Last updated 22 May 2018

This notice applies across all websites that we own and operate and all services we provide, including our online and mobile accounting services products, and any other apps or services we may offer (for example, events or training). For the purpose of this notice, we’ll just call them our ‘services’.

The notices describe how we collect and use personal data about you, in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act (2018) and any other national implementing laws, regulations and secondary legislation.

We may need to update this notice from time to time. Where a change is significant, we’ll make sure we let you know– usually by sending you an email. You can read the whole notice below.

Who are ‘we’?

When we refer to ‘we’ (or ‘our’ or ‘us’), that means Exchange Accountancy Services Limited and all its wholly owned subsidiaries. Our registered office is 2nd Floor Murray’s Exchange, 1 Linfield Road, Belfast, Northern Ireland, BT12 5DR.

We are a general accountancy practice offering accounting and taxation services to small business across the UK and Ireland.  We are registered in Northern Ireland as a limited company under number NI608120

For European Union data protection purposes, when we act as a controller in relation to your personal data, Exchange Accountancy Services Limited (company number NI608120) is our representative in the European Union.

We have appointed a Data Protection Officer and a Data Protection Point of Contact.  The Data Protection Officer has overall responsibility for Data Protection and the Data Protection Point of Contact is responsible for assisting with enquiries in relation to this privacy notice or our treatment of your personal data.  Should you wish to contact our Data Protection Point of Contact you can do so using the contact detailed noted in this policy.

Exchange Accountancy Services Limited is committed to safeguarding the privacy of personal data.  This Privacy Policy provides detailed information on when and why we collect your personal information, how we use it, the limited conditions under which we may disclose it to other and how we keep it secure.

Our principles of data protection

Our approach to data protection is built around four key principles. They’re at the heart of everything we do relating to personal data.

Transparency: We take a human approach to how we process personal data by being open, honest and transparent.

Enablement: We enable connections and efficient use of personal data to empower productivity and growth.

Security: We champion industry leading approaches to securing the personal data entrusted to us.

Stewardship: We accept the responsibility that comes with processing personal data.

Types of personal data

When we say ‘personal data’ we mean identifiable information about you. If you can’t be identified (for example, when personal data has been aggregated and anonymised) then this notice doesn’t apply.

Identity data: includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth nationality, national insurance number, Unique taxpayer reference number and gender.

Contact data: includes billing address, main address, service address, home address, email address, telephone numbers, fax numbers.

Financial data: includes bank account and payment card details

Transaction data: includes details about payments to and from you and other details od services you have purchased from us, details of any services you have received form us, our correspondence and communications with you along with information about any complaints and enquiries you make to us.

Technical data: includes internet protocol (IP) address and other technology on the devices you use to access the website.

Marketing and Communications data: includes your preferences in receiving marketing form us.

Other data: includes information we receive from other sources, such as publicly available information, information provided by your employer or our clients.

We do not collect any  Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data) unless we have your explicit consent to do so.  Nor do we collect any information about criminal convictions and offences.

If you fail to provide personal data we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services).  In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at the time.

How we collect your data

When you visit our websites or use our services, we collect personal data. The ways we collect it can be broadly categorised into the following:

Information you provide to us directly: When you visit or use some parts of our websites and/or services we might ask you to provide personal data to us. If you don’t want to provide us with personal data, you don’t have to, but it might mean you can’t use some parts of our websites or services.

We receive various forms of communication from you such as emails, phone calls, text messages, faxes, social media and uploads via our online portal Open space.  We may collate this information and save it our internal database as it may be of relevance to services that we are completing and providing to you as part of our ongoing engagement of services with you or your employer

Information we collect automatically: We collect some information about you automatically when you visit our websites or use our services, like your IP address and device type. We also collect information when you navigate through our websites and services, including what pages you looked at and what links you clicked on. This information is useful for us as it helps us get a better understanding of how you’re using our websites and services so that we can continue to provide the best experience possible.

Some of this information is collected using cookies and similar tracking technologies.

Information we get from third parties: The majority of information we collect, we collect directly from you.  Sometimes we might collect personal data about you from other sources, such as publicly available materials or trusted third parties like Financial Advisors, HM Revenue & Customs, Banks.  We use this information to supplement the personal data we already hold about you, in order to better inform, personalise and improve our services, and to validate the personal data you provide.

Where we collect personal data, we’ll only process it:

  • to perform a contract with you, or your employer, or our clients. This may include processing your personal data where you are an employee, subcontractor, supplier or customer of our client, or
  • where we have legitimate interests to process the personal data and they’re not overridden by your rights and freedoms, this includes processing for marketing, business development, statistical and management purposes, or
  • in accordance with a legal obligation, or
  • where we have your consent.

If we don’t collect your personal data, we may be unable to provide you with all our services, and some functions and features on our websites may not be available to you.

How we use your data

First and foremost, we use your personal data in order to carry out obligations arising from any agreements entered into between you, or your employer, our clients and us (which will most usually be for the provision of our services).  It also includes carrying out our obligations arising from any agreements entered into between our clients and us (which will most usually be for the provision out our services) where you may be a subcontractor, supplier or customer of our client.

