MTD starts 6 April 2026: Get ready in 10 minutesSee how Provestor works →

Privacy Notice

Provestor Services

Important

From time to time we may update this Privacy Notice and you agree to review this notice regularly. Continued use of our services will mean that you agree to any changes. You will be notified of any significant changes to our Privacy Notice.

Last updated: 30 January 2026
Version: 1.2
Provider: Provestor Accounts Ltd (Company No. 10510713)
Registered Office: 1 Derwent Business Centre, Clarke Street, Derby, England, DE1 2BU

Overview

This Privacy Notice applies to clients of Provestor Accounts Ltd and should be read alongside our Terms and Conditions. It explains how we collect, use, and protect your personal data in the course of delivering our accountancy, tax, and digital services, as well as your rights under UK data protection law.

By engaging our services, you agree to the handling of your personal data as outlined in this notice and our Terms and Conditions of Service.

This Privacy Notice also applies to services provided in connection with Making Tax Digital for Income Tax (“MTD”), which may involve more frequent processing and transmission of personal and financial data.

Introduction

The Data Protection Act 2018 (“DPA 2018”) and the UK General Data Protection Regulation (“UK GDPR”) impose certain legal obligations in connection with the processing of personal data.

Provestor Accounts Ltd is a data controller within the meaning of UK GDPR. Our contact details are:

Provestor Accounts Ltd
1 Derwent Business Centre, Clarke Street, Derby, DE1 2BU
Email: dpo@provestor.co.uk
Phone: 01332 460275

We may amend this Privacy Notice from time to time. We will notify you of any material changes. The current version will always be available on our website.

Depending on the service provided, Provestor may act as a data controller or a data processor. Where we act as a data processor on behalf of a data controller, we provide an additional schedule setting out required information as part of that agreement, which should be read alongside this notice.

Where personal data is provided to us by letting agents or similar intermediaries, Provestor and the agent each act as independent data controllers.

In particular, for MTD services, Provestor acts as a software provider and/or agent facilitating digital record keeping and submissions. Responsibility for the accuracy, completeness, and approval of data submitted to HM Revenue & Customs remains with the taxpayer unless expressly agreed otherwise under a Done For You engagement.

The purposes for which we process personal data

We process personal data for the following purposes:

  • to enable us to supply professional accountancy and tax advisory services to you as our client;

  • to provide software tools and digital platforms for bookkeeping and company compliance;

  • to enable compliance with Making Tax Digital for Income Tax, including digital record keeping, quarterly updates, cumulative submissions, and year-end returns;

  • to fulfil our obligations under relevant laws (for example, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 as amended – “MLR 2017”);

  • to comply with professional obligations to which we are subject;

  • to use in the investigation and/or defence of potential complaints, disciplinary proceedings, and legal proceedings;

  • to enable us to invoice you and resolve any related fee disputes;

  • to contact you about services we provide that may be of interest to you, where consent is required;

  • to improve the functionality, support, and delivery of our digital services;

  • to operate automated tools that assist with transaction categorisation, validation, reconciliation, and calculation, with appropriate human oversight; and

  • to analyse aggregated client satisfaction data for service improvement and performance monitoring.

The legal bases for our processing of personal data

Our processing of personal data is based on the following legal bases:

  • the processing is necessary for the performance of our contract with you;

  • the processing is necessary for compliance with legal obligations to which we are subject (including tax legislation and MLR 2017);

  • the processing is necessary for the purposes of our legitimate interests, including:

    • delivering and improving our professional and digital services;

    • enabling compliance with Making Tax Digital;

    • managing relationships with authorised agents and intermediaries;

    • sending service-related invitations and onboarding communications; and

    • investigating or defending actual or potential legal claims.

Where we send marketing communications, this is based on our legitimate interests or your consent, as appropriate. You may opt out of receiving these communications at any time by following the instructions included in the communication or by contacting us directly.

It is a condition of our contract with you that you provide the personal data we request. If you do not provide this data, we may not be able to act for you.

Categories of personal data collected

We collect and process the following categories of personal data:

  • identity data (for example, name, date of birth, National Insurance number, UTR);

  • contact data (for example, email address, phone number, address);

  • financial and transactional data (for example, bank details, income, expenses);

  • digital records required under MTD, including income, expenses, allowances, and cumulative totals;

  • company and business details (for example, incorporation data and accounting records);

  • MTD-related identifiers and authorisations (for example, agent permissions);

  • platform usage data (for example, access logs, support tickets, and submitted records); and

  • IP addresses and cookies (for security, analytics, and support purposes).

