Privacy policy
The Xeinadin website: https://xeinadin.com/ is maintained by Xeinadin Group Limited – Registered Office: 8th Floor Becket House, 36 Old Jewry, London, United Kingdom, EC2R 8DD; Registered Number – 11354408. Registered in England and Wales.
You can contact us on +44 203 086 8677 or write to us at [email protected]
The purpose of this Privacy Notice is to clarify to you how Xeinadin Group Limited manages your data in line with GDPR and other data protection regulation. Xeinadin is obligated by law to safeguard any personal information that we hold or process and this Privacy Notice outlines the necessary actions that we take to accomplish this. All information processed by us, whether handled via our website or within our internal processes, is handled lawfully in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018 (as amended from time to time).
What is Personal Data?
In this Privacy Notice and in our communication with you, the terms ‘personal data’, ‘personal information’ or ‘personally identifiable information’ may be used interchangeably. In all circumstances, and as defined by GDPR, personal data refers to “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Our lawful basis for collecting your personal data:
As per the UK & EU GDPR requirements, it is mandatory for us to identify a lawful basis that justifies the requirement for processing personal data, necessary to a specific purpose. As a group of accountancy firms, it is usually necessary for us to process your data for the purpose of fulfilling our contract with you. This lawful basis is regarded as the contractual basis for processing.
There are other lawful bases, which include:
- Your consent
- We have a legal obligation to process your data
- We process your data for your vital interest (to save your life)
- We need to process your data to perform a public task
- We have a legitimate interest for processing your data
We will process your personal data only in line with the lawful basis for which we collect it, unless we have reasonable grounds to believe that it is for a similar purpose that is compatible with the original lawful basis.
The Lawful Basis of Consent:
If we have used your ‘consent’ as our lawful basis for processing of your data, then it must have been given by you freely, specifically, on an informed basis, and with a clear affirmative action (you opted in). You have the right to withdraw your consent at any time by emailing [email protected] or calling us on +44 203 086 8677. Once you withdraw your consent, we will immediately cease processing your data. However, please be aware that this may also result in us being unable to provide our services to you any further.
Your information will be retained for as long as your consent is not withdrawn and the purpose for which the information was collected remains valid. To ensure that your consent remains valid, we will contact you every twelve (12) months to review your consent and request that you provide fresh consent for a further twelve (12) months.
What types of personal data do we collect?
As a group of accountancy companies, we frequently require personal and financial data in line with the requirements stemming from general accountancy services. We regularly gather and handle the following information to facilitate our services:
- First Name
- Last Name
- Address and Postcode
- Email Address
- Phone Number
- Bank Details
- Government ID
- Pay Slips and Bank Statements
- Tax Returns and other Historic Financial Reports
- National Insurance Numbers
- P45/P60
- Criminal Offence Data (where disclosed)
- Other relevant information
In the case of criminal offence data, the considerations of Articles 9 & 10 of UK GDPR and Schedule 1 of the Data Protection Act (DPA) 2018 are documented. In the case of Xeinadin, the ‘Consent’ Condition 29 of Schedule 1 of the Data Protection Act has been identified for the processing of such data, which only occurs when it is freely given, specific, informed, affirmative and unambiguous in the interest of securing accountancy services, as requested by the data subject.
Throughout the provision of our service, we ‘may’ potentially gather additional information from you directly in order to progress our services.
How do we get your information and why do we have it?
Xeinadin Group typically receives information from customers on a voluntary basis to assist with our services. To establish a contractual relationship with you, we need to gather and handle your information. Your information is typically processed to perform various accountancy functions, such as (but not limited to):
- Bookkeeping
- Financial Statement Preparation
- Tax Preparation and Planning
- Payroll Processing and Reporting
- Business Advisory Services
- Budgeting and Forecasting
- Management Accounting
- Take a service payment from you
Your personal information may be collected through several channels such as phone calls, paper evaluation forms and our website portal. After receiving your information, it is uploaded to our secure client management software. Once we have completed our contract with you, your information is deleted in line with our data retention schedule (outlined further on).
How we handle your data:
Xeinadin Group, in its role as both data controller and data processor, is obligated to follow the data processing principles outlined in the General Data Protection Regulation. By processing your personal information in line with the below principles, Xeinadin Group is able to facilitate your rights, and lawfully handle and safeguard your data.
The principles that Xeinadin abide by are:
The Principle of Lawfulness, Fairness and Transparency – We only collect and process Personal Information in a way that is lawful, fair, and transparent to you
The Principle of Accountability – We take responsibility for what we do with your personal data and how we comply with the other principles, and are able to demonstrate our compliance
The Purpose Limitation Principle – We only process your personal information for specified, explicit and legitimate purposes
The Data Minimisation Principle – The personal data collected that we process is adequate, relevant, and limited to what is necessary
The Data Accuracy Principle – We ensure that the data we process is accurate and, where necessary, kept up to date
The Storage Limitation Principle – We only keep personal information in a form which permits your identification no longer than is necessary
The Integrity & Confidentiality (security) Principle – We ensure that we appropriately secure your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Data Security:
Xeinadin Group are committed to ensuring the security and protection of your personal information as we understand that a breach of your information may cause undue stress, worry and in extreme cases may impact your rights and freedoms. To prevent such incidents, appropriate security measures are in place to limit accidental loss, unauthorised access, alteration or disclosure of your information.
We use several organisational measures to limit access to your personal data to only the employees, and other third parties who have a business ‘need to know’. Personal data is shared with third parties only when necessary for the provision of services. When doing so, we ensure that third parties have the appropriate security in place and that they are subject to a duty of confidentiality.
In the unlikely event of a data breach, we follow procedures set out by the Information Commissioner’s Office (ICO) to investigate and handle the breach transparently and ethically. Should our data breach investigation process determine that the breach may result in an impact to your rights and freedoms, we will notify you and the ICO where we are legally required to do so.
Who we share your data with:
At Xeinadin, we may share the information that you provide to us with other third parties in alignment with our processing purposes to deliver our services to you. Those trusted third parties and software providers include (but are not limited to):
- BrightPay
- Clearstone
- Creditsafe
- Iris
- Quickbooks
- Sage
- Senta
- Taxfiler
- Xero
- HMRC
- Banking and financial institutions
To safely process your information, all our service providers are obligated to maintain strict confidentiality and process your personal information solely according to our explicit instructions by means of written agreement.
There are circumstances where we may need to share your personal information with third parties to fulfill legal obligations, comply with decisions from judicial authorities or governing bodies, or meet other public interests. Your privacy and confidentiality remain our priority in any such disclosures.
International Data Transfers:
We commonly engage trusted third parties located within the United Kingdom (UK) or the European Economic Area (EEA). However, occasionally, we work with third parties located outside of these geographic areas. When we do and there is no adequacy decision in place, we implement measures and employ suitable safeguards such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) to uphold the security of your personal information.
Third countries include:
- India
- Pakistan
If you would like to know more about the safeguards that we use to secure your information, please get in touch by emailing us at [email protected] or via letter to: The Data Protection Manager, Xeinadin Group Limited, 8th Floor Becket House, 36 Old Jewry, London, United Kingdom, EC2R 8DD.
How long do we keep your data?
His Majesty’s Revenue and Customs (HMRC) has published Codes of Practice which stipulate that, by law, accountancy firms must keep personal records for a period of six years from the end of the accounting period to which they relate. However, some records may be required to be kept for a longer period in relation to money laundering regulations. Xeinadin Group maintains copies of your personal data in line with such stipulations; however, unless otherwise stipulated, all data is deleted six years from the end of the accounting period.
Marketing preferences
When you complete a form on our website, you will automatically be added to our email marketing database.
Unsubscribing from marketing emails
Should you receive a promotional email from Xeinadin, you may opt out of receiving further promotional email communications by following the unsubscribe link at the bottom of the email. Please note that even if you opt out of receiving promotional communications from us, we may continue to send you non-promotional emails.
Your data rights:
Both the UK & EU General Data Protection Regulation give you seven rights in relation to your data. It is important that you understand your rights and for that reason, we have listed them below:
- The right to access – the right to access copies of personal information.
- The right to rectification – the right to ask organisations to rectify information that isn’t correct.
- The right to erasure – the right to have personal information erased in certain circumstances.
- The right to restriction of processing – the right to have processing of personal data restricted in certain circumstances
- The right to object to processing – the right to object to having data processed in the first place or by a specific means.
- The right to data portability – the right to have information transferred from one organisation to another or be given to the data subject directly.
- Rights relating to automated decision making and profiling – the right to challenge the use of automated processing & decision making
Please note that not all rights are absolute. There may be certain circumstances in which we are unable to facilitate the exercise of your right(s) due to certain allowed exemptions. Should this be the case, then we will explain the exemption reason to you in our response.
Exercising your rights – the SAR process:
Access to personal data is the first step to exercising your rights. By exercising your right to access, you are able to receive a copy of all the personal information held about you by Xeinadin Group. This allows you to understand why your data is being used and to verify that it is being used in accordance with the law. The right to access is exercised by submitting a Subject Access Request (SAR) to the organisation. You can submit a SAR verbally, by speaking to us on the phone or in person, or in writing, including on social media platforms. It is not necessary to use the term “Subject Access Request”; you can simply ask for a copy of your personal information. If you wish to make a written SAR directly to us, you can do so by sending an email to [email protected] or via letter to Xeinadin Group Limited, 8th Floor Becket House, 36 Old Jewry, London, United Kingdom, EC2R 8DD.
After receiving your request, we will need to verify your identity before providing you with a copy of your personal data. We will respond to your request within 30 days. Subject Access Requests are typically free of charge. However, if your request is deemed by our data protection manager to be manifestly unfounded or excessive, we may charge a reasonable fee to cover the administrative costs involved.
Information collected while using our website, including Cookies:
Upon visiting the Xeinadin website, certain information is collected from your internet browser for statistical purposes using cookies. These are small text files that are stored on your computer’s hard drive through your browser. Cookies do not contain any personal information about users but allow us to distinguish you as a separate entity and monitor your actions on our site. Once you close your browser, the cookies are automatically removed.
To find out more about cookies, please visit: http://www.allaboutcookies.org
Google Analytics
We keep track of our website traffic in Google Analytics. In this way, we analyse the performance of our website, and we’re able to see the effect of our marketing actions. Google Analytics registers, among others:
- What is the source site of your visit?
- How long did you stay on our website?
- Which pages do you visit?
- Which device/operating system/browser do you use?
- Which forms do you fill?
When legally obliged, Google might share this information with third parties. If third parties process the information, Google might also share this information. We signed a data processing agreement with Google and forbade Google to use the obtained information for any other of their services.
No personal data is collected or saved in Google Analytics. The data will not be shared with third partners unless legally obliged.
How to complain:
Complaints to Xeinadin Group
Should you be unhappy with the way in which your personal data is being handled, then a formal complaint may be made to either Xeinadin Group or to the Information Commissioner’s Office.
Complaints about the handling of data can be made to the Data Protection Team at [email protected]. The Data Protection Team are responsible for ensuring that data is handled in line with legal and regulatory requirements. Received complaints will result in an investigation of the data handling practices of the relevant office or department, prior to the issuing of a final report.
If the complaint is related to the handling of personal data by the Data Protection Team, then the formal Xeinadin Group complaints procedure can be used. All Group complaints must be sent to [email protected]; this is for both internal and external complaints.
Complaints Handling:
Either department will provide written acknowledgment within 5 business days of its receipt, giving the name or job title of the individual handling the complaint for the firm (together with details of the firm’s internal complaints handling procedure).
The Group will, by the end of eight weeks after its receipt of a complaint, send the complainant either a final response; or a response which explains that the Group is still not able to make a final response, gives reasons for the further delay and indicates when it expects to be able to provide a final response.
Complaining to the ICO:
If you have any concerns about the way in which Xeinadin Group handle your personal information, you also have the right to complain to the Information Commissioner’s Office, which is the United Kingdom’s data protection regulator; the contact details of which can be found below:
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk