
Privacy Policy

1. Introduction

This is the privacy notice for Citadel Accounting UK Limited (Citadel).

At Citadel, we respect your privacy and are committed to protecting your personal information. This notice explains how we handle your personal data, your rights in relation to that data, and how the law protects you.

This policy is set out in sections so you can easily find the information you need. You can also download a PDF version for reference. Please refer to the Glossary at the end for definitions of key terms.


The policy covers the following areas:

  • 1. Important Information and Who We Are
  • 2. The Data We Collect About You
  • 3. How Your Personal Data Is Collected
  • 4. How We Use Your Personal Data
  • 5. Disclosures of Your Personal Data
  • 6. International Transfers
  • 7. Data Security
  • 8. Data Retention
  • 9. Your Legal Rights
  • 10. Glossary
2. Important Information and Who We Are

Purpose of this privacy notice

This notice explains how Citadel collects and processes your personal data when you use our website, for example if you sign up to receive newsletters, request further information, or purchase a service. Our website and services are not aimed at children, and we do not knowingly collect information about children.

It is important that you read this notice along with any other privacy or fair processing notices we may provide on specific occasions. Together, these notices will give you a full picture of how and why we use your data.

Who controls your data

Citadel Accounting UK Limited is the controller of your personal data unless otherwise stated. This means we are responsible for deciding how your information is used.

We have appointed a Data Privacy Manager to oversee matters relating to this policy. If you have any questions or wish to exercise your legal rights, please contact our Data Privacy Manager using the details

Contact details:

  • Legal entity: Citadel Accounting UK Limited
  • Data Privacy Manager: Raghav Tiwari
  • Email: info@citadelaccounting.com
  • Address: First Floor, 3 Cumbrian House, 217 Marsh Wall, London E14 9FJ

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection (www.ico.org.uk). However, we encourage you to contact us first so we can address your concerns directly.

Updates to this privacy notice

This notice was last updated on 25th August 2025. We may update it from time to time in line with legal requirements or changes to how we operate. Please check our website regularly for the latest version.

It is also important that the personal data we hold about you is accurate and up to date. Please let us know if your details change during your relationship with us.

Links to other websites

Our website may include links to third-party websites, plug-ins, and applications. Clicking on those links may allow others to collect or share data about you. We are not responsible for those third-party websites or their privacy practices, and we encourage you to read their privacy notices when you leave our site.


3. The Data We Collect About You

Personal data means any information that can identify you as an individual. This does not include anonymous data, where your identity has been removed and cannot be re-identified.

We may collect, use, store, and share different types of personal data, grouped into the following categories:

  • Identity Data: such as first name, last name, title, date of birth, gender, and similar identifiers (e.g., usernames).
  • Contact Data: such as postal address, billing address, email address, and telephone numbers.
  • Financial Data: such as bank account details and payment card information.
  • Transaction Data: details of payments you make to us and information about services or products you purchase from Citadel.
  • Technical Data: such as your IP address, login details, browser type and version, time zone settings, operating system, and the devices you use to access our website.
  • Usage Data: information about how you use our website, products, and services.
  • Marketing and Communications Data: your preferences for receiving marketing messages from us and your communication preferences.

We also collect and use Aggregated Data, such as statistical or demographic data, to help us understand trends and improve our services. Aggregated Data may be derived from your personal data, but is not considered personal data in law because it cannot directly identify you. However, if we combine Aggregated Data with your personal data in a way that identifies you, we treat it as personal data and handle it according to this privacy notice.

We do not collect any Special Categories of Personal Data (such as race, religion, health information, or biometric data), nor do we collect information on criminal convictions or offences.

If you choose not to provide data

In some cases, we are required by law or by contract to collect personal data from you. If you do not provide this data when requested, we may not be able to fulfil our obligations (for example, providing a service you have requested). If this happens, we will let you know at the time.


4. How Your Personal Data Is Collected

We use different methods to collect personal data about you, including:

Direct interactions

You may provide us with Identity, Contact, and Financial Data by filling in forms or by corresponding with us by post, phone, email, or other means. This includes information you provide when you:

  • Engage Citadel for products or services
  • Request marketing communications
  • Contact us for information or support

Automated interactions

When you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this data using cookies and similar technologies. Please see our Cookie Policy for more details.

Third-party sources

We may receive personal data about you from third parties and publicly available sources, such as:

  • Analytics providers (e.g., Google Analytics)
  • Search information providers
  • Payment and delivery service providers (for Contact, Financial, and Transaction Data)
  • Publicly available sources such as Companies House (for Identity and Contact Data)
  • Identity verification services (to meet our legal obligations, for example, under anti-money laundering regulations)


5. How We Use Your Personal Data

We will only use your personal data when the law allows us to. Most often, this will be:

  • To perform a contract: when we need to deliver a service or product you have requested.
  • For legitimate interests: where it is necessary for running our business and these interests are not outweighed by your rights.
  • To comply with legal obligations: when we are required to process your data by law or regulation.

We generally do not rely on consent as a legal basis for processing personal data, except where we send direct marketing communications by email or text. You can withdraw consent for marketing at any time by contacting us.

Cookies

Our website uses cookies to improve user experience. You can set your browser to refuse or block cookies, but some parts of our website may not work properly without them. For more details, please see our Cookie Policy.

Change of purpose

We will only use your personal data for the purpose it was collected. If we need to use it for a different but compatible reason, we will explain this to you. If the new purpose is unrelated, we will seek your consent unless the law allows us to process it without consent.


