Home About Us Services Testimonials Contact
Data Protection Notice

Privacy Policy

How Santra Ltd collects, uses, stores, shares, and protects your personal data — in line with UK GDPR, the DPA 2018, PECR and the Data (Use and Access) Act 2025.

Version 2.0 Effective from 1 August 2026 Next review 1 July 2027

This policy explains how Santra Ltd collects, uses, stores, shares, and protects your personal data. Please read it carefully.

Section 01

Introduction and Who We Are

Santra Ltd ("we", "our", "us") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data in accordance with:

  • the UK General Data Protection Regulation (UK GDPR)
  • the Data Protection Act 2018 (DPA 2018)
  • the Privacy and Electronic Communications Regulations 2003 (PECR)
  • the Data (Use and Access) Act 2025 (DUAA 2025), which amends the UK GDPR, the DPA 2018, and PECR
  • applicable guidance issued by the Information Commissioner's Office (ICO)

We are registered with the ICO as a data controller under registration number ZB674841. For the purposes of the UK GDPR, we act as the data controller in respect of your personal data.

Firm Details

Santra Ltd

Summit House, 4–5 Mitchell Street, Edinburgh, Scotland, EH6 7BD

Company Registration: SC404716

ICO Registration: ZB674841

This policy applies to clients, prospective clients, suppliers, website visitors, and other individuals whose personal data we process. Please read this policy carefully.

Section 02

Personal Data We Collect

We may collect and process the following categories of personal data:

2.1 Identity and Contact Information

  • Full name, title, and date of birth
  • Home and business addresses
  • Email addresses and telephone numbers
  • National Insurance number and Unique Taxpayer Reference (UTR)
  • Passport, driving licence, or other government-issued ID (for AML and KYC purposes)

2.2 Financial and Tax Data

  • Income details, employment records, and bank account information
  • Details of business activities, financial statements, and accounting records
  • Tax returns, HMRC correspondence, and VAT records
  • Details of assets, liabilities, pensions, and investments

2.3 Business Information

  • Company registration details and directorship information
  • Payroll and employee data (where we provide payroll services)
  • Details of business transactions and corporate structures

2.4 Special Category Data

In limited circumstances (for example, where relevant to tax claims or benefits), we may process special category data such as health information. We will only process special category data where a condition under Article 9 of the UK GDPR applies, for example your explicit consent, or where the processing is necessary for the establishment, exercise, or defence of legal claims.

2.5 Website and Communication Data

  • IP addresses and browser type when you visit our website
  • Email and telephone communication records

2.6 If You Do Not Provide Your Personal Data

Where we need to collect personal data by law, or under the terms of our engagement with you, and you do not provide that data when we ask for it, we may be unable to provide the services you have requested, or we may be prevented from meeting our legal and regulatory obligations, including our obligation to verify your identity for anti-money-laundering purposes. Where this is the case, we will tell you and explain the effect.

Section 03

How We Collect Your Personal Data

We collect personal data through the following means:

  • Directly from you, when you engage our services, complete onboarding forms, sign engagement letters, or contact us
  • From third parties, including HMRC, Companies House, your employer, other professional advisers, and credit reference agencies
  • Publicly available sources, such as Companies House, the Electoral Roll, and HMRC databases
  • Our website, through enquiry forms
Section 04

Lawful Basis for Processing

Under the UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out the purposes for which we process your data and our lawful basis for doing so:

Purpose of Processing Type of Data Lawful Basis
Providing accounting, tax, and advisory services Identity, financial, tax data Contract (Art. 6(1)(b)) and Legal Obligation (Art. 6(1)(c))
Compliance with HMRC, Companies House, and AML obligations Identity, financial, KYC data Legal Obligation (Art. 6(1)(c))
Managing client accounts and billing Identity, financial, contact data Contract (Art. 6(1)(b))
Marketing and business development (existing clients) Identity, contact data Legitimate Interests (Art. 6(1)(f))
Marketing to prospective clients Identity, contact data Consent (Art. 6(1)(a))
Preventing fraud and financial crime Identity, financial data Legal Obligation and Legitimate Interests
Improving our services and internal training Anonymised or pseudonymised data Legitimate Interests (Art. 6(1)(f))

Where we rely on legitimate interests as our lawful basis, we carry out a Legitimate Interests Assessment (LIA) to check that your interests and rights do not override our own. For a limited set of activities, such as detecting, investigating, or preventing crime, we may rely on the recognised legitimate interests basis introduced by the Data (Use and Access) Act 2025, where a separate balancing assessment is not required. We do not rely on that basis for direct marketing, which continues to require an assessment of your interests and rights.

Section 05

Anti-Money Laundering and Legal Obligations

As a regulated accountancy firm, we are subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and the Proceeds of Crime Act 2002 (POCA 2002). As a result:

  • We are legally required to verify your identity and the identity of beneficial owners of businesses (Know Your Customer, or KYC, checks)
  • We must retain copies of identity documents for a minimum of five years after the end of our relationship with you
  • We may be required to file Suspicious Activity Reports (SARs) with the National Crime Agency (NCA) without notifying you (the 'tipping off' prohibition under POCA 2002 s.333A)

These obligations take precedence over normal confidentiality duties and override your rights to erasure or restriction of processing in respect of AML-related records.

