Privacy Notice

E-Accounting Solutions Limited
Trading as Advancetrack | advancetrack.com | Last updated: May 2026

Controller	E-Accounting Solutions Limited (trading as Advancetrack)
ICO registration	Z1567259
Registered address	270–272 Radford Road, Coventry, CV6 3BU, United Kingdom
Company number	04808929 (England and Wales)
Privacy contact	privacy@advancetrack.com \| +44 (0)24 7601 6308
Data Protection Lead	Compliance Manager — contact via privacy@advancetrack.com
Version	2.2 \| May 2026
Applies to	Visitors to advancetrack.com, prospective clients, job applicants, and contacts met at events or through outreach. A separate notice applies to portal users and contracted clients.

About this notice

E-Accounting Solutions Limited, trading as Advancetrack ("we", "us", "our"), is registered with the Information Commissioner's Office (ICO registration Z1567259) as a data controller. This notice explains what personal data we collect from visitors to our website at advancetrack.com, from individuals who enquire about our services or attend events where we are present, and from people who apply for jobs with us. It also explains how we use that data, the legal basis on which we do so, and your rights.

We are committed to handling your personal data responsibly. As part of that commitment we hold ISO/IEC 27701:2025 certification — the international standard for privacy information management — alongside ISO/IEC 27001:2022 and BS 10012:2017, all independently audited by the British Standards Institution.

This notice does not cover the Client and Portal User Privacy Notice, which covers the processing we carry out in connection with the delivery of our accountancy outsourcing services.

1. Who we are and how to contact us

E-Accounting Solutions Limited is the data controller responsible for the personal data described in this notice. We are incorporated in England and Wales (company number 04808929) and our registered office is at 270–272 Radford Road, Coventry, CV6 3BU.

If you have any questions about how we handle your personal data, wish to exercise any of your rights, or want to make a complaint, please contact us using the details below. We aim to respond to all enquiries within five working days.

Contact details for privacy enquiries

Email: privacy@advancetrack.com

Post: Privacy Team, Advancetrack, University of Warwick Science Park, The Venture Centre, Sir William Lyons Road, Coventry, CV4 7EZ

Telephone: +44 (0)24 7601 6308

Data Protection Lead: Compliance Manager — contact via privacy@advancetrack.com

If you are not satisfied with our response you have the right to lodge a complaint with your relevant supervisory authority. For UK residents this is the ICO: ico.org.uk | 0303 123 1113. Residents of other countries should refer to Section 22 (International visitors) for the relevant authority in their jurisdiction.

PART A — WEBSITE VISITORS AND ENQUIRIES

This part applies to you if you visit advancetrack.com, use our contact forms, download resources, sign up for our newsletter or events, or contact us to enquire about our services.

2. What data we collect from website visitors

Category	Examples and detail
Identity data	Your name, job title, and the name of your organisation.
Contact data	Your email address, telephone number, and postal address where provided.
Technical and usage data	Your IP address, browser type and version, operating system, pages visited, time and date of visits, and referring URL. Collected automatically via our website analytics tools.
Communications data	The content of enquiries, messages, or comments you send us via contact forms, email, telephone, or live chat.
Marketing and preference data	Your preferences for receiving marketing from us, and your responses to surveys, webinars, or events you register for.
Cookie data	Data collected via cookies and similar technologies. Please see our Cookie Policy at advancetrack.com/cookies for full details.

We do not intentionally collect sensitive personal data through our website. Please do not include health data, financial account details, or information about criminal convictions in messages you send us.

3. How we use your data and our legal basis

Purpose	Lawful basis
Responding to enquiries and providing information	Legitimate interests (Article 6(1)(f)) — it is in our and your legitimate interests to respond to your enquiry effectively.
Processing a contact form, callback, or event registration	Legitimate interests, or performance of a contract where you are entering into an arrangement with us (Article 6(1)(b)).
Sending marketing emails (newsletter, updates)	Consent (Article 6(1)(a)) — we only send marketing emails where you have opted in. Withdraw consent at any time via the unsubscribe link or by emailing privacy@advancetrack.com.
Hosting and promoting webinars and events	Legitimate interests — we have a legitimate interest in promoting and delivering our events.
Website analytics	Legitimate interests — we have a legitimate interest in improving our website. Analytics tools are configured to anonymise IP addresses where possible.
Complying with legal obligations	Legal obligation (Article 6(1)(c)).
Establishing, exercising, or defending legal claims	Legitimate interests.
Preventing and detecting fraud or security incidents	Legitimate interests and legal obligation.

Your right to object to legitimate interests processing
Where we rely on legitimate interests as our lawful basis, you have the right to object to that processing at any time. We will stop unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. To object, contact privacy@advancetrack.com.

4. Cookies and analytics

Our website uses cookies and similar technologies to help us understand how visitors use the site and to remember your preferences. We use Complianz to manage your cookie consent preferences.

Strictly necessary cookies: Essential for the website to function. No consent required.
Analytics cookies: Help us understand visitor interactions. Set only with your consent.
Functional cookies: Enable features such as live chat (Moneypenny) and personalised content. Set only with your consent.
Marketing cookies: LinkedIn Insight Tag for campaign measurement. Set only with your consent; off by default.

5. Who we share your data with

We share your personal data only where necessary. We do not sell your personal data.

Recipient	Purpose and safeguard
HubSpot (CRM)	We use HubSpot to manage our contact and marketing database. HubSpot processes data on our behalf under a data processing agreement. Data may be stored on US servers; HubSpot participates in the UK IDTA framework.
Microsoft 365	We use Microsoft 365 for email and communications. Data stored in UK and EU data centres under a data processing agreement.
Moneypenny	Live chat on our website is provided by Moneypenny Ltd (UK). Chat data is processed on our behalf under a data processing agreement.
Analytics providers	We use Google Analytics to understand website usage. IP addresses are anonymised before transmission. Google participates in the UK IDTA framework.
LinkedIn	The LinkedIn Insight Tag measures the effectiveness of our LinkedIn advertising campaigns. LinkedIn Ireland processes this data under a data processing agreement.
Event platform providers	Where you register for webinars or events, your registration data is shared with the relevant platform provider under a data processing agreement.
Professional advisors	Legal, financial, and audit advisors where necessary. All bound by confidentiality obligations.
Regulatory and law enforcement authorities	