Privacy Notice

for Thomas Croft Limited 

Last updated: 19 March 2026

1. Who we are

Thomas Croft Limited is an accountancy and tax advisory practice based in England. For the purposes of UK data protection law, Thomas Croft Limited is the controller of your personal data.

Contact details
Address: Solent House, 107a Alma Road, Portswood, Southampton, SO14 6UY
Email: info@thomascroft.co
Telephone: 02380516470
Data protection contact: Mark Thomas

This privacy notice explains how we collect, use, store, share and protect personal data relating to clients, prospective clients, website users and other people we deal with in the course of our business. It is intended to be clear, accessible and kept under review. 

2. The personal data we collect

Depending on the work we do for you, we may collect and use the following categories of personal data:

  • identity data, such as your name, title, date of birth, National Insurance number, UTR, passport or driving licence details;

  • contact data, such as your address, email address and telephone number;

  • financial and tax data, such as income, expenditure, assets, liabilities, payroll, VAT, accounts and tax-return information;

  • transaction data, such as billing records, payment details and services provided;

  • compliance data, such as identity verification records, beneficial ownership information, sanctions / PEP screening results and AML records;

  • communication data, such as emails, letters, call notes and correspondence;

  • meeting data, such as audio recordings, transcripts, summaries, action points and file notes created from meetings and calls; and

  • technical data, such as IP address, browser data and website usage data where our website collects it.

This includes information processed through tools we use for meetings and note-taking, including, but not limited to, Plaud AI and Microsoft Teams / Microsoft 365, where those tools are used in connection with our services. We aim to collect only the personal data that is reasonably necessary for the relevant purpose.

3. How we collect personal data

We may collect personal data:

  • directly from you;

  • from someone acting for you or your business;

  • from your employer, company, partnership, trust or other organisation;

  • from HMRC, Companies House, banks, payroll providers, pension providers or other institutions, where lawful and appropriate;

  • from your previous or other professional advisers, where authorised;

  • from publicly available sources;

  • from identity verification, AML or sanctions-screening providers; and

  • through our website, email, telephone systems and meeting platforms.

If we obtain your personal data from a source other than you, we will usually tell you where it came from, unless a legal exemption applies.

4. Why we use personal data and our lawful bases

We use personal data only where the law allows us to do so. Depending on the circumstances, we rely on one or more of the following lawful bases:

  • steps before entering into a contract or performance of a contract, for example to assess an enquiry, take you on as a client, and provide accountancy, tax, payroll, VAT, bookkeeping or advisory services;

  • legal obligation, for example to comply with anti-money laundering, tax, regulatory and record-keeping obligations;

  • legitimate interests, for example to run our practice efficiently, maintain accurate records, manage IT and information security, recover fees, handle complaints and claims, and keep reliable meeting notes; and

  • consent, where required, for example for certain marketing communications or certain non-essential website cookies.

Where we rely on legitimate interests, we consider whether the processing is necessary and whether your interests, rights and freedoms override those interests. We also use safeguards to reduce privacy impact where appropriate. 

If you do not provide personal data that we reasonably require to act for you or comply with our legal obligations, we may be unable to start or continue the engagement, complete the relevant work, or provide advice or filings. 

5. AI-assisted meeting notes, recordings and transcripts

We may use Plaud AI, Microsoft Teams or other similar technology and related Microsoft 365 functionality to record, transcribe and summarise meetings, calls and discussions. This may include audio, transcripts, summaries, action points and related file notes.

We use these tools to help us maintain accurate records, reduce administrative time, improve continuity of service, and support quality and compliance in our client files. AI outputs are used as an aid to our work and are subject to human review.

We do not use these tools to make decisions about you solely by automated means where those decisions have legal or similarly significant effects.

Where a meeting or call is to be recorded or transcribed, we aim to make that clear at or before the start. If you object, please let us know. We will consider whether a reasonable alternative is available, although we may still need to take manual notes to keep an accurate record.

6. Anti-money laundering and compliance checks

As an accountancy and tax practice, we may be required to collect and process personal data to comply with anti-money laundering and related legal obligations. This may include identity documents, proof of address, beneficial ownership information, risk assessments and screening results.

We process this information to comply with legal and regulatory duties and to help prevent money laundering, terrorist financing and related financial crime. 

7. Who we share personal data with

We may share personal data where necessary with:

  • HMRC, Companies House, regulators and public authorities;

  • banks, lenders, payroll providers, pension providers and other institutions connected with the work;

  • previous, current or successor professional advisers, where authorised;

  • legal advisers, insurers, auditors and compliance advisers;

  • IT support, cyber-security, cloud hosting, remote desktop, backup and software providers;

  • communications and productivity providers, including Microsoft / Microsoft 365 / Teams;

  • AI note-taking or transcription providers, including Plaud AI, where used in our services; and

  • debt recovery providers or courts, where necessary.

Where another organisation processes personal data on our behalf, we seek to ensure appropriate contractual and governance arrangements are in place. Even where we use processors, we remain responsible for our own compliance as controller. 

8. International transfers

Some of our suppliers may process personal data outside the UK. Where that happens, we will only transfer personal data where the law allows us to do so and where appropriate safeguards are in place, such as adequacy regulations or approved contractual transfer mechanisms.

Where required, we will assess whether the level of protection for the transferred personal data is not materially lower than in the UK and take additional measures where appropriate. 

9. Data security

We take appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. These measures may include access controls, role-based permissions, encryption, secure systems, backups, device controls and staff training.

Access to personal data is limited to those who need it for a legitimate business purpose. 

10. How long we keep personal data

We keep personal data only for as long as necessary for the purpose for which it was collected, taking account of legal, regulatory, professional and limitation requirements. We maintain an internal retention schedule.

Our usual retention approach is:

  • enquiry / prospective client data: usually up to 12 months after the last meaningful contact;

  • ordinary client files, advice records, correspondence and billing records: usually 6 years after the end of the client relationship, unless a longer period is justified;

  • AML / CDD records: normally 5 years from the end of the business relationship or the completion of the occasional transaction, after which personal data obtained for MLR purposes should be deleted unless another lawful reason applies;

  • raw meeting recordings: usually deleted after 90 days once the recording has been checked and an adequate note or transcript retained, unless a longer retention period is needed for a complaint, dispute, regulatory issue or other lawful reason; and

  • meeting transcripts, summaries and checked file notes: usually kept with the relevant client file for the applicable file-retention period.

We may anonymise data rather than delete it where appropriate.

11. Cookies and website technologies

Our website may use cookies or similar technologies. Where we use non-essential cookies or similar technologies, we will obtain consent where the law requires it. Strictly necessary cookies may be used without consent where permitted.

If we use analytics, advertising cookies or similar tools, further information will be provided through our cookie banner or cookie settings. 

12. Marketing communications

If we send marketing communications, we will do so in accordance with data protection law and PECR. You can opt out of marketing emails at any time by using the unsubscribe link or contacting us. 

13. Your rights

Subject to the conditions and exceptions in data protection law, you may have the right to:

  • request access to your personal data;

  • request correction of inaccurate or incomplete personal data;

  • request erasure of personal data;

  • request restriction of processing;

  • object to processing; and

  • request data portability in certain cases.

You can exercise your rights by contacting us using the details above. 

14. Complaints

If you have a concern about how we use your personal data, please contact us first and we will try to resolve it.

You also have the right to complain to the Information Commissioner’s Office (ICO).

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113

15. Changes to this notice

We may update this privacy notice from time to time. The latest version will be made available on our website and, where appropriate, provided to you directly.