
Privacy Policy

Last updated: May 2026

1. Introduction and Who We Are

Goldfin Advisory Ltd, trading as Certax Accounting Chelmsford, is a modern, digital-first accounting practice built specifically for Essex businesses. We are registered in England and Wales (Company No. 17072344) and operate as a member of the Certax Accounting franchise network.

We respect your privacy and are committed to protecting your personal data. This Privacy and Cookie Policy sets out how we collect, use, store and protect your information when you visit our website (goldfin.uk), use our secure client portal, or engage our accounting, tax, and payroll services.

This policy applies in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018. We are registered with the Information Commissioner's Office (ICO) as a data controller under registration number ZC136878.

2. Contact Us

We have appointed a data privacy manager responsible for overseeing questions relating to this policy. If you have any questions, including requests to exercise your legal rights, please contact us:

Full legal name: Goldfin Advisory Ltd (Company No. 17072344)
ICO Registration: ZC136878
Email: hello.certax@goldfin.uk
Telephone: 01245 377 510
Postal address: Saxon House, 27 Duke Street, Chelmsford, CM1 1HT
Website: goldfin.uk

3. The Data We Collect About You

Personal data means any information about an individual from which that person can be identified. As a digital practice, we collect, use, store and transfer different kinds of personal data, grouped as follows:

Identity Data: First name, last name, username, title, date of birth, and gender.

Contact Data: Billing address, residential address, email address, and telephone numbers.

Financial Data: Bank account details, payroll records, tax references, and payment card details.

Transaction Data: Details about payments to and from you, and details of the monthly plans or add-ons you have purchased.

Technical & Usage Data: IP address, login data, browser type and version, time zone, and information about how you use our website and client portal.

Communications Data: Your preferences for receiving communications from us and your communication history via our portal and email.

Recordings Data: Audio and video recordings of telephone calls and virtual meetings (such as Google Meet), including any transcripts generated from those recordings.

4. How Is Your Personal Data Collected?

We use different methods to collect data from and about you, including through:

Direct interactions: You may give us your Identity, Contact, and Financial Data by filling in forms, uploading records during onboarding, using our secure client portal, or corresponding with us by post, phone, or email.

Automated technologies (Cookies): As you interact with our website, we automatically collect Technical Data about your equipment, browsing actions, and patterns using cookies and similar technologies.

Third parties and publicly available sources: We may receive personal data about you from third parties such as HM Revenue & Customs, Companies House, your previous accountants or advisers (typically through professional clearance correspondence), identity verification providers, and publicly available sources such as the Companies House register and the UK PEP and sanctions databases.

Call and meeting recordings: We record telephone calls and virtual meetings for quality assurance, training, and record-keeping purposes. You will be informed at the start of any call or meeting that recording is taking place. Recordings are stored securely on UK GDPR-compliant cloud infrastructure with access restricted to authorised personnel. Recordings are retained for a period of three years from the date of the call or meeting, after which they are securely deleted, unless a longer retention is required by law, professional obligation, or in connection with an active matter, dispute, or regulatory enquiry.

5. How We Use Your Personal Data and Our Lawful Bases

We will only use your personal data when the law allows us to. We rely on the following lawful bases:

Performance of a Contract: To administer your account, deliver the services agreed upon in your chosen monthly plan, and manage payments.

Legal and Regulatory Compliance: To comply with statutory obligations, including mandatory AML identity checks, HMRC reporting, Companies House filing, and the prevention of financial crime and money laundering.

Legitimate Interests: For the running of our business, updating and enhancing our client records, conducting management analysis, protecting against legal claims, and improving our services and website.

Consent: We will only contact you with details of other services or marketing where you have explicitly consented. You have the right to withdraw consent at any time by contacting us.

Client acceptance procedures: As set out in our Terms and Conditions, all engagements are conditional upon successful completion of our client acceptance procedures, including AML and KYC checks. Where we are unable to accept an engagement following these checks, we will retain your data only for as long as necessary to demonstrate compliance with our regulatory obligations, including AML record-keeping requirements (see Section 11). Where retention is not legally required, declined prospects' data is securely deleted within 12 months.

6. Anti-Money Laundering (AML) Compliance

Clients are required to cooperate fully with Goldfin's Anti-Money Laundering obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. This includes providing satisfactory proof of identity and address — typically two forms of government-issued identification and proof of residence — as well as any additional verification such as facial recognition or document scans where requested. Engagement cannot commence and services may be suspended or terminated if a client fails to provide the required documentation within a reasonable timeframe or if identity verification cannot be completed to the required standard.

Where AML verification involves the processing of biometric data (such as facial recognition for identity matching), we rely on UK GDPR Article 9(2)(g) — processing necessary for reasons of substantial public interest, namely the prevention of money laundering and terrorist financing. Biometric data is processed only for identity verification purposes, by UK GDPR-compliant providers, and is not retained beyond what is necessary for that purpose.

7. Cookie Policy

Our website uses cookies to distinguish you from other users, providing you with a better experience and allowing us to improve our site. We use the following categories of cookies:

Strictly Necessary Cookies: Required for the operation of our website and secure client portal, including cookies that enable you to log into secure areas.

Analytical/Performance Cookies: Allow us to recognise and count the number of visitors and see how visitors move around our website. All data is anonymised.

Functionality Cookies: Used to recognise you when you return to our website or portal, enabling us to personalise our content for you.

