PRIVACY
POLICY.

1. Who We Are

MOIZ AFC (MOIZ Accounting & Finance Consultants) is the data controller responsible for your personal data. We are a remote accounting and financial consultancy operating across the UK, USA, Canada, and the Middle East.

For all data protection queries, please contact us at: info@moizafc.com

2. Data We Collect

Depending on the Services you engage us for, we may collect and process the following categories of personal data:

Identity & Contact Data:

• Full name, job title, and company name
• Email address, telephone number, and postal address
• National Insurance number (for payroll clients)
• Date of birth (where required for HMRC purposes)
• Unique Taxpayer Reference (UTR) and VAT registration numbers

Financial Data:

• Bank account details, transaction records, and financial statements
• Payroll records including salary, pension contributions, and tax deductions
• VAT records, invoices, receipts, and expense records
• Corporation tax records and Companies House filing information
• CIS subcontractor details and payment records

Technical Data:

• IP address and browser type (collected via our website contact form)
• Website usage data via cookies (see Section 10)

3. How We Collect Your Data

We collect personal data through the following means:

• Direct contact: When you complete our contact form, email us, or engage our services
• Client onboarding: Documents, records, and access credentials you provide when we begin an engagement
• Cloud accounting platforms: Data accessed through Xero, QuickBooks, Sage, SAP, or other platforms you grant us access to
• HMRC & Companies House: Information obtained in the course of submitting filings on your behalf
• Third parties: Payroll bureaus, pension providers, or other professional advisers with your consent

4. How We Use Your Data

We use your personal data solely for the purposes of delivering our services and maintaining our business relationship:

• Providing bookkeeping, VAT, payroll, management accounts, and tax compliance services
• Submitting statutory returns and filings to HMRC, Companies House, and other relevant authorities
• Processing payroll, PAYE, RTI submissions, and pension auto-enrolment
• Communicating with you regarding your account, invoices, and service delivery
• Complying with our legal, regulatory, and professional obligations
• Sending service-related updates and compliance reminders (not marketing)
• Maintaining accurate financial and business records as required by law

We do not use your personal data for marketing to third parties, sell your data, or use it for automated decision-making that produces legal or similarly significant effects.

5. Legal Basis for Processing

We rely on the following legal bases under UK GDPR to process your personal data:

• Contract (Article 6(1)(b)): Processing necessary to perform our services as agreed in the Engagement Letter
• Legal obligation (Article 6(1)(c)): Processing required to comply with HMRC regulations, the Companies Act, and other applicable laws
• Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate business interests such as record-keeping, fraud prevention, and service improvement, where these are not overridden by your rights
• Consent (Article 6(1)(a)): Where you have explicitly consented, such as via our contact form or for optional communications

6. Data Sharing

We share your personal data only where necessary and with appropriate safeguards in place:

• HMRC: For VAT returns, payroll RTI, corporation tax, CIS returns, and other statutory filings
• Companies House: For confirmation statements and annual filings
• Cloud accounting platforms: Xero, QuickBooks, Sage, SAP, and Zoho Books — strictly for service delivery
• Pension providers: For auto-enrolment compliance on behalf of payroll clients
• Professional advisers: Solicitors or other accountants where required and with your consent
• Hostinger (web hosting): Our website host may process contact form submission data on our servers

We never sell, rent, or trade your personal data to any third party for their own marketing or commercial purposes.

7. International Data Transfers

MOIZ AFC operates across the UK, USA, Canada, and the Middle East. Where data is transferred outside the UK, we ensure appropriate safeguards are in place including:

• UK adequacy decisions for countries deemed to provide equivalent protection
• Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO)
• Data processing agreements with all cloud platform providers operating internationally

All international tax compliance work (USA, Canada, UAE, GCC) is conducted using encrypted, cloud-based platforms with appropriate data protection agreements in place.

8. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law:

• Client accounting records: Minimum 6 years from the end of the relevant tax year, in accordance with HMRC requirements
• Payroll records: Minimum 3 years from the end of the tax year to which they relate (PAYE records: 6 years)
• VAT records: Minimum 6 years
• Companies House records: As required by the Companies Act 2006
• Contact enquiries: 12 months from the date of enquiry if no engagement follows

After the applicable retention period, data is securely deleted or anonymised.

9. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure: Request deletion of your data where it is no longer necessary, subject to legal retention obligations
• Right to restrict processing: Request that we limit how we use your data in certain circumstances
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, contact us at info@moizafc.com. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

10. Cookies

Our website uses minimal cookies. We do not use advertising or tracking cookies. The cookies we may use include:

• Essential cookies: Required for the website to function correctly (e.g. session management)
• Analytics cookies: If enabled, used to understand how visitors use our site in aggregate, with no personal identification

You can control cookie settings through your browser at any time. Disabling cookies will not affect your ability to use our services or contact us.

11. Security

We take the security of your personal data seriously. Measures we have in place include:

• Encrypted cloud storage and access via HTTPS-secured platforms
• Role-based access controls on all accounting software platforms
• Secure document sharing through encrypted cloud services
• Regular review of access permissions for all client accounts
• Data processing agreements with all third-party platform providers

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware, as required by UK GDPR.

12. Third-Party Links

Our website may contain links to third-party websites including HMRC, Companies House, and cloud accounting platforms. This Privacy Policy applies only to moizafc.com. We are not responsible for the privacy practices of any third-party sites and encourage you to review their privacy policies independently.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. Where changes are material, we will notify active clients by email. The most current version will always be available at moizafc.com/privacy.html.

14. Contact & Complaints

For any questions, data subject requests, or complaints about how we handle your personal data: