MTD starts 6 April 2026: Get ready in 10 minutesSee how Provestor works →

Privacy Notice

Provestor Services

Important

From time to time we may update this Privacy Notice and you agree to review this notice regularly. Continued use of our services will mean that you agree to any changes. You will be notified of any significant changes to our Privacy Notice.

Last updated: 19th January 2026
Version: 1.1
Provider: Provestor Accounts Ltd (Company No. 10510713)
Registered Office: 1 Derwent Business Centre, Clarke Street, Derby. England. DE1 2BU

This Privacy Notice applies to clients of Provestor Accounts Ltd and should be read alongside our Terms and Conditions. It explains how we collect, use, and protect your personal data in the course of delivering our accountancy and tax services, as well as your rights under UK data protection law. By engaging our services, you agree to the handling of your personal data as outlined in this notice and our Terms and Conditions of Service.

This Privacy Notice also applies to services provided in connection with Making Tax Digital for Income Tax (“MTD”), which may involve more frequent processing and transmission of personal and financial data.

Introduction

The Data Protection Act 2018 (“DPA 2018”) and the UK General Data Protection Regulation (“UK GDPR”) impose certain legal obligations in connection with the processing of personal data.

Provestor Accounts Ltd is a data controller within the meaning of the GDPR and we process personal data. The firm’s contact details are as follows:

Provestor Accounts Ltd
1, Derwent Business Centre, Clarke Street, Derby, DE1 2BU
Email: dpo@provestor.co.uk
Phone: 01332 460275

We may amend this Privacy Notice from time to time. We will notify you of any material changes. The current version will always be available on our website.

Depending on the service provided, Provestor may act as a data controller or a data processor. Where we act as a data processor on behalf of a data controller, we provide an additional schedule setting out required information as part of that agreement, which should be read alongside this notice.

In particular, for MTD services, Provestor acts as a software provider and/or agent facilitating digital record keeping and submissions. Responsibility for the accuracy, completeness, and approval of data submitted to HM Revenue & Customs remains with the taxpayer unless expressly agreed otherwise under a Done For You engagement.

The purposes for which we intend to process personal data

We intend to process personal data for the following purposes:

  • To enable us to supply professional accountancy and tax advisory services to you as our client.

  • To provide software tools and digital platforms for bookkeeping and company compliance.

  • To enable compliance with Making Tax Digital for Income Tax, including digital record keeping, quarterly updates, cumulative submissions, and year-end returns.

  • To fulfil our obligations under relevant laws (for example, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 as amended – “MLR 2017”).

  • To comply with professional obligations to which we are subject.

  • To use in the investigation and/or defence of potential complaints, disciplinary proceedings, and legal proceedings.

  • To enable us to invoice you and resolve any related fee disputes.

  • To contact you about services we provide that may be of interest to you, where consent is required.

  • To improve the functionality, support, and delivery of our digital services.

  • To operate automated tools that assist with transaction categorisation, validation, reconciliation, and calculation, with appropriate human oversight.

  • To analyse aggregated client satisfaction data for service improvement and performance monitoring.

The legal bases for our intended processing of personal data

Our intended processing of personal data has the following legal bases:

  • The processing is necessary for the performance of our contract with you.

  • The processing is necessary for compliance with legal obligations to which we are subject (including tax legislation and MLR 2017).

  • The processing is necessary for the purposes of the following legitimate interests which we pursue:

    • Delivering and improving our professional and digital services.

    • Investigating or defending actual or potential legal claims.

    • Monitoring and improving client experience, product features, and performance.

Where we send marketing communications, this is based on our legitimate interests or your consent, as appropriate. You may opt out of receiving these communications at any time by following the instructions included in the communication or by contacting us directly.

It is a condition of our contract with you that you provide the personal data we request. If you do not provide this, we may not be able to act for you.

Categories of personal data collected

We collect and process the following categories of personal data:

  • Identity data (for example, name, date of birth, National Insurance number, UTR).

  • Contact data (for example, email address, phone number, address).

  • Financial and transactional data (for example, bank details, income, expenses).

  • Digital records required under MTD, including income, expenses, allowances, and cumulative totals.

