Home | Privacy policy

Privacy Policy

PKF Smith Cooper Systems

A company registered in England with company number 09165906
Registered Office: Prospect House, 1 Prospect Place, Millennium Way, Derby, DE24 8HG
Last updated: 26 March 2026

1. Who we are

For the purposes of UK data protection law, the controller of personal data collected through this website is:

PKF Smith Cooper Systems
Prospect House, 1 Prospect Place, Millennium Way, Derby, DE24 8HG
Phone: 01332 959 008
Email: dataprotection@smithcooper.co.uk
Website: pkfscs.co.uk

We process personal data in line with the UK General Data Protection Regulation (UK GDPR) as amended by the Data (Use and Access) Act 2025, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR) as amended.

2. Key definitions

The following terms have the meanings given in the UK GDPR:

  • Personal data means any information relating to an identified or identifiable natural person.
  • Data subject means the individual whose personal data is processed.
  • Processing means any operation performed on personal data, including collection, recording, organisation, storage, alteration, retrieval, use, disclosure, restriction, erasure or destruction.
  • Controller means the organisation that decides why and how personal data is processed.
  • Processor means an organisation that processes personal data on behalf of a controller.
  • Recipient means anyone to whom personal data is disclosed.
  • Third party means any person other than the data subject, controller, processor or people authorised to process personal data under the direct authority of the controller or processor.
  • Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes signifying agreement to the processing of personal data.

3. Personal data we collect

Depending on how you interact with us, we may collect the following categories of personal data:

  • Identity data such as your name and job title.
  • Contact data such as your business address, email address and telephone number.
  • Technical data such as your IP address, browser type and version, time zone setting and operating system.
  • Usage data such as information about how you use our website, pages viewed and time spent on pages.
  • Marketing and communications data such as your preferences for receiving marketing from us.
  • Transaction and account data where you engage us for Sage software licensing, support or consultancy services.
  • Support interaction data such as information you provide on support tickets, emails and recorded calls to our helpdesk.

We do not intentionally collect sensitive or special category personal data through this website. Please do not submit sensitive personal data through our contact forms.

4. How we collect personal data

We collect personal data in the following ways:

  • Directly from you when you complete a contact form, register for an event or newsletter, email us, call us or otherwise communicate with us.
  • Automatically as you interact with our website through cookies and similar technologies.
  • In the course of delivering Sage software, support and consultancy services to your organisation.
  • From publicly available sources such as Companies House, LinkedIn or your organisation's website, where relevant to our business relationship.

5. How we use personal data and our lawful basis

We only use personal data when UK law permits us to do so. The table below sets out our processing purposes and the lawful basis we rely on for each:

Purpose Lawful Basis Detail
Responding to enquiries Legitimate interests To respond to contact form submissions and general enquiries about our products and services.
Delivering Sage products and services Contract To perform our obligations under contracts with clients for Sage software licensing, implementation, support and consultancy.
Managing client relationships Legitimate interests / Contract To maintain client records, manage accounts and ensure continuity of service.
Sending marketing communications Consent (PECR) or Legitimate interests To send newsletters and marketing emails where you have consented, or where legitimate interests apply and you have not opted out.
Newsletter tracking Consent To analyse open rates and click activity in our newsletters where you have consented to receive them.
Website analytics Consent (where required) To understand how visitors use our website and improve its content and performance using Google Analytics.
Advertising and remarketing Consent To serve relevant advertising through Google Ads and remarketing tools where you have consented via our cookie controls.
Complying with legal obligations Legal obligation To keep records for tax, regulatory and insurance purposes.
Cybersecurity and fraud prevention Legitimate interests / Legal obligation To protect our systems and clients from fraud, cyberattacks and misuse of our services.

Where we rely on legitimate interests, we have assessed that those interests are not overridden by your rights and freedoms. Where we rely on consent you have the right to withdraw it at any time without affecting the lawfulness of prior processing.

6. Newsletter and marketing communications

You can subscribe to our newsletter through our website. We will only send you marketing emails where you have given your consent or where we have a legitimate interest and you have not opted out. Each newsletter contains an unsubscribe link. You can also opt out at any time by contacting us at dataprotection@smithcooper.co.uk.

Our newsletters may contain tracking pixels which allow us to see when an email has been opened and which links have been clicked. This tracking is used solely to improve the relevance of our communications and is based on your consent to receive our newsletter. You can withdraw consent at any time by unsubscribing.

7. Cookies and similar technologies

Our website uses cookies. Cookies are small text files stored on your device when you visit a website. We use the following categories of cookies:

  • Strictly necessary cookies: required for the website to function. These are set without consent.
  • Analytics cookies: help us understand how visitors use our site. These require your consent under PECR before being set.
  • Advertising and targeting cookies: used to serve relevant advertising. These require your consent before being set.
  • Preference cookies: remember your settings and choices on the site.

When you first visit our website you will be presented with a cookie banner giving you the option to accept or decline non-essential cookies. You can change your preferences at any time through our cookie preference centre or your browser settings.

