Introduction

This Privacy & Cookies Policy explains how Johnston Smillie Ltd (“we”, “our”, “us”) collects, uses, stores and protects your personal data when you use our website, www.jsca.co.uk, engage our services, or otherwise interact with us.

Johnston Smillie Ltd is a company registered in Scotland under company number SC277435. Our registered office is:

5 South Gyle Crescent Lane
Edinburgh
EH12 9EG

Johnston Smillie Ltd is registered with the Information Commissioner’s Office (“ICO”) under registration number Z9981833.

We are committed to protecting your personal data and handling it responsibly in accordance with UK data protection legislation, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

This Privacy & Cookies Policy was last updated on 24 May 2026.

Who We Are

For the purposes of UK GDPR, Johnston Smillie Ltd is the Data Controller.

Lea Brash is responsible for data protection matters within the firm.

If you have any questions about this policy or how we use your personal information, please contact:

Lea Brash
Johnston Smillie Ltd
5 South Gyle Crescent Lane
Edinburgh
EH12 9EG

Email: lea.brash@jsca.co.uk
Telephone: 0131 317 7377

What Personal Data We Collect

Clients and Prospective Clients

We may collect and process the following personal data:

  • Full name
  • Date of birth
  • Contact details including postal address, email address and telephone numbers
  • Financial information including income, employment status, bank details, investments, tax returns and related financial records
  • Identity verification information
  • National Insurance numbers and tax references where required
  • Business interests and shareholdings
  • Any other information you choose to provide to us

For business and charity clients, we may also collect:

  • Business or charity details
  • Company registration details
  • VAT registration numbers
  • Information relating to directors, shareholders, partners or trustees

Employees and Job Applicants

We may collect:

  • CVs and covering letters
  • Employment history and qualifications
  • Contact details
  • Identity verification information
  • Payroll and pension information
  • Emergency contact information

Suppliers and Contractors

We may collect:

  • Contact details
  • Bank details
  • Billing and payment information

Website Visitors

When you visit our website, we may automatically collect certain technical information including:

  • IP address
  • Browser type and version
  • Device type
  • Pages visited
  • Time spent on pages
  • Referral source

We use Google Analytics and similar technologies to help us understand website usage and improve our services. This information is generally aggregated and pseudonymised and is not used by us to identify individual visitors.

Newsletter Subscribers

If you subscribe to our newsletter, we collect:

  • Your name
  • Your email address

Users of the Johnston Smillie MTD VAT Filer

We may collect:

  • Your name
  • Business name
  • VAT registration number
  • Email address
  • HMRC User ID (if you choose to provide it)

How We Collect Personal Data

We collect personal data through:

  • Emails and written correspondence
  • Telephone calls
  • Meetings and consultations
  • Our website and online forms
  • Cloud-based accounting and payroll software
  • Secure client portals
  • Social media interactions
  • Recruitment agencies
  • Referrals from professional contacts
  • Companies House and HMRC
  • CCTV systems at our premises
  • Newsletter subscription forms

Lawful Bases for Processing

Under UK GDPR, we must have a lawful basis for processing personal data.

We rely on the following lawful bases:

  • Providing accountancy and tax services – Contract
  • Identity verification and anti-money laundering checks – Legal obligation
  • Managing our business operations – Legitimate interests
  • Recruitment and employment administration – Contract and legitimate interests
  • Sending marketing communications – Consent
  • Complying with legal and regulatory requirements – Legal obligation
  • Website analytics and performance monitoring – Consent and legitimate interests

How We Use Your Personal Data

We use personal data to:

  • Provide professional accountancy, tax and advisory services
  • Communicate with clients and prospective clients
  • Respond to enquiries
  • Prepare and submit tax returns and statutory filings
  • Process payroll and pension information
  • Verify identity and comply with anti-money laundering regulations
  • Improve our website and services
  • Send newsletters and marketing communications where consent has been provided
  • Recruit and manage employees
  • Protect our business, staff and visitors

Sharing Your Personal Data

We may share personal data with trusted third parties where necessary to provide our services or comply with legal obligations.

These may include:

  • HM Revenue & Customs (HMRC)
  • Companies House
  • Pension providers
  • Payroll service providers
  • Tax investigation insurers
  • Cloud accounting providers such as Xero and QuickBooks
  • IT and software providers
  • Secure document portal providers
  • Professional advisers
  • Regulatory bodies
  • Law enforcement agencies where legally required

International Transfers

Some of our third-party service providers may store or process personal data outside the UK.

Where personal data is transferred internationally, we ensure appropriate safeguards are in place in accordance with UK GDPR, including adequacy regulations or approved contractual safeguards.

How Long We Keep Personal Data

Unless a different retention period is required by law or regulation, we generally retain personal data as follows:

  • Client records – 7 years
  • Payroll records – 7 years
  • Tax records – 7 years
  • Supplier records – 7 years after contract ends
  • Unsuccessful job applicant data – 2 years
  • CCTV footage – Typically 30 days

How We Store and Protect Personal Data

We take appropriate technical and organisational measures to protect personal data.

Security measures include:

  • Encryption
  • Secure servers and cloud systems
  • Firewalls and endpoint protection
  • SSL certificates
  • Password protection and access controls
  • Staff training and confidentiality obligations
  • Locked filing cabinets for paper records

CCTV

We operate CCTV systems at our business premises for legitimate security purposes.

Marketing Communications

We may send newsletters, updates and marketing communications where you have consented to receive them.

Cookies Policy

What Are Cookies?

Cookies are small text files stored on your device when you visit a website.

Cookies We Use

  • Essential Cookies
  • Analytics Cookies
  • Functionality Cookies
  • Third-Party Cookies

Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Restrict processing of your data
  • Object to processing based on legitimate interests
  • Withdraw consent at any time
  • Request transfer of your data to another organisation
  • Lodge a complaint with the ICO

Complaints

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Website: https://ico.org.uk/concerns