Plain English summary: We collect only what we need, use it only for the purpose you gave it, protect it properly, and delete it when we no longer need it. We never sell your data. We sign a GDPR-aligned Data Processing Agreement before handling any client data.
1. Data Controller
EarthOne Accounting ("EarthOne", "we", "us", "our") is the data controller for personal data collected through this website (earthoneaccounting.com) and in connection with our services.
Registered address: 319, Avalon, Katargam, Surat, Gujarat, India 395004
Email: hi@earthoneaccounting.com
We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What Personal Data We Collect
Website enquiries and contact forms
- Name, email address, phone number (optional)
- Company or firm name
- Details of services you are interested in
- Any additional information you choose to provide
Service delivery
- Business contact details of client representatives
- Financial and accounting data necessary to perform the agreed services
- End-client data provided to us by accounting firms using our white-label services (see DPA section)
Website usage
- Standard server logs (IP address, browser type, pages visited), used for security and performance only, not marketing
3. How We Use Your Personal Data
- To respond to your enquiry or consultation booking
- To provide the accounting outsourcing services you have engaged us for
- To comply with legal and regulatory obligations
- To maintain records of our business relationship
We do not use your personal data for marketing without your explicit consent. We do not sell, rent or share your data with third parties for their marketing purposes.
4. Lawful Basis for Processing
- Contract: Where processing is necessary to perform a contract with you or take steps prior to entering into one.
- Legitimate interests: Where we have a legitimate business interest (e.g. responding to an enquiry), balanced against your rights.
- Legal obligation: Where we must process data to comply with UK law.
- Consent: Where you have given explicit consent (e.g. GDPR consent checkbox on our contact form).
5. GDPR Compliance & Data Processing
EarthOne operates in compliance with the UK General Data Protection Regulation (UK GDPR) and the EU GDPR where applicable. We implement the following safeguards:
- Role-based access controls, only team members who need access to data for service delivery have it
- Encrypted file transfer for all client data
- No client data used for any purpose other than the agreed service
- No sharing of client data with unauthorised third parties
- Data minimisation, we collect and hold only what is necessary
6. Data Processing Agreement (DPA)
Where EarthOne acts as a data processor on behalf of an accounting firm (i.e. handling end-client data as part of a white-label outsourcing engagement), a GDPR-aligned Data Processing Agreement is signed before any work begins.
The DPA covers:
- The subject matter and duration of processing
- The nature and purpose of processing
- The type of personal data and categories of data subjects
- Obligations and rights of the controller (the accounting firm)
- Sub-processor restrictions
- Data breach notification obligations
- Return or deletion of data on termination
To request a copy of our standard DPA or to discuss your firm's specific requirements, contact hi@earthoneaccounting.com.
7. Data Retention
We retain personal data only for as long as necessary for the purpose it was collected, or as required by law:
- Enquiry data: Up to 12 months if no engagement follows
- Client engagement data: For the duration of the engagement plus 7 years (to meet UK legal and tax obligations)
- Website logs: Up to 90 days for security purposes
On termination of a service engagement, data is returned to the client and/or deleted in accordance with the DPA terms.
8. Third Parties
We may share data with the following categories of third party where necessary to deliver our services:
- Cloud accounting software providers (Xero, QuickBooks, Sage, etc.), only where your firm has authorised us to access your existing accounts
- HMRC and Companies House, where authorised to submit on your behalf
- Professional advisers, under appropriate confidentiality obligations
We do not transfer data to any third party for commercial purposes. We do not use data brokers or advertising networks.
9. International Transfers
EarthOne's team is based in India. Where personal data is transferred from the UK or EU to India for service delivery purposes, we rely on appropriate safeguards including:
- Contractual safeguards (Data Processing Agreement and Standard Contractual Clauses where applicable)
- Technical safeguards (encrypted transfer, role-based access)
- Working within your UK-based software environment wherever possible to minimise data transfer
10. Your Rights
Under UK GDPR, you have the following rights:
- Right of access, to request a copy of the personal data we hold about you
- Right to rectification, to correct inaccurate or incomplete data
- Right to erasure, to request deletion of your data (subject to legal retention obligations)
- Right to restriction of processing
- Right to data portability
- Right to object, to processing based on legitimate interests
- Right to withdraw consent, where processing is based on consent
To exercise any of these rights, email hi@earthoneaccounting.com. We will respond within one calendar month.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): ico.org.uk, 0303 123 1113.
11. Cookies
This website uses minimal cookies. We do not use advertising or tracking cookies. The only cookies used are:
- Session cookies: Technically necessary for the website to function
- Calendly: If you use our booking widget, Calendly may set its own cookies. See Calendly's privacy policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The "last updated" date at the top of this page will reflect any changes. Continued use of our website or services after any update constitutes acceptance of the revised policy.