Privacy Policy
Last updated: 20 May 2026
B2 Bookkeeper Ltd (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and the rights you have over your data. It applies to data collected through our website, by email, by telephone, and in the course of providing our bookkeeping, accounting, payroll, VAT, CIS and AML-related services.
We process personal data in accordance with the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the Money Laundering Regulations).
1. Who we are (data controller)
For the purposes of UK data protection law, the data controller is:
B2 Bookkeeper Ltd
Company number: 14574320
Registered office: 49 Church Road, Leyland PR25 3AA
Telephone: 01772 435206
Email: alan.w@b2bookkeeper.co.uk
B2 Bookkeeper Ltd is registered with the Information Commissioner's Office (ICO) as a data controller. Our ICO registration details are available on request.
2. Personal data we collect
Depending on your relationship with us, we may collect and process the following categories of personal data:
2.1 Information you provide to us
- Contact and enquiry information: name, business name, email address, telephone number, postal address, and the content of any enquiry you submit through the contact form, by email or by telephone.
- Client onboarding and Know Your Customer (KYC) information: full name, previous names, date of birth, residential and previous addresses, nationality, passport and/or driving licence details, National Insurance number, occupation, source of funds, beneficial ownership and shareholding details, and any other information we are required to collect under the Money Laundering Regulations.
- Engagement information: letter of engagement, scope of services, correspondence and notes relating to your file.
- Financial and accounting records: bank statements, sales and purchase invoices, expense receipts, payroll data (including employee personal data where you provide it as employer), VAT records, CIS deduction records and management accounts.
2.2 Information collected automatically
- Technical data: IP address, browser type and version, device type, operating system, referring URL, pages visited and timestamps. This is collected by our hosting provider (Vercel) and by Google reCAPTCHA for fraud and abuse prevention.
- Rate-limiting and security data: we use Upstash (Redis) to prevent automated abuse of our contact and information-request forms. This stores your IP address temporarily.
3. Why we collect your data (lawful bases)
We rely on the following lawful bases under UK GDPR:
- Contract: to enter into and perform our engagement with you (Article 6(1)(b)).
- Legal obligation: to comply with the Money Laundering Regulations 2017, HMRC reporting obligations, the Companies Act 2006, and other regulatory and statutory duties (Article 6(1)(c)). For special category data collected as part of identity verification, we rely on the “substantial public interest” condition in the Data Protection Act 2018, Schedule 1, Part 2.
- Legitimate interests: to respond to your enquiries, manage our client relationships, recover debt, prevent fraud, secure our website and improve our services (Article 6(1)(f)). Where we rely on legitimate interests, we balance those interests against your rights and freedoms.
- Consent: where we ask for it explicitly, for example for optional marketing communications (Article 6(1)(a)). You may withdraw consent at any time.
4. How we use your data
We use personal data to:
- respond to enquiries and provide quotations;
- verify your identity and assess money-laundering risk;
- provide bookkeeping, VAT, CIS, payroll, management reporting and tax compliance services;
- communicate with you about your engagement and our services;
- submit returns and information to HMRC and Companies House on your behalf;
- maintain accurate accounting and audit records;
- meet our regulatory obligations to the Institute of Certified Bookkeepers (ICB), HMRC and the National Crime Agency;
- secure our systems and prevent abuse, fraud or unauthorised access;
- recover unpaid invoices where necessary.
5. Who we share your data with
We only share your data with third parties where there is a lawful basis to do so. The categories of recipient include:
- HM Revenue & Customs (HMRC) and Companies House — where we are required to submit returns, accounts or other statutory filings on your behalf.
- The National Crime Agency (NCA) — where we are required to make a Suspicious Activity Report under the Proceeds of Crime Act 2002 or the Money Laundering Regulations 2017. We will not tell you if we have made such a report.
- The Institute of Certified Bookkeepers (ICB) — our supervisory body for AML and professional standards purposes.
- Cloud accounting software providers — primarily Xero and QuickBooks, where you have engaged us to maintain your books on those platforms. These providers act as data processors under our instructions and are subject to their own privacy policies.
