Website privacy policy

Website privacy notice 

Last updated: March 2026

The Shaw Gibbs Group is committed to protecting and respecting your privacy.  This Policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

Shaw Gibbs is a trading name for the Shaw Gibbs Group of companies. For full details of all companies in the Shaw Gibbs Group, refer to our Legal Notice page.

Entities in the Shaw Gibbs Group act as the ‘data controller’ of the personal information submitted by visitors to our website and collected by us through such visits or otherwise collected by us in relation to:

• The provision of our products and services to clients
• Enquiries regarding our products and services

• People who supply services for us

• Professional contacts

• People who elect to receive business communications from us

This privacy notice explains how the Shaw Gibbs uses personal information in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

If you have any questions about this privacy notice, please contact us at datarequest@shawgibbs.com

Quick Reference Guide 

• What information we collect about you

• How we use your information and the legal basis How long we keep your data

• How we share your information

• International data transfers

• How we may market to you

• How we keep your information secure

• Your rights

• Cookies

• Children’s data

• Other websites

• Changes to our privacy notice

• How to contact us

1. What information do we collect about you?

We collect information about you when you register with us or engage us to provide products or services, or otherwise when you do business with us. We also collect information when you voluntarily complete customer surveys, provide feedback and participate in competitions.

We will collect some or all of the following information from you:

• Your name and contact details (including postal and email address and telephone number(s))

• Your date of birth
• Identification documents such as copies of passports or drivers licences, where required by law.

• Financial information including taxation affairs and your banking information
• Unique identifiers such as your National Insurance number, Company House personal code, unique taxpayer reference number, and VAT numbers for individuals

• Information about your family members (where relevant to our services)

• Information relevant to the products or services you engage us to provide, including the types of services provided to you

• Information relevant to the products or services you provide to us

• Information you provide when you register for events or to receive other communications from us including special requirements such as dietary requirements
• Information you provide when you inquire about our products or services

• Employment and business information
• Information about your shareholding

• Professional qualifications and memberships
• Job title
• Marketing preferences
• CCTV (Images and Recordings) and information included in visitor logs and car registration number when you visit our offices

We may also obtain information about you from other sources in order to help us provide the required services or comply with our legal and regulatory obligations, including:

• Credit reference agencies and fraud prevention agencies

• Identity verification services for anti-money laundering purposes

• Companies House and other public registers

• HMRC and other regulatory bodies

• Other professional advisers (with your consent)

• Your internet protocol (IP) address, operating system and web browser when you visit our website

• Website usage information collected using cookies, please see our cookie policy for further details.

Important: If you share other people’s data with us, you must ensure that person consents to you providing that information to us, or that there is another lawful basis for sharing their information.

2. How we use your information and the legal basis:

We process your personal data for the following purposes and on the following legal bases:

Purposes	Lawful Basis
Direct Marketing including sending you information about products or services which we feel may interest you (where you have consented or we have a legitimate interest)	Consent, or Legitimate Interest where you have contacted us about a provisions of a Shaw Gibbs’ service.
Improve our website and services	Legitimate Interests
Event Registration and Management	Legitimate Interests
Responding to inquiries made by web form, telephone calls or emails	Legitimate Interests
Managing our relationship with you as a customer	Necessary to fulfil a contract with you
Manage our business operations and quality control	Legitimate Interests
Coordinating and responding to inspections from regulatory bodies to provide required evidence	Legal Obligation
Meeting legal obligations in relation to the services we provide to you	Legal Obligation
Carry out identity verification and anti-money laundering checks	Legal Obligation
Assess and manage conflicts of interest	Legitimate Interests
Manage or investigate complaints you may make	Legitimate Interests
Controlling, monitoring and managing security of our offices using CCTV, access logs for the purposes of preventing, detecting and investigating crime, unauthorised access and security incidents; Safeguarding Shaw Gibbs premises, assets, information and equipment; Supporting incident investigation, accident reporting and health & safety compliance	Legitimate Interests
Deliver professional services to you (audit, tax, advisory, and related services)	Necessary to fulfil a contract with you
Collect information from credit reference agencies and fraud prevention agencies	Legitimate Interests
Maintain our records for administrative purposes	Legitimate Interests
Defend or pursue legal claims	Legitimate Interests
Fraud prevention and detection	Legitimate Interests

Where we rely on legitimate interests, we have balanced our interests against your rights and freedoms. You have the right to object to processing based on legitimate interests.

3. How long do we keep your data?

We will retain your personal data only for as long as necessary for the purposes for which your data was collected. This could include, keeping your data for as long as necessary to perform our contract with you, to comply with our legal and regulatory requirements, and otherwise in accordance with guidance from our supervisory bodies (e.g., ACCA, FCA).

Retention periods include:

• Client engagement data: six years from the end of the engagement (or longer where required by specific regulations)

• Tax records: In accordance with HMRC requirements (typically six years)

• Audit files: In accordance with professional standards (typically six years)

• Anti-money laundering records: five years from the end of the business relationship

• Marketing consent records: Until consent is withdrawn, plus a reasonable period to maintain suppression lists

• Website analytics: Typically  26 months

For further information about specific retention periods, please see our Data Retention Policy or contact our Data Protection Officer.

