Ascendant Accountants Privacy Policy

This notice explains how Ascendant Accountants Limited (“we”, “us” or “our”) uses personal information. It is written to be clear and practical, while meeting the transparency requirements in UK data protection law.

Key points

We collect and use personal information so we can provide professional services, run our business, meet legal and regulatory obligations (including anti-money laundering checks), and communicate with you.
We handle personal information in line with the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and amendments made by the Data (Use and Access) Act 2025.
You have rights over your personal information, including the right to access it and the right to object to certain uses such as direct marketing.
To contact us about privacy or to exercise your rights, email [email protected] (for the attention of the Data Protection Officer).

Who we are

Ascendant Accountants Limited is the controller for the personal information described in this notice, meaning we decide why and how it is used. We operate as a UK professional services group and may trade under different brand or trading names from time to time. This notice applies whenever you interact with us or with a website, product, portal or service operated by (or on behalf of) Ascendant Accountants Limited, unless you are provided with a more specific privacy notice for a particular activity.

We are regulated by the Institute of Chartered Accountants in England and Wales (ICAEW) and are required to follow professional standards and legal obligations relevant to the services we provide.

How to contact us

If you have questions about this notice or how we use your personal information, or you want to exercise your rights, please contact our Data Protection Officer via:

Email: [email protected] (for the attention of the Data Protection Officer)

If you need to contact us by post, please request our current registered office address via the email above or refer to the Legal Information page on the relevant Ascendant website (or the Companies House register).

Who this notice covers

This notice may apply to individuals whose personal information we handle, including:

people who visit our websites, portals or apps;
prospective clients and people who contact us;
clients who are individuals, and people associated with our clients (such as directors, shareholders, trustees, employees, and authorised users);
supplier and partner contacts;
attendees at events, webinars or meetings; and
people who receive our marketing or communications.

Employee and worker personal information is handled under separate internal notices and policies. Recruitment activities may be covered by a separate recruitment privacy notice where provided.

Personal information we collect

The personal information we collect and use will depend on how you interact with us. It may include:

Identity and contact details (for example name, job title, employer, postal address, email address, telephone number).
Client onboarding and compliance information (for example copies or references to identity documents, proof of address, date of birth, information needed for customer due diligence and screening, and records of checks performed).
Professional services information (for example information contained in books and records, payroll information, tax and financial information, correspondence, and information provided to us to deliver services).
Account and access information (for example usernames, authentication information, and audit logs for portals and tools).
Communications (for example emails, call recordings where permitted, meeting notes, and support requests).
Website and device information (for example IP address, device identifiers, browser type, pages visited, and cookie identifiers).
Event and marketing preferences (for example your preferences, subscription choices, and interaction history).
Due diligence, risk and security information (for example fraud prevention data, incident logs, and information required to comply with legal obligations).

We do not knowingly collect information about children through our services. If you believe a child has provided personal information to us, please contact us so we can take appropriate steps.

Special category and criminal convictions information

Some personal information is treated as more sensitive under data protection law. This includes “special category” information (such as information about health) and information relating to criminal convictions and offences. We generally do not need special category information to provide standard accountancy services, but it may arise in limited situations (for example where relevant to employment, benefits, litigation or specific advisory work). We may also process information relating to criminal convictions and offences where required or permitted, including for anti-money laundering checks, fraud prevention and compliance.

Where we process this type of information, we do so only where the law allows, we apply appropriate safeguards, and we limit access on a need-to-know basis.

Where we get personal information from

We collect personal information from a range of sources, including:

directly from you (for example when you contact us, sign engagement documents, or use our portals);
from your employer or the organisation you represent;
from clients, advisers or other parties involved in an engagement (for example legal advisers, lenders, insurers, or counterparties);
from public sources (for example Companies House and other public registers) where relevant;
from screening, identity verification and due diligence providers used to meet legal and regulatory obligations; and
from technology and security systems (for example access logs and monitoring tools).

How we use personal information and our lawful bases

UK data protection law requires us to have a lawful basis for using personal information. The main reasons we use personal information, and the lawful bases we rely on, are set out below. In some cases more than one basis may apply, depending on the context.

Legitimate interests; legal
obligation; and/or legal claims.

Purpose (why we use it)	Examples of what we use	Lawful basis (UK GDPR)
Respond to enquiries and manage relationships	Contact details, correspondence, meeting notes.	Legitimate interests (running our business and responding to enquiries); and/or taking steps prior to entering a contract.
Provide professional services	Client records, financial/tax information, payroll data where relevant, communications, portal account data.	Performance of a contract; legitimate interests; and/or legal obligation (depending on the service).
Client onboarding, due diligence and compliance	Identity documents, proof of address, screening results, beneficial ownership information, risk assessments.	Legal obligation; and/or legitimate interests (preventing fraud and protecting our business).
Meet legal and regulatory obligations	Records needed for compliance, filings and reporting, audit trails, professional standards evidence.	Legal obligation; and/or legitimate interests (compliance and risk management).
Operate, secure and improve our websites, portals and systems	Login data, audit logs, device and usage data, security logs, cookie identifiers.	Legitimate interests (IT administration and security). Some cookies and similar technologies may require consent under PECR.
Marketing and business development	Contact details, marketing preferences, interaction history.	Legitimate interests and/or consent (particularly for electronic marketing where required by PECR). You can opt out at any time.
Events and communications	Registration details, accessibility requirements you choose to share, communications.	Contract (where applicable); legitimate interests; and/or consent (where applicable).
Protect our rights, manage disputes and enforce agreements	Correspondence, engagement documents, file notes, claim- related information.

If we rely on consent (for example where required for certain electronic marketing or cookies), you can withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing before you withdrew it.

When we act as a controller or processor

In many cases, we act as a controller when providing professional services because we determine the purposes and means of processing (for example, how we deliver services, keep professional records, and meet regulatory obligations). In some engagements, we may act as a processor on our client’s instructions (for example where we process personal information solely on behalf of a client using their systems or where we provide outsourced processing services). Where we act as a processor, we process personal information under a written contract that sets out our instructions and obligations.

Who we share personal information with

We may share personal information where necessary for the purposes described above, including with:

our group companies, trading brands, and offices where relevant to delivering services and operating the business;
professional advisers (such as lawyers, auditors, insurers, and consultants);
technology and service providers who support our business operations (such as hosting, IT support, communications, document management, e-signature, and practice management);
banks, payment service providers and finance partners where relevant to payments or services;
identity verification, screening and due diligence providers used for compliance;
regulators, supervisory bodies and law enforcement where required or permitted (including HMRC and other relevant authorities); and
third parties involved in an engagement, where you ask us to or where it is necessary (for example lenders, brokers, counterparties, or other advisers).

We require service providers to protect personal information and to use it only for providing services to us, unless they are acting as an independent controller.

International transfers

Some of our service providers or group operations may involve processing personal information outside the UK. Where we transfer personal information internationally, we use appropriate safeguards required by UK law, such as adequacy regulations where available, or approved contractual safeguards (for example the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses).

You can ask us for more information about the safeguards we use by contacting us (see section 2).

Security

We use technical and organisational measures designed to protect personal information against unauthorised access, loss, misuse, alteration or disclosure. These include access controls, encryption where appropriate, security monitoring, and staff training. No system is completely secure, but we work to maintain appropriate safeguards for a professional services firm.

How long we keep personal information

We keep personal information for as long as necessary for the purposes described in this notice. Retention periods vary depending on the nature of the information, the services provided, and legal or regulatory requirements. For example, anti-money laundering laws require us to keep certain customer due diligence records for a minimum period after the end of a business relationship or completion of a transaction.

We also retain information where needed to establish, exercise or defend legal claims, to meet professional standards, or to resolve disputes. When retention periods end, we securely delete or anonymise the information.

Your rights

Under UK data protection law, you may have the following rights (subject to legal conditions and exemptions):

Right to be informed about how we use your personal information.
Right of access (to request a copy of the personal information we hold about you).
Right to rectification (to correct inaccurate or incomplete information).
Right to erasure (to request deletion in certain circumstances).
Right to restrict processing in certain circumstances.
Right to data portability (in certain circumstances where processing is based on consent or contract).
Right to object to processing based on legitimate interests (including an absolute right to object to direct marketing).
Right to withdraw consent at any time where we rely on consent.
Rights related to automated decision-making and profiling.

To exercise your rights, please contact us using the details in section 2. We may need to verify your identity before responding.

Marketing choices

You can opt out of direct marketing at any time. Where we send electronic marketing (such as email or SMS), we do so in line with PECR. You can use the unsubscribe link in emails, follow the opt-out instructions in messages, or contact us. Opting out will not affect service communications we need to send you (for example about an engagement or your account).

Cookies and similar technologies

Our websites and digital services may use cookies and similar technologies to operate, remember your preferences, understand how visitors use our services, and improve performance. Some cookies are essential; others may require consent. Please see the relevant Cookie Notice on the website you are using for details.

Complaints

We take privacy concerns seriously. If you have a complaint about how we use your personal information, please contact us first and we will investigate and respond.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection.

Changes to this notice

We may update this notice from time to time to reflect changes in law, guidance, our services, or how we use personal information. The latest version will be published on the relevant Ascendant website. Where appropriate, we may notify you of material changes.