Privacy Policy

How we collect, use and protect your personal data.

Last updated: March 2026

Data Controller: Huw Davies, trading as Finstem Accountants. ICO registered.

Data protection contact: Huw Davies, info@finstem.co.uk. For any questions about how we handle your personal data, please contact us at this address.

1. Who we are

Huw Davies, trading as Finstem Accountants (“we”, “us”, “our”), is a licensed accountancy practice. We are committed to protecting your personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What data we collect

We collect the following personal data when you use our website or engage our services:

  • Contact information: Name, email address, phone number
  • Business information: Business name, annual turnover, entity type, services of interest
  • Enquiry details: Description of your needs, how you heard about us
  • Technical data: Device type, page URL, referrer URL, UTM campaign parameters, form completion time
  • Analytics data: Pages visited, session duration, approximate location (city/country level), device and browser type, traffic source — collected via Google Analytics (see section 11)
  • Financial data: When you engage our services, we process financial records as required to deliver those services

3. How we use your data

We use your personal data for the following purposes:

  • To respond to your enquiry and provide an initial assessment
  • To deliver accountancy, tax compliance, financial modelling, or business valuation services
  • To comply with our legal and regulatory obligations (HMRC, Companies House, our licensing body)
  • To communicate with you about your account or our services
  • To collect anonymous website analytics to improve our site

4. Legal basis for processing

We process your data under the following lawful bases:

  • Legitimate interest: To respond to enquiries submitted through our website forms (Article 6(1)(f) UK GDPR). Our legitimate interest is in responding to prospective clients who contact us. You can object to this processing at any time
  • Contract: To deliver services you have engaged us to provide (Article 6(1)(b))
  • Legal obligation: To comply with tax, anti-money laundering, and regulatory requirements (Article 6(1)(c))
  • Legitimate interest: To collect website analytics via Google Analytics to understand how visitors use our site and improve our services (Article 6(1)(f)). See section 11 for details

5. Client onboarding and AML data

When you onboard as a client, we collect the following additional data as required by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017:

  • Identity documents: Passport or driving licence (photo or scan)
  • Proof of address: Utility bill, bank statement, or council tax bill (dated within 3 months)
  • Business verification: Company name, number, and registered address (verified against Companies House)
  • Engagement acceptance: Timestamp of your acceptance of our terms of engagement

This data is collected under our legal obligation to perform Customer Due Diligence (CDD) before establishing a business relationship. Identity documents are encrypted at rest (AES-256) and stored securely on AWS S3 in the UK (London region). Access is restricted to authorised personnel only.

Retention: AML/CDD records are retained for 5 years after the end of the business relationship, as required by regulation 40 of the Money Laundering Regulations 2017.

6. Data retention

  • Enquiry data: Retained for 12 months from submission, then deleted
  • Working papers and professional records: Retained for 7 years after the end of the engagement, in accordance with professional standards
  • Tax records and financial data: Retained for 6 years after the end of the relevant tax year, as required by HMRC under Schedule 36 of the Finance Act 2008
  • AML/CDD records: Retained for 5 years after the end of the business relationship, as required by the Money Laundering Regulations 2017

7. Data sharing

We will never sell your data to third parties. We may share your data with:

  • HMRC, Companies House, or other regulatory bodies as required by law
  • Amazon Web Services (AWS), who host our website and process form submissions on our behalf under appropriate data processing agreements. Data is processed in the UK (London region)
  • Cloud software providers used to deliver our services (e.g. Xero, QuickBooks, Sage, FreeAgent), who act as data processors under appropriate agreements
  • Google LLC (Google Analytics), who provide website analytics on our behalf under appropriate data processing terms. See section 11 for details
  • Stripe, who process payments on our behalf. Your payment card details are handled entirely by Stripe and never touch our servers. Stripe’s privacy policy applies to payment processing
  • Professional indemnity insurers, where required

8. International data transfers

Some of our sub-processors transfer personal data outside the UK:

  • Xero: Data may be transferred to Australia and other jurisdictions. Xero relies on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) as safeguards
  • Stripe: Data may be transferred to the United States. Stripe relies on SCCs, the UK IDTA, and the EU-US Data Privacy Framework as safeguards
  • QuickBooks (Intuit): Data may be transferred to the United States. Intuit relies on SCCs and the UK IDTA as safeguards
  • Google (Analytics): Data may be transferred to the United States. Google relies on SCCs and the EU-US Data Privacy Framework as safeguards
  • Sage: Data may be transferred to international jurisdictions. Sage relies on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) as safeguards
  • FreeAgent: Data is primarily processed in the UK and EU. FreeAgent relies on Standard Contractual Clauses (SCCs) as safeguards where required

All international transfers are made in compliance with Chapter V of the UK GDPR, with appropriate safeguards in place to protect your data.

9. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you (Subject Access Request)
  • Rectify inaccurate data
  • Request erasure of your data (subject to legal retention requirements)
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time (where consent is the lawful basis)

To exercise any of these rights, email us at info@finstem.co.uk. We will respond to all requests within one calendar month of receipt, as required by Article 12(3) UK GDPR.

10. Automated decision-making

We do not use automated decision-making or profiling as defined by Article 22 of the UK GDPR. All decisions relating to your engagement, services, or account are made by a human.

11. Cookies and tracking

This website uses Google Analytics 4 (provided by Google LLC) to understand how visitors use our site. Google Analytics uses first-party cookies (e.g. _ga, _ga_*) to distinguish unique visitors and track session information. These cookies are set automatically when you visit our site.

What Google Analytics collects: pages visited, session duration, approximate geographic location (city/country level), device type, browser type, operating system, screen resolution, traffic source (e.g. search engine, direct, referral), and language preference. Google Analytics does not collect your name, email address, or other personally identifiable information unless you submit it through a form.

Data processing: Analytics data is processed by Google on servers that may be located outside the UK, including in the United States. Google operates as a data processor under our instructions and processes data in accordance with their privacy policy. Google relies on Standard Contractual Clauses (SCCs) for international transfers.

IP anonymisation: Google Analytics 4 does not log or store full IP addresses.

Opting out: You can prevent Google Analytics from collecting data by installing the Google Analytics Opt-out Browser Add-on, or by adjusting your browser’s cookie settings to block cookies from googletagmanager.com.

We also collect anonymous page view analytics via our own lightweight system for basic traffic monitoring. This includes: page URL, device type, browser type, country (derived from request headers), and referrer URL. No cookies are set by this system, no personal data is stored, and no individual visitors can be identified. If your browser sends a Do Not Track (DNT) signal, no data is collected by this system.

This processing is based on our legitimate interest in understanding site usage and improving our services (Article 6(1)(f) UK GDPR).

The only personally identifiable data collected beyond analytics is what you voluntarily submit through our forms, plus the technical metadata listed in section 2, which is captured automatically when you submit a form.

12. Data security

We take appropriate technical and organisational measures to protect your data, including:

  • Secure, encrypted communication channels
  • Access controls limiting data access to authorised personnel only
  • Regular security reviews of our systems and processes
  • Identity documents encrypted at rest using AES-256 on AWS S3
  • Presigned, time-limited upload URLs (documents are never transmitted through our application servers)

13. Data breaches

In the event of a personal data breach, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to your rights and freedoms (Article 33 UK GDPR). Where a breach is likely to result in a high risk to your rights, we will also notify you without undue delay (Article 34 UK GDPR).

14. Complaints

If you believe we have not handled your data correctly, you can contact us at info@finstem.co.uk. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.

15. Changes to this policy

We may update this policy from time to time. Any changes will be posted on this page with an updated “Last updated” date.