We also use your personal data for other purposes, which may include the following:

To communicate with you. This may include:

  • providing you with information you’ve requested from us (for example year end accounts, payslips for your employees, personal tax returns etc) or information we are required to send to you
  • operational communications, like changes to our websites and services, security updates, or assistance with using our websites and services
  • marketing communications (about Exchange or another product or service we think you might be interested in) in accordance with your marketing preferences
  • asking you for feedback or to take part in any research we are conducting (which we may engage a third party to assist with).

To support you: This may include assisting with the resolution of accounting or taxation issues or other issues relating to your business in general.

To enhance our websites and services and develop new ones: For example, by tracking and monitoring your use of websites and services so we can keep improving, or by carrying out technical analysis of our websites and services so that we can optimise your user experience and provide you with more efficient tools.

To protect: So that we can detect and prevent any fraudulent or malicious activity, and make sure that everyone is using our websites and services fairly and in accordance with our terms of use.

To market to you: We may send you marketing communications to you such as newsletters, details of service offerings we feel may interest you, charitable issues, events, latest news etc…

How we can share your data

There will be times when we need to share your personal data with third parties. We will only disclose your personal data to:

  • other companies in the Exchange group of companies
  • subcontractors and service providers such as IT (and cloud) services, occasional professional advisory services and subcontractors in completing certain engaged compliance services
  • financial institutions such as banks, financial advisors and lenders only where you have given written permission by email, letter or fax to do so (for example in the application of a personal mortgage or an annual review carried out by your bank.
  • regulators, law enforcement bodies, government agencies, courts or other third parties where we think it’s necessary to comply with applicable laws or regulations, or to exercise, establish or defend our legal rights. Where possible and appropriate, we will notify you of this type of disclosure
  • an actual or potential buyer (and its agents and advisors) in connection with an actual or proposed purchase, merger or acquisition of any part of our business
  • other people where we have your consent.

All of our third-party service providers are required to take commercially reasonable and appropriate security measures to protect your personal data.  We only permit our third-party service provider to process your personal data for specified purposes and in accordance with our instructions.

International Data Transfers

When we share data, it may be transferred to, and processed in, countries other than the country you live in, where our data hosting provider’s servers are located. These countries may have laws different to what you’re used to. Rest assured, where we disclose personal data to a third party in another country, we put safeguards in place to ensure your personal data remains protected.

For individuals in the European Economic Area (EEA), this means that your data may be transferred outside of the EEA. Where your personal data is transferred outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data, or to a third party where we have approved transfer mechanisms in place to protect your personal data – i.e., by entering into the European Commission’s Standard Contractual Clauses, or by ensuring the entity is Privacy Shield certified (for transfers to US-based third parties). For further information, please contact us using the details set out in the Contact us section below.


Security is a priority for us when it comes to your personal data. We’re committed to protecting your personal data.  We have put in place commercially reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.  They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.


The length of time we keep your personal data depends on what it is and whether we have an ongoing business need to retain it (for example, to provide you with a service you’ve requested or to comply with applicable legal, tax or accounting requirements).

We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected.  When assessing what retention period is appropriate for your personal data, we take into consideration:

  • the requirements of our business and the services provided;
  • any statutory or legal obligations;
  • the purposes for which we originally collected the personal data;
  • the lawful grounds on which we based our processing;
  • the types of personal data we have collected;
  • the amount and categories of your personal data; and
  • whether the purpose of the processing could reasonably be fulfilled by other means

Following that period, we’ll make sure it’s deleted or anonymised.

Your rights

It’s your personal data and you have certain rights relating to it. When it comes to marketing communications, you can ask us not to send you these at any time – just follow the unsubscribe instructions contained in the marketing communication, or send your request to

You also have rights to:

  • know what personal data we hold about you, and to make sure it’s correct and up to date
  • request a copy of your personal data, or ask us to restrict processing your personal data or delete it
  • object to our continued processing of your personal data

You can exercise these rights at any time by sending an email to

If you’re not happy with how we are processing your personal data, please let us know by sending an email to We will review and investigate your complaint and try to get back to you within a reasonable time frame. You can also complain to your local data protection authority. They will be able to advise you how to submit a complaint.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights).  However, we may charge a reasonable fee if your request for access is clearly excessive. Alternatively, we may refuse to comply with the request in such circumstances.

How to contact us

We’re always keen to hear from you. If you’re curious about what personal data we hold about you or you have a question or feedback for us on this notice, our websites or services, please get in touch.

As a cloud-based accounting practice, we prefer to communicate with you by email – this ensures that you’re put in contact with the right person, and in accordance with any regulatory time frames.

Our email is

Our Data Protection Officer is Gary Laverty, Director who may be contacted by email: , or contact Gary at the following:


Address: F.A.O Data Protection Officer

Exchange Accountancy Services Limited

 2nd Floor Murray’s Exchange

 1 Linfield Road


 BT12 5DR


Telephone: 028 9040 7470