Spondoo is strongly committed to protecting your personal data. This Privacy Notice explains how we collect, use, store and share your Personal Data, while also informing you about your rights. This Privacy Notice applies to Personal Data you provide, whether directly or through others. We will only use your Personal Data as described in this Privacy Notice or as otherwise stated at the point of collection.

How have we made our Privacy Notice easier to understand?

To make this Privacy Notice accessible, we’ve included a short glossary below, clarifying some essential data protection terms including those we’ve capitalised throughout this Privacy Notice.

Consent: refers to when an individual gives agreement which is freely given, specific, informed and is an unambiguous indication of their wishes. It is done by a statement or by a clear positive action in respect of the Processing of any Personal Data relating to them.

Criminal Convictions Data: refers to Personal Data relating to criminal convictions and offences and includes Personal Data relating to criminal allegations and proceedings.

Data Controller: refers to an organisation that determines when, why and how to Process Personal Data. It is responsible for establishing policies and procedures in line with Data Protection Laws.

Data Processor: refers to an organisation that Processes Personal Data on behalf of a Data Controller. It is responsible for establishing policies and procedures in line with Data Protection Laws and also its contractual obligations with Data Controllers.

Data Protection Laws: refers to the UK GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any other applicable European Union legislation (such as the General Data Protection Regulation 2016/679) relating to Personal Data. The “UK GDPR” is the retained version of the General Data Protection Regulation 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). The UK GDPR sits alongside the Data Protection Act 2018.

European Economic Area (“EEA”): refers to the 27 countries in the European Union, Iceland, Liechtenstein and Norway.

Legitimate Interest: refers to when an organisation’s interests are legitimate (as they need to do something to operate) and these interests do not override an individual’s interests or fundamental rights and freedoms.

Personal Data: refers to any information identifying an individual or information relating to an individual that an organisation can identify (directly or indirectly) from that data alone or in combination with other identifiers that it Processes. Personal Data includes Special Category Personal Data, Criminal Convictions Data and pseudonymised Personal Data. Further examples of Personal Data are included in section 4 of this Privacy Notice. Personal Data excludes anonymous data or data that has had the identity of an individual permanently removed.

Process or Processing: refers to any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Special Category Personal Data: refers to information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data of an individual.

Key information about our business

Accounting SQL Limited, referred to as “Spondoo”, “we”, “us” and “our” is incorporated in England and Wales and has the registration number of 11318350 and registered address of 13 Vicarage Meadow, Fowey, England, PL23 1DZ.

Data Protection Laws have created the concepts of a Data Controller and a Data Processor. Spondoo acts as a Data Controller which means that we determine the purposes and means of Processing Personal Data. We are supervised by the Information Commissioner’s Office (“ICO”) which is the data protection supervisory authority in England and Wales. Our registration identification with the ICO is ZA793981.

To ensure compliance with Data Protection Laws, we have appointed a Data Protection Officer (“DPO”). Our DPO is responsible for overseeing our data processing activities to ensure that we adhere to the necessary legal requirements. This additional layer of oversight by our DPO enhances our commitment to safeguarding your Personal Data. Our DPO leads our Data Protection Team and can be contacted on info@spondoo.co.uk.

Our approach to data protection compliance

To emphasise our unwavering commitment to safeguarding the confidentiality of your Personal Data, we have established a robust data protection compliance program which includes governance, notices, policies and procedures as well as technical security controls.

Our data protection compliance program is founded on the following fundamental principles:

• Personal Data is processed lawfully, fairly and transparently.
• Personal Data is collected only for specified, explicit and legitimate purposes.
• Personal Data is adequate, relevant and limited to what is necessary for its intended purposes.
• Personal Data is accurate and, when necessary, kept up to date.
• Personal Data is not retained in an identifiable form for longer than required for its designated purposes.
• Personal Data is processed in a manner that ensures its security through suitable technical and organisation measures, guarding against unauthorised or unlawful processing, as well as accidental loss, destruction or damage.

What types of Personal Data do we collect?

We collect, use, store and transfer different kinds of Personal Data depending on our relationship with you. In general, the following categories are collected:

• Identity Data (e.g., first name, maidan name, last name, title, data of birth and marital status).
• Contact Data (e.g., phone number, email address, country of residence, business address and billing address).
• Financial & Transaction Data (e.g., salary, income, investments, benefits, tax residency, bank account details, value added tax numbers, tax code, national insurance number, invoices and payment details).
• Profile Data (e.g., next of kin, family dependents, information professional experience, agreements you have entered into with us such as our terms and conditions).
• Technical Data (e.g., internet protocol addresses, browser type and version, time zone settings and location).
• Usage Data (e.g., information about how you use our website).
• Special Category Data (e.g., information about your racial or ethnic origin, sexual orientation and mental and physical health).
• Communications & Marketing Data (e.g., your preferences in respect of cookies and marketing).

