Last updated: 7 March 2026

Keywhites Limited ("Keywhites", "we", "us" or "our") is committed to protecting personal data and handling it fairly, lawfully and transparently. This privacy notice explains how we collect, use, store and share personal data when you visit our website, contact us, become our client, or when we provide accountancy, tax, bookkeeping, payroll, CIS and related professional services.

1. Who we are

Keywhites Limited is a company registered in England and Wales.
Registered office: 26 Grisedale Gardens, Purley, Surrey CR8 1EN
Email: info@keywhites.co.uk
Telephone: 020 8432 2202

For the purposes of the UK GDPR and the Data Protection Act 2018, Keywhites Limited will usually be the controller of the personal data covered by this notice.

2. The personal data we may collect

Depending on your relationship with us, we may collect and use the following categories of personal data:

• Identity and contact details, such as names, home or business address, email address and telephone number
• Business information, including business name, company registration details, VAT number and details of directors, shareholders or beneficial owners
• Tax and financial information, including accounting records, invoices, receipts, bank details, tax references, payroll information, pension information, VAT data, CIS data and other information needed to prepare accounts, returns and filings
• Proof of identity and address and other due diligence information collected for anti-money laundering, fraud prevention and compliance purposes
• Communication records, including emails, messages, call notes and instructions you give us
• Information relating to employees, workers or contractors where this is required for payroll, pension, CIS or related services
• Website and technical information, such as IP address, browser type, device information and information about how you use our website

3. How we collect personal data

We may collect personal data:

• Directly from you
• From your business, employer, fellow directors, shareholders, staff or representatives
• From records, documents and software you provide to us
• From HMRC, Companies House, banks, pension providers, software platforms or other third parties where you have authorised this or where it is lawful for us to do so
• When you contact us through our website, by telephone, by email, by post or through messaging services such as WhatsApp
• Automatically through your use of our website, including through cookies and similar technologies where used

4. How we use personal data and our lawful bases

We use personal data for the following purposes and rely on one or more of the following lawful bases under the UK GDPR:

• To respond to enquiries, discuss potential services and onboard new clients
  Lawful basis: taking steps at your request before entering into a contract, and our legitimate interests in running and developing our business.
• To provide accountancy, bookkeeping, VAT, payroll, CIS, tax, advisory and related services
  Lawful basis: performance of a contract, and where relevant our legitimate interests in delivering services efficiently and maintaining service quality.
• To verify identity, carry out customer due diligence, prevent fraud and comply with professional, legal and regulatory obligations
  Lawful basis: compliance with a legal obligation and, where relevant, our legitimate interests in protecting our practice and clients from fraud and financial crime.
• To submit information to HMRC, Companies House and other authorities, regulators or bodies where required or authorised
  Lawful basis: compliance with a legal obligation, performance of a contract, or our legitimate interests, depending on the context.
• To manage our business operations, including invoicing, record keeping, complaints handling, file reviews, training, insurance, IT support, security, backup, business continuity and debt recovery
  Lawful basis: our legitimate interests and, where relevant, compliance with legal obligations.
• To administer and improve our website, monitor security and troubleshoot technical issues
  Lawful basis: our legitimate interests in operating a secure and effective website.

We do not sell personal data.

5. Who we may share personal data with

We may share personal data where appropriate and lawful with:

• HMRC, Companies House and other public authorities, regulators, law enforcement agencies or courts
• Banks, lenders, pension providers and other third parties where you ask us to deal with them on your behalf
• Our professional advisers, insurers and auditors
• Software providers and platforms we use to deliver our services, such as cloud accounting, document management, payroll, tax, bookkeeping, communications and practice management systems. These may include providers such as Microsoft (for email and cloud storage services including OneDrive), secure backup providers such as Backblaze, and other technology providers supporting the operation and security of our systems.
• Subcontractors and outsourced service providers who help us deliver services or run our practice, for example outsourced bookkeeping support, payroll support, tax return preparation support, administrative support, document processing, IT support, hosting, backup, cyber security and other operational support
• Third-party communication providers where you choose to communicate with us through those services
• Any successor business, purchaser or professional adviser in connection with a merger, acquisition, restructuring or sale of all or part of our business

Where we use subcontractors or outsourcers to process personal data on our behalf, we require them to keep the data confidential, act only on our instructions where applicable, implement appropriate security measures, and meet applicable data protection obligations.

6. International transfers

Some of our service providers, subcontractors, outsourcers or communication platform providers may process personal data outside the UK. Where we make or authorise such transfers, we will take steps to ensure that personal data is protected and transferred lawfully, for example by relying on UK adequacy regulations or appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms recognised under UK data protection law.

7. Anti-money laundering and compliance checks

As an accountancy practice, we may be required to verify identity, obtain proof of address, identify beneficial owners, carry out customer due diligence and keep records for anti-money laundering, fraud prevention and compliance purposes. This may involve checking information you provide against electronic verification sources or obtaining information from third parties where lawful.

8. How long we keep personal data

We keep personal data only for as long as reasonably necessary for the purpose for which it was collected and to meet our legal, regulatory, tax, accounting, insurance and professional obligations.

As a general guide, we will usually retain core client engagement records and working papers for up to 6 years after the end of the relevant tax year, accounting period or business relationship, and sometimes longer where we are required to do so by law, regulation, anti-money laundering requirements, limitation periods, insurance requirements, complaints handling or where there is an ongoing dispute or investigation.

Different retention periods may apply to different categories of information.

9. Website, cookies and third-party services

Our website may use cookies and similar technologies and may include or link to third-party content, tools or services. These technologies may collect technical information about your device and browsing activity.

Some cookies or similar technologies may be strictly necessary for the operation of the website, while others may be used for functionality, analytics, embedded content or security. Where required, we will ask for your consent before using non-essential cookies or similar technologies.

Third-party providers may have their own privacy notices and cookie practices, and we encourage you to review them.

10. Data security

We use appropriate technical and organisational security measures to protect personal data from unauthorised access, loss, misuse, alteration or disclosure. These measures may include access controls, secure systems, encrypted storage and backups, strong authentication controls, password management, staff confidentiality obligations and procedures for handling data securely.

However, no transmission of data over the internet or method of electronic storage is completely secure, so we cannot guarantee absolute security. Where appropriate, we also use multi-factor authentication and other security measures to further protect access to systems containing personal data.

11. Your rights

Subject to applicable law, you may have the right to:

• Request access to your personal data
• Request correction of inaccurate or incomplete personal data
• Request erasure of personal data
• Request restriction of processing
• Object to processing based on legitimate interests
• Request transfer of certain personal data to you or another provider
• Withdraw consent where we rely on consent
• Complain to the Information Commissioner’s Office (ICO)

These rights are not absolute and may not apply in every case, particularly where we need to retain or use personal data to comply with legal or regulatory obligations or to establish, exercise or defend legal claims.

12. How to contact us or make a complaint

If you have any questions about this privacy notice or the way we handle personal data, please contact:

Keywhites Limited
26 Grisedale Gardens, Purley, Surrey CR8 1EN
Email: info@keywhites.co.uk
Telephone: 020 8432 2202

You also have the right to complain to the Information Commissioner’s Office if you believe your personal data has been handled unlawfully.

13. Changes to this privacy notice

We may update this privacy notice from time to time. Any changes will be posted on this page and will take effect when published. Please check this page regularly for the latest version.