Introduction
This Privacy & Cookies Policy explains how Johnston Smillie Ltd (“we”, “our”, “us”) collects, uses, stores and protects your personal data when you use our website, www.jsca.co.uk, engage our services, or otherwise interact with us.
Johnston Smillie Ltd is a company registered in Scotland under company number SC277435. Our registered office is:
5 South Gyle Crescent Lane
Edinburgh
EH12 9EG
Johnston Smillie Ltd is registered with the Information Commissioner’s Office (“ICO”) under registration number Z9981833.
We are committed to protecting your personal data and handling it responsibly in accordance with UK data protection legislation, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
This Privacy & Cookies Policy was last updated on 24 May 2026.
Who We Are
For the purposes of UK GDPR, Johnston Smillie Ltd is the Data Controller.
Lea Brash is responsible for data protection matters within the firm.
If you have any questions about this policy or how we use your personal information, please contact:
Lea Brash
Johnston Smillie Ltd
5 South Gyle Crescent Lane
Edinburgh
EH12 9EG
Email: lea.brash@jsca.co.uk
Telephone: 0131 317 7377
What Personal Data We Collect
Clients and Prospective Clients
We may collect and process the following personal data:
- Full name
- Date of birth
- Contact details including postal address, email address and telephone numbers
- Financial information including income, employment status, bank details, investments, tax returns and related financial records
- Identity verification information
- National Insurance numbers and tax references where required
- Business interests and shareholdings
- Any other information you choose to provide to us
For business and charity clients, we may also collect:
- Business or charity details
- Company registration details
- VAT registration numbers
- Information relating to directors, shareholders, partners or trustees
Employees and Job Applicants
We may collect:
- CVs and covering letters
- Employment history and qualifications
- Contact details
- Identity verification information
- Payroll and pension information
- Emergency contact information
Suppliers and Contractors
We may collect:
- Contact details
- Bank details
- Billing and payment information
Website Visitors
When you visit our website, we may automatically collect certain technical information including:
- IP address
- Browser type and version
- Device type
- Pages visited
- Time spent on pages
- Referral source
We use Google Analytics and similar technologies to help us understand website usage and improve our services. This information is generally aggregated and pseudonymised and is not used by us to identify individual visitors.
Newsletter Subscribers
If you subscribe to our newsletter, we collect:
- Your name
- Your email address
Users of the Johnston Smillie MTD VAT Filer
We may collect:
- Your name
- Business name
- VAT registration number
- Email address
- HMRC User ID (if you choose to provide it)
How We Collect Personal Data
We collect personal data through:
- Emails and written correspondence
- Telephone calls
- Meetings and consultations
- Our website and online forms
- Cloud-based accounting and payroll software
- Secure client portals
- Social media interactions
- Recruitment agencies
- Referrals from professional contacts
- Companies House and HMRC
- CCTV systems at our premises
- Newsletter subscription forms
Lawful Bases for Processing
Under UK GDPR, we must have a lawful basis for processing personal data.
We rely on the following lawful bases:
- Providing accountancy and tax services – Contract
- Identity verification and anti-money laundering checks – Legal obligation
- Managing our business operations – Legitimate interests
- Recruitment and employment administration – Contract and legitimate interests
- Sending marketing communications – Consent
- Complying with legal and regulatory requirements – Legal obligation
- Website analytics and performance monitoring – Consent and legitimate interests
How We Use Your Personal Data
We use personal data to:
- Provide professional accountancy, tax and advisory services
- Communicate with clients and prospective clients
- Respond to enquiries
- Prepare and submit tax returns and statutory filings
- Process payroll and pension information
- Verify identity and comply with anti-money laundering regulations
- Improve our website and services
- Send newsletters and marketing communications where consent has been provided
- Recruit and manage employees
- Protect our business, staff and visitors
Sharing Your Personal Data
We may share personal data with trusted third parties where necessary to provide our services or comply with legal obligations.
These may include:
- HM Revenue & Customs (HMRC)
- Companies House
- Pension providers
- Payroll service providers
- Tax investigation insurers
- Cloud accounting providers such as Xero and QuickBooks
- IT and software providers
- Secure document portal providers
- Professional advisers
- Regulatory bodies
- Law enforcement agencies where legally required
International Transfers
Some of our third-party service providers may store or process personal data outside the UK.
Where personal data is transferred internationally, we ensure appropriate safeguards are in place in accordance with UK GDPR, including adequacy regulations or approved contractual safeguards.
How Long We Keep Personal Data
Unless a different retention period is required by law or regulation, we generally retain personal data as follows:
- Client records – 7 years
- Payroll records – 7 years
- Tax records – 7 years
- Supplier records – 7 years after contract ends
- Unsuccessful job applicant data – 2 years
- CCTV footage – Typically 30 days
How We Store and Protect Personal Data
We take appropriate technical and organisational measures to protect personal data.
Security measures include:
- Encryption
- Secure servers and cloud systems
- Firewalls and endpoint protection
- SSL certificates
- Password protection and access controls
- Staff training and confidentiality obligations
- Locked filing cabinets for paper records
CCTV
We operate CCTV systems at our business premises for legitimate security purposes.
Marketing Communications
We may send newsletters, updates and marketing communications where you have consented to receive them.
Cookies Policy
What Are Cookies?
Cookies are small text files stored on your device when you visit a website.
Cookies We Use
- Essential Cookies
- Analytics Cookies
- Functionality Cookies
- Third-Party Cookies
Your Rights
Under UK GDPR, you have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Restrict processing of your data
- Object to processing based on legitimate interests
- Withdraw consent at any time
- Request transfer of your data to another organisation
- Lodge a complaint with the ICO
Complaints
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk/concerns
