Privacy Policy
1 - Introduction
Bright Grahame Murray (“BGM”) and its Group Companies (“we”, “us”, “our” and “ours”) is a firm of Chartered Accountants, tax and business advisers (“Services”). We are a Partnership based at Emperor’s Gate, 114a Cromwell Road, Kensington, London, SW7 4AG.
We recognise and respect the importance of protecting your privacy. This Privacy Policy describes how we collect and process your personal data when you visit or use www.bgm.co.uk (our “Website”), as well as when you interact with us via telephone, post, email, social media, or by using our Services.
2 - Who we are
For the purpose of the Data Protection Legislation, BGM are the ‘data controller’. This means that we are responsible for deciding how we hold and use personal data about you. We are required under the Data Protection Legislation to notify you of the information contained in this privacy policy.
Our Partner Matthew Eade is our Head of Privacy and Data Protection and he is our Data Protection Point of Contact and responsible for assisting with enquiries in relation to this privacy policy or our treatment of your personal data. Should you wish to contact our Data Protection Point of Contact you can do so by emailing post@bgm.co.uk.
We work closely with other companies which are part of our Group. We may share your personal data with such companies for the purposes of security, optimisation of our Services, as well as internal reporting.
Such group companies include: BGM, BGM Helmores Ltd, BGM Lewis Hickie Ltd and BGM Prometheus Tax Ltd. Such group companies may also act as controllers when using your personal data and as such this privacy policy applies in respect of how our group companies will use your personal data too.
3 - How and when we may collect your personal data
We collect personal data about you from a variety of sources, including:
- from you directly when you use our Services or communicate with us (by email, phone or post) and via social media;
- our clients who engage us to provide our Services and also during the provision of those Services. Such clients may share personal data about you in the course of those Services; for example, for inheritance planning we may receive personal data about family members;
- from information we generate about you during our relationship with you, such as data collected from cookies and other similar technologies which are described in our Cookies Policy; and
- from information we collect about you from other sources, such as Google and social media. We may also be provided with your personal data via your employer in the course of providing our Services such as for pension planning. We may also use personal data found on commercially available sources, such as public databases (where permitted by law) such as Companies House and Sanctions Lists.
4 - What personal data we collect
We collect the following information about you, from you directly:
- your personal details and contact information e.g. your name, address, date of birth, telephone number, email address, payment method;
- details of contact we have had with you in relation to the provision, or the proposed provision, of our Services and details of any Services you have received from us;
- our correspondence and communications with you;
- information about any complaints and enquiries you make to us;
- your personal details and preferences for marketing purposes. This applies where you have consented to receive marketing communications from us. Where you have previously enquired about our Services or you are a client of our Services, we may send you marketing communications where we consider, in our legitimate interests, that you would be happy to receive such marketing communications because of your previous interaction with us. You may opt out at any time; and
- information from research, surveys, and marketing activities.
When you are using our Website or contacting us, we collect and process other types of information about you, such as:
- technical information collected from your computer or mobile device when browsing our Website e.g. your IP address, your location (by country, state and city), device type, browser type, operating system; and
- information generated about you e.g. information about your visit to our Website, such as the pages you visit, how often you use our Website, problems with our Website, all of which help us to understand your interests.
Finally, we collect information about you from other sources, such as:
- publicly available information required for identity verification purposes via Google and social media e.g. gender, country you are located in;
- a client’s employer in the course of providing our Services such as for pension planning e.g. your pension provider, your reference number, authority to act on your behalf, salary, role, years of service, pension contributions;
- information we receive from other sources, such as publicly available information, provided by public databases (where permitted by law) such as Companies House and Sanctions Lists e.g. name, month and year of birth, correspondence address, company history;
- our clients who engage us to provide our Services and also during the provision of those Services. Such clients may share personal data about you in the course of those Services; for example, for inheritance planning we may receive personal data about family members e.g. name, address, relation, contact information; or
- information from other third parties.
