PRIVACY POLICY

Revision date 11.04.2026

1. Who We Are

Oppic Ltd (“Oppic”, “we”, “us”) is a UK-based accounting and advisory practice, registered with the ICO as a data controller (Registration No. ZB280526). This Privacy Policy explains how we collect, use, store, and share your personal data when you engage with us as a client, prospective client, supplier, or website visitor.

This website is not intended for children under 18. For questions about this policy, you can contact us at [email protected].

2. Personal Data We Collect

We only collect personal data that is necessary for specific purposes. Depending on your interaction with us, this may include:

  • Identity and contact: name, address, email, phone number, date of birth, job title
  • Business and financial: accounting records, bank details, VAT numbers, tax returns, payroll data, company information
  • Compliance: ID documents, proof of address, AML/KYC records
  • Communications: emails, meeting notes, and correspondence
  • Technical and usage: IP addresses, access logs, browser information, and how you interact with our website or portals
  • Marketing preferences: your preferences for receiving communications from us

We do not intentionally collect special category data (such as health or ethnicity information) unless strictly required by law, for example, where ID documents submitted for AML checks incidentally contain such data. We also do not knowingly collect data about individuals under 18.

3. How We Collect Your Data

We collect personal data in the following ways:

  • Directly from you: Via forms, correspondence (e.g., emails and phone calls), and through our secure portals.
  • Automatically: Our website uses cookies to improve your experience and collect technical data. See our Cookie Policy (https://oppic.uk/cookie-policy) for more details.
  • From third parties: Such as HMRC, Companies House, compliance verification providers, and your professional advisers if necessary.

4. Why We Use Your Data

We only process your data where we have a lawful basis. The table below summarises our key purposes and the basis we rely on:

| Purpose | Lawful Basis |
|---|---|
| Delivering our accounting, bookkeeping, payroll, or advisory services | Contract (Art. 6(1)(b)) |
| Complying with tax law, AML regulations, and other legal obligations | Legal obligation (Art. 6(1)(c)) |
| Managing our client relationship, handling queries, notifying you of changes to our terms or this policy | Contract; legal obligation; and legitimate interests (Art. 6(1)(f)) (keeping records current and managing our relationship with you) |
| Protecting our business and IT systems, fraud prevention, security monitoring | Legitimate interests (Art. 6(1)(f)) |
| Improving our website and understanding how it is used | Legitimate interests (Art. 6(1)(f)) |
| Sending marketing communications about our services | Legitimate interests (Art. 6(1)(f)) (existing clients) or Consent (Art. 6(1)(a)) (others) |

Where we process special category data incidentally (e.g. nationality in AML documents), we rely on Article 9(2)(b) UK GDPR and Schedule 1 DPA 2018.

5. Marketing and Your Preferences

You have a right to control how and when you receive marketing communications:

  • To opt out of marketing emails, click the "unsubscribe" link or email [email protected].
  • We will never share your data with third parties for marketing purposes without your express consent.

6. Who We Share Your Data With

We share your data only where it is necessary and lawful, including with:

  • HMRC, Companies House, and other regulatory bodies as required by law
  • Cloud platform and software providers acting as processors under written data processing agreements
  • Employer of Record provider (Pelagonian GmbH) facilitating some of our team who are based in the Philippines (see Section 7).
  • Professional advisers and subcontractors bound by confidentiality obligations.

We do not sell your data or share it for third-party marketing.

7. International Transfers

Some of our team, including administrative staff, accountants and bookkeepers, are based in the Philippines, engaged through our Employer of Record provider (Pelagonian GmbH), which operates via its own Philippine entity. Your personal data may be accessed by these team members in the course of delivering our services.

Since the Philippines does not hold a UK adequacy decision, we protect your data through the following safeguards:

  • A completed Transfer Risk Assessment (TRA) under ICO guidance, which concluded the transfer is appropriate given the mitigations in place
  • Remote-access only: All client data remains securely stored within the UK.
  • Secure IT infrastructure: Encrypted devices, multi-factor authentication (MFA), timeouts, and role-based controls.
  • Contractual agreements with Philippines-based staff mirroring UK data protection standards.
  • Compliance with UK GDPR safeguards, including written Data Processing Agreements under Article 28.

[Our cloud service providers may also process data outside the UK. Where they do, we rely on the ICO-approved International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses. Copies available on request from [email protected].]

Transfer arrangements are reviewed annually and whenever the legal or operational environment changes materially.

8. Our Use of AI Tools

We use AI tools to support internal productivity only. We do not use AI to process your personal data without human oversight and do not use AI for automated decision-making.

We use AI tools (including ChatGPT) for drafting, research, and internal workflow support. Our approach is as follows:

  • Information is anonymised or generalised before being input
  • We do not intentionally input special category data into AI tools
  • All AI outputs are reviewed and approved by a team member before use
  • AI is not used to make decisions about you

For questions about AI use in connection with your matter, please contact us at [email protected].

9. Security

We store data in encrypted cloud systems (Google Workspace, Xero, OneDrive, approved portals). We do not store client data on personal devices or unencrypted local storage. Security measures include encryption in transit and at rest, MFA on all systems, role-based access, regular security reviews, and breach response procedures. If a breach is likely to risk your rights, we will notify the ICO within 72 hours and you directly where required.

10. How Long We Keep Your Data

We keep data only as long as necessary. Key periods (from end of engagement unless stated):

| Record Type | Retention Period |
|---|---|
| Financial records (accounts, tax, bookkeeping) | 7 years |
| AML and identity verification records, in line with ASCP rules | 7 years |
| Client correspondence and matter files | 7 years |
| Payroll records | 7 years from the relevant tax year |
| Marketing records | Until consent withdrawn, or 3 years’ inactivity |
| Website access logs | 12 months rolling |

Our full Document Retention Policy is available on request. On expiry, data is securely deleted or anonymised. Anonymised data may be retained for statistical purposes.

11. Your Rights

Under UK data protection law, you have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Ask us to correct inaccurate or incomplete data
  • Erasure: Ask us to delete your data where there is no longer a lawful basis
  • Restriction: Ask us to pause processing in certain circumstances
  • Portability: Receive your data in a machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw consent: At any time for any consent-based processing

To exercise these rights, email [email protected]. We will verify your identity and respond within one month. Please also let us know if your personal details change so we can keep our records accurate.

12. Complaints

If you have concerns about how we handle your data, please contact us first at [email protected]. If unresolved, you may complain to the ICO, who will generally expect you to have contacted us first:

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Helpline: 0303 123 1113

Website: www.ico.org.uk

13. Third-Party Links

We review this policy at least annually. The current version is always available from [email protected]. We will notify you directly of any material changes before they take effect. Historic versions are available on request.

14. Changes to This Policy

We review this policy at least annually. The current version is always available from [email protected]. We will notify you directly of any material changes before they take effect.

15. Contact Us

Oppic Ltd: Data Protection Contact

Email: [email protected]

Post: Oppic Ltd, 86-90 Paul Street, London, EC2A 4NA

Registered No: 12587039

ICO Reg: ZB280526