Source of personal data

Where we obtain personal data from sources other than you, these may include:

  • publicly available sources (for example, Companies House and HMRC);

  • letting agents or property managers authorised to act in relation to your rental property;

  • data imported from customer relationship management (CRM) systems used by letting agents, where those agents choose to connect their systems to Provestor;

  • our digital platforms and integrations;

  • data generated through your ongoing use of our MTD-enabled bookkeeping and reporting tools; and

  • other third parties you instruct us to liaise with (for example, software providers or advisers).

Personal data received from letting agents

Where a letting agent uses Provestor’s agent portal, the agent may provide personal data relating to landlords they act for. This may include:

  • identity and contact details;

  • property and ownership information;

  • rental income and expense data; and

  • letting statements and records required for MTD compliance.

Letting agents are responsible for ensuring they have a lawful basis to share this data with Provestor and that landlords have been informed.

Invitations and onboarding communications

Where a letting agent provides us with a landlord’s contact details, Provestor may send invitations or onboarding communications to that landlord.

These communications:

  • are sent to enable access to Provestor’s platform and services;

  • are branded as Provestor communications; and

  • are treated as service communications, not third-party marketing.

Landlords may opt out of non-essential communications at any time.

CRM integrations

Some letting agents choose to connect their own CRM systems to Provestor. Where this occurs:

  • personal data is imported into Provestor in accordance with the agent’s configuration;

  • the data is treated as if it had been provided directly by the agent; and

  • Provestor is not responsible for the accuracy or completeness of data sourced from third-party systems.

CRM integrations may be updated, modified, or discontinued over time.

Persons and organisations to whom we may give personal data

We may share your personal data with:

  • HMRC, including via Making Tax Digital application programming interfaces (APIs), for the purposes of submitting digital records, quarterly updates, and year-end returns;

  • any third parties with whom you instruct us to correspond;

  • our subcontractors and software providers;

  • tax investigation or fee protection insurance providers (if applicable);

  • our professional indemnity insurers;

  • our professional bodies and/or OPBAS in relation to MLR 2017 compliance;

  • Inni Ltd, the parent company of Provestor Accounts Ltd, as it owns and operates the Provestor Platform;

  • our platform development and support team; and

  • Stripe or other payment providers.

Where services are introduced or supported through partners (for example, estate agents or letting agents), we may share limited personal data necessary for onboarding, support, and compliance. Such sharing is carried out on a controller-to-controller basis. Partners do not receive tax return or submission data unless you have authorised this.

If required by law, we may share your data with law enforcement agencies, courts, tribunals, or the Information Commissioner’s Office.

If you ask us not to share your data with certain third parties, we may need to cease acting for you.

Transfers of personal data outside the UK or EEA

Your personal data is stored and processed in the UK and the EEA.

Where we engage third parties outside the UK or EEA, we ensure appropriate safeguards are in place, such as adequacy decisions or standard contractual clauses.

Retention of personal data

In line with best practice and our regulatory requirements, we retain records as follows:

  • tax returns: retained for 7 years from the end of the tax year to which the information relates;

  • advisory work: retained for 7 years from the date the business relationship ceased;

  • ongoing relationships: data required for compliance is retained during the relationship and deleted 7 years after it ends, unless extended retention is requested.

Our Terms and Conditions include a 7-year document destruction clause, and acceptance of those terms confirms agreement to this retention period.

For MTD services, you remain responsible for reviewing and approving data before submission unless you have engaged us under a Done For You service with explicit authority to submit on your behalf.

You must retain your own tax records in accordance with statutory requirements.

Where we act as a data processor, we will delete or return personal data to the controller on the agreed basis.

Subject Access Requests

You have the right to access personal data we hold about you.

Requests should be submitted in writing to dpo@provestor.co.uk.We may request information to confirm your identity and locate your data.

We aim to respond within one month and do not charge for this service.

Your other rights under UK GDPR

You have the right to request rectification, erasure, restriction, data portability, and to object to processing, including marketing. Where processing is based on consent, you may withdraw consent at any time.

Automated decision-making

We do not carry out automated decision-making that produces legal or similarly significant effects without human involvement.

We do use automated tools to assist with categorisation, validation, calculation, and reporting as part of our digital services, including MTD, with appropriate oversight.

Complaints

If you are unhappy with how we have handled your data, please contact us at dpo@provestor.co.uk.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office at www.ico.org.uk.