5 - How we use personal data and the legal basis on which we use it
Purpose | Activity | Legal basis |
---|---|---|
To provide you with the Services: | We use your personal data to provide you with the Services you have requested, and keep you informed of its status. | This is so that we can comply with our contractual obligations to you. For example, as per our terms of Service as set out in our engagement letters. If you refuse to provide us with certain information when requested, we may not be able to perform the contract we have entered into with you. Alternatively, we may be unable to comply with our legal or regulatory obligations. |
To operate our business, we use: | We use your personal data to ensure we can run our business, by enabling you to create an account, browse our Website and use our Services. We also use your personal data where it is necessary to verify your identity and to satisfy legal or regulatory requirements to which we are subject. Further, we use your personal data in order to exercise and protect our legal rights. For example, to detect, prevent and respond to: (i) fraudulent activity and claims; (ii) infringement claims; (iii) violations of law or our terms of purchase; and (iv) to prevent or detect money laundering. | It is in our legitimate interest to operate our business in an efficient, safe and lawful way and protect it from fraudulent or other unlawful activity. In some cases, we are under a legal obligation (whether by a regulatory authority or a court order) to conduct certain checks and disclose personal data. |
To improve our business, we use: | We use your personal data to ensure we can run our business, by enabling you to create an account, browse our Website and use our Services. We also use your personal data where it is necessary to verify your identity and to satisfy legal or regulatory requirements to which we are subject. Further, we use your personal data in order to exercise and protect our legal rights. For example, to detect, prevent and respond to: (i) fraudulent activity and claims; (ii) infringement claims; (iii) violations of law or our terms of purchase; and (iv) to prevent or detect money laundering. | It is in our legitimate interest to operate our business in an efficient, safe and lawful way and protect it from fraudulent or other unlawful activity. In some cases, we are under a legal obligation (whether by a regulatory authority or a court order) to conduct certain checks and disclose personal data. |
To communicate with you, we use: | We may use your personal data when we communicate with you, for example, if we are providing information about changes to our terms of Service or if you contact us with questions about any Services or our business in general. This includes seeking your thoughts and opinions on the Services we provide; and notifying you about any changes to our Services. | It is in our legitimate interest that we are able to respond to your queries in an appropriate and personalised way and also assist you with your shopping experience with us. Also, it is in our legitimate interest to provide you with relevant information about our Services and/or business. |
To inform you about our Services, events or other news that may be of interest to you, we use: | We use your personal data to better understand your preferences and to personalise the messages we send to you. This includes sending you information by email and/or post about our products and services, as well as news or events that may be of interest to you. | We add you to our marketing list on the basis of your opt in consent. However if you have used our Service or made an enquiry about our Services (during which you did not opt out of receiving marketing emails), we rely on our legitimate interest to send you communications we think you may be interested in. Such legitimate interests include to grow our business by sending you events, updates and other news about our Services. You may opt out at any time without affecting the lawfulness of any processing undertaken prior to you withdrawing such consent. |
To customise your experience, we use: | When you use our Website and Services, we may use your personal data to improve your experience with us. | It is in our legitimate interest to provide and develop our Services and Website based on your feedback and content generated about you. |
In some circumstances we may anonymise or pseudonymise the personal data so that it can no longer be associated with you, in which case we may use it without further notice to you.
If you refuse to provide us with certain information when requested, we may not be able to perform the contract we have entered into with you. Alternatively, we may be unable to comply with our legal or regulatory obligations.
6 - Data retention
We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected.
When assessing what retention period is appropriate for your personal data, we take into consideration:
- the requirements of our business and the services provided;
- any statutory or legal obligations;
- the purposes for which we originally collected the personal data;
- the lawful grounds on which we based our processing;
- the types of personal data we have collected;
- the amount and categories of your personal data; and
- whether the purpose of the processing could reasonably be fulfilled by other means.
7 - Change of purpose
Where we need to use your personal data for another reason, other than for the purpose for which we collected it, we will only use your personal data where that reason is compatible with the original purpose.
Should it be necessary to use your personal data for a new purpose, we will update this Privacy Policy and communicate the legal basis which allows us to do so.