8. Google services, LinkedIn and X

Google Analytics

We use Google Analytics to collect information about how visitors use our website. Google Analytics uses cookies to collect data such as the pages visited, time spent on the site and how you arrived at the site. This data is used to improve our website and services.

Google Analytics is operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. Data collected through Google Analytics may be transferred to and stored on Google's servers in the United States. This transfer is covered by a UK International Data Transfer Addendum to the Standard Contractual Clauses between us and Google.

We use IP anonymisation so that your full IP address is not transmitted to Google. Analytics cookies are only set with your consent. You can opt out of Google Analytics tracking at any time by adjusting your cookie preferences on this site or by installing the Google Analytics opt-out browser add-on at: tools.google.com/dlpage/gaoptout.

For more information about how Google uses data collected through its services, see: policies.google.com/privacy.

Google Ads and Remarketing

We use Google Ads to promote our services in Google search results and on the Google Display Network. We may also use Google Remarketing to show relevant advertising to people who have previously visited our website.

These services use cookies and similar technologies to recognise your browser and associate your visit with previous activity. They are only activated with your consent through our cookie controls. You can manage your Google advertising preferences at: adssettings.google.com.

Data processed through Google Ads is subject to the same US transfer safeguards described above.

LinkedIn

Our website may include LinkedIn social plugins or share buttons. If you interact with these features, LinkedIn may collect information about your visit. This is subject to LinkedIn's own privacy policy, available at: linkedin.com/legal/privacy-policy.

If you are logged into LinkedIn when you visit our site, LinkedIn may associate your visit with your LinkedIn account regardless of whether you click the plugin. You can prevent this by logging out of LinkedIn before visiting our site.

X (formerly Twitter)

Our website may include share buttons or embedded content from X (formerly Twitter). If you interact with these features, X Corp may collect information about your visit, subject to X's own privacy policy at: x.com/en/privacy.

If you are logged into X when you visit our site, X may associate your visit with your account. You can prevent this by logging out of X before visiting our site.

9. Sage: our key technology partner

As a Sage business partner and reseller, we work with Sage (UK) Limited and its group companies to deliver Sage software products, support and associated services to our clients. In the context of these activities:

  • Where we deliver Sage products and services to your organisation, your organisation is typically the controller for personal data relating to your staff and Sage users, and PKF Smith Cooper Systems may act as a processor or sub-processor under your instructions.
  • Where we manage our own client relationships and licensing records, PKF Smith Cooper Systems acts as controller.

Sage (UK) Limited acts as an independent controller for data processed through its own platforms and products. For information about how Sage processes personal data, please see Sage's privacy policy at sage.com/en-gb/legal/privacy-and-cookies.

10. Other third party service providers

We may share personal data with:

  • Members of our corporate group where needed to deliver services.
  • Professional advisers including lawyers, accountants and insurers.
  • IT service providers including hosting, email, telephony and security providers.
  • Marketing service providers where we have engaged them to assist with communications.
  • Regulators, law enforcement agencies and other authorities where required by law or to protect our legal rights.
  • Potential buyers and their advisers in the context of a merger, acquisition or restructuring, subject to confidentiality obligations.

We do not sell personal data to third parties.

11. International transfers

Where we transfer personal data outside the UK we will ensure that one of the following conditions applies:

  • The destination country has been deemed adequate by the UK Government under UK adequacy regulations.
  • We use a UK International Data Transfer Addendum or other approved contractual mechanism with the recipient.
  • Another appropriate safeguard recognised under UK data protection law applies.

You can contact us at dataprotection@smithcooper.co.uk for more information about the specific transfer mechanisms in place for your data.

12. Data retention

We keep personal data only for as long as necessary for the purposes set out in this policy and to meet our legal, regulatory, tax and accounting obligations. Our general retention periods are:

  • Website enquiry data: up to 3 years from last contact.
  • Client and contract records: for the duration of the contract and for 7 years afterwards.
  • Call recordings: 30 days, or longer if needed in connection with a complaint, claim or investigation.
  • Website analytics data: in accordance with Google Analytics retention settings, typically up to 26 months.

Where we no longer need personal data we will delete or anonymise it.

13. Call recording

When you call our helpdesk or support lines your call may be recorded. We use call recordings to monitor and improve the quality of our customer service, train and develop our staff, and investigate complaints, incidents and potential security issues.

Call recordings may be shared with third parties who help us deliver telephony and recording services, and with regulators, law enforcement or professional advisers where required by law or in connection with a claim.

We normally retain call recordings for 30 days. Recordings needed for complaints, disputes or legal matters may be kept for longer. You have the same rights in relation to call recordings as for other personal data, described in section 16 below.

14. Artificial intelligence

AI tools we use

We use AI tools to assist in the delivery of our services and in our internal operations. Our policy is to use only approved AI tools within a controlled environment. The AI tools we currently use are:

  • Microsoft Copilot for Microsoft 365 — integrated across our Microsoft 365 environment including Word, Excel, Outlook and Teams, used to assist with drafting, summarising, data analysis and other productivity tasks.
  • Microsoft Copilot (paid subscription) — used for general AI-assisted tasks within our business.
  • Claude, accessed via Microsoft Azure — used for AI-assisted drafting and analysis, deployed within Microsoft's infrastructure.

Staff are only permitted to use these approved tools when working with personal data. Use of other AI tools for processing personal or client data is not authorised.

14.1 Where AI processes personal data

When we use Microsoft Copilot and Claude in delivering Sage consultancy, support and related services, personal data relating to your staff, accounts and business operations may be processed through these tools. This may occur, for example, where Copilot assists with drafting client communications, preparing reports or analysing data in connection with a Sage engagement. Sage's own AI features, including Sage Copilot, are subject to Sage's own data processing terms and privacy policy.

14.2 Data location and transfers

All of the AI tools listed above are operated within Microsoft's infrastructure. Personal data processed through these tools is held in Microsoft data centres in Sweden. Sweden is a member of the European Economic Area and is covered by UK adequacy regulations, meaning data flows to Sweden freely without the need for additional transfer safeguards such as an IDTA or Standard Contractual Clauses.

This is a deliberately chosen position — we have selected AI tools hosted within the Microsoft estate specifically to ensure that personal data remains within a controlled, adequacy-covered environment.

14.3 Automated decision-making and AI

We do not use AI tools to make solely automated decisions about individuals that produce legal or similarly significant effects. AI is used as an assistive tool to support human decision-making, not to replace it. All decisions that affect individuals are subject to human review.

Under Articles 22A to 22D of the UK GDPR, as updated by the Data (Use and Access) Act 2025, you have the right to certain safeguards where significant decisions are made about you by automated means. As we do not make such decisions through AI, these provisions do not currently apply to our use of AI. If this position changes we will update this policy accordingly.

14.4 Your rights in relation to AI processing

Your rights under UK data protection law apply equally to personal data processed through AI tools. If you have questions about how AI tools are used in connection with your personal data, or if you wish to object to such processing, please contact us using the details in section 1.

15. Automated decision-making

We do not use solely automated decision-making processes that produce legal or similarly significant effects on individuals in connection with this website or our services, including through our use of AI tools.

Under Articles 22A to 22D of the UK GDPR, as updated by the Data (Use and Access) Act 2025, you have the right to certain safeguards where significant decisions are made about you by automated means. A decision is solely automated where there is no meaningful human involvement. As we do not make such decisions, these provisions do not currently apply. Please see the AI section of this policy for more information about how we use AI tools.

16. Your rights

Subject to certain conditions and exemptions under UK data protection law, you have the following rights:

  • Right of access: to request a copy of the personal data we hold about you and information about how we process it.
  • Right to rectification: to ask us to correct inaccurate or incomplete personal data.
  • Right to erasure: to ask us to delete your personal data where there is no longer a lawful reason to hold it.
  • Right to restriction of processing: to ask us to restrict how we use your personal data in certain circumstances.
  • Right to data portability: to receive your personal data in a structured, machine-readable format or to have it transferred to another controller, where technically feasible.
  • Right to object: to object to processing based on legitimate interests where you believe your rights and interests outweigh ours. You can object to direct marketing at any time.
  • Right to withdraw consent: where we rely on consent, you can withdraw it at any time. This will not affect the lawfulness of processing carried out before that withdrawal.

To exercise any of these rights please contact us at dataprotection@smithcooper.co.uk or by post using the contact details in section 1. We will respond without undue delay and in any event within one month of receipt. In complex cases we may extend this by a further two months and will notify you if this is necessary.

17. Complaints

If you have a concern about how we have handled your personal data, we ask that you raise it with us directly in the first instance. We have a formal data protection complaints procedure in place and are committed to handling all complaints fairly and within the timeframes set out below.

You can submit a complaint by:

We will acknowledge your complaint within 30 days of receipt and will respond to it without undue delay. We may ask you for further information to help us investigate your concern.

If you are not satisfied with our response, or if you would prefer to escalate directly, you have the right to complain to the UK supervisory authority:

18. Security

We have put in place appropriate technical and organisational measures to protect personal data against accidental loss, misuse, unauthorised access, alteration or disclosure. These measures include access controls, encryption where appropriate, regular security reviews and staff training.

We also expect our key third party providers including Sage and any sub-processors to implement appropriate security measures and we review their published security information and data processing terms.

Where a personal data breach occurs that is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours of becoming aware. Where the breach is likely to result in a high risk to individuals we will also notify those affected without undue delay.

19. Third party websites

Our website may contain links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party sites and are not responsible for their privacy statements. We encourage you to read the privacy notice of every website you visit.

20. Changes to this policy

We may update this policy from time to time. Changes will be posted on this page with an updated 'Last updated' date. Where changes are material we will bring them to your attention by email or by a prominent notice on our website.