  • Company and business details (for example, incorporation data and accounting records).

  • MTD-related identifiers and authorisations (for example, agent permissions).

  • Platform usage data (for example, access logs, support tickets, and submitted records).

  • IP addresses and cookies (for security, analytics, and support purposes).

Source of personal data

Where we obtain personal data from sources other than you, they may include:

  • Publicly available sources (for example, Companies House and HMRC).

  • Your authorised agents (for example, mortgage brokers and accountants).

  • Our digital platforms and integrations.

  • Data generated through your ongoing use of our MTD-enabled bookkeeping and reporting tools.

  • Other third parties you instruct us to liaise with (for example, software providers and letting agents).

Persons and organisations to whom we may give personal data

We may share your personal data with:

  • HMRC, including via Making Tax Digital application programming interfaces (APIs), for the purposes of submitting digital records, quarterly updates, and year-end returns.

  • Any third parties with whom you instruct us to correspond.

  • Our subcontractors and software providers.

  • Tax investigation or fee protection insurance providers (if applicable).

  • Our professional indemnity insurers.

  • Our professional bodies and/or OPBAS in relation to MLR 2017 compliance.

  • Inni Ltd, the parent company of Provestor Accounts Ltd, as it owns and operates the Provestor Platform.

  • Our platform development and support team.

  • Stripe or other payment providers.

Where services are introduced or supported through partners (for example, estate agents or platform partners), we may share limited personal data necessary for onboarding, support, and compliance. Partners do not receive tax or financial data unless you have authorised this.

If required by law, we may share your data with:

  • The police or other law enforcement agencies.

  • Courts and tribunals.

  • The Information Commissioner’s Office.

If you ask us not to share your data with certain third parties, we may need to cease acting for you.

Transfers of personal data outside the UK or EEA

Your personal data is stored and processed in the UK and the EEA.

Where we engage third parties outside the UK or EEA, we ensure appropriate safeguards are in place, such as adequacy decisions or standard contractual clauses.

Retention of personal data

In line with best practice and our regulatory requirements, we retain records as follows:

  • Tax returns: kept for 7 years from the end of the tax year to which the information relates.

  • Advisory work: retained for 7 years from the date the business relationship ceased.

  • Ongoing relationships: data needed for ongoing compliance is retained during the relationship and deleted 7 years after it ends, unless you request extended retention.

Our Terms and Conditions include a 7-year document destruction clause and your agreement to those terms confirms agreement to this retention period.

For MTD services, you remain responsible for reviewing and approving data before submission unless you have engaged us under a Do-It-For-You service with explicit authority to submit on your behalf.

You must retain records relevant to your own tax affairs:

Individuals

  • With rental or trading income: 5 years and 10 months after the end of the tax year.

  • Otherwise: 22 months after the end of the tax year.

Companies

  • 6 years from the end of the accounting period.

Where we act as a data processor, we will delete or return personal data to the controller on the agreed basis.

Requesting personal data we hold about you (Subject Access Requests)

You have the right to access personal data we hold about you.

Please submit Subject Access Requests in writing to dpo@provestor.co.uk.

To process your request, please provide details to confirm your identity and help us locate the data (for example, full name, previous addresses, date of birth, National Insurance number, or tax reference).

We aim to respond within one month. We do not charge for this service.

Your other rights under the UK GDPR

You also have the right to:

  • Request correction of inaccurate or incomplete data (right to rectification).

  • Request deletion of your data in certain circumstances (right to erasure).

  • Object to or restrict processing (for example, marketing or profiling).

  • Request a copy of your data in a machine-readable format (right to data portability).

  • Withdraw your consent (where consent has been given) at any time.

To exercise any of these rights, please contact us using the details above. We will respond within one month. In some cases, we may be legally entitled to refuse the request, in which case we will explain why.

Automated decision-making

We do not carry out automated decision-making that produces legal or similarly significant effects without human involvement.

We do use automated processes and tools to assist with data categorisation, validation, calculations, and reporting as part of our digital services, including MTD, with appropriate oversight.

Complaints

If you are unhappy with how we have handled your data, please raise your concern with us first.

Complaints should be sent to dpo@provestor.co.uk.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office at www.ico.org.uk.