8 - Data sharing
We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you under a contract or where we or the third party has a legitimate interest in doing so. Such legitimate interests include facilitating our business, fulfilling obligations, complying with legal requirements, seeking legal advice, and ensuring efficient internal operations within our business.
We may share your personal data with third parties under the following circumstances:
a) We share your personal data with our service providers and business partners. These third parties belong to the following categories:
- Professional service providers, such as payroll, messaging services, telephony providers, IT software providers, sales tax software providers, marketing and research agencies, profile and behavioural analytics companies and website hosts who help us run our business.
- Consultants who help us provide our Services.
- Tax authorities such as HMRC.
- Credit reference agencies, law enforcement and fraud prevention agencies, so we can help tackle fraud.
- Governmental bodies and regulators to comply with our legal obligations.
Further details about the specific third parties we engage can be provided on request.
b) Group companies
We work closely with other companies which are part of our Group. We may share your personal data with such companies for the purposes of security, optimisation of our Services, as well as internal reporting.
Such group companies include: BGM, BGM Helmores Ltd, BGM Lewis Hickie Ltd and BGM Prometheus Tax Ltd.
c) As required by law
We may share your personal data with law enforcement agencies, courts, government authorities or other third parties where we believe it is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of a third party.
d) In the context of a transaction
We may share your personal data with potential partners, service providers, advisors, and other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell or transfer all or a portion of our assets or business. Should such a sale or transfer occur, we will use reasonable efforts to obligate the entity to which we transfer your personal data to use it in a manner that is consistent with this Privacy Policy.
9 - Transferring personal data outside the UK
In some cases, your personal data will be transferred to, stored, and processed in a country that is not regarded as providing the same level of protection for personal data as the UK.
We have put in place appropriate safeguards to provide adequate protection of your personal data in accordance with applicable legal requirements. The approved data transfer mechanisms include relying on derogations set out in data protection laws (such as for the fulfilment of the contract with you), an adequacy decision, self-certification mechanisms such as the EU-US Data Privacy Framework and the UK extension to the EU-US Data Privacy Framework or standard contractual clauses (such as the EU Standard Contractual Clauses, UK International Data Transfer Agreement and the UK Addendum to the EU Standard Contractual Clauses).
For more information on these safeguards or to obtain a copy of such safeguards, please contact us by emailing post@bgm.co.uk
10 - Data security
We have put in place commercially reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
11 - Your rights
Your duty to inform us of changes
It is important that the personal data we hold about you is accurate and current. Should your personal information change, please notify us of any changes of which we need to be made aware by contacting us, using the contact details below.
Under certain circumstances, by law you have the right to:
- Be informed about the collection and use of your personal data (as described in this Privacy Policy);
- Request access to a copy of your personal data. This enables you to receive details of the personal data we hold about you and to check that we are processing it lawfully.
- Request correction of the personal data that we hold about you.
- Request erasure of your personal data if it is no longer necessary in relation to the purposes for which it was collected or processed (or, in some instances, where you have withdrawn your consent or objected to the processing). This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this basis. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to you or another data controller if the processing is based on consent, carried out by automated means and this is technically feasible.
If you want to exercise any of the above rights, please email our data protection point of contact.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive or further requests are received. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
12 - Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose (for example, in relation to direct marketing that you have indicated you would like to receive from us), you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please email our data protection point of contact or click the link at the bottom of any email correspondence we send you.
Once we have received notification that you have withdrawn your consent, we will no longer process your personal information (personal data) for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law such as to send you service messages.
Such withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
13 - Changes to this notice
Any changes we may make to our privacy notice in the future will be updated on our website at www.bgm.co.uk
14 - Third party links on our website
Our website may, from time to time, contain links to and from third party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
15 - Contact us or make a complaint
If you have any questions regarding this notice or if you would like to check with us about the manner in which we process your personal data, please email our Data Protection Point of Contact via post@bgm.co.uk
You also have the right to make a complaint to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues, at any time. The ICO’s contact details are as follows:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone - 0303 123 1113 (local rate) or 01625 545 745
Website - https://ico.org.uk/concerns