Privacy Notice
Oasis Accountants Limited
Last updated: 18 June 2026 · Version: 1.0
01 Who we are
Oasis Accountants Limited (“Oasis”, “we”, “us”, “our”) is a firm of chartered accountants and tax advisers. We are the controller responsible for your personal data in respect of the services we provide to you, except where we act as a processor on your instructions (see section 4).
- Registered company name: Oasis Accountants Limited
- Company registration number: 08359050 (registered in England and Wales)
- Registered/trading office: Office Gold, Building 7, Floor 5, 566 Chiswick High Road, Chiswick Business Park, London, W4 5YG
- Telephone: 020 3818 9530
- General email: hello@oasisaccountants.co.uk
- ICO data protection fee registration number: ZA029313
Our data protection contact
If you have any questions about this notice or wish to exercise your rights, please contact our data protection lead:
- Email: hello@oasisaccountants.co.uk
- Telephone: 020 3818 9530
- Post: Mr. Prashant Yadav, Oasis Accountants Limited, Office Gold, Building 7, Floor 5, 566 Chiswick High Road, Chiswick Business Park, London, W4 5YG
We are not legally required to appoint a Data Protection Officer, but the contact above is responsible for overseeing our compliance with data protection law.
02 About this privacy notice
This notice explains what personal data we collect about you, how and why we use it, who we share it with, how long we keep it, and the rights you have. It applies to clients, prospective clients, the directors, owners, employees and beneficiaries connected to our clients, our suppliers and contractors, visitors to our website, and applicants for employment.
Please read it alongside any engagement letter or terms of business we have agreed with you, and any separate notice we may give you when we collect data for a specific purpose.
03 The law that applies
We process your personal data in accordance with:
- the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025;
- the Privacy and Electronic Communications Regulations 2003 (PECR), which govern electronic marketing and the use of cookies; and
- our wider legal and regulatory obligations, including the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, the Companies Act 2006, and HMRC tax legislation.
The supervisory authority for data protection in the UK is the Information Commissioner’s Office (ICO).
04 The capacities in which we process your data
When providing our services we may act either as:
a) A controller — where we decide the purposes and means of processing. This covers the data we hold to manage our relationship with you, to deliver our services and to meet our own legal and regulatory duties. Most of this notice concerns processing in this capacity.
b) A processor — where we process data on your documented instructions to achieve a purpose you have determined (for example, processing your employees’ payroll data). The terms on which we act as a processor are set out in Appendix A and in our engagement letter, consistent with Article 28 UK GDPR.
05 The personal data we collect
Depending on the services you use, the personal data we process may include:
- Identity and contact data: name, date of birth, gender, address, email addresses and telephone numbers, National Insurance number, Unique Taxpayer Reference, and identification documents such as a passport or driving licence.
- Verification data: information gathered for “know your client” and anti-money laundering checks, including the results of electronic identity, sanctions and politically exposed person (PEP) screening.
- Financial data: bank account and payment details, income, taxes, payroll, pensions, investments, assets and liabilities, and other accounting records.
- Family and beneficiary data: details of spouses, dependants and nominated beneficiaries where relevant to tax, estate or retirement planning work.
- Correspondence and engagement data: records of our communications with you, meeting notes, instructions, and the terms of your contract with us.
- Website and technical data: IP address, device and browser information, and information collected through cookies and similar technologies when you use our website (see section 10).
Special category and criminal offence data
Some of the data we handle is more sensitive. We may process special category data (such as information that could reveal racial or ethnic origin, religious beliefs, health, or trade union or political affiliations — for example where it appears in identity documents or expense records) and criminal offence data (for example adverse-information or sanctions results obtained during due diligence). We only process this data where the law allows and we apply additional safeguards, including an appropriate policy document where required by the Data Protection Act 2018.
06 How we collect your data
We collect personal data:
- Directly from you — in person, by telephone, email or post, through our website forms or client portal (i.e. Microsoft SharePoint), and through documents you provide.
- Automatically — through cookies and analytics when you use our website (see section 10).
- From third parties and public sources — including Companies House, HMRC, the Land Registry, credit reference and fraud prevention agencies, electronic verification and AML screening providers, banks and other financial institutions, your previous advisers, and your employer or the business that engaged us.
