Last updated: May 2026
For Calculo clients and individuals connected to a client engagement
1. About this notice
This notice explains how Calculo handles personal data when you are a client of ours, or when we hold personal data about you because you are connected to a client (for example, a director, shareholder, beneficial owner, employee, spouse or dependant).
It sits alongside, and should be read with:
โข our Privacy Policy at calculo.uk/privacy-policy, which covers website visitors and marketing contacts; and
โข your engagement letter, which sets out the services we provide and how we work together.
If there is any conflict between this notice and your engagement letter, the engagement letter takes precedence on matters of service scope, fees and contractual terms; this notice takes precedence on matters of data protection.
2. Who we are and how to contact us
Calculo is the trading name of Calculo Ltd (company number SC417339, registered office 09 Eastworks, Gateway Court, Glasgow, G40 4DS). We are the data controller for the data described here, and are registered with the ICO under ZA587549.
Data Protection Officer (DPO) and Money Laundering Reporting Officer (MLRO): Gillian Graham
Contact: hello@calculo.uk
3. Personal data we collect about clients
To deliver our services and meet our regulatory obligations, we collect and hold:
โข Identification and contact details: full name, date of birth, addresses (current and previous), nationality, email address, phone number.
โข Identity verification data: passport, driving licence or other photo ID; proof of address documents; results of electronic ID checks.
โข Financial and tax data: National Insurance number, Unique Taxpayer Reference, bank account details, payroll and pension information, tax returns and supporting documentation.
โข Business and engagement data: details of your business, role, shareholdings, beneficial ownership, board minutes, contracts and correspondence.
โข Source-of-funds and source-of-wealth information where required for anti-money-laundering checks.
โข Correspondence and records of advice we have given.
Where you provide information about another person (for example, a director, spouse or dependant), you are responsible for making sure they have seen this notice and agree to their information being shared with us.
4. Special category and criminal offence data
We do not routinely process special category data (such as health information). Where it is unavoidable โ for example, in connection with a tax matter that depends on a medical condition โ we will process it only with your explicit consent or where another lawful condition under Article 9 UK GDPR applies.
Information about criminal convictions or alleged offences will only be processed where required to comply with our anti-money-laundering, sanctions and proceeds-of-crime obligations.
5. Why we process your data and our lawful basis
Providing accountancy and tax services to you โ Lawful basis: Performance of a contract (your engagement letter).
Complying with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and successor legislation โ Lawful basis: Legal obligation, and substantial public interest under Schedule 1, Part 2 of the Data Protection Act 2018 where special category or criminal-offence data is involved.
Filing returns and dealing with HMRC, Companies House and other authorities on your behalf โ Lawful basis: Performance of a contract and legal obligation.
Keeping records to evidence compliance with professional standards and to defend potential claims โ Lawful basis: Legitimate interests and legal obligation.
Internal administration, billing and credit control โ Lawful basis: Performance of a contract and legitimate interests.
Sending you service-related updates (e.g. tax deadline reminders, regulatory changes affecting your business) โ Lawful basis: Legitimate interests in keeping clients informed about matters relevant to the services we provide; you can opt out at any time.
6. Anti-money-laundering: a note on confidentiality
As an accountancy services provider in the UK we are subject to anti-money-laundering supervision. This means:
โข we must verify your identity and the identity of beneficial owners before we begin work, and on an ongoing basis;
โข we must keep records of those checks, normally for at least five years after the end of our engagement;
โข we may be required to report suspicious activity to the National Crime Agency; and
โข in those limited circumstances we are prohibited by law from telling you that a report has been made ("tipping off"). This is the one situation in which we may not be able to respond fully to a request you make about your data.
7. Who we share your data with
We share personal data only where necessary, and under appropriate safeguards, with:
โข HMRC, Companies House and other UK regulators and tax authorities as part of providing our services to you;
โข overseas tax authorities where you have a filing or disclosure obligation in another jurisdiction and we are instructed to deal with it;
โข our anti-money-laundering supervisor and, where relevant, the National Crime Agency;
โข professional advisers (legal, audit, insurance) where reasonably necessary;
โข software and service providers we use to deliver our services โ including our practice management system, cloud accounting platforms (e.g. for bookkeeping and payroll), document storage, email, and IT support โ all under written contracts that meet UK GDPR requirements;
โข banks, payment providers and lenders where you have asked us to deal with them on your behalf;
โข a purchaser or successor in the event of a sale or reorganisation of our business; and
โข any third party with your explicit instruction or consent.
8. International transfers
Most of your data is held within the UK. Some of the cloud-based services we use to deliver our work store or process data in the European Economic Area or the United States. Where that is the case we rely on one or more of: an adequacy decision recognised by the UK; the UK International Data Transfer Agreement; or the EU Standard Contractual Clauses with the UK Addendum. We can provide further information on request.
9. How long we keep your data
We keep client records for as long as we need them to deliver our services and meet our legal, regulatory and professional obligations. Typical retention periods are:
โข Client engagement records, tax returns and supporting documentation: 6 years after the end of the relevant tax year or the end of our engagement, whichever is later (in line with HMRC requirements and the limitation period for negligence claims in Scotland).
โข Anti-money-laundering records (ID, verification, ongoing monitoring): 5 years after the end of our engagement, in line with the Money Laundering Regulations 2017.
โข Records of advice and correspondence: 6 years after the end of our engagement.
โข Records relating to actual or potential legal claims: until the claim is resolved and the limitation period has expired.
After the relevant retention period we delete or securely destroy the records, unless we are required to keep them for longer by law.
10. Your rights
You have the same UK GDPR rights described in Section 9 of our Privacy Policy: access, rectification, erasure, restriction, objection, portability and the right to withdraw consent. In a client context, some of those rights are limited in practice:
โข We cannot delete records we are legally required to keep (for example, anti-money-laundering files within the statutory retention period).
โข We may need to refuse, or partially refuse, a request where complying would breach our legal obligations or tip off the subject of a suspicious-activity report.
โข Where we hold data as part of our work for another client (for example, you appear in their payroll), we will normally direct your request to that client as the controller of their own data.
We will explain clearly, in writing, where any of these limits apply to a request you make.
11. Complaints
If you are unhappy with how we have used your data, please contact Gill in the first instance so we can investigate. If you remain dissatisfied you can complain to the ICO at ico.org.uk, by phone on 0303 123 1113, or in writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
12. Security
We protect your data with measures appropriate to its sensitivity, including access controls, encrypted email for sensitive material on request, encrypted storage, supplier due diligence, multi-factor authentication for our systems, and regular staff training.
13. Changes to this notice
Where we make a significant change to this notice โ for example, because we adopt a new service provider that affects how your data is processed โ we will tell you directly, normally by email. Other updates will be published here with the "last updated" date refreshed.
14. How to contact us
Email: hello@calculo.uk
Post: 09 Eastworks, Gateway Court, Glasgow, G40 4DS