Last updated: 2 September 2025
We care about privacy and keep things simple. This notice explains what we collect, why, how long we keep it, and your rights.
Who we are. BookkeepingPackages.co.uk (“we”, “us”) provides fixed-fee bookkeeping services in the UK. For our website, billing and – where required by law – anti-money laundering checks, we act as data controller. When we work inside your Xero/QuickBooks tenant, we act as a data processor on your instructions and you remain the controller of that data.
Where your accounting data lives. Your ledgers, transactions, and payroll live in your own Xero or QuickBooks account. You grant and remove our access as you wish. We don’t create separate backups of your accounting data.
You can use this page with our Cookie Policy at /cookies.
Data we collect
- Account & contact details – name, business name, role, email, UK phone, your chosen package, onboarding notes.
- Service access & authorisations – the access you grant to Xero/QuickBooks; HMRC agent/MTD authorisations where your package includes VAT/PAYE filings. Accounting records remain in your Xero/QB tenant.
- Payroll data (if in your package) – employee details required to run PAYE, processed inside your system.
- AML/KYC (where required by law) – basic identity verification of directors/beneficial owners and business details, recorded on a risk-based basis.
- Website & analytics – enquiry details, consent logs, device/IP and cookie IDs for security and analytics (see /cookies).
- Channels – we’ll communicate by email and, if you prefer, WhatsApp (end-to-end encrypted in transit). Approvals sent via email/WhatsApp count as written approval.
Roles recap: we’re controller for website, billing and AML (where performed); we’re processor for personal data handled inside your Xero/QuickBooks.
Legal bases
- Contract (Art. 6(1)(b)) – to deliver bookkeeping, reconciliations, and VAT/PAYE submissions included in your package.
- Legal obligation (Art. 6(1)(c)) – AML/CDD (where applicable) and record-keeping duties under UK law.
- Legitimate interests (Art. 6(1)(f)) – running and securing our site/tools, preventing fraud, and reasonable follow-ups to your enquiry.
- Consent (Art. 6(1)(a)) – non-essential cookies/analytics, optional marketing, and your choice to use specific channels (e.g., WhatsApp) for approvals.
International transfers. Some service providers may process data outside the UK/EEA. Where they do, we use appropriate safeguards (e.g., UK IDTA/EU SCCs).
Retention
- Accounting data: held in your own Xero/QuickBooks account; you control retention there. We do not keep separate backups of your accounting records.
- Our client file (own records): contracts, approvals, billing and service notes – 6 years after the end of the financial year relating to the engagement (or longer if required by law).
- VAT/PAYE proofs we store outside Xero/QB (if any): kept in the client file as above.
- AML/CDD (where performed): 5 years after the end of the client relationship, then securely deleted unless the law allows/requires longer.
- Enquiries that don’t proceed: up to 12 months.
- Website analytics: typically 14–26 months (tool-dependent; see /cookies).
Your rights
You have the right to access your data, request rectification, erasure (where applicable), restriction, portability, and to object to processing based on legitimate interests. Where we rely on consent, you can withdraw it at any time (e.g., cookies/marketing).
You also have the right to complain to the Information Commissioner’s Office (ICO), though we’d welcome the chance to resolve anything first.
Sharing & providers
We use carefully selected service providers (processors) to help run our business, including: website hosting/analytics (e.g., Google/Blogger), communications (email; WhatsApp if you choose), and accounting platforms (Xero/QuickBooks) in your tenant. We require appropriate confidentiality, security and data-protection commitments from all providers.
Security
We apply proportionate technical and organisational measures: access controls, least-privilege permissions, encrypted channels, and staff confidentiality. No method is 100% secure, but we continuously improve our controls.
Children
Our services and site are aimed at UK businesses and are not intended for children.
Changes to this notice
We may update this notice from time to time. We’ll post changes here and update the date at the top. Material changes may also be notified by email.
DPO/Contact
Privacy contact: Stuart Kerr (Privacy Lead) — privacy@bookkeepingpackages.co.uk