Where we ask for data we are required to collect by law or under our engagement, and you do not provide it, we may be unable to act for you.
07 How and why we use your data, and our lawful bases
We only use your personal data where the law permits. The lawful bases we rely on are:
Performance of a contract — Article 6(1)(b). To provide the accounting, tax, payroll and related services you have requested, to take steps before entering into a contract, and to administer our relationship with you (including invoicing and collecting payment).
Legal obligation — Article 6(1)(c). To comply with duties imposed on us, including anti-money laundering checks and record-keeping, tax reporting to HMRC, filings at Companies House, and responding to lawful requests from regulators, courts and government bodies.
Legitimate interests — Article 6(1)(f). For the proper running of our practice where this is not overridden by your rights, including: managing and improving our services; client and quality surveys; record-keeping and good governance; internal administration and group reporting; keeping our systems and premises secure; preventing fraud; and (where lawful) telling you about services that may be relevant to you. Where we rely on legitimate interests we balance our interests against your rights, and you can ask us about that assessment.
Recognised legitimate interests. Following the Data (Use and Access) Act 2025, certain limited activities — such as detecting, investigating or preventing crime and safeguarding — may be carried out as a “recognised legitimate interest.” Where this applies we do not need to complete a separate balancing test, but we still process only what is necessary and remain transparent about it.
Consent — Article 6(1)(a). Where we have asked for and you have given consent, for example for certain marketing or optional processing. You can withdraw consent at any time.
Vital interests — Article 6(1)(d) and public task — Article 6(1)(e) may apply in limited circumstances.
Special category and criminal offence data
Where we process special category data we rely on your explicit consent (Article 9(2)(a)), or on the basis that processing is necessary for the establishment, exercise or defence of legal claims (Article 9(2)(f)), for reasons of substantial public interest (Article 9(2)(g)) — including the prevention and detection of unlawful acts and fraud — or in connection with employment obligations (Article 9(2)(b)). We process criminal offence data under the conditions set out in Schedule 1 to the Data Protection Act 2018, principally for preventing or detecting unlawful acts and meeting our anti-money laundering duties.
08 Anti-money laundering and other regulatory duties
As accountants we are supervised for anti-money laundering purposes by the Association of Chartered Certified Accountants (ACCA) under the Money Laundering Regulations 2017. To meet these duties we must:
- verify your identity and that of beneficial owners and connected persons before and during our engagement, and keep records of those checks;
- monitor transactions and report knowledge or suspicion of money laundering to the National Crime Agency (NCA) where required; and
- where a report is made, comply with the law on “tipping off,” which may prevent us from telling you that a report has been made or why we have taken (or not taken) a particular action.
These obligations override our duty of confidentiality to you and, in limited respects, some of the data subject rights described in section 16.
09 Marketing communications
We may send you newsletters, tax updates and information about our services. Where the law requires it, we will only do so with your consent, and we rely on the “soft opt-in” only where you are an existing client and we are telling you about similar services.
You can opt out of marketing at any time by using the unsubscribe link in any message or by contacting us. Opting out of marketing will not stop service-related communications that we need to send you (for example about your accounts, tax deadlines or our engagement).
10 Cookies and website analytics
Our website uses cookies and similar technologies to make the site work, to remember your preferences, and to understand how the site is used. This includes analytics and advertising tools such as Google and Meta (Facebook) technologies.
Strictly necessary cookies do not require your consent. For analytics and similar non-essential cookies we rely on your consent or, where the Data (Use and Access) Act 2025 permits, on a low-risk basis with the option to opt out. You can manage your choices through our cookie banner and your browser settings. Please see our separate Cookie Policy for the full list of cookies we use and how to control them.
11 Who we share your data with
We do not sell your personal data. We share it only where necessary, including with:
- other companies within the Oasis group;
- HMRC, Companies House and other UK and overseas government bodies and tax authorities;
- our regulators and professional bodies, and the ICO;
- the National Crime Agency and law enforcement, where the law requires;
- our software and service providers acting as our processors — for example Capium (compliance and client portal), Xero (bookkeeping), and Microsoft 365 (email and document storage) — who may only use your data on our instructions;
- credit reference, fraud prevention and electronic identity verification agencies;
- banks, payment providers and, where relevant, pension providers;
- our own legal, professional and IT advisers; and
- courts, and any party where you have consented or where we are required or permitted by law.
We put written contracts in place with our processors requiring them to keep your data secure and to use it only as instructed.
12 Transferring your data outside the UK
(a) We may transfer the personal information we collect about you to a country or countries outside the UK in order to perform our contract with you. There are adequacy regulations in respect of those countries. This means that the country or countries to which we transfer your data are deemed to provide an adequate level of protection for your personal information.
(b) However, to ensure that your personal information does receive an adequate level of protection, we have put in place appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the UK laws on data protection.
13 How long we keep your data
We keep your personal data only for as long as necessary for the purposes described in this notice and to meet our legal and regulatory obligations. In general:
- payment card and similar data is deleted as soon as it is no longer needed;
- tax records are kept for at least six years from the end of the tax year to which they relate (reflecting current HMRC requirements);
- anti-money laundering records are kept for five years after our relationship with you ends; and
- other client records are generally kept for up to six years from the end of our engagement.
We may keep data for longer where needed to deal with queries or potential legal claims, or where the law requires it. When data is no longer required we securely delete or anonymise it.
14 How we keep your data secure
We take the security of your data seriously and maintain appropriate technical and organisational measures. We are Cyber Essentials Plus certified. Our measures include access controls, encryption where appropriate, staff confidentiality obligations and training, secure storage, and procedures to detect, report and investigate any personal data breach. Where a breach is likely to result in a risk to your rights, we will notify the ICO and, where required, you.
15 Automated decision-making and profiling
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without meaningful human involvement. Some tools we use (for example AML screening) flag matters for review, but a person makes the final decision. If we ever introduce solely automated decision-making, we will tell you, explain the logic involved, and — in line with the Data (Use and Access) Act 2025 — give you the ability to make representations, obtain human intervention and challenge the decision.
16 Your rights
Subject to certain conditions and exemptions, you have the right to:
- be informed about how we process your data (this notice);
- access your data and obtain a copy of it;
- have inaccurate data corrected and incomplete data completed;
- have your data erased in certain circumstances (the “right to be forgotten”);
- restrict our processing in certain circumstances;
- object to processing based on our legitimate interests, and to direct marketing at any time;
- data portability — to receive certain data in a structured, commonly used format; and
- rights in relation to automated decision-making and profiling.
To exercise any of these rights, contact our data protection lead (section 1). We will not charge you in most cases, and we will respond within one month. We may ask you to verify your identity, and — as confirmed by the Data (Use and Access) Act 2025 — we may ask you to clarify your request; in that case the time limit may pause until we receive the information we reasonably need. Our searches in response to an access request will be reasonable and proportionate.
17 How to make a complaint
If you are concerned about how we have handled your personal data, please contact our data protection lead (section 1) first so that we can try to put things right. You have the right to complain directly to us, and we will acknowledge your complaint within 30 days, take appropriate steps to resolve it without undue delay, and keep you informed of the outcome.
You also have the right to complain to the ICO at any time:
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: https://ico.org.uk
18 Changes to this notice
We may update this notice from time to time. The current version is always available on our website, and we will tell you about significant changes where appropriate. This version was last updated on the date shown at the top.
Appendix A — Where we act as your data processor
This appendix applies where we process personal data on your instructions as your processor (section 4(b)) — for example data about your employees, contractors or customers that you share with us so that we can carry out a task you determine.
Where you share such data with us, you confirm that:
- you have met your own transparency obligations under Article 13 UK GDPR towards those individuals; and
- you have established and documented a lawful basis for the processing, including (where relevant) for special category data, and have obtained valid consent where you rely on it.
In acting as your processor, and consistent with Article 28 UK GDPR, we will:
- process the data only on your documented instructions, unless required by law to do otherwise;
- ensure that people authorised to process the data are under a duty of confidentiality;
- take appropriate technical and organisational measures to keep the data secure;
- engage sub-processors only with your authorisation and under a written contract imposing equivalent obligations;
- assist you, so far as possible, in responding to individuals exercising their rights;
- assist you with security, breach notification and data protection impact assessments, taking into account the nature of the processing and the information available to us;
- delete or return all personal data to you at the end of the engagement, unless the law requires us to keep it; and
- make available the information needed to demonstrate compliance and submit to audits or inspections.