Section 06

How We Use Your Personal Data

We use your personal data for the following purposes:

  • Delivering accounting, bookkeeping, tax preparation and filing, payroll, audit, and advisory services
  • Preparing and submitting tax returns, VAT returns, and statutory accounts to HMRC and Companies House
  • Fulfilling legal and regulatory obligations, including AML checks and reporting
  • Communicating with you about your matters, including sending letters, emails, and invoices
  • Processing payments and managing our client accounts
  • Sending relevant updates on tax law changes, deadlines, and regulatory developments
  • Improving our services and staff training (using anonymised data where possible)
  • Protecting against fraud, financial crime, and cybersecurity threats
Section 07

Sharing Your Personal Data

We do not sell your personal data. We may share your data with:

7.1 Regulatory and Government Bodies

  • HM Revenue & Customs (HMRC)
  • Companies House
  • The National Crime Agency (NCA), where required under AML legislation
  • The Information Commissioner's Office (ICO)

7.2 Professional Third Parties

  • Other professional advisers (solicitors, financial advisers) where you have engaged them jointly
  • Barristers, tax counsel, or other specialists where instructed on your behalf

7.3 Technology and Service Providers

We use, or may use, the following providers, whose software and services support the delivery of our work:

  • Cloud accounting and bookkeeping software (e.g. Xero, QuickBooks)
  • Payroll software (e.g. Staffology)
  • Cloud storage, email, productivity, and AI-enabled tools (e.g. Microsoft, including Microsoft Copilot under an enterprise subscription)
  • File storage and sharing platforms (e.g. Dropbox, OneDrive, SharePoint, Google Drive)
  • Website hosting (e.g. GitHub, Wix)
  • Other cloud and productivity services (Google)

We require any third party that processes personal data on our behalf to be bound by a data processing agreement, under which they are contractually required to keep your data secure, to act only on our instructions, and to use it only for specified purposes.

Section 08

International Data Transfers

Your personal data is stored within our managed cloud environment, and is hosted and backed up on servers located in the United Kingdom and the European Economic Area. We do not routinely transfer your personal data outside the United Kingdom.

Some of the providers we use are international companies, and their staff may access data from outside the United Kingdom in limited circumstances, for example to provide technical support. Where this happens, the transfer is covered by appropriate safeguards, which may include:

  • Adequacy regulations made under the UK GDPR (for example, transfers to EU and EEA countries covered by UK adequacy regulations)
  • International Data Transfer Agreements (IDTAs) approved by the ICO
  • Binding Corporate Rules (BCRs) where applicable
Section 09

Data Retention

We retain your personal data only for as long as is necessary for the purposes for which it was collected, taking into account legal and regulatory obligations. Our standard retention periods are:

  • Client files and engagement records: 6 years from the end of the relevant tax year or engagement (in line with HMRC statutory time limits)
  • AML and KYC identity documents: 6 years from the end of the business relationship (MLR 2017, Regulation 40)
  • VAT records: 6 years (VATA 1994, Schedule 11)
  • Payroll records: 6 years from the end of the tax year to which they relate (Income Tax (Pay As You Earn) Regulations 2003)
  • Company accounts and statutory records: 6 years from the end of the financial year (Companies Act 2006, s.388)
  • Email and correspondence: 6 years from the date of the last relevant communication

Records may be retained for longer periods where required by law, ongoing litigation, or regulatory investigation. At the end of the applicable retention period, data is securely deleted or anonymised.

Section 10

Your Rights Under UK GDPR

Under the UK GDPR and the DPA 2018, as amended by the Data (Use and Access) Act 2025, you have the following rights in relation to your personal data:

10.1 Right of Access (Subject Access Request, or SAR)

You have the right to request a copy of the personal data we hold about you. We will respond within one calendar month of receiving your request. We may extend this by up to two further months where your request is complex or where you have made a number of requests, and we will tell you if this applies.

We may ask you for information to confirm your identity, or to help us locate the data you have asked for, where we reasonably need it. Where we do, the one-month period does not begin, or is paused, until we receive that information. When we respond to a request, we carry out a search that is reasonable and proportionate to locate your data.

10.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data we hold about you.

10.3 Right to Erasure ('Right to be Forgotten')

You may request deletion of your personal data where it is no longer necessary for the purpose it was collected, where you withdraw consent, or where it has been unlawfully processed. This right does not apply where we are required to retain data by law, for example anti-money-laundering records and tax records.

10.4 Right to Restriction of Processing

You may request that we restrict processing of your data in certain circumstances, such as where you contest its accuracy, or where processing is unlawful but you do not want erasure.

10.5 Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you may request that we provide your data in a structured, commonly used, and machine-readable format.