6. Disclosures of Your Personal Data

We may need to share your personal data with certain third parties for the purposes outlined in Section 4. These include:

  • External service providers: such as IT providers, payment processors, auditors, or insurers, who support our business operations.
  • Regulators and authorities: such as HM Revenue & Customs or other bodies that require reporting of data processing activities.
  • Business transactions: in the event of a merger, sale, transfer, or acquisition involving Citadel. If ownership of the business changes, the new owners may use your personal data in the same way as described in this policy.

We require all third parties to protect your personal data and treat it in line with the law. Service providers are not allowed to use your personal data for their own purposes and may only process it on our instructions, for agreed purposes.


7. International Transfers

Some of our service providers and external partners are located outside the United Kingdom and the European Economic Area (EEA). This means that when they process your personal data, it may be transferred to countries where data protection standards are different from those in the UK or EEA.

Whenever we transfer your personal data outside the UK or EEA, we make sure it is protected to the same high standard by ensuring at least one of the following safeguards is in place:

  • Adequacy decision: we only transfer data to countries approved by the UK Government or European Commission as having adequate levels of data protection.
  • Contractual protections: we use contracts approved by the UK Government or European Commission that require third parties to protect your data to the same standard as in the UK/EEA.
  • Specific frameworks: where applicable, we may transfer data to US-based providers who are certified under recognised frameworks that provide equivalent safeguards.

If you would like more details about the specific safeguards we use when transferring your data internationally, please contact us.


8. Data Security

Citadel has put in place appropriate technical and organisational measures to protect your personal data. These measures are designed to prevent your information from being accidentally lost, accessed or used without authorisation, altered, or disclosed.

Access to your personal data is limited to employees, contractors, and third parties who need it to perform their work. They are required to follow strict confidentiality obligations and will only process your data on our instructions.

We also have procedures in place to deal with any suspected data breach. Where the law requires, we will notify both you and the relevant regulator if a breach occurs.


9. Data Retention

We will only keep your personal data for as long as necessary to fulfil the purposes for which it was collected, including to meet any legal, regulatory, accounting, or reporting requirements.

When deciding how long to keep data, we consider:

  • The amount, type, and sensitivity of the data
  • The potential risk of harm from unauthorised use or disclosure
  • The purposes for which we process the data and whether those purposes can be achieved in other ways
  • Any applicable legal or regulatory requirements

Details of how long we retain specific types of data are set out in our internal Retention Policy, which is available on request.

Once the retention period has expired, your data will either be securely deleted, anonymised, or archived, depending on the circumstances and legal obligations.


10. Your Legal Rights

Under data protection laws, you have a number of rights in relation to your personal data. These include the right to:

  • Access: request a copy of the personal data we hold about you.
  • Correction: ask us to correct or update any incomplete or inaccurate data we hold.
  • Erasure: request that we delete your personal data where there is no valid reason for us to continue processing it.
  • Object: object to the processing of your personal data where we are relying on legitimate interests, or where your data is being used for direct marketing.
  • Restriction: request that we suspend the processing of your personal data in certain circumstances (e.g., while we check its accuracy).
  • Transfer: request that we transfer your personal data to you or another service provider in a structured, commonly used, machine-readable format.
  • Withdraw consent: withdraw your consent at any time where we rely on consent to process your data. This will not affect the lawfulness of any processing carried out before consent was withdrawn.

If you wish to exercise any of these rights, please contact us. We may need to verify your identity before we can respond to your request, as a security measure to protect your data.

Fees

You will not normally have to pay to exercise your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. In some cases, we may refuse your request for these reasons.

Response time

We aim to respond to all valid requests within one month. If your request is complex or you have made several requests, it may take longer. If so, we will let you know and keep you updated.


11. Glossary

Lawful Basis

1. Legitimate Interest: This is when we process your personal data to manage and run our business, provide you with the best products or services, and ensure a safe experience. We always weigh the impact on you before using your data and will not use it if your rights outweigh our interests, unless we have your consent or are legally required to do so. You can contact us for more details about how we assess legitimate interests for specific activities.

2. Performance of Contract: We process your data when it is necessary to fulfil a contract you are part of, or to take steps at your request before entering into a contract.

3. Legal or Regulatory Compliance: We process your data to comply with laws or regulatory obligations that apply to us.

Third Parties

1. External Service Providers: Companies in the EU, USA, and New Zealand that handle payroll, IT, and system administration on our behalf.

2. Professional Advisers: Banks, auditors, and insurers in the UK that provide financial, insurance, and accounting services.

3. Authorities: HM Revenue & Customs, regulators, and other UK authorities that require reporting of certain processing activities.

Your Legal Rights

You have the right to:

1. Access Your Data: Request a copy of the personal data we hold about you to check it is processed lawfully.

2. Correct Your Data: Request corrections to incomplete or inaccurate personal data. We may verify the new information you provide.

3. Erase Your Data: Request deletion of your personal data when there is no reason for us to keep it, if you successfully object to processing, if it was processed unlawfully, or if required by law. Some legal exceptions may apply.

4. Object to Processing: Object to data processing based on legitimate interests if it affects your rights, or if your data is used for direct marketing. In some cases, we may have overriding reasons to continue processing.

5. Restrict Processing: Ask us to temporarily suspend processing of your personal data in certain situations, such as verifying accuracy, unlawful processing, or disputes over data use.

6. Data Portability: Request your data in a structured, machine-readable format for yourself or a third party. This applies to automated data you provided or data used to fulfil a contract.

7. Withdraw Consent: Withdraw consent for processing based on your consent at any time. This won’t affect past lawful processing, but it may affect our ability to provide certain services, and we will inform you if this is the case.