Beyond Figures Ltd Privacy Notice
Version 2.0 – effective 20 July 2025, supersedes all previous versions
1 Who we are
Beyond Figures Ltd (“we”, “us”, “our”) is a bookkeeping and advisory practice licensed and supervised by the Institute of Certified Bookkeepers (ICB). We are the data controller for the personal information described in this notice. Our registered office is 124 City Road, London EC1V 2NX. You can reach our Data‑Protection Lead at privacy@beyondfigures.co.uk or +44 (0)20 1234 5678.
2 Why we collect your data – lawful bases
Purpose | Typical information | Lawful basis (UK GDPR Art.) |
---|---|---|
Client onboarding & anti‑money‑laundering checks; AML/KYC screening via Xama | ID documents, proof of address, date of birth; identity data, sanctions‑list matches | Legal obligation – Money Laundering Regulations 2017 |
Bookkeeping, payroll, tax & advisory services | Financial records, payroll data, invoices, director/shareholder details | Contract (to deliver services) |
Regulatory supervision by ICB | Name, contact details, relevant working papers | Legal obligation + Legitimate interests (quality assurance) |
Software provisioning (Xero licences, Client Engager portal) | Name, email, contact preferences | Contract |
Marketing emails (newsletters, event invites) | Name, email | Consent – you may withdraw at any time |
Well‑being metrics for Abundance Flow clients | Voluntary “stress index” score | Explicit consent |
We do not carry out automated decision‑making that produces legal or similarly significant effects.
3 What we collect & where it comes from
- Direct from you – onboarding forms, phone calls, meetings, website contact forms.
- Third parties – HMRC, Companies House, banks (via Open‑Banking feeds), software such as Xero, Dext, Hubdoc and GoCardless.
- Public sources – company registers and sanctions lists for AML screening.
4 Who we share data with
- ICB (our supervisory body) for regulatory inspections and complaint resolution.
- Independent quality‑assurance reviewer bound by NDA for periodic file reviews.
- Continuity partner Athena Accountancy Ltd if we are unexpectedly unable to act.
- Cloud software suppliers: Proton Mail, Xero, Client Engager, Google Workspace (document storage), Xama (AML/KYC).
- HMRC, Companies House and other authorities when required by law.
- Professional advisers & insurers (HCC International) in connection with risk management or legal claims.

We never sell or rent your information.
5 International transfers
Our core systems store data in the UK or EEA. Where suppliers host data in the USA we rely on ICO‑approved standard contractual clauses.
E‑mail data is hosted in Switzerland, which the UK has recognised as providing an adequate level of protection for personal data.
6 Marketing & cookies
We use a soft opt‑in for existing clients; everyone else must actively tick “Yes, please” before marketing begins. You can unsubscribe at any time via the link in each email or by emailing privacy@beyondfigures.co.uk. Our website currently sets no non‑essential cookies – see separate Cookie Policy for details.
7 Retention schedule
Record type | Standard retention |
---|---|
Accounting & tax working papers (companies) | 6 years from accounting period end |
Sole‑trader & partnership records | 5 years 10 months from tax year end |
AML due‑diligence documents | 5 years from end of client relationship |
Marketing consent logs | Until opt‑out + 2 years |

After these periods data is securely deleted or anonymised.
8 Your rights
You have the right to access, rectify, erase, restrict or object to processing, to data portability, and to withdraw consent at any time (this does not affect past processing). We normally respond within one month and may extend by two months for complex requests. Requests are free unless manifestly unfounded or excessive.
9 Security measures
We use encryption in transit and at rest, multi‑factor authentication, role‑based access controls and annual penetration testing. Staff receive GDPR & AML training at induction and annually thereafter.
10 Complaints
If you have concerns, please contact our Data‑Protection Lead first. If we cannot resolve your issue, you may complain to the Information Commissioner’s Office (ico.org.uk / 0303 123 1113).
11 Changes to this notice
We review this notice annually or when significant changes occur. We will notify clients by email and via the Client Engager portal.
Last reviewed: 20 July 2025 – next scheduled review 1 August 2026.