- Specialist identity-verification and AML-screening providers — where we use third-party tools to perform electronic identity checks, sanctions screening and politically-exposed-person (PEP) checks.
- Our IT and infrastructure providers — including our website host (Vercel), email-delivery provider (Amazon Web Services SES), form-protection providers (Google reCAPTCHA, Upstash), and any other professional IT services we use.
- Professional advisors — including our own auditors, insurers and legal advisors, where engagement is necessary.
- Successor practitioners — if our practice is sold, merged or transferred, your records may be transferred to the successor practice subject to equivalent confidentiality and data-protection terms.
- Law enforcement, regulators and courts — where we are required to do so by law.
We do not sell your personal data to anyone. We do not share your personal data for third-party marketing purposes.
6. International transfers
Most of our processing takes place within the United Kingdom. Some of our service providers (for example Xero, QuickBooks, Google reCAPTCHA, AWS, Vercel and Upstash) may process personal data outside the UK and the European Economic Area. Where they do, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or transfers to jurisdictions covered by UK adequacy regulations.
7. How long we keep your data
We keep personal data only for as long as we need it, taking into account regulatory requirements and any legitimate business reasons.
- Client accounting and tax records: at least six years from the end of the accounting period to which they relate (in line with HMRC requirements).
- AML and KYC records: five years from the end of our business relationship with you (in line with the Money Laundering Regulations 2017).
- Engagement letters and correspondence: six years from the end of the engagement.
- Contact-form enquiries that do not result in an engagement: up to two years from the last contact.
- Website analytics and security logs: typically up to 30 days, depending on the provider.
At the end of the applicable retention period, your personal data will be securely deleted, destroyed or anonymised.
8. How we keep your data secure
We take the security of your personal data seriously. We use industry-standard technical and organisational measures, including:
- encrypted transmission of data via HTTPS/TLS;
- encrypted form submissions and rate-limited endpoints to prevent automated abuse;
- access controls, strong authentication and the principle of least privilege for staff;
- secure cloud accounting platforms (Xero, QuickBooks) with two-factor authentication;
- vetted third-party processors with appropriate contractual safeguards;
- regular review of our security practices.
No method of transmission over the internet or method of electronic storage is one hundred per cent secure. While we strive to protect your personal data, we cannot guarantee its absolute security. We will notify you and the ICO of any personal-data breach where required by law.
9. Your rights
Under UK data protection law you have the following rights, subject to certain exemptions:
- Right of access — to request a copy of the personal data we hold about you.
- Right to rectification — to ask us to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) — to ask us to delete your data, subject to our legal and regulatory obligations to retain certain records.
- Right to restriction of processing — in certain circumstances.
- Right to data portability — where applicable.
- Right to object — including to processing based on legitimate interests and to direct marketing.
- Right to withdraw consent — where we rely on consent as our lawful basis.
- Rights in relation to automated decision-making — we do not carry out solely automated decision-making that produces legal or similarly significant effects on you.
To exercise any of these rights, please contact us using the details in Section 12. We will respond within one month of your request. There is normally no fee, but we may charge a reasonable fee or refuse to act on a request that is manifestly unfounded or excessive.
10. Cookies and similar technologies
Our website uses a minimal set of cookies and similar technologies:
- Strictly necessary cookies — used by our hosting platform (Vercel) to deliver the site reliably and securely.
- Google reCAPTCHA — used on our contact and information-request forms to distinguish real users from automated bots. Google reCAPTCHA collects hardware and software information such as device and application data and sends it to Google. Use of this information is subject to Google's Privacy Policy and Terms of Service.
We do not use third-party advertising or marketing-tracking cookies on this site.
11. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology or legal requirements, or for other reasons. The “Last updated” date at the top of this page shows when it was most recently revised. Where changes are significant, we will take reasonable steps to notify you.
12. How to contact us & how to complain
If you have any questions about this Privacy Policy, or wish to exercise any of your rights, please contact us:
B2 Bookkeeper Ltd
49 Church Road, Leyland PR25 3AA
Email: alan.w@b2bookkeeper.co.uk
Telephone: 01772 435206
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk