Privacy Policy

Last updated: 6 April 2026

Introduction

This Privacy Policy describes how Apex Accountants & Tax Advisors LTD (“Apex Accountants”, “we”, “us”, “our”) collects, uses, stores, shares and protects personal information when delivering professional services and when operating our website. It also explains your data protection rights under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR). Please read this notice carefully. By interacting with us online or in person, you acknowledge that you have read this policy. You are not obliged to provide personal data, but some services cannot be delivered without it; if you have questions, please contact us.

Who we are and how to contact us

Apex Accountants & Tax Advisors LTD is a UK-based accountancy and consultancy practice providing tax planning, corporate finance, business advisory, VAT, payroll services, HMRC compliance and investigation support, and related professional services to businesses and individuals.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Apex Accountants & Tax Advisors LTD acts as the Data Controller, meaning we determine how and why personal data is processed within our firm.

We are registered with the Information Commissioner’s Office (ICO) under registration reference ZA300746.

Our registered office is:
Apex Accountants & Tax Advisors LTD
84a Queen’s Rd, Buckhurst Hill, IG9 5BS, United Kingdom

Website: https://apexaccountants.tax/
Email: [email protected]
Telephone: 0203 883 4777

We have appointed a Data Protection Lead responsible for overseeing privacy and data protection matters.

Mr Rana Zubair
Data Protection Lead
Email: [email protected]

If you have any questions about this privacy notice or how we handle personal data, please contact us using the details above and mark your enquiry “For the attention of the Data Protection Lead”.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection.

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: https://ico.org.uk
Complaint portal: https://ico.org.uk/make-a-complaint/

Scope of this policy

  • “Personal data” means any information that identifies, or can reasonably identify, a living person.
  • “Processing” means anything done with personal data, including collecting, recording, organising, storing, sharing or deleting it.
  • “Special category data” refers to sensitive information—such as health information, racial or ethnic origin or trade‑union membership—that receives extra legal protection.
  • “Controller” refers to the organisation (in this case Apex Accountants) that decides how and why personal data are processed. A “processor” is a third‑party organisation that processes personal data on behalf of the controller.

What information we collect

The information we collect depends on who you are and how you interact with us. In most cases we collect data directly from you. The personal data we process may include:

  • Identity information: Full name, title, date of birth and government identifiers, such as your National Insurance number or Unique Taxpayer Reference.
  • Contact details: A postal address, email addresses, and telephone numbers so that we can communicate with you.
  • Financial and tax details: For clients, we may process financial and tax information, such as bank details, income and expenditure records, payroll data, and tax references, but only when necessary to provide the requested services.
  • Due diligence information: Information required to meet anti‑money‑laundering requirements, including identification documents and verification reports from third‑party providers.
  • Health or other special category data: Only where necessary for payroll or pension administration and processed with your explicit consent or another legal basis recognised by the UK GDPR.
  • Technical and usage data: IP address, browser type, operating system, time zone settings, pages visited and interactions with our website and marketing materials.
  • Marketing preferences: Records of how and whether you wish to receive marketing communications.

When you provide information about other individuals (e.g., directors, partners, employees or dependants), you must ensure that you have authority to share their data, and you should direct them to this privacy policy. Certain information is required by law; if you do not provide it, we might be unable to deliver services or may need to cease acting for you.

How we collect information

We collect personal data in the following ways:

  • Directly from you: When you enquire about our services, complete onboarding forms, provide documents or information, attend meetings or communicate with us by email, phone or post.
  • Automatically: When you use our website, cookies and similar technologies collect technical data about your device and browsing behaviour (see the 'Cookies' section below).
  • From third parties: When necessary for professional services, we may receive information from trusted sources, including HMRC, Companies House, electronic ID verification providers, credit reference agencies, and publicly available records. We may also receive data from previous accountants or advisers (with your permission), banks, and payment services for transaction-related information.

Why we process personal data and our legal bases

We only process personal data when there is a lawful basis under the UK GDPR. The main purposes and lawful bases are:

  • Performance of a contract: We use your data to provide accountancy, tax, payroll, VAT and advisory services; prepare and file accounts and returns; liaise with HMRC and regulators; manage engagements; provide secure client portals; and issue invoices and statements. We cannot deliver these services without processing your data.
  • Compliance with legal obligations: As a regulated accountancy practice, we must carry out client due diligence and identity checks, screen clients against sanctions lists, keep proper records for anti‑money‑laundering and tax purposes and respond to lawful requests from courts or regulators.
  • Legitimate interests: We use personal data to run and protect our business (e.g., IT support, network security, training and quality control), improve our services, manage client relationships, prevent fraud and misuse, recover debts and defend or establish legal claims. When relying on legitimate interests, we carefully balance our interests against your rights and only process what is necessary.
  • Consent: We use your contact details to send marketing communications to individual subscribers only where you have given consent or where a “soft opt‑out” applies under PECR. You can withdraw consent at any time, and we will stop sending marketing messages.
  • Special category data: When we process health or other sensitive data (e.g., for payroll or pension purposes), we rely on your explicit consent or another applicable legal condition under the UK GDPR. We do not use automated decision‑making that produces legal or similarly significant effects.

