How we collect, use, and protect your personal data in accordance with UK GDPR and the Data Protection Act 2018.
Last updated: 06-09-2025
11TaxAssist Ltd (company no. 16416027) is the data controller for personal data processed via our websites, products and services unless stated otherwise.
Registered address: 6 Alexander Court, Baker Street, Reading, England, RG1 7XZ.
Email: [email protected].
This notice explains how we collect, use, share and protect personal data in accordance with the UK GDPR, the Data Protection Act 2018, and other applicable UK laws. It covers data processed when you visit our website, contact us, or use our services.
We may collect and process the following categories of data:
We collect data directly from you and, where lawful, from third parties such as HMRC, Companies House, banks and payment processors.
We process personal data to provide our services, comply with legal obligations, manage payments, protect systems, and, with your consent, send marketing communications.
| Purpose | Example activities | Lawful basis |
|---|---|---|
| Provide and manage services | Onboarding, filing, advice, support | Contract |
| Legal & regulatory compliance | HMRC/Companies House submissions, record keeping | Legal obligation |
| Billing & payments | Invoicing and payment processing | Contract / Legitimate interests |
| Security & fraud prevention | Access controls, logs, DDoS/WAF via CDN | Legitimate interests |
| Marketing (optional) | Newsletters, updates | Consent |
We do not use automated decision-making that produces legal or similarly significant effects without explicit consent.
You have the right to access, rectify, erase, restrict or object to processing, and to data portability. Where processing is based on consent you may withdraw consent at any time. To exercise your rights contact us (see Contact section).
Some providers may process data outside the UK/EEA. Where this occurs, we implement appropriate safeguards such as the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs), or rely on adequacy regulations, and apply additional technical and organisational measures where appropriate.
We use Cloudflare for TLS termination, WAF/DDoS mitigation and content delivery. Cloudflare may process limited operational and security metadata across its global network. We have a data processing agreement in place and rely on appropriate transfer mechanisms. TLS keys are managed securely, and traffic between Cloudflare and our origin uses Full (strict) encryption.
We implement defence-in-depth security measures including:
We retain personal data only as long as necessary for the purpose collected and to meet legal or accounting requirements. Typical retention periods:
| Category | Typical period | Rationale |
|---|---|---|
| Tax & accounting records | 6 years after relevant tax year | Statutory requirements |
| Contracts & correspondence | 6 years after contract end | Limitation periods |
| Support tickets & logs | 12–24 months | Operational / security |
| Marketing data | Until you withdraw consent or 24 months inactivity | Preference management |
When retention ends, data is deleted or irreversibly anonymised.
You can lodge a complaint with the Information Commissioner's Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Website: ico.org.uk. Tel: 0303 123 1113. We'd appreciate the chance to resolve your concerns first – contact us at [email protected].
We may update this notice occasionally. The latest version will be published on our website and will show the "last updated" date.