Privacy Policy

The General Data Protection Regulation (GDPR) is an essential safety requirement for any organisation that deals with personal data. We will only use the information that we collect about you lawfully (in accordance with the new General Data Protection Regulations 2018).

Eight Data Protection Principles

Personal information must be:
– processed fairly and lawfully
– processed for limited purposes
– adequate, relevant and not excessive
– accurate and up to date
– kept no longer than is necessary
– processed in line with the data subjects’ rights
– secure
– not transferred to other countries without adequate protection

Under the terms of the GDPR legislation, we are required to explain to you how we will treat any personal and/or private data which we collect from you.

Who we are
We are C Allan & Son Accountancy Services Limited. We are a Chartered Accountancy practice, providing (among other things) accountancy and bookkeeping services. The C Allan & Son Accountancy website (to be further referenced as ‘the site’) is owned by C Allan & Son Accountancy Services Ltd. and hosted by Xtensive Web Design and IT Services. The website is updated by both Xtensive and C Allan & Son.

C Allan & Son Accountancy Services Ltd is a Data Controller, “…a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.”

Computer Tracking and ‘Cookies’
The C Allan & Son website makes use of internet browser cookies, which we use to ensure that your experience of our website and business offerings is as effective as possible. Cookies are small amounts of information which we store on your computer and exist to improve the ease of use of this site. You may choose not to use cookies by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you select this setting you may be unable to access certain parts of our site. For more information on cookies, please visit

The site uses Google Analytics (GA) to track user interaction. We use this data to determine the number of people using our site, to better understand how they find and use our web pages and to see their journey through the website.

Although GA records data such as your geographical location, device, internet browser and operating system, none of this information personally identifies you to us. GA also records your computer’s IP address which could be used to personally identify you, but Google do not grant us access to this. We consider Google to be a third-party data processor (see section 6.0 below).
GA makes use of cookies, details of which can be found on Google’s developer guides. FYI our website uses the analytics.js implementation of GA.

Disabling cookies on your internet browser will stop GA from tracking any part of your visit to pages within this website.

Collection of Information from Potential Clients
To undertake work for you we require certain personal data, collected at the time of first contact.
‘Personal data’ can be defined as any data which relates to a living individual who can be identified (a) from that data or (b) from that data and other information that is in the possession of or is likely to come into the possession of the data controller. 
‘Data controller’ – any person who determines the purpose for which, and the way any personal data is likely to be processed.

At first contact we may collect and process the following data about you: –
(1) your name and contact details (telephone number, email address or mail correspondence)
(2) information that you provide by filling in the contact form on our website 
(3) any information you may post to our social media pages
(4) details of your visits to our site including but not limited to traffic data, location data, and other communication data, whether this is required for our own billing purposes or not.

It is our policy that this information is private and confidential. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. The website is hosted by Xtensive and they use a number of security systems to ensure the site’s safety and integrity.

Contact forms and email links

Should you choose to contact us using the contact form on our Contact us page or an email link on the site the data will be collated into an email and sent to us over the Simple Mail Transfer Protocol (SMTP). Our SMTP servers are protected by TLS (sometimes known as SSL) meaning that the email content is encrypted using SHA-2, 256-bit cryptography before being sent across the internet. The email content is then decrypted by our local computers and devices.

Becoming a Client
To undertake and complete work on your behalf, we will require to collect (but not limited to) the following information:
– your National Insurance number
– your marital status
– your financial information relating to your status as a Sole Trader or Limited Company
– a copy of your identification documents (e.g. passport, driver’s licence)
– date of birth
– Unique Taxpayer Reference (UTR)
– PAYE reference number (if applicable)

Once we have received your information the personal information you provide to us (where required) is stored securely on BTC software and is accessible only by designated staff. We will use it only for the purposes for which you provide the information under this privacy statement.

BTC’s privacy policy can be viewed here

Data Retention
We have a legal obligation to hold certain financial information for HMRC for a period of 6 years from the end of the last company financial year they relate to, or longer if:
– they show a transaction that covers more than one of the company’s accounting periods
– the company has bought something that it expects to last more than 6 years, like equipment or machinery
– you sent your Company Tax Return late
– HMRC has started a compliance check into your Company Tax Return
Any information that we do not require to hold must be removed from our office and held by the client for the required period.

Data Storage on C Allan & Son Accountancy Services Ltd Website

There is currently no occasion where personal data will be stored on the site.

About C Allan & Son Accountancy Services Ltd Website Server

The site is hosted within a UK data centre located just outside London.

Some of the data centre’s more notable security features are as follows:

– 3m rota-spike security fence and perimeter anti ram barriers
– blast proof anti-intruder shielded external windows and doors
– proximity access locks on all external and internal doors
– interlocked man-trap doors with biometric iris scanners to gain access into data floors
– server cabinets have locked doors (no open racks)
– perimeter and internal IP CCTV system monitored 24×7
– 24×7 on-site security guards with static and mobile patrols
– all on-site personnel are security vetted to BS7858 standard
– only authorised security cleared staff are allowed into the facility

All traffic (transferral of files) between this website and your browser is encrypted and delivered over HTTPS.

This information has been provided by Xtensive Ltd, C Allan & Son Accountancy Services Ltd believe it to be true and accurate.

Third Party Software
To provide some of our key services, we utilise the services of trusted partner websites and cloud-based systems. We believe the data held on all third-party systems to be safe, secure, and only available to C Allan & Son Accountancy Services Ltd for the purposes of completing our service as an accountancy practice. 

Microsoft 365 (including One Drive)

We believe the information we provide to Microsoft to be held within the EU and meeting the GDPR. To view Microsoft’s privacy policy, please click

Intuit Quickbooks
HMRC require businesses to keep company financial records for at least 6 years from the end of the last financial year, so if you’ve been a paying customer over that time frame, then we’ll likely hold data about you on Intuit Quickbooks – the system we use for our practice accounts, including invoicing customers and receiving monies due.
While legally we cannot delete this data, we can make changes to the contact details etc where it is inaccurate. If you’d like to see what data we hold, or you think we should update the accuracy of it, please just contact us at any time, by contacting our Privacy Officer (details below).

For information on Intuit’s privacy policy please visit

Clients favouring Xero for contracted work completion should know that we will pass your personal details on to Xero. Their privacy statement highlights that although their headquarters are in New Zealand, “For European Union data protection purposes, when we act as a controller in relation to your personal data, Xero (UK) Limited (company number 06071722) is our representative in the European Union”.

To view Xero’s privacy statement in its entirety, please click


Clients favouring Sage UK for contracted work completion should know that we will pass your personal details on to Sage Group plc. 

Their privacy policy can be viewed by clicking


As is the nature of our business, we regularly liaise with HM Revenue and Customs as an ‘Agent’. Their online services are provided by the Government Digital Service (GDS) as part of the Cabinet Office.

The transfer of information may be (but not limited to) the submission of accounts via BTC software (please see earlier for their privacy policy), via the telephone or letter correspondence. 

The information we share can include your name, address, marital status, National Insurance Number, financial information relating to your status as a Sole Trader, Limited Company, Partnership, Charity or Individual.

We cannot become a client’s agent without their consent – this is directly requested by HMRC, in letter format.

It should be noted by clients that the information we share with HMRC “…may, throughout the course of its processing at GDS, be transferred outside of the European Economic Area (EEA). Where this is the case, all appropriate technical and legal safeguards will be put in place to ensure that you are afforded the same level of protection as within the EEA”.

C Allan & Son Accountancy accepts no responsibility or liability for personal data once it has been passed over to HMRC via GDS.

HMRC’s privacy policy can be viewed in its entirety here

Facebook including Messenger

C Allan & Son Accountancy Services Ltd use Facebook to promote our business and highlight upcoming changes that our client’s and subscribers may find useful.

C Allan & Son Accountancy Services Ltd. engages with individuals via Messenger to arrange appointments, at this stage we do not require personal data other than your name.

We do not advocate the use of this facility to share documents that outline personal data, e.g. letters from HMRC or bank statements. Therefore, from May 25th 2018 we will not process documents received via Messenger and will delete the conversation immediately. C Allan & Son Accountancy Services Ltd will not be held accountable or liable for any breach of Messenger resulting in the disclosure of personal data if the service is breached before we have the opportunity to delete personal information.

Facebook’s privacy policy can be viewed here

Skype (Microsoft)

C Allan & Son Accountancy Services Ltd use Skype to communicate with clients, such is the nature of our cloud services. 

Skype’s privacy policy can be viewed in its entirety here

Privacy Officer

C Allan & Son Accountancy Services Ltd has a Privacy Officer – this is Michelle Allan (Director), who can be contacted on, for Subject Access Requests (SAR), to update client details, information deletion requests (although this may not be fully possible for all data we hold, due to our obligations to HMRC) and any enquiries relating to data protection.

Giving your consent

It is important that you read and understand these statements. By purchasing any of our services, a binding agreement between you (and/or your business) and C Allan & Son Accountancy Services Ltd will be created such that we can use your information in this way.


We warrant that we will not disclose your information or personal details to any other third party without your approval other than is set out elsewhere in this privacy statement.

We generally do not send commercial emails; we do send reminder emails to clients with prior consent.

We will seek to act in the best interest of our customers and will not abuse our position of data controller for any commercial gain.

In the event we sell our business or assets the personal data we collect about you may be transferred to the purchaser of our business or assets. We may also use the information we collect about you to enforce or apply our terms of use or supply.

To prevent or detect fraud or abuse of this site, or to assist in verifying your identity, we may make searches of our data records and reserve the right to cooperate with law enforcement agencies should fraud or illegal activities occur. If you give us false or inaccurate information and we suspect fraud, we will record this.

We may use this information to protect our interests including without limitation to protect the rights property or safety of C Allan & Son Accountancy Services Limited, our customers or others. This includes exchanging information with other companies and organisations for the purposes of credit risk and fraud reduction.

Changes to our privacy policy

This privacy policy may change from time to time in line with legislation or industry developments. We will not explicitly inform our clients or website users of these changes. Instead, we recommend that you check this page occasionally for any policy changes. Specific policy changes and updates will be outlined below.

Have we done something wrong?

If you think there is a problem with the way we have handled your data then be aware you have the right to raise a complaint to the ICO (Information Commissioner’s Office). We’d be grateful if you spoke to us about the issue first, but if you’d prefer to go direct to the ICO please visit:

Thank you for your trust