests include managing and developing our business, maintaining client relationships, improving our services, ensuring network and information security, preventing fraud, and maintaining regulatory compliance. We carefully balance our legitimate interests against your rights and freedoms before processing your personal data on this basis. 

 

We may process personal data on more than one lawful basis depending on the specific purpose.  

​

In certain circumstances, such as payroll processing or financial administration services provided on behalf of clients, we may act as a data processor. In such cases, we process personal data strictly in accordance with our client’s documented instructions and applicable data processing agreements. 

​

Situations in which we may use your personal data include:  

​

  • Providing services under agreements entered into between you and us.  

  • Providing services to our clients where you are an employee, subcontractor, supplier, or customer of that client.  

  • Responding to enquiries and requests for information.  

  • Sending service-related communications and updates.  

  • Sending marketing communications where permitted by law.  

  • Requesting feedback on our services.  

  • Complying with legal, regulatory, and professional obligations.  

 

Where possible, we may anonymise or pseudonymise personal data so it can no longer be associated with you.  

​

If you do not provide personal data when requested, we may be unable to provide services or comply with legal obligations.  

​

6. DATA RETENTION  

​

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for legal, regulatory, accounting, and reporting requirements.  

In practice, we typically retain:  

​

  • Client files and related financial records for at least six years after the end of the client relationship.  

  • Accounting and tax records for six to seven years, in line with statutory requirements.  

  • Marketing and business development records for up to 2 years from the date of the last meaningful contact, unless consent is withdrawn earlier.  

 

Retention periods may be extended where required to establish, exercise, or defend legal claims, or to comply with regulatory obligations.  

​

You may request early deletion of your personal data, subject to our legal and regulatory obligations. Where we are required by law to retain records, we will securely restrict access to your data rather than delete it. 

​

In accordance with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended), certain client due diligence and identity verification records must be retained for five years following the end of the business relationship. 

​

7. DATA SHARING  

​

We may share personal data with third parties where this is necessary to provide our services, administer our business, comply with the law, or pursue our legitimate interests.  

​

Third-party service providers may include:  

​

  • IT and cloud service providers.  

  • Website hosting and communication platforms. 

  • Customer relationship management (CRM) systems.  

  • Accounting, document management, and compliance software.  

  • Professional advisers and banking service providers.  

 

All third parties are required to implement appropriate security measures and may process personal data only in accordance with our instructions.  

​

We may also share personal data with regulators, law enforcement authorities, or in connection with a business sale or restructuring where legally permitted.  

​

Our current third-party service providers include: 

​

  • Wix.com (website hosting) 

  • Microsoft 365 (email, cloud storage, and productivity tools) 

  • Accounting software, including Xero, Sage, Spotlight Reporting, and ApprovalMax 

 

This list may change from time to time. An up-to-date list of key service providers is available on request. 

​

8. INTERNATIONAL TRANSFERS OF PERSONAL DATA  

​

Personal data may be transferred outside the United Kingdom where necessary for service delivery or business operations, including where cloud-based systems or third-party providers are used.  

​

Where such transfers occur, we ensure appropriate safeguards are in place, including:  

​

  • Transfers to countries recognised by the UK government as providing an adequate level of protection; or 

  • The use of approved international data transfer agreements or other lawful safeguards.  

 

Personal data may be transferred outside the United Kingdom in the following circumstances: 

​

  • Our website hosting provider, Wix.com, operates servers that may be located in the European Economic Area, the United States, and other jurisdictions. 

  • Our IT infrastructure provider, Microsoft 365, may process and store data in the United States and other countries. 

  • Cloud-based accounting software providers may store data on servers outside the UK. 

 

Where such transfers occur to countries not recognised by the UK government as providing adequate protection, we ensure appropriate safeguards are in place, including: 

​

  • Standard Contractual Clauses (SCCs) approved by the UK government 

  • Verification that service providers implement appropriate safeguards recognised under UK data protection law, including approved international data transfer agreements where required. 

  • Additional technical and organisational security measures. 

 

A list of current international transfer arrangements and applicable safeguards is available on request by contacting our Data Protection Lead. 

​

9. DATA SECURITY  

​

We have implemented appropriate technical and organisational security measures to protect personal data against accidental loss, unauthorised access, alteration, or disclosure.  

 

Access to personal data is restricted to employees, contractors, and third parties who have a legitimate business need to know and who are subject to confidentiality obligations.  

 

We take reasonable steps to ensure personal data is accurate, complete, and kept up to date. You are encouraged to notify us of any changes to your personal data. 

 

We have procedures in place to deal with suspected data breaches and will notify affected individuals and the Information Commissioner’s Office where legally required.  

 

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and provide information about: 

​

  • The nature of the breach 

  • The likely consequences 

  • Measures we have taken or propose to take to address the breach and mitigate potential adverse effects. 

 

10. AI AND AUTOMATED DECISION-MAKING  

​

As a UK-based accountancy firm, we are committed to using AI responsibly, ethically, and transparently, while maintaining the high professional standards expected by our clients, regulators, and professional bodies.    

 

We may use AI-powered tools to support our work in the following ways: 

​

  • Document processing and data extraction from receipts, invoices, and financial records 

  • Automated categorisation and coding of transactions 

  • Assistance with drafting correspondence, reports, and analysis 

  • Identifying patterns or anomalies in financial data for review. 

 

All AI-assisted outputs are subject to professional review and oversight by qualified accountants. We do not carry out solely automated decision-making, including profiling, which produces legal or similarly significant effects concerning you, without meaningful human review. 

​

Where AI tools process your personal data, we ensure appropriate safeguards are in place, including data processing agreements with AI service providers and adherence to our data security standards. 

​

Our AI policy is available to view on request.  

​

11. YOUR DATA PROTECTION RIGHTS  

​

Under Data Protection Legislation, you have the right to:  

​

  • Request access to your personal data 

  • Request correction of inaccurate or incomplete data 

  • Request erasure of your personal data in certain circumstances 

  • Object to processing based on legitimate interests or for direct marketing 

  • Request restriction of processing in certain circumstances 

  • Request the transfer of your personal data where applicable 

  • Withdraw consent at any time where processing is based on consent 

 

To exercise any of these rights, please contact us using the details below.  

 

You will not usually be required to pay a fee, although we may charge a reasonable fee or refuse a request where it is manifestly unfounded or excessive.  

 

We will respond to requests to exercise your rights within one month of receipt. In complex cases, this may be extended by up to two months, and we will inform you of any delay. 

​

12. CHILDREN’S DATA  

​

Our services are not intended for children, and we do not knowingly collect personal data relating to children. If we become aware that personal data relating to a child has been collected inadvertently, we will take appropriate steps to delete it.

 

13. CHANGES TO THIS NOTICE  

​

We may update this Privacy Notice from time to time. Any changes will be published on our website at https://haleportfolio.co.uk.  

​

14. CONTACT US  

​

If you have any questions about this Privacy Notice or how we process personal data, please contact our Data Protection Lead at:  

​

Email: enquiries@haleportfolio.co.uk  

​

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):  

 

Information Commissioner’s Office  
Wycliffe House  
Water Lane  
Wilmslow  
Cheshire  
SK9 5AF  


©2021 by Hale Portfolio.
