Privacy Policy


Who we are

Ardcairn Ltd is a company registered in Scotland No. SC599934. Our website address is:

GDPR statement of compliance

Introduction and overview

We follow the UK Information Commissioner’s Office (ICO) guidelines concerning compliance with the General Data Protection Regulation (GDPR) rules. This document explains how Ardcairn Ltd complies.


All Ardcairn Ltd Associates and staff have read and adhere to our data protection privacy policies.

Our commitment to your privacy

We’re serious about protecting your personal data. This note explains:

  • Why we may collect your personal data;
  • How and when we use personal data;
  • The personal data that we collect;
  • Storing your personal data;
  • How you can access your personal data
  • Data Protection Policy

If you have any questions or queries about this notice please contact us using our contact form below. Please head the query “FAO the Data Protection Officer (DPO)”.

Why Ardcairn Ltd (“we”) may collect your personal data

Your privacy is important to us. We are committed to safeguarding the privacy of your information.

When required we collect personal data to provide an appropriate level of service to you and to comply with the law regarding data sharing. In legal terms this is called ‘legitimate interests’. We may collect your personal data when you correspond with us during a sales process or sign up for one of our services. When it is required, we may also ask you for your consent to process your data. We never share your information with others, other than those who need the information to effectively complete our contracted work with you, such as by our Associates.

How and when we use your personal data

We’re committed to using your personal data responsibly and lawfully. Here’s what we do with your personal data:

  • We will use it to ensure we deal with your enquiries quickly and efficiently.
  • We will use it to deliver services to you and your company
  • We will use it to establish ongoing communication with you regarding
    the provision of a good relationship with you and our company.

The categories of information that we may collect and hold include:

  • Personal information (such as name, telephone number, address and email address)
  • Corporate information (such as company name, address, email address, invoicing details)

The data held may include:

  • Names, email addresses, location data and additional data people have chosen to share with us, which may include postal addresses, phone numbers and the organisations they work for, of people or organisations who have contacted us or been a contact within an organisation with which we have worked – recorded in our online client management software (password protected).
  • Names, e-mail addresses and location data of people who have signed up to marketing, such as newsletters (password protected).

We do not share this information with anyone outside of Ardcairn Ltd, companies or individuals contracted by us who may be provided with specific client data for the sole purpose of client work delivery and who must comply with our data protection privacy policies, such as our accountants. 

Storing your data

Your personal data is stored within the UK or the EU or on platforms including Google Applications that have Privacy Shield and/or other features to ensure we can use them in ways compliant with the GDPR in general, and our privacy and data retention policies specifically.

To help us to maintain the accuracy of the personal data that we hold please let us know if we hold out of date or inaccurate information about you.

We hold your data for varying lengths of time depending on the type of information in question but in doing so we always comply with Data Protection legislation. We will hold your data for six years from the end of contracted business relationship or the date of last correspondence, whichever is the later.

Sharing your personal data

We will not share your information with third parties without your consent unless the law requires us to do so or as necessary for own legitimate interests or those of other persons and organisations eg:

  • For good governance, conducting, accounting, managing and auditing our business operations

There are only a few occasions where we will share your personal data with a third party. They are:

  • Where we’re required to disclose it by law – to government bodies for example.
  • Where we need to do so in order to complete a contractually agreed services using 3rd party tools (when integrating a 3rd party data service or development tool for example). [Example – with our professional advisors (who are required to keep your data confidential)].
  • Associates, subcontractors and other persons who help us to provide our products and services.
  • Companies and other persons providing services to us.
  • To protect the security or integrity of our business operations.
  • Payment systems, where it is necessary to process transactions.

Who do we share your information with?

Our accountants, based in the UK, have access to the following data:

  • Email addresses, postal addresses, invoicing and bank details of organisations with whom we have worked – recorded in our online bookkeeping software FreeAgent (password protected).

Requesting access to your personal data

Under Data Protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information contact our Data Protection Officer (DPO).

You also have the right to:

  • Object to processing of personal data that is likely to cause, or is causing, damage or distress
  • Prevent processing for the purpose of direct marketing
  • Object to decisions being taken by automated means
  • In certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
  • Claim compensation for damages caused by a breach of the Data Protection regulations.

For further information on how your information is used, how we maintain the security of your information and your rights to access information we hold on you please get in touch with our Data Protection Officer using the contact details below.

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at


To discuss anything in this privacy notice, please contact our Data Protection Officer: using our contact form. Please head the query “FAO the Data Protection Officer (DPO)”.


“Data Protection Legislation” means the Data Protection Act 1998, the Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003 (SI 2426/2003 as amended), and all applicable laws and regulations, including any replacement UK or EU data protection legislation relating to the Processing of Personal Data, including, where applicable, the guidance and codes of practice issued by the Information Commissioner’s Office.

The Data Protection Legislation (“the Legislation”) is concerned with the protection of human rights in relation to personal data. The aim of the Legislation is to ensure that personal data is used fairly and lawfully and that where necessary the privacy of individuals is respected. As part of regular business activities, Ardcairn Ltd will collect, store and process personal data about our staff, Associates, clients and suppliers and other third parties and we recognise that the correct and lawful treatment of this data will maintain confidence in Ardcairn Ltd. This policy sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.

The Data Protection Officer (“DPO”) is responsible for ensuring compliance with the Legislation and with this policy.

Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the DPO.

What is personal data?

Personal data is defined as data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the the data controller.

Processing personal data

All personal data should be processed in accordance with the Legislation and this policy. Any breach of this policy may result in disciplinary action.

Processing includes obtaining, holding, maintaining, storing, erasing, blocking and destroying data.

Personal data is data relating to a living individual. It includes employee data. It will not include data relating to a company or organisation, although any data relating to individuals within companies or organisations may be covered. Personal data can be factual (for example a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

Examples of personal data are employee details, including employment records, names and addresses and other information relating to individuals, including supplier details, any third-party data and any recorded information including any recorded telephone conversations, video calls, emails or CCTV images.

Staff and Associates who process data on behalf of Ardcairn Ltd should assume that whatever they do with personal data will be considered to constitute processing. Individuals should only process data:

  • If they have consent to do so; or
  • If it is necessary to fulfil a contractual obligation or as part of the employer/employee relationship; for example, processing the payroll
  • If neither of these conditions are satisfied, individuals should contact the Data Protection Compliance Manager before processing personal data.

Compliance with the Legislation

Staff and Associates who process data on Ardcairn Ltd’s behalf have a responsibility for processing personal data in accordance with the Legislation. Anyone who has responsibility for processing personal data must ensure that they comply with the data protection principles in the Legislation. These state that personal data must:

  • Be obtained and used fairly and lawfully
  • Be obtained for specified lawful purposes and used only for those purposes
  • Be adequate, relevant and not excessive for those purposes
  • Be accurate and kept up to date
  • Not be kept for any longer than required for those purposes
  • Be used in a way which complies with the individual’s rights (this includes rights to prevent the use of personal data which will cause them damage or distress, to prevent use of personal data for direct marketing, and to have inaccurate information deleted or corrected)
  • Be protected by appropriate technical or organisational measures against unauthorised access, processing or accidental loss or destruction
  • Not be transferred outside the UK or European Economic Area unless with the consent of the data subject or where the country is determined to have adequate systems in place to protect personal data.

Monitoring the use of personal data

Ardcairn Ltd are committed to ensuring that this data protection policy is put into practice and that appropriate working practices are being followed. To this end the following steps will be taken:

  • Staff and Associates who deal with personal data are expected to be aware of data protection issues and to work towards continuous improvement of the proper processing of personal data;
  • Staff and Associates who handle personal data on a regular basis or who process sensitive or other confidential personal data will be more closely monitored;
  • Staff and Associates must evaluate whether the personal data they hold is being processed in accordance with this policy. Particular regard should be given to ensure inaccurate, excessive or out of date data is disposed of in accordance with this policy;
  • An annual report on the level of compliance with or variance from good data protection practices is produced by the company. Data breaches will be recorded and investigated to see what improvements can be made to prevent recurrences.

Handling personal data and data security

We will take appropriate technical and organisational steps to guard against unauthorised or unlawful processing. Records will be stored on Google Apps, our online client management software, our online bookkeeping software and other software that may be required for relevant and lawful processing of data. Access to these records will be restricted to account holders with passwords only. Paper-based records relating to members, clients or suppliers will be kept secure in a locked cabinet. Access to these will be restricted to the Secretary.

We will ensure that staff and Associates who handle personal data are adequately trained and monitored.

Security policies and procedures will be regularly monitored and reviewed to ensure data is being kept secure.

Where personal data needs to be deleted or destroyed, adequate measures will be taken to ensure data is properly and securely disposed of. This will include destruction of files and back up files and physical destruction of manual files. Particular care is taken over the destruction of manual sensitive data (written records) including shredding or disposing via specialist contractors.

All data will be stored in a secure location and precautions will be taken to avoid data being accidentally disclosed. Any agent employed to process data on our behalf will be bound to comply with this data protection policy by a written contract. Personal data stored on a laptop should be password protected.

The rights of individuals

The Legislation gives individuals certain rights to know what data is held about them and what it is used for. In principle everyone has the right to see copies of all personal data held about them. There is also a right to have any inaccuracies in data corrected or erased. Data subjects also have the right to prevent the processing of their data for direct marketing purposes.

Any request for access to data under the Legislation should be made to the DPO in writing. In accordance with the Legislation we will ensure that written requests for access to personal data are complied with within 30 days of receipt of a valid request.

When a written data subject access request is received the data subject will be given a description of a) the personal data, b) the purposes for which it is being processed, c) those people and organisations to whom the data may be disclosed, d) be provided with a copy of the information in an intelligible form.

Sensitive data

No sensitive data will be requested, gathered or stored by Ardcairn Ltd.

Communicating private information

We have taken the following steps:

  1. Placed this privacy policy on our website.
  2. Ensured staff and our contractors are up to date with latest policy amendments and procedures.

Individuals’ rights

Any individual or organisation may request to be informed on the data held by Ardcairn Ltd about them. We will update or delete this data subject to reasonable requests in order to comply with GDPR. Note that we have a legal requirement to retain some financial records for auditing purposes.

Subject access requests

We will respond to all requests for information within the one month compliance period. In order to action the request, please note that the individual or organisation will be requested to prove their identity.

Lawful basis for processing data

  • When an individual or organisation contacts us via email, their email address is stored on our email servers.
  • If an individual or organisation has opted into one of our email lists they have done so in the knowledge that they will receive regular updates via email. They may unsubscribe at any time.
  • When people/organisations have entered into a working contract with us, their contact details are saved in our online client management software (password protected).
  • When people/organisations have completed a working contract for us, their contact details are saved in our online client management software and our online bookkeeping software (password protected).


Any individual or organisation subscribed to our email lists can unsubscribe at any time by clicking the relevant link in one of our communications, or by contacting us via our website. These email addresses are retained as ‘unsubscribed users’ for a one-year period for auditing reasons.

Information held in our online bookkeeping software is stored solely for accounting purposes.


Individuals and organisations who subscribe to our email lists must be over the age of 13. If we find that there are subscribers under this age, we will remove them from the list, explaining why we are doing so.

Data breaches

We aim to prevent data breaches by using strong passwords with two-factor authentication where available. If any organisations who we use as data processors are compromised we would take steps to follow their advice immediately, and inform the data subjects.

Data Protection by Design and Data Protection Impact Assessments

We are registered with the UK’s lead data protection supervisory authority, the Information Commissioner’s Office (ICO).

We have familiarised ourselves with the ICO’s code of practice on Privacy Impact Assessments.

Data Protection Officers

We have appointed a Data Protection Officer (DPO) who can be contacted using our contact form. Please head the query “FAO the Data Protection Officer (DPO)”.

Changes to this policy

We reserve the right to change this policy at any time. Where appropriate we will notify data subjects of those changes by mail or email.

Policy adopted on 2/3/20. Last updated: 28/2/24