Privacy Policy

How we collect, use and protect your personal data.

Last updated: April 2026

Data Controller: Finstem Limited (company number 16803940), trading as Finstem Accountants. ICO registered.

Data protection contact: Huw Davies, info@finstem.co.uk. For any questions about how we handle your personal data, please contact us at this address.

1. Who we are

Finstem Limited (company number 16803940), trading as Finstem Accountants (“we”, “us”, “our”), is a licensed accountancy practice. We are committed to protecting your personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What data we collect

We collect the following personal data when you use our website or engage our services:

  • Contact information: Name, email address, phone number
  • Business information: Business name, annual turnover, entity type, services of interest
  • Enquiry details: Description of your needs, how you heard about us
  • Technical data: Device type, page URL, referrer URL, UTM campaign parameters, form completion time
  • Analytics data: Pages visited, session duration, approximate location (city/country level), device and browser type, traffic source — collected via Google Analytics (see section 11)
  • Financial data: When you engage our services, we process financial records as required to deliver those services

3. How we use your data

We use your personal data for the following purposes:

  • To respond to your enquiry and provide an initial assessment
  • To deliver accountancy, tax compliance, financial modelling, or business valuation services
  • To comply with our legal and regulatory obligations (HMRC, Companies House, our licensing body)
  • To communicate with you about your account or our services
  • To collect anonymous website analytics to improve our site

4. Legal basis for processing

We process your data under the following lawful bases:

  • Legitimate interest: To respond to enquiries submitted through our website forms (Article 6(1)(f) UK GDPR). Our legitimate interest is in responding to prospective clients who contact us. You can object to this processing at any time
  • Contract: To deliver services you have engaged us to provide (Article 6(1)(b))
  • Legal obligation: To comply with tax, anti-money laundering, and regulatory requirements (Article 6(1)(c))
  • Legitimate interest: To collect website analytics via Google Analytics to understand how visitors use our site and improve our services (Article 6(1)(f)). See section 11 for details

5. Client onboarding and AML data

When you onboard as a client, we collect the following additional data as required by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017:

  • Identity documents: Passport or driving licence (photo or scan)
  • Proof of address: Utility bill, bank statement, or council tax bill (dated within 3 months)
  • Business verification: Company name, number, and registered address (verified against Companies House)
  • Engagement acceptance: Timestamp of your acceptance of our terms of engagement

This data is collected under our legal obligation to perform Customer Due Diligence (CDD) before establishing a business relationship. Identity documents are encrypted at rest (AES-256) and stored securely on AWS S3 in the UK (London region). Access is restricted to authorised personnel only.

Retention: AML/CDD records are retained for 5 years after the end of the business relationship, as required by regulation 40 of the Money Laundering Regulations 2017.

6. Data retention

  • Enquiry data: Retained for 12 months from submission, then deleted
  • Working papers and professional records: Retained for 7 years after the end of the engagement, in accordance with professional standards
  • Tax records and financial data: Retained for 6 years after the end of the relevant tax year, as required by HMRC under Schedule 36 of the Finance Act 2008
  • AML/CDD records: Retained for 5 years after the end of the business relationship, as required by the Money Laundering Regulations 2017

7. Data sharing and sub-processors

We will never sell your data to third parties. We may share your data with:

  • HMRC, Companies House, or other regulatory bodies as required by law
  • The sub-processors listed in the table below, who act as data processors under appropriate data processing agreements
  • Professional indemnity insurers, where required

The following third-party sub-processors may process personal data on our behalf. We have assessed each against our data protection obligations and have appropriate agreements in place.

Sub-processor | Purpose | Location | Safeguard
Amazon Web Services (AWS) | Infrastructure, data storage, application hosting | UK (London, eu-west-2) | UK adequacy — no transfer
GoCardless | Direct Debit payment processing | UK and EU | UK adequacy; SCCs for EU transfers
FreeAgent | Cloud accounting software (client default) | UK and EU | UK adequacy; SCCs where required
Xero | Cloud accounting software (optional) | Australia | SCCs and UK IDTA
QuickBooks (Intuit) | Cloud accounting software (optional) | United States | SCCs and UK IDTA
Sage | Cloud accounting software (optional) | International | SCCs and UK IDTA
Brevo | Transactional and marketing email delivery | EU (France) | SCCs
SMTP2GO | Transactional email delivery (fallback) | Australia | SCCs and UK IDTA
Google LLC | Website analytics (Google Analytics 4) | United States | SCCs; EU-US Data Privacy Framework
OpenSanctions | Sanctions and PEP screening (AML compliance) | EU (Germany) | SCCs
FirmCheck | Identity verification (enhanced due diligence) | UK | UK adequacy — no transfer

We will notify you of any material changes to our sub-processors. You may object to the addition of a new sub-processor; if we are unable to provide the services without that sub-processor, either party may terminate the engagement under the terms of the engagement letter.

8. International data transfers

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in compliance with Chapter V of the UK GDPR. The transfers and safeguards for each sub-processor are set out in the table in section 7 above. No data is transferred to a country without either UK adequacy regulations applying, or Standard Contractual Clauses (SCCs) and/or a UK International Data Transfer Agreement (IDTA) in place.

9. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you (Subject Access Request)
  • Rectify inaccurate data
  • Request erasure of your data (subject to legal retention requirements)
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time (where consent is the lawful basis)

To exercise any of these rights, email us at info@finstem.co.uk. We will respond to all requests within one calendar month of receipt, as required by Article 12(3) UK GDPR.

10. Automated decision-making

We do not use automated decision-making or profiling as defined by Article 22 of the UK GDPR. All decisions relating to your engagement, services, or account are made by a human.

11. Cookies and tracking

This website uses Google Analytics 4 (provided by Google LLC) to understand how visitors use our site. Google Analytics uses first-party cookies (e.g. _ga, _ga_*) to distinguish unique visitors and track session information. These cookies are set automatically when you visit our site.

What Google Analytics collects: pages visited, session duration, approximate geographic location (city/country level), device type, browser type, operating system, screen resolution, traffic source (e.g. search engine, direct, referral), and language preference. Google Analytics does not collect your name, email address, or other personally identifiable information unless you submit it through a form.

Data processing: Analytics data is processed by Google on servers that may be located outside the UK, including in the United States. Google operates as a data processor under our instructions and processes data in accordance with their privacy policy. Google relies on Standard Contractual Clauses (SCCs) for international transfers.

IP anonymisation: Google Analytics 4 does not log or store full IP addresses.

Opting out: You can prevent Google Analytics from collecting data by installing the Google Analytics Opt-out Browser Add-on, or by adjusting your browser’s cookie settings to block cookies from googletagmanager.com.

We also collect anonymous page view analytics via our own lightweight system for basic traffic monitoring. This includes: page URL, device type, browser type, country (derived from request headers), and referrer URL. No cookies are set by this system, no personal data is stored, and no individual visitors can be identified. If your browser sends a Do Not Track (DNT) signal, no data is collected by this system.

This processing is based on our legitimate interest in understanding site usage and improving our services (Article 6(1)(f) UK GDPR).

The only personally identifiable data collected beyond analytics is what you voluntarily submit through our forms, plus the technical metadata listed in section 2, which is captured automatically when you submit a form.

12. Data security

We take appropriate technical and organisational measures to protect your data, including:

  • Secure, encrypted communication channels
  • Access controls limiting data access to authorised personnel only
  • Regular security reviews of our systems and processes
  • Identity documents encrypted at rest using AES-256 on AWS S3
  • Presigned, time-limited upload URLs (documents are never transmitted through our application servers)

13. Data breaches

In the event of a personal data breach, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to your rights and freedoms (Article 33 UK GDPR). Where a breach is likely to result in a high risk to your rights, we will also notify you without undue delay (Article 34 UK GDPR).

14. Complaints

If you believe we have not handled your data correctly, you can contact us at info@finstem.co.uk. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.

15. Changes to this policy

We may update this policy from time to time. Any changes will be posted on this page with an updated “Last updated” date.