Privacy Notice

‍Lawson Advisory Ltd respects your privacy and is committed to protecting personal data. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This privacy notice explains how we collect, use and protect personal information when providing professional services.

‍This privacy notice tells you what to expect us to do with your personal information.

  • Contact details

  • What information we collect, use, and why

  • Our role when providing services

  • Professional confidentiality

  • ‍Lawful bases and data protection rights

  • Where we get personal information from

  • ‍How long we keep information

  • ‍Change of purpose

  • ‍Who we share information with

  • ‍International transfers of personal data

  • ‍How we protect personal data

  • Automated decision making

  • Changes to this privacy notice

  • How to complain

‍Contact details

  • ‍Data Protection Point of Contact: David Lawson

  • ‍Email - david@lawson-advisory.co.uk

  • ‍Telephone - 07971 506887

  • ‍Company No. - 16984370

  • ‍Registered Office - 71-75 Shelton Street, London, WC2H 9JQ

‍What information we collect, use, and why

‍We collect the personal information listed below where relevant to the services we provide. Not all categories will apply in every client relationship.

‍We collect or use the following information to provide and improve products and services for clients:

  • Names and contact details

  • Addresses

  • ‍Occupation

  • Date of birth

  • ‍Financial data (including income and expenditure)

  • ‍Transaction data (including details about payments to and from you and details of products and services you have purchased)

  • ‍Usage data (including information about how you interact with and use our website, products and services)

  • ‍Records of meetings and decisions

We collect or use the following personal information for the operation of client or customer accounts:

  • ‍Names and contact details

  • Addresses

  • ‍Purchase or service history

  • ‍Account information, including registration details

  • ‍Information used for security purposes

  • Marketing preferences

  • ‍Technical data, including information about browser and operating systems

‍We collect or use the following personal information for information updates or marketing purposes:

  • Names and contact details

  • ‍Addresses

  • Profile information

  • Marketing preferences

  • Purchase or account history

  • ‍Website and app user journey information

  • IP addresses

‍We collect or use the following personal information to comply with legal requirements:

  • Name

  • Contact information

  • Identification documents

  • Client account information

  • ‍Information required to comply with our professional and regulatory obligations, including anti-money laundering legislation and professional conduct requirements

  • Any other personal information required to comply with legal obligations

‍We collect or use the following personal information for dealing with queries, complaints or claims:

  • ‍Names and contact details

  • Addresses

  • ‍Account information

  • Purchase or service history

  • Customer or client accounts and records

  • ‍Financial transaction information

  • Correspondence

‍Our website may contain links to other websites. This privacy notice only applies to Lawson Advisory Ltd. If you follow a link to another website, you should review their privacy notice.

‍Our role when providing services

‍When providing professional advisory services to clients, Lawson Advisory Ltd may process personal data on behalf of the client organisation.

‍In these circumstances the client organisation acts as the data controller and Lawson Advisory Ltd acts as a data processor, processing personal data only in accordance with the client’s instructions and applicable data protection law.

‍Lawson Advisory Ltd acts as a data controller for personal data relating to our own business operations, such as client contact information, billing information and marketing communications.

‍Professional confidentiality

‍As a member of the Institute of Chartered Accountants in England and Wales (ICAEW), Lawson Advisory Ltd is bound by the ICAEW Code of Ethics, which imposes a duty of professional confidentiality on members. This means that client information is treated as confidential and is not disclosed to third parties except where disclosure is required or permitted by law, authorised by the client, or necessary to fulfil our professional obligations.

‍This professional duty applies alongside, and is consistent with, our obligations under UK data protection law.

‍Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

‍Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

‍To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

‍We will not charge a fee to handle a data protection rights request. However, we may charge a reasonable fee to cover administrative costs if a request is manifestly unfounded or excessive, or if you request further copies of the same information. In such circumstances we may alternatively refuse to comply with the request. We will notify you if either applies.

‍Our lawful bases for the collection and use of your data

‍We rely on the following lawful bases when processing personal data:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests include carrying out client due diligence and ongoing monitoring in order to comply with our professional and legal obligations, including obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, and responding to and addressing queries, complaints or claims in a professional manner.

  • Consent – where you have given us permission to use your personal data, such as for marketing communications. You may withdraw consent at any time.

‍For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

‍Where we get personal information from

  • ‍Directly from you.

  • Publicly available sources.

  • ‍From our clients, in the course of providing services, where that client's employees, suppliers or customers are the subject of the data.

‍How long we keep information

‍We retain personal data only for as long as necessary for the purposes for which it was collected, including satisfying legal, accounting, or reporting requirements.

In particular:

  • Client engagement records and related correspondence – normally retained for 6 years after the end of the engagement.

  • Financial and accounting records – retained for at least 6 years to comply with tax and regulatory obligations.

  • AML identification records – retained for 5 years after the end of the business relationship in accordance with the Money Laundering Regulations.

  • Marketing data – retained until consent is withdrawn or the data is no longer relevant.

For more information on how long we store your personal information or the criteria we use to determine this, please contact us using the details provided above.

‍Change of purpose

‍Where we need to use your personal data for a purpose other than that for which it was originally collected, we will only do so where that purpose is compatible with the original. If we need to use your data for a new purpose, we will notify you and confirm the lawful basis for doing so.

‍Who we share information with

Data processors

‍We may share personal data with trusted third-party service providers who act as data processors on our behalf. These providers help us operate our business and deliver our services.

‍These service providers may carry out the following activities for us:

  • Hosting, maintaining and securing our IT systems and cloud infrastructure

  • ‍Providing email, document storage and collaboration systems

  • Managing customer relationship management (CRM) systems and contact records

  • Processing website enquiries and hosting our website

  • Providing data backup, cybersecurity and system monitoring services

  • ‍Providing accounting, billing and payment processing services

  • Providing professional advisory services such as legal, regulatory or accounting advice

  • Supporting the administration and delivery of our professional services

‍Others we share personal information with

Organisations we’re legally obliged to share personal information with.

‍International transfers of personal data

‍Some of the third-party service providers we use may store or process personal data outside the United Kingdom.

‍Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK data protection law. These safeguards may include:

  • transfers to countries recognised as providing an adequate level of protection

  • ‍the use of standard contractual clauses approved for use in the UK

  • ‍other appropriate legal safeguards

‍Many modern cloud service providers operate global infrastructure and may process data in multiple jurisdictions as part of their service delivery.

‍How we protect personal data

‍We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse or alteration.

These measures may include secure cloud-based systems, access controls, encryption where appropriate and restricting access to personal data to those who need it for legitimate business purposes.

We have procedures in place to deal with any suspected personal data breach and will notify you and the ICO where we are legally required to do so.

‍Automated decision making

‍We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on individuals.

‍Changes to this privacy notice

‍We may update this privacy notice from time to time to reflect changes in legal requirements or how we operate. The latest version will always be available on our website.

‍How to complain

‍If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

‍If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO. Our ICO registration reference is ZC126232.

The ICO’s address:

‍Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Last updated: 30 April 2026