We also collect, use and share “Aggregated Data”. This type of data is gathered for purposes such as research and analysis. Aggregated Data might be created from your Personal Data but is not considered as such under Data Protection Laws. This is because Aggregated Data, by itself, doesn’t reveal your identity directly or indirectly. For instance, we might use your Usage Data to figure out what percentage of users access a specific website feature. However, if we ever combine or link Aggregated Data with your Personal Data in a way that it can identify you, we’ll treat this combined data as Personal Data which will be used in accordance with this Privacy Notice.

Who are the people that we collect Personal Data on?

Website users

We collect Technical Data and Usage Data for tracking purposes. We also collect Identity Data, Contact Data and Communications & Marketing Data (if you decide to get in touch with us).

We collect this data as you interact with our website, we automatically collect this data about you by using cookies and similar technologies (please see our Cookies Notice). We also collect this data through our direct interactions with you such as when you contact us through our website.

Our legal grounds for Processing are one or more of the following:

• Consent (i.e., in that you are choosing to provide us with your details so that we can contact you).
• Legitimate Interest (i.e., it is necessary for our Legitimate Interests in running and developing our business including our marketing strategy).
• Legal obligation (i.e., it is necessary for our us to comply with a legal obligation such as in the instance where you no longer wish to be contacted for direct marketing purposes).

Applicants

We collect Technical Data and Usage Data (for tracking purposes). We collect Communications & Marketing Data. We also collect Identity Data, Contact Data and Profile Data (for when you submit your application to us).

We collect some Special Category Personal Data about you (such as information about your health where you are an applicant, and we are required to put in place reasonable adjustment for your interview). We only collect this type of Personal Data when we have a legal ground in which to do so (i.e., you have given us your Consent and chosen to provide us with this data). If your application is successful, we carry out pre-employment screening checks as part of our onboarding process. We may collect Criminal Convictions Data in the employment context where we are permitted by law to do so when completing background checks.

We collect this data as you interact with our website, we automatically collect this data about you by using cookies and similar technologies (please see our Cookies Notice). We also collect this data through our direct interactions with you and third parties (such as through background check providers).

Our legal grounds for Processing are either:

• Consent (i.e., in that you are choosing to provide us with your details so that we can contact you about a vacancy).
• Contract (i.e., in that we need this information to potentially enter into an employment contract with you).

Clients using our services – individuals and business

We collect your Technical Data and Usage Data (for tracking purposes). We also collect your Identity Data, Contact Data, Financial & Transaction Data, Profile Data and Communications & Marketing Data (for when you entered into an agreement with us). In addition, we collect your Special Category Data where you choose to share it with us.

We collect this data as you interact with our website, we automatically collect this Personal Data about you by using cookies and similar technologies (please see our Cookies Notice). We also collect this Personal Data through our direct interactions with you in order to provide advice and deliverables to you.

Our legal grounds for Processing are one or more of the following:

• Contact (i.e., in that you have entered into an agreement with us).
• Consent (i.e., in that you are choosing to provide us with certain details which include Special Category Data).
• Legitimate Interests (i.e., its necessary for our Legitimate Interests in running and developing our business including our marketing strategy).
• Legal obligation (i.e., its necessary for us to comply with a legal obligation such as in the instance where you no longer wish to be contacted for direct marketing purposes).

Third party suppliers

We collect your Technical Data and Usage Data (for tracking purposes). We also collect your Identity Data, Contact Data, Financial & Transactional Data and Profile Data (for when we are engaging you for your services and expertise).

We collect this data as you interact with our website, we automatically collect this Personal Data about you by using cookies and similar technologies (please see our Cookies Notice). We also collect this Personal Data through our direct interactions with you (i.e., we will hold Personal Data on your staff that have engaged with us).

Our legal grounds for Processing are one or more of the following:
Contract (i.e., in that we need this information to perform a contract with you).
Legitimate Interests (i.e., its necessary for our Legitimate Interests in keeping records to develop our business strategy).
Legal obligation (i.e., its necessary for us to comply with a legal obligation such as in respect to our financial, tax and legal affairs).

Who do we share Personal Data with?

