PRIVACY POLICY

  • INTRODUCTION AND DATA CONTROLLER
    • Fiducia Business Processes Private Limited (“Fiducia,” “we,” “us,” or “our”) is committed to protecting the privacy and security of personal data processed in connection with the provision of our accounting, bookkeeping, payroll, tax advisory, business process, and technology services.
    • For the purposes of applicable Data Protection Legislation, Fiducia acts as:
      • Data Controller: in respect of personal data relating to our website visitors, prospective clients, and direct marketing communications;
      • Data Processor: in respect of personal data provided by our clients (who act as data controllers) for processing in connection with the Services.
    • This Privacy Policy governs the manner in which we collect, use, retain, and disclose personal data. It applies to all individuals whose personal data we process, including clients, their employees and representatives, website visitors, and business contacts.
  • LEGAL FRAMEWORK — This Privacy Policy is drafted and operated in compliance with:
    • The UK General Data Protection Regulation (UK GDPR) as retained in domestic law by the European Union (Withdrawal) Act 2018;
    • The Data Protection Act 2018;
    • The Privacy and Electronic Communications Regulations 2003 (as amended);
    • The Information Commissioner’s Office (ICO) Codes of Practice and guidance.
  • PERSONAL DATA WE COLLECT
    • Information Provided Directly by You — We collect the following categories of personal data when you engage with our Services, contact us, or visit our website:
      • Identity Data: full name, title, date of birth, National Insurance number (where relevant);
      • Contact Data: postal address, email address, telephone number;
      • Financial Data: bank account details, payroll information, tax reference numbers, VAT registration numbers, financial statements, invoices, and transaction records;
      • Business Data: company registration details, directorship information, shareholder information, employee records submitted for payroll processing;
      • Technical Data: IP address, browser type, device identifiers, and website usage data collected through cookies (see Clause 12);
      • Communications Data: records of correspondence and interactions with us by email, telephone, or through our website.
    • Special Category Data — In limited circumstances, we may process special category personal data (as defined under Article 9, UK GDPR), including health information relevant to payroll or sick pay calculations. Such data is processed strictly in accordance with Article 9(2) conditions, including explicit consent or legal obligation, as applicable.
    • Data Collected Automatically — When you visit fiducia.org.in, we may automatically collect certain technical and usage data through cookies and similar tracking technologies, as detailed in Clause 12 of this Policy.
  • LAWFUL BASIS FOR PROCESSING — We process personal data only where a valid lawful basis exists under Article 6 of the UK GDPR. The lawful bases upon which we rely are as follows:
    • Contractual Necessity (Article 6(1)(b)): processing is necessary for the performance of the contract for Services with the Client, including preparing accounts, payroll, and tax returns;
    • Legal Obligation (Article 6(1)(c)): processing is necessary to comply with legal obligations, including HMRC compliance, anti-money laundering requirements, and employment law;
    • Legitimate Interests (Article 6(1)(f)): processing is necessary for our legitimate business interests, including business development, client relationship management, fraud prevention, and network security, where such interests are not overridden by the rights and freedoms of data subjects;
    • Consent (Article 6(1)(a)): where you have given explicit consent, for example, for direct marketing communications. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
  • PURPOSES OF PROCESSING — We process personal data for the following purposes:
    • Provision and delivery of accounting, bookkeeping, payroll, tax, management reporting, FMS, and related business process services;
    • Onboarding, client due diligence, and KYC (Know Your Client) obligations pursuant to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017;
    • Invoicing, credit control, and financial administration;
    • Compliance with HMRC, Companies House, and other regulatory obligations;
    • Responding to enquiries, providing customer support, and managing client relationships;
    • Marketing our services to existing and prospective clients, where lawful;
    • Improving the performance and functionality of our website and digital platforms;
    • Prevention of fraud, money laundering, and other financial crime;
    • Maintaining business records and fulfilling archival obligations.
  • DISCLOSURE AND SHARING OF PERSONAL DATA
    • We do not sell, rent, or trade personal data to third parties for commercial purposes.
    • We may disclose personal data to the following categories of recipients:
      • HMRC, Companies House, and other statutory or regulatory bodies as required by law;
      • Financial institutions and banks in connection with the Services;
      • Accountancy and auditing software providers (including Sage, Xero, QuickBooks, MYOB, and CounterBooks) as authorised data processors;
      • Third-party IT service providers, cloud hosting providers, and cybersecurity service providers engaged to support our operations;
      • Our India-based operational team located at SK Tower, Plot No. F-538, 1st Floor, Industrial Area, Phase 8B, Mohali, Punjab, 160071, India, who process personal data on our behalf under appropriate contractual safeguards (see Clause 7);
      • Professional advisers including solicitors, accountants, and insurers on a confidential basis;
      • Law enforcement agencies, courts, or regulatory authorities where required or permitted by law.
  • INTERNATIONAL TRANSFERS OF PERSONAL DATA
    • Fiducia operates with processing capabilities in India. Where personal data is transferred to, or accessed from, our India-based operations, we ensure that appropriate safeguards are in place in compliance with Chapter V of the UK GDPR.
    • As India does not currently hold an adequacy decision from the UK Secretary of State under Section 17A of the Data Protection Act 2018, we rely on the following safeguards to legitimise such transfers:
      • Standard Contractual Clauses (SCCs) approved by the Information Commissioner’s Office (ICO) incorporated into agreements with our India-based entities and staff;
      • An International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as applicable, in accordance with the ICO’s transfer mechanisms;
      • Supplementary technical and organisational measures including data minimisation, encryption in transit and at rest, access controls, and employee confidentiality obligations.
    • Details of the applicable transfer mechanisms may be provided on request by contacting us at [email protected].
  • DATA RETENTION
    • We retain personal data for no longer than is necessary for the purposes for which it was collected, in accordance with our Data Retention Schedule.
    • As a general principle, we observe the following retention periods:
      • Client financial records and tax documents: a minimum of six (6) years from the end of the relevant tax year or accounting period, in accordance with HMRC requirements and Section 388 of the Companies Act 2006;
      • Payroll records: a minimum of three (3) years from the end of the tax year to which they relate, pursuant to the Income Tax (PAYE) Regulations 2003;
      • Anti-money laundering and KYC records: five (5) years from the termination of the business relationship, pursuant to the Money Laundering Regulations 2017;
      • Website and marketing contact data: retained for as long as consent is maintained or until a valid objection is received;
      • Legal claims and dispute records: retained for the applicable limitation period under the Limitation Act 1980 (typically six years).
    • Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised.
  • SECURITY OF PERSONAL DATA
    • We implement appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These measures include:
      • Encryption of data in transit and at rest using industry-standard protocols;
      • Role-based access controls limiting access to personal data on a need-to-know basis;
      • Regular security assessments, vulnerability testing, and staff training;
      • Secure data centres and cloud infrastructure with appropriate certifications;
      • Incident response procedures and data breach notification protocols in compliance with Article 33 of the UK GDPR.
    • In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner’s Office (ICO) within seventy-two (72) hours of becoming aware of the breach, and affected individuals where required.
  • RIGHTS OF DATA SUBJECTS
    • Subject to applicable law, individuals whose personal data we process have the following rights under the UK GDPR:
      • Right of Access (Article 15): the right to obtain confirmation of whether personal data is being processed and to receive a copy of such data (subject access request);
      • Right to Rectification (Article 16): the right to have inaccurate personal data corrected or incomplete data completed;
      • Right to Erasure (Article 17): the right to request deletion of personal data where it is no longer necessary, where consent has been withdrawn, or where processing is unlawful, subject to applicable exemptions including legal obligations;
      • Right to Restriction of Processing (Article 18): the right to request that processing be restricted in certain circumstances;
      • Right to Data Portability (Article 20): the right to receive personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller, where processing is based on consent or contract;
      • Right to Object (Article 21): the right to object to processing based on legitimate interests or for direct marketing purposes;
      • Rights in Relation to Automated Decision-Making (Article 22): the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
    • To exercise any of the above rights, please submit a written request to [email protected]. We will respond to your request within one calendar month of receipt. In cases of complexity or high volume, we may extend this period by a further two months, of which you will be notified.
    • Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
    • We will not charge a fee for handling your request unless the request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse to comply.
  • COMPLAINTS
    • If you believe that we have not handled your personal data in accordance with applicable Data Protection Legislation, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
    • We encourage you to contact us in the first instance at [email protected] so that we may seek to resolve your concern directly.
  • COOKIES AND WEBSITE TRACKING
    • Our website (www.Fiducia.biz) uses cookies and similar technologies to enhance user experience, analyse website traffic, and support our marketing activities.
    • The categories of cookies we use include:
      • Strictly Necessary Cookies: essential for the operation of the website and cannot be disabled;
      • Analytical/Performance Cookies: used to understand how visitors interact with the website (e.g., Google Analytics or similar tools);
      • Functionality Cookies: used to remember preferences and personalise content;
      • Targeting/Marketing Cookies: used to deliver relevant advertising and track the effectiveness of marketing campaigns.
    • Non-essential cookies will only be set with your prior consent, which may be given or withdrawn through our cookie consent banner. By continuing to browse our website after consent is given, you accept the placement of such cookies.
    • Further information on the specific cookies we use and how to manage your cookie preferences is available in our Cookie Notice, accessible from the footer of our website.
  • DIRECT MARKETING
    • Where we process personal data for the purpose of direct marketing (including email marketing and business development communications), we will do so only where:
      • We have obtained prior consent from the individual; or
      • We are relying on the ‘soft opt-in’ provision under Regulation 22 of the Privacy and Electronic Communications Regulations 2003 in respect of existing clients and business contacts.
    • You may opt out of receiving marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting us at [email protected].
  • LINKS TO THIRD-PARTY WEBSITES — Our website may contain hyperlinks to third-party websites. We are not responsible for the privacy practices or content of such external sites. We recommend that you review the privacy policies of any third-party websites you visit.
  • CHILDREN’S PRIVACY — Our Services are not directed to individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If you believe that personal data of a minor has been submitted to us inadvertently, please contact us immediately at [email protected] so that we may take appropriate remedial steps.
  • CHANGES TO THIS PRIVACY POLICY — We may update this Privacy Policy from time to time to reflect changes in law, regulatory guidance, or our business practices. We will notify affected individuals of material changes by posting an updated version on www.Fiducia.biz and, where appropriate, by direct communication. The date at the top of this Policy indicates when it was last revised.
  • CONTACT DETAILS AND DATA PROTECTION QUERIES — For any queries, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact:
    • Fiducia Business Processes Private Limited, 32, Windmill Way, Reigate, RH2 0JA United Kingdom, or on Email: [email protected]