A cookie consent banner will appear on your first visit to our website. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website or the client portal may become inaccessible or not function properly.

8. Disclosures of Your Personal Data

Communication between us is strictly confidential. We do not sell your personal data. We may share your personal data with the following parties for the purposes set out in Section 5:

Service Providers: Third parties providing IT, cloud accounting software, and system administration services. All providers are contractually bound to protect your data.

Identity Verification Providers: We use third-party providers, including services integrated within our practice management software, to verify your identity for AML purposes. This may include processing of facial recognition data, document scans, and identity database searches. All such providers are UK GDPR-compliant and contractually bound to handle your data securely.

Government Bodies and Regulators: HM Revenue & Customs, Companies House, the Information Commissioner's Office, the National Crime Agency (in connection with Suspicious Activity Reports under the Proceeds of Crime Act 2002 and the Money Laundering Regulations 2017), our professional body, and other authorities to whom we have statutory reporting obligations.

Subcontractors: We may occasionally subcontract work on your affairs to other tax or accounting professionals. Any subcontractors used are strictly bound by our client confidentiality terms.

Certax Quality Assurance: As a member firm of the Certax Accounting network, we are required under ethical and regulatory rules to allow access to client files and records for the purpose of maintaining our membership and ensuring quality assurance standards are met.

Continuity Alternate: We have arrangements in place for an alternate professional to manage matters in the event of permanent incapacity or illness. This protects you by ensuring your business operations are not disrupted. This alternate will have access to the information we hold in order to make initial contact with you.

9. Our Specific Role as a Data Processor (Payroll & Pensions)

When Goldfin provides standard accounting and tax advice, we act as a Data Controller. However, when we provide payroll and workplace pension administration services, we act as a Data Processor on your documented instructions. In this capacity, we legally commit to the following UK GDPR Article 28 obligations:

— We process personal data only on your documented instructions.
— We ensure anyone authorised to process the data commits to strict confidentiality.
— We implement all required technical and organisational security measures.
— We will not engage another sub-processor for your payroll data without your prior written consent.
— We assist you in fulfilling your obligations to respond to data subject requests.
— At the end of our contract, we will delete or return all personal data processed on your behalf, unless required by law to retain it.
— We will allow you or an appointed auditor to carry out inspections to demonstrate our compliance.

10. Data Security and Digital Communications

As a modern practice, we prioritise secure communication. We communicate and transfer data primarily using the Goldfin Client Portal, ensuring your finances and messages are accessible in one secure place. Our security measures include encrypted data transmission (SSL/TLS) on all client-facing systems, secure cloud-based storage with reputable UK GDPR-compliant providers, access controls limiting who within our practice can view client data, virus-scanning software, and regular security reviews.

Electronic communication outside of our portal — such as standard, unencrypted email — is not totally secure, and there is an inherent risk of interception or misdirection. If you require us to correspond with you by standard email, you accept the risks associated with this form of communication.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO within 72 hours as required by UK GDPR.

11. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes for which it was collected. Specific retention periods are as follows:

Companies, LLPs and other corporate entities: Six years from the end of the relevant accounting period, as required by HMRC.

Individuals, sole traders and partnerships: Five years and ten months after the end of the relevant tax year (where trading or rental income is present), or 22 months after the end of the tax year otherwise.

Payroll records: Minimum three years following the relevant tax year.

AML identity verification records: Minimum five years from the end of the client relationship, as required by the Money Laundering Regulations 2017.

Enquiry and contact data (where no engagement follows): 12 months from the date of enquiry.

Website analytics data: 26 months.

While certain documents legally belong to you and will be returned upon request, we reserve the right to securely destroy correspondence and files that are more than seven years old. After applicable retention periods, data is securely deleted or anonymised.

12. Your Legal Rights

Under UK data protection law you have the right to:

Access: request a copy of the personal data we hold about you.
Rectification: request correction of inaccurate or incomplete data.
Erasure: request deletion of your data where we have no legal obligation to retain it.
Restriction: request that we limit how we process your data in certain circumstances.
Portability: receive your data in a portable, machine-readable format.
Objection: object to processing based on legitimate interests.
Withdraw consent: withdraw consent at any time where we rely on consent to process your data.

To exercise any of these rights, please contact us at hello.certax@goldfin.uk. We will respond within 30 days.

13. Third Party Websites

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites and recommend you review their privacy policies independently before providing any personal data to them.

14. Complaints

If you have a concern about how we handle your data, please contact us first so that we can put it right. You also have the right to make a complaint to the Information Commissioner's Office (ICO):

Website: www.ico.org.uk
Telephone: 0303 123 1113

If you would prefer to speak to us directly before raising a formal complaint, you can reach us at hello.certax@goldfin.uk or 01245 377 510.
You may also raise concerns with our professional body, Certax Accounting, in relation to our conduct as a member firm.

15. Changes to This Policy

We may update this policy from time to time. The most current version will always be available at goldfin.uk/privacy. We will notify existing clients of any material changes by email or via the client portal.

Goldfin Advisory Ltd · Registered in England & Wales · Company No. 17072344
Trading as Certax Accounting Chelmsford · ICO Registration: ZC136878
Saxon House, 27 Duke Street, Chelmsford, CM1 1HT · hello.certax@goldfin.uk · goldfin.uk