We will share your Personal Data only when it is necessary, and we have provided examples of the kinds of organisations with whom we may share it:

Technology companies that support us in providing our services and to help provide, run and manage our internal IT systems.
Insurers and professional advisers - we may need to share personal data with an insurer, for example, in the event of a claim. Additionally, we engage other professional advisors, including law firms, when required to address legal claims and obtain advice related to our business operations. Personal Data may be shared with these advisers as needed for the products and services they have been engaged to deliver to us.
Regulators and other governmental authorities (e.g., Companies House and HMRC) – which we need to engage with for the purposes of our business and may need to provide data.
Third party organisations that support us in delivering products, services or information for specific client projects – we may partner with or collaborate with other service providers to assist us in delivering professional services to our clients.
Other third parties to whom we may be in contact with to sell, transfer or merge parts of our business or assets, or to attempt to acquire or merge with other companies.

We require all third parties to respect the security of your Personal Data and to treat it in accordance with Data Protection Laws. We enter into contractual agreements with all of our third parties (with the exception of regulators and governmental authorities) which include the appropriate data protection clauses.

How do we protect your Personal Data?

We have put in place appropriate technical and organisational security measures (such as multi-factor authentication and encryption) to prevent your Personal Data from being accidentally lost, falsified, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, contractors and other third parties who have a business need to know. We have put in place policies, plans and procedures to deal with any suspected or actual personal data breaches (although we hope not to ever be in that position).

How do we safely transfer Personal Data across borders?

We ensure that Personal Data is transferred safely and securely at all times. Whenever your Personal Data travels outside of the UK and/or the EEA, we ensure that it’s protected by putting in one of the following safeguards:

We will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data as endorsed by the ICO and identified and determined by the European Commission.
We will only transfer your Personal Data where we have entered into specific contracts with an organisation outside of the UK and/or EEA which states that they will ensure that your Personal Data has the same level of protection as if it were in the UK and/or the EEA.

If you want to find out the specific mechanism used when transferring your Personal Data out of the UK and/or the EEA, please contact our Data Protection Team on info@spondoo.co.uk.

How long do we keep Personal Data for?

We will only keep your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax or reporting requirements.

To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we Process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax or other requirements.

We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

What rights do you have in respect of your Personal Data?

In certain situations, you possess particular rights concerning the Personal Data we Process about you. These rights include:

• Right of access to information and copies of the Personal Data that we hold about you.
• Right to rectify (i.e., correct) your Personal Data where it is inaccurate or incomplete.
• Right to delete your Personal Data, but only in specific circumstances, for example where the Personal Data is no longer necessary in relation to the purpose for which it was originally collected or Processed. It may not therefore always be possible for us to delete all of the information we hold about you if you request this, for example, if we have an ongoing contractual relationship with you.
• Right to restrict Processing in specific circumstances, for example while we are reviewing the accuracy or completeness of data or deciding on whether any request for erasure is valid.
• Right to object to Processing in cases where Processing is based upon our Legitimate Interests or where Processing is for direct marketing purposes (including profiling).
• Right to data portability which means the right to receive, move, copy or transfer your Personal Data to another Data Controller. You have the right to this when we are Processing your Personal Data based on Consent or on a contract and the Processing is carried out by automated means.

Should you wish to exercise any of the rights set out above, kindly reach out to our Data Protection Team at info@spondoo.co.uk. You won’t have to pay a fee to access your Personal Data or to exercise any of your other rights. However, if your request is clearly unfounded, repetitive or excessive, we may charge a reasonable fee or decline your request in such instances.

To ensure your security and prevent unauthorised access to your Personal Data, we may request specific information to confirm your identity. This serves as a protective measure in your best interest.

Our aim is to address all valid requests within one month. However, if your request is particularly complex or you have made a number of requests, it may take longer. In such situations, we will keep you informed and notify you accordingly.

We want you to be aware that if you have concerns or are dissatisfied with our approach, you have a right to file a complaint with the ICO at www.ico.org.uk. While we strive to uphold the highest data protection standards, we acknowledge that errors can occur. If you’re unsatisfied with how we handle your Personal Data, we encourage you to contact us initially. Your feedback is invaluable to us.

How do we use your Personal Data in our marketing practices?

You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing. We will get your express opt-in Consent before we share your Personal Data with any third-party for marketing purposes. You can ask us or third parties to stop sending you marketing messages at any time by contacting us and withdrawing your Consent. Where you opt out of receiving these marketing messages, this will not apply to messages that we need to send you a result of performing a contract that we have with you (e.g., as we may be required to contact you in order to perform the contract).

When was this Privacy Notice last updated?

Our Privacy Notice was last updated in November 2023 by our Data Protection Team.

Want to get in touch with us?

Feel free to get in touch with our Data Protection Team on info@spondoo.co.uk. We’d welcome the opportunity to share more information on our practices with you.