Privacy Policy

Privacy Policy

Artema is strongly committed to protecting personal data. This privacy statement describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us, both by individuals themselves or by others.  We may use personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.

Personal Data:

Personal data is any information relating to an identified or identifiable living person. Artema processes personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.

When you make an enquiry with us about any of the services we offer, we’ll ask you to provide some contact information. This may include some or all of the following:

  • full name
  • previous names
  • current home address
  • previous residential addresses
  • date of birth
  • landline and mobile phone number
  • email address
  • National Insurance Number
  • Tax reference number (UTR)
  • When applicable, your bank details.

If you give personal information about someone else (such as a spouse or dependant), you must have their permission to do so.

How do we use your personal information:

You will agree that we need to have your personal information in order to do our job properly. Information such as name, address, tax references etc. are essential when processing and submitting your tax return or speaking to HMRC on your behalf. This information is stored on our system and backed up regularly on a secure server in the UK. We will also use your personal data to confirm your identity for Anti Money Laundering purposes and processing your payroll and Auto Enrolment services and submitting it to HMRC.

The law requires us to comply with a number of regulations. Where necessary, we use your personal data to allow us to fulfil our legal and regulatory requirements.

We will only share personal information with others (i.e. HMRC and Companies House) when we are legally permitted to do so.  When we share data with others, we put contractual arrangements and security mechanisms in place to protect the data and to comply with our data protection, confidentiality and security standards.

We use third parties to help us run our business. To fulfil our contractual obligations, we may share your personal data with certain third parties including, but not limited to:

HMRC (via phone or through a secure link via government gateway). Rarely, HMRC will accept emails but those will require our clients’ consent in advance.

Companies House (we only send information that is available on public records).

Equifax for Money Laundering checks and credit score reports.

Your bank details and the DD facility is looked after by one of our close partners (SmartDebit) which are FCA regulated and holds an ISO 27001:2013 security certificate.

Xero. When personal data is hosted or processed outside of the European Economic Area by Xero, GDPR requires that it remains protected by appropriate safeguards in line with EU law. There are a few ways that Xero achieves this.

First, some of their EU customers’ data is processed in New Zealand (where their Headquarters are located). New Zealand is recognised by the EU as an ‘adequate’ country (i.e. safe country) to receive and process EU personal data, pursuant to European Commission Decision 2013/65/EU.

When they process EU customer data in other territories, like the United States of America or Australia, they ensure “appropriate safeguards” are in place that are prescribed by GDPR – i.e. by entering into the European Commission’s Standard Contractual Clauses with the entity the data is transferred to, or by ensuring the entity is Privacy Shield certified (for transfers to US based entities).

You can read more about what Xero is doing to prepare for GDPR on their GDPR Centre. A copy of Xero’s DPA, which includes instructions on how it should be executed, is available under the FAQs

Xero: GDPR Centre

We are using various other bookkeeping packages which are based on the cloud such as Sage One, Kashflow, QuickBooks, Free Agent. However, those have been the choice of some of our clients who are also the owners of such accounts and it is therefore not our responsibility to manage.

We use third parties to support us with our Information Technology and marketing departments. Personal data may be stored with any one of them.

We do not share your information with or introduce you to another third party (Independent Financial Advisers, Banks, Mortgage Brokers, Lenders etc.) without your written or oral consent.

We do not record calls however we may keep the time and date we have spoken to you if something of importance was discussed during this conversation.

We do not keep any information on unsuccessful candidates who did not join our team.

Data Security:

All of our Pcs and portable devises are encrypted.

We do not send sensitive information via email without encrypting the content and attachments. Non-sensitive details are sent normally over the Internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk.

We use our Client Portal to send confidential information over to our clients such as statutory accounts, financial reports and any other information with sensitive content.

How long do we keep your information for:

In order to comply with legislation, we keep information and data for seven years from the end of the financial year. We also keep information for seven years from the date our relationship has ended.

Your rights:

Your right to be informed. You have the right to be informed about the collection and use of your personal data. We use this Privacy Policy to explain that.

Your right of access. You have the right to access your personal data and supplementary information. Individuals have the right to obtain:

  • confirmation that their data is being processed
  • access to their personal data
  • other supplementary information

We may charge for initial requests to provide information and will charge a fee if requests for further copies of the same information are made.  We will provide the requested information to you within a month of receiving your request, unless the request is complex or numerous in which case we may extend this period by up to a further two months.

Right to Rectification. Individuals have the right to request that inaccurate personal data is rectified or completed if it is incomplete.

Right to be forgotten. You have the right to have your personal data erased if:

  • the personal data is no longer necessary for the purpose which it was originally collected
  • we rely upon consent as our lawful basis for holding the data and you withdraw that consent
  • we have processed your personal data unlawfully

The right to be forgotten does not apply where processing is necessary for comply with a legal obligation. As an example, we are required to retain records that demonstrate our workings and evidence for our calculation.  These records contain personal information and sensitive data. We will not remove or delete any personal information or data until such time as our obligation has been fulfilled in respect of each transaction.

Where a request is manifestly unfounded or excessive, particularly if it is repetitive we may charge a fee to provide the information requested or refuse to respond.  In these instances, we will inform you and explain our reason.

Before we proceed with any request, we will take steps to verify the identity of the person making the request.

Our Website:

We do not use cookies on our website and any IP information collected is deleted automatically after two days.

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.


Under the Legitimate Business Interest rules and the Soft Opt-In rules, we will continue to send our clients our newsletters.

Should you wish to unsubscribe to those, you may tick the relevant option at the bottom of each email.

We do not send any marketing materials to individuals or organisations who are not our client unless we have their verbal or written consent to do so.


Sensitive personal information, including tax returns, payslips etc. will be sent via a secured channel of communication or any other agreed method. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

When you send us confidential information over an email, this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems.

Should you have any concerns or questions on the above, please contact us.

Artema Ltd