Privacy Notice
Ola Accountancy — Self Assessment Workflow · Last updated: June 2026
This notice explains how the Ola Accountancy workflow system processes personal data, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who we are
Ola Accountancy is the data controller for client information processed in this system. Contact: privacy@ola-accountancy.co.uk. Ola Accountancy Ltd is registered in England & Wales (company number [ADD COMPANY NUMBER]), registered office [ADD REGISTERED OFFICE], and is registered with the Information Commissioner's Office (registration number [ADD ICO NUMBER]). As an accountancy practice we are also subject to anti-money-laundering record-keeping obligations.
What we collect and why
| Data | Purpose | Lawful basis |
|---|---|---|
| Identity & contact details (name, DOB, address, phone, email) | Client onboarding, identity verification, HMRC filings | Contract |
| Tax identifiers (NINO, UTR) | HMRC agent authorisation and Self Assessment submission | Contract; legal obligation |
| Identity verification documents (e.g. passport, driving licence, proof of address) | Anti-money-laundering customer due diligence (KYC) | Legal obligation (Money Laundering Regulations 2017) |
| Bank account details and statement transactions | Preparation of income/expense figures for the tax return | Contract |
| Payment records | Billing for our services | Contract; legal obligation (accounting records) |
| System audit logs (who accessed or changed what, when, from which IP) and in-app navigation (which pages/steps a user views). We do not use third-party analytics or tracking. | Security, accountability and improving the service | Legitimate interests |
Where your data lives
All data is stored encrypted at rest in a database located in London, United Kingdom, and is transmitted only over encrypted (TLS) connections. Application servers run in the London region.
Processors we use
| Processor | Purpose |
|---|---|
| Vercel Inc. | Front-end hosting and content delivery (London region) |
| Amazon Web Services (AWS) | Application server and database hosting (London / eu-west-2 region, encrypted at rest) |
| Stripe Payments UK Ltd | Card payment processing — card numbers never touch our systems |
| Anthropic PBC | AI-assisted categorisation of bank statement transactions, under a data processing agreement. Anthropic does not use this data to train its models, and transaction text is not retained beyond what is needed to return the result. |
| HM Revenue & Customs | Agent authorisation and tax return submission (statutory) |
International transfers
Your data is hosted in the United Kingdom. Where any processor is based outside the UK, or may access data from outside the UK for support, we ensure an adequate safeguard is in place — UK adequacy regulations or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
How long we keep it
Tax records are retained for 6 years after the end of the relevant tax year, as required by HMRC record-keeping rules. Login sessions expire after 8 hours. Security and accountability audit logs (access and changes) are retained for up to 6 years; lower-level in-app navigation logs are kept for a much shorter period (around 90 days) and then automatically deleted.
Your rights
- Access — request a full export of your data (we provide a machine-readable JSON export).
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data. Where the law requires us to keep tax records (HMRC, 6 years), we anonymise your record instead and delete it fully once the retention period ends.
- Restriction, portability and objection — as provided by UK GDPR.
- Complaints — you can complain to the Information Commissioner's Office (ico.org.uk).
Cookies
This system uses only strictly necessary cookies: a login session cookie and, during HMRC authorisation, short-lived cookies that secure the OAuth process. We do not use analytics, advertising or tracking cookies. Full details are set out in our Cookie Policy.
Security
Measures include: encrypted storage and transport, hashed passwords (bcrypt), automatic account lockout on repeated failed logins, role-based staff access, an append-only audit trail of every access and change, and UK data hosting.