How we use personal data in practice

We use personal data to:

  • Verify identity and suitability during onboarding and client diligence;
  • Plan and deliver accountancy, tax, payroll, VAT and advisory work and prepare filings and reports;
  • Maintain accurate records of services provided and fees charged and operate secure client portals and communication channels;
  • Allocate tasks within our team, train staff, and monitor service quality;
  • Manage credit control, resolve queries and handle complaints;
  • Communicate regulatory, legal or service updates;
  • Analyse aggregated and anonymised website usage to improve content and diagnose technical issues; and
  • Coordinate with other professional advisers (e.g., solicitors, auditors, lenders) where you ask us to do so, sharing only information necessary to fulfil your instructions.

We do not sell your personal data or use it for automated decision‑making or profiling.

Sharing personal data

We do not sell your personal data. We may share information in the following circumstances:

  • Public authorities and regulators: HMRC, Companies House, courts, tribunals, our professional and supervisory bodies and other public authorities when the law requires it or when acting on your instructions.
  • Professional advisers: Solicitors, counsel, auditors, insurers, insurance brokers, consultants and expert witnesses who support our practice. They are subject to strict confidentiality obligations.
  • Service providers (processors): Suppliers that host our IT systems, accounting and payroll platforms, document management tools, secure client portals, email and productivity systems, CRM platforms, website hosting, analytics services, telephony and call‑tracking services. We select reputable providers and require them to process data only on our instructions, keep it secure and help us comply with the law.
  • Debt recovery and legal matters: If we need to recover unpaid fees, we may share relevant data with debt‑recovery agencies or legal representatives. We only share the minimum information needed.
  • Corporate transactions: If we pursue a merger, acquisition or corporate restructure, we may disclose relevant information under strict confidentiality.
  • Your instructions: We will liaise with your bank, lender, new accountant or other adviser when you ask us to do so.

Some third‑party analytics and advertising providers (e.g., Google, Meta and YouTube) act as independent controllers when they set cookies on our site; see the Cookies section for details.

International transfers

Some of our service providers and their data centres are located outside the United Kingdom or use global content delivery networks. When personal data is transferred internationally, we assess the risk and apply appropriate safeguards, such as the following:

  • Transfers to countries recognised by the UK Government as providing an adequate level of protection; and/or
  • The UK International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs) or other contractual clauses approved for cross‑border transfers; and
  • Technical and organisational measures, such as encryption in transit and at rest.

You may contact us to obtain further information or a copy of the relevant safeguards used for your data.

Security of your information

We take security seriously and operate layered technical and organisational controls to prevent unauthorised access, alteration, disclosure or loss of data. These include role‑based access controls, strong password and authentication standards, encryption of data in transit and at rest, secure configuration and patch management, anti‑malware and threat detection tools, audit logging and monitoring, regular backups and recovery testing, supplier due diligence and mandatory staff training on confidentiality and data protection. Although no system can guarantee absolute security, we use Transport Layer Security (TLS) for our website and client portals, and we regularly review our security measures. If a data breach occurs that presents a risk to individuals, we will notify the ICO and affected individuals as required by law.

Retention of personal data

We keep personal data only for as long as needed for the purposes described in this policy and to meet legal, accounting, and regulatory requirements. In deciding how long to retain data, we consider factors such as the type of data, the purposes for which it was collected, statutory and regulatory obligations, limitation periods for legal claims, and our professional obligations. In general:

  • Client records (e.g., tax returns, accounts, and related documents) are retained for up to five years after the end of the engagement, or longer if required to defend or pursue legal claims.
  • Anti-money-laundering due diligence records are kept for at least five years after the business relationship ends or from the date of a single transaction and may be retained longer if justified by risk.
  • Prospective client records are retained for up to six years from the last contact to manage enquiries and conflicts of interest.
  • Website analytics data and cookies are retained in line with the provider’s settings and as described in the Cookies section.

If you exercise your right to erasure, we will assess whether we must retain certain information to meet legal obligations, and, if so, we will minimise the data kept and the duration of retention.

