Privacy Policy

Introduction

LPA Accountancy ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our services, including our Companies House Identity Verification services, website, and related offerings.

We are registered as an Authorised Corporate Service Provider (ACSP) and are supervised by HMRC under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. We comply with:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Privacy and Electronic Communications Regulations (PECR)
• Economic Crime and Corporate Transparency Act 2023 (ECCTA)

Data Controller Information

LPA Accountancy is the data controller responsible for your personal data. Our contact details are:

Personal Data We Collect

We collect different types of personal data depending on the services you use:

1. Identity Verification Services

When you use our Companies House Identity Verification or ACSP Verification Service, we collect:

2. Website Usage Data

When you visit our website, we automatically collect:

• Technical Data: IP address, browser type, device information, operating system
• Usage Data: Pages visited, time spent, referring websites, click patterns
• Cookie Data: Preferences, session information (see Cookies section)

3. Communication Data

• Email correspondence
• Phone call records (with consent)
• Live chat transcripts
• Customer support tickets
• Feedback and survey responses

4. Payment Information

• Payment card details (processed securely by our payment provider)
• Billing address
• Transaction history
• Invoice details

How We Use Your Personal Data

We use your personal data for the following purposes:

1. Service Provision

• Process your Companies House Identity Verification application
• Submit verification statements to Companies House as your authorised ACSP agent
• Issue your Companies House Personal Code
• Provide Director ID Verification UK services
• Complete PSC identity verification
• Deliver professional accounting and compliance services

2. Legal and Regulatory Compliance

• AML Compliance: Verify your identity to prevent money laundering and terrorist financing
• ECCTA 2023: Comply with Companies House verification requirements
• Record Keeping: Maintain records as required by HMRC and regulatory bodies
• Fraud Prevention: Detect and prevent fraudulent verification attempts
• Legal Obligations: Respond to legal requests and protect our rights

3. Communication

• Send verification status updates
• Respond to your inquiries
• Provide customer support
• Send service-related notifications
• Request feedback on our services

4. Business Operations

• Process payments and invoicing
• Improve our services and website
• Analyze service performance
• Protect against security threats
• Train our staff

5. Marketing (With Your Consent)

• Send newsletters and service updates
• Inform you about new services
• Share industry insights and compliance updates

Legal Basis for Processing

Under UK GDPR, we process your personal data based on the following legal grounds:

Who We Share Your Data With

We only share your personal data when necessary and with appropriate safeguards:

1. Regulatory Bodies

• Companies House: Submission of identity verification statements
• HMRC: AML supervision and tax compliance
• ICO (Information Commissioner's Office): Data protection compliance

2. Service Providers (Data Processors)

We use trusted third-party service providers who process data on our behalf:

• Identity Verification Platforms: For biometric checks and document verification
• Payment Processors: Stripe, PayPal, etc. (who have their own privacy policies)
• Cloud Storage: Secure encrypted storage providers (AWS, Microsoft Azure)
• Email Services: For transactional and marketing emails
• Website Analytics: Google Analytics (anonymized)
• Customer Support: Help desk and ticketing systems

3. Professional Advisors

• Legal advisors and solicitors
• Professional indemnity insurers
• External auditors
• IT security consultants

4. Legal Requirements

We may share data if required by law:

• Court orders and legal proceedings
• Law enforcement agencies
• Tax authorities
• Regulatory investigations

5. International Transfers

Some of our service providers may process data outside the UK/EEA. When this occurs, we ensure:

• Transfers are to countries with adequate data protection (UK adequacy decisions)
• Standard Contractual Clauses (SCCs) are in place
• Additional safeguards protect your data
• You can contact us for details of these safeguards

How Long We Keep Your Data

We retain your personal data only as long as necessary for the purposes outlined in this policy:

Your Data Protection Rights

Under UK GDPR and Data Protection Act 2018, you have the following rights:

1. Right to Access (Subject Access Request)

You can request a copy of the personal data we hold about you, free of charge. We will provide this within 1 month.

2. Right to Rectification

You can ask us to correct inaccurate or incomplete personal data.

3. Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data in certain circumstances:

• Data is no longer necessary for the purpose collected
• You withdraw consent (where consent was the legal basis)
• You object to processing and there are no overriding legitimate grounds
• Data was processed unlawfully

Note: This right does not apply if we have a legal obligation to retain your data (e.g., AML regulations require 6-year retention).

4. Right to Restriction of Processing

You can ask us to restrict processing of your data while we:

• Verify the accuracy of disputed data
• Assess whether our legitimate interests override your objection
• Keep data you need for legal claims even though we no longer need it

5. Right to Data Portability

You can request your personal data in a structured, machine-readable format to transfer to another service provider.

6. Right to Object

You can object to processing based on:

• Legitimate interests: We must stop unless we demonstrate compelling legitimate grounds
• Direct marketing: We will stop immediately

7. Rights Related to Automated Decision-Making

We use automated systems for fraud detection during verification. You have the right to:

• Request human intervention
• Express your point of view
• Challenge automated decisions

8. Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time (this won't affect processing done before withdrawal).

9. Right to Complain

If you're unhappy with how we handle your data, you can complain to:

Cookies and Tracking Technologies

We use cookies and similar technologies to improve your experience on our website.

What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us remember your preferences and understand how you use our site.

Types of Cookies We Use

Third-Party Cookies

We use the following third-party services that may set cookies:

• Google Analytics: Website traffic analysis (anonymized IP)
• Google Tag Manager: Managing website tags
• Facebook Pixel: Advertising performance (with consent)
• LinkedIn Insights: Professional network analytics (with consent)

Managing Cookies

You can control cookies through:

• Cookie Consent Banner: Manage preferences when you first visit
• Browser Settings: Block or delete cookies (may affect functionality)
• Opt-Out Tools: Google Analytics opt-out browser add-on

Data Security Measures

We take data security seriously and implement industry-standard measures to protect your personal information:

Technical Security

• Encryption: All data transmitted is encrypted using TLS/SSL (256-bit encryption)
• Encrypted Storage: Personal data is stored encrypted at rest
• Secure Servers: Hosted in ISO 27001 certified data centers
• Firewall Protection: Advanced firewall and intrusion detection systems
• Access Controls: Multi-factor authentication for staff access
• Regular Backups: Encrypted backups stored securely

Organizational Security

• Staff Training: Regular data protection and security training
• Limited Access: Only authorized personnel can access personal data
• Confidentiality Agreements: All staff sign confidentiality agreements
• Incident Response Plan: Procedures for data breach management
• Regular Audits: Internal and external security audits
• Vendor Due Diligence: All processors undergo security assessments

Document Security

For identity verification documents:

• Uploaded via secure, encrypted portal
• Stored in encrypted format
• Access logged and monitored
• Automatically deleted after retention period

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make significant changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you via email (for material changes)
• Display a prominent notice on our website
• Seek your consent where required by law

We encourage you to review this policy periodically. Your continued use of our services after changes indicates acceptance of the updated policy.

Children's Privacy

Our services are not directed at children under 18. We do not knowingly collect personal data from children. If you are under 18, please do not use our services or provide any personal information.

If we discover we have collected data from a child under 18, we will delete it immediately. If you believe we have inadvertently collected such data, please contact us at [email protected].