Privacy Policy
Last updated: [25 May 2026]
Penny & Paper ("we", "us", "our") is a sole trader business operated by Sebastian Prendiville, providing finance operations and bookkeeping services to small and medium-sized businesses.
We are committed to protecting your personal data. This policy explains how we collect, use, and safeguard your information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller
Sebastian Prendiville trading as Penny & Paper [BUSINESS ADDRESS] [EMAIL ADDRESS] ICO Registration Number: [ICO NUMBER]
What Data We Collect
We may collect and process the following personal data:
Contact information — your name, email address, phone number, and business name, provided when you contact us through our website, email, or other communication channels.
Business and financial information — bookkeeping records, invoices, bank statements, and other financial documents you share with us in connection with our services.
Website usage data — information collected automatically when you visit our website, including your IP address, browser type, pages visited, and time spent on our site (see our Cookie Policy below).
How We Use Your Data
We use your personal data for the following purposes:
To respond to enquiries and provide our services.
To manage our business relationship with you, including invoicing and correspondence.
To comply with legal and regulatory obligations, including anti-money laundering (AML) requirements.
To improve our website and services.
Legal Basis for Processing
We process your data on the following legal bases:
Contract — processing necessary to perform our services or take pre-contractual steps at your request.
Legal obligation — processing required to comply with AML regulations and other legal requirements.
Legitimate interests — processing necessary for our legitimate business interests, such as improving our services and maintaining our website, where these do not override your rights.
Anti-Money Laundering
As a provider of bookkeeping services, we are supervised for AML compliance by HMRC (Supervision Reference: [HMRC AML REFERENCE]). We are legally required to verify client identities and retain certain records. We may be unable to inform you if we are required to make a disclosure to the relevant authorities.
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
Client records and financial data — 6 years from the end of our business relationship, in line with HMRC requirements.
Enquiry data (where no engagement follows) — 12 months.
Website analytics data — 26 months.
Data Sharing
We do not sell your personal data. We may share your data with:
HMRC and regulatory bodies — where required by law.
Our professional advisers — such as our accountant, on a confidential basis.
Software providers — we use cloud-based tools (e.g. Xero, Revolut Business) to deliver our services. These providers process data on our behalf under appropriate data processing agreements.
We do not transfer your data outside the UK unless necessary to provide our services, and where we do, appropriate safeguards are in place.
Your Rights
Under UK GDPR, you have the right to:
Access the personal data we hold about you.
Request correction of inaccurate data.
Request deletion of your data (subject to legal retention requirements).
Object to or restrict certain processing.
Data portability — receive your data in a structured, machine-readable format.
Withdraw consent at any time, where consent is the basis for processing.
To exercise any of these rights, contact us at [EMAIL ADDRESS].
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.