5. How we share your information

We will only share information with third parties where necessary to provide our services or comply with legal obligations.

We share information with the following categories of recipients:

• Other companies in the Shaw Gibbs Group

• Business associates and other professional advisers (where requested or necessary)

• Our IT service providers and technology platforms (e.g., cloud hosting, document management, practice management software)

• Email and communication service providers

• Professional indemnity insurers

• Credit reference agencies and fraud prevention agencies

• Banking and payment service providers

• HMRC and other tax authorities

• Legal and regulatory authorities, including ACCA and FCA

• Courts, tribunals and law enforcement agencies where required by law

• Prospective buyers or investors (in the event of a business sale or restructure)

6. International data transfers

In some circumstances, the information you provide may be transferred to countries outside the United Kingdom that may not have equivalent data protection laws.

Where we transfer data internationally, we will take steps to ensure adequate protections are in place, including:

• Transferring to countries with UK adequacy decisions

• Using Standard Contractual Clauses approved by the UK authorities

• Ensuring the recipient is covered by appropriate binding corporate rules

• Relying on appropriate derogations where necessary

You have the right to obtain information about the safeguards we have in place for international transfers. Please contact us using the details at the end of this notice.

7. How we may market to you

We would like to send you information about products and services of ours and other companies in our Group which may be of interest to you.

We may contact you by:

• Email

• Post

• Telephone (where you have provided consent)

Your right to opt out: You have the right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes or wish to change your preferences, please email .

Choosing to opt out of marketing communications will have no detrimental impact to your relationship with the Shaw Gibbs Group.

If you opt out, we will add you to a do not contact list to ensure we comply with your request and that you are not added back into our marketing lists.

8. How we keep your information secure

We take the security of your information seriously. We have implemented appropriate technical and organizational measures to protect your personal data from loss, misuse, alteration, unauthorized access or destruction, including:

• Secure storage on encrypted servers and in controlled physical premises

• Access controls and authentication requirements

• Regular security assessments and penetration testing

• Staff training on data protection and information security

• Secure communication channels

• Regular backups and disaster recovery procedures

• Confidentiality obligations for all staff and third-party processors

Our security and privacy policies are regularly reviewed and updated.

10. Your rights

Under the General Data Protection Regulation, all individuals have certain rights in relation to their personal data.  You are entitled to:

Right	What this means
Right to be informed	You have the right to clear information about how we use your data (this notice)
Right of access	You can request a copy of your personal data
Right to rectification	You can ask us to correct inaccurate or incomplete data
Right to erasure	You can ask us to delete your data in certain circumstances
Right to restrict processing	You can ask us to stop processing your data temporarily
Right to data portability	You can request your data in a machine-readable format
Right to object	You can object to processing based on legitimate interests or for direct marketing
Rights related to automated decision-making	You have rights regarding automated decisions

 

Please note: These rights are not absolute and are dependent on the lawful basis relied upon and may be overridden by our legal obligations. For example, we may need to retain certain information to comply with regulatory requirements.

To exercise any of your rights, please:

• Contact our Data Officer using the details below
• Specify which right you wish to exercise and the data it relates to

Where necessary, you may be asked to provide proof of identity (copy of driving license or passport) and address (recent utility or credit card bill)

We will respond to your request within one month. In complex cases, we may extend this by a further two months and will inform you if this is necessary.

If you are not satisfied with our response or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner Office (ICO): https://ico.org.uk/

11. Cookies

Cookies are small text files placed on your computer to collect standard internet log information and visitor behavior information. This information helps us track visitor use of the website and compile statistical reports on website activity.

We use cookies to:

• Remember your preferences and settings

• Understand how you use our website

• Improve website performance and user experience

• Provide analytics on website traffic

For detailed information on the cookies we use and how to manage your cookie preferences, please refer to our Cookie Policy.

12. Children’s data

Our services are not directed at children under the age of 16, and we do not knowingly collect personal data from children.

If we become aware that we have inadvertently collected data from a child under 16, we will take steps to delete that information as quickly as possible.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

14. Other websites

Our website may contain links to other websites. This privacy notice only applies to the Shaw Gibbs Group website.

When you click on links to other websites, you should read their own privacy policies to understand how they collect and use your information. We are not responsible for the privacy practices of other organisations.

15. Changes to our Privacy Notice

We keep our privacy notice under regular review to reflect changes in law, best practice, and our data processing activities.

Any updates will be posted on this webpage. Where changes are significant, we may also notify you directly by email.

Previous versions of this notice are available on request.

16. How to contact us

If you have any questions about this privacy notice, wish to exercise your rights, or have concerns about how we handle your data, please contact:

Data Protection Officer
Shaw Gibbs
264 Banbury Road
Oxford
OX2 7DY
Email: datarequest@shawgibbs.com

Shaw Gibbs Group | Version 3.0 | March 2026