Your rights

Under the UK GDPR you have several rights regarding your personal data:

  • Right of access: You can request a copy of the personal data we hold about you and information about how we process it. Please provide enough detail to help us verify your identity and locate the data (e.g., date of birth, previous addresses). We will respond within one month. We do not normally charge a fee but may do so if a request is unfounded or excessive.
  • Right to rectification: You can ask us to correct inaccurate or incomplete personal data.
  • Right to erasure: In certain circumstances you can ask us to delete your personal data. We will consider your request and explain if we cannot comply (e.g., because we must keep records to meet legal obligations).
  • Right to restrict processing: You can ask us to suspend processing of your data in certain circumstances (e.g., while we verify its accuracy).
  • Right to object: You may object to our processing where we rely on legitimate interests or direct marketing. We will stop processing unless we have compelling legitimate grounds to continue.
  • Right to data portability: You may request a copy of your data in a structured, commonly used format and ask us to transfer it to another controller where technically feasible and where the lawful basis is consent or contract.
  • Right to withdraw consent: Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us using the details above and describe your request. We may need to verify your identity and may ask for additional information. You can also ask someone else, e.g., a friend or solicitor, to make a request on your behalf if you provide written authorisation.

Cookies, similar technologies and online identifiers

Our website uses cookies and similar technologies to operate, remember your preferences, measure performance and support limited marketing. When you first visit the site, you will see a banner explaining the types of cookies we use and inviting you to choose whether to allow non‑essential cookies. You can adjust your cookie choices at any time via the banner or your browser settings.

  • Essential cookies: These are necessary for the website to function and include session identifiers that keep you logged in and maintain security. They expire when you close your browser and do not personally identify you.
  • Analytics cookies: We use Google Analytics to understand how visitors use our site. These cookies collect aggregated information about page views, navigation paths and device types. They do not identify you by name and typically last from one day to a year. You can opt out via our cookie banner or by disabling analytics in your browser.
  • Marketing and tracking cookies: We use limited marketing technologies (e.g., Meta pixel or CallTrackingMetrics) to measure the effectiveness of our advertising. These cookies recognise browsers but are not used to profile individuals for unrelated purposes. We only set these cookies with your consent.
  • Embedded videos: Pages that embed YouTube videos may set cookies to operate the player and remember preferences. YouTube acts as a separate controller. If you do not want these cookies, do not play embedded videos or block them via your cookie settings.

We do not control the lifespan of third‑party cookies; details may vary. You can delete cookies at any time using your browser controls. If you block essential cookies, some parts of our site may not work properly.

Marketing choices

We want our communications to be useful. If you receive marketing from us, you can opt out at any time by using the unsubscribe link in our emails or by contacting us. If you are a corporate subscriber, we may send occasional updates that are relevant to your role based on our legitimate interests; if you are an individual subscriber, we will rely on consent or the “opt‑out” where the law allows it. Opting out of marketing will not affect service emails that we need to send to deliver engagements or meet legal duties.

Where we obtain data and who we receive it from

You provide most of the information we process. For regulated work we may also obtain identity and verification data from trusted third‑party providers (e.g., electronic ID verification services) to comply with anti‑money‑laundering regulations. When you transfer work from another adviser, we receive the records with your permission. HMRC and Companies House may provide information or require us to verify details. Credit reference agencies may supply data as part of onboarding or credit control; banks and payment services may provide payment information; and we may consult public registers and professional networking platforms to confirm business details. See “How we collect information” for more about data sources.

Payment information, credit control and refunds

When you pay our fees, the payment service provider processes card or bank details directly; we do not store full card details on our systems. We keep transaction records, invoices, and remittance information for accounting and tax purposes. Where payments are recalled by a bank or card provider after work has been performed, we will retain and process the records necessary to establish the work done and to recover unpaid sums. If you request a refund for a duplicate or cancelled payment relating to ancillary services, we will use the information in our accounting records to validate and process the request, and we will keep a record of the outcome for audit and compliance.

Children’s data

Our services are designed for adults. We do not knowingly collect personal information from anyone under the age of 18. If you believe a child has provided us with personal information, please contact us so that we can delete it where appropriate.

Social media, external links, and third‑party websites

Our website and communications may include links to external sites or embedded content from third parties. We are not responsible for the privacy practices of those providers. When you follow a link or play embedded media, the third party may collect data in accordance with its own policies. You should review their privacy information before interacting with those services.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in law, guidance, technology, our services, or our internal practices. The version posted on our website will include the effective date at the top. Substantive changes may be highlighted on our website or notified to clients where appropriate.