10.6 Right to Object

You may object to processing based on legitimate interests, or to processing for direct marketing purposes, at any time. Where you object to direct marketing, we will stop using your data for that purpose. Where you object to other processing based on legitimate interests, we will stop unless we can demonstrate compelling legitimate grounds that override your interests.

10.7 Rights Relating to Automated Decision-Making

You have rights in relation to decisions made about you that are based solely on automated processing, meaning processing with no meaningful human involvement, where those decisions produce legal effects or similarly significant effects. We do not currently make decisions of this kind about you. If this changes, we will update this policy and put appropriate safeguards in place, including telling you about the decision, allowing you to make representations, and enabling you to obtain human involvement and to contest the decision.

10.8 Right to Withdraw Consent

Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of any processing we carried out before you withdrew it. To withdraw consent, please contact us using the details in Section 14.

To exercise any of these rights, please contact our Data Protection Lead (see Section 14). We may need to verify your identity before processing your request. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.

Section 11

Data Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or alteration. These measures include:

  • All client data is held within our managed Microsoft cloud environment, and is hosted and backed up on servers in the United Kingdom and the European Economic Area
  • Encryption of data in transit and at rest
  • Individual named user accounts, protected by multi-factor authentication (MFA)
  • Access to client information is limited to our staff, who are bound by professional duties of confidentiality, and who access client information only where it is necessary for their work
  • Documents we receive electronically are saved to our managed cloud storage, and are not saved to personal devices
  • Sensitive documents are shared using secure links from our managed cloud storage, rather than as email attachments
  • Our staff are made aware of their data protection and confidentiality responsibilities

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it (UK GDPR, Art. 33) and will notify you where required (Art. 34).

Section 12

Cookies

A cookie is a small text file that is placed on your device when you visit a website. Cookies are commonly used to make a website work, to remember your preferences, or to track how visitors use a site.

Our website is a static website hosted on GitHub. It does not place cookies on your device. We do not use analytics, advertising, or tracking cookies, and we do not use third-party analytics tools to monitor how visitors use our website.

Because we do not set any non-essential cookies, our website does not display a cookie consent banner. You do not need to make any choices about cookies in order to use our website.

If you send us an enquiry through our website, we will collect the details you choose to give us, such as your name, your contact details, and your message, so that we can respond to you. This is explained in Sections 2 and 3 of this policy.

If we introduce analytics or any other non-essential cookies in the future, we will update this policy and put an appropriate consent mechanism in place before those cookies are used.

Section 13

Use of Artificial Intelligence

13.1 How we use AI tools

We use AI-enabled software tools to help us deliver our services, for example to assist with bookkeeping, categorising transactions, looking up information about suppliers and merchants, and preparing documents. The tools we use include Xero JAX and Microsoft Copilot.

Where those tools process your personal data, we apply the following safeguards:

  • We only use AI tools on business or enterprise terms that are covered by a data processing agreement, and we do not put identifiable client information into free or consumer AI tools.
  • A member of our team reviews AI-assisted output before we rely on it. We do not make decisions about you based solely on automated processing, as set out in Section 10.7.
  • Where the use of an AI tool involves transferring personal data outside the United Kingdom, we ensure an appropriate safeguard is in place, as set out in Section 8.
  • AI providers that process personal data on our behalf do so as our processors or sub-processors under data processing agreements.

13.2 AI agents

An AI agent is an AI tool that can carry out a sequence of steps towards a goal, rather than responding to a single instruction. We expect to use them to assist with:

  • identifying and approaching prospective clients
  • arranging and booking client meetings
  • managing client contracts and engagement documents
  • carrying out periodic identity and anti-money-laundering checks
  • preparing and filing Self Assessment tax returns

Where we do use them, a qualified member of our team will review and approve the outcome before we act on it, before anything is sent to you, and before anything is submitted on your behalf.

13.3 If you would prefer us not to use AI

If you would prefer that we did not use AI tools in connection with your work, please contact us and we will discuss the available alternatives with you.

Section 14

Data Protection Lead and Contact Details

We have appointed a Data Protection Lead (DPL) who is responsible for overseeing our compliance with data protection law. If you have any questions about this Privacy Policy, wish to exercise your rights, or have a concern about how we handle your data, please contact:

Data Protection Lead

Prajakta Dudhmande

Santra Ltd

Email: privacy@santra.co.uk

Information Commissioner's Office

ICO

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Website: www.ico.org.uk

If you have a concern about how we handle your personal data, we would welcome the chance to address it, so please contact our Data Protection Lead in the first instance. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time.

Section 15

Changes to This Privacy Policy

We review and update this Privacy Policy periodically to reflect changes in law, our practices, or ICO guidance. Where changes are material, we will notify you by email or by a prominent notice on our website.

The version date at the top of this document indicates when it was last reviewed. We encourage you to review this policy periodically.

This Privacy Policy was last reviewed on 13 July 2026.

Santra Ltd · Company Registration SC404716 · ICO Registration ZB674841