Last updated: 26 May 2026

This policy explains how NDCA Ltd (“NDCA”, “we”, “us”), collects and uses personal data. It applies to visitors to nd-ca.co.uk and to clients, prospective clients, and anyone who contacts us.

Please read it carefully.

Who we are

NDCA Ltd is a company registered in England and Wales.

  • Company number: 15121110
  • Registered office: Suite 100 Unit 2, 94a Wycliffe Road, Northampton, England, NN1 5JF
  • ICO registration number: ZB890339
  • Our principal accountant is a member of the Association of Chartered Certified Accountants (ACCA), and the practice operates under ACCA’s anti-money laundering supervision

We are the data controller for the personal data described in this policy. This means we determine the purposes for which, and the manner in which, your data is processed. Contact us about data protection at info@nd-ca.co.uk or 01903 968618.

Scope

This policy applies only to NDCA’s processing of personal data through nd-ca.co.uk and in the course of providing our services. It does not extend to other websites we may link to, including social media platforms. You should read the privacy policy of any third-party site before using it.

What personal data we collect

From website visitors

  • Information you submit through contact forms (name, email, phone, business name, message content)
  • Cookies and similar technologies (see our cookie policy)
  • Server logs (IP address, browser type, pages visited)

From clients and prospective clients

  • Identification and verification data required for anti-money laundering checks (passport or driving licence, proof of address, date of birth, nationality)
  • Contact details and business information
  • Financial records, tax information, payroll data, and supporting documents needed to deliver our services
  • Bank details where needed for payments or direct debits
  • Information about directors, shareholders, beneficial owners, and employees of corporate clients

From third parties

  • Companies House and HMRC records
  • Credit reference and identity verification providers (used for AML checks)
  • Your previous accountant on professional clearance
  • Referrals (where someone introduces you to us)

How we collect data

We collect data in two ways: information you give us directly (through the website, by email, by phone, by post, during onboarding, or in the course of delivering services) and information collected automatically when you visit the site (IP address, browsing activity, cookie data).

Why we use your data and our lawful basis

Purpose Lawful basis
Responding to enquiries through the website or by email Legitimate interests (responding to your request)
Delivering accountancy, tax, bookkeeping, and payroll services Contract
Anti-money laundering and know-your-client checks Legal obligation (Money Laundering Regulations 2017)
Filing returns and reports with HMRC, Companies House, and other authorities Legal obligation
Sending invoices and collecting payment Contract
Keeping accounting and tax records Legal obligation
Sending service updates and occasional marketing to existing clients Legitimate interests (you can opt out at any time)
Marketing to prospective clients who have opted in Consent
Website analytics and improving the site Consent (via cookie banner)

Marketing

We will only send you marketing emails where we have a lawful basis to do so.

  • Existing clients: we may send you information about our services under the “soft opt-in” — you can opt out at any time using the unsubscribe link in any email or by emailing info@nd-ca.co.uk.
  • Prospective clients: we will only send marketing emails where you have explicitly opted in (for example, by ticking a consent box on a form).

You can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Who we share data with

We share personal data only where needed:

  • HMRC and Companies House — for filings, returns, and statutory submissions
  • Cloud accounting and practice software — Xero, QuickBooks, and FreeAgent (your data is held on their systems on our behalf)
  • Identity verification providers — for AML checks
  • Our professional indemnity insurer and ACCA — where required by our regulator or in connection with a claim
  • Payment processors and our bank — for invoicing and payments
  • IT and hosting providers — including our website host and email provider
  • Professional advisors — solicitors or specialist tax advisors, only where you have agreed
  • Relevant authorities — where required by law, including for the detection of crime, anti-money laundering, or collection of taxes and duties

We do not sell personal data. We do not share it for third-party marketing.

International transfers

Some of our software providers (including Xero, QuickBooks, FreeAgent, and our email provider) may process data outside the UK. Where this happens, transfers are covered by the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK Addendum, or an adequacy decision.

How long we keep data

  • AML and client identification records: 5 years after the end of the client relationship
  • Accounting and tax records: 7 years (HMRC requirement for most records; longer for some company records)
  • Payroll records: 6 years
  • Website enquiries that don’t become clients: 24 months
  • Marketing data: until you opt out
  • Server logs: 30 days

Even after deletion, data may persist on backup or archival media for a limited period for legal, tax, or regulatory reasons.

Security

We use technical and organisational measures to protect your data, including encrypted storage, multi-factor authentication on practice systems, and access controls limited to staff who need the data. Despite this, no system is completely secure. If you suspect misuse, loss, or unauthorised access to your data, email info@nd-ca.co.uk immediately. If a breach affects your data, we will notify you and the ICO where the law requires.

For general advice on protecting your information online, the government-backed service Get Safe Online is a useful resource.

Your rights

Under UK GDPR you have the right to:

  • Access — ask for a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate or incomplete data
  • Erasure — ask us to delete your data, subject to legal retention requirements above
  • Restriction — ask us to limit how we use your data
  • Portability — ask us to transfer your data to another provider
  • Object — object to our use of your data, including where we rely on legitimate interests
  • Withdraw consent — where consent is the lawful basis, withdraw it at any time

To exercise any of these rights, email info@nd-ca.co.uk. We will respond within one month. There is no fee unless the request is manifestly unfounded or excessive.

If you are not satisfied with how we handle your complaint, you can refer it to the Information Commissioner’s Office: ico.org.uk, 0303 123 1113.

Please keep us informed if your details change so the data we hold stays accurate.

The site may link to other websites. We have no control over those sites and are not responsible for their content or privacy practices. This policy does not extend to them.

Changes of business ownership

We may from time to time expand, restructure, or sell parts of the business. Where relevant, personal data may be transferred as part of that change. Any new owner will be bound by this policy in relation to data originally provided to us, and we will take reasonable steps to protect your privacy through any such transition. We may also disclose data to a prospective purchaser as part of due diligence, subject to confidentiality.

General

You may not transfer your rights under this policy to anyone else. We may transfer our rights where we reasonably believe your rights will not be affected.

If any part of this policy is found by a court to be invalid or unenforceable, the rest of the policy will continue to apply.

A delay or failure to enforce any right under this policy is not a waiver of that right.

This policy is governed by the law of England and Wales. Disputes are subject to the exclusive jurisdiction of the courts of England and Wales.

Changes to this policy

We may update this policy from time to time, or as required by law. The “last updated” date at the top will change. Material changes will be notified by email to active clients. We encourage you to review the policy periodically.

Contact

Questions or requests relating to this policy: info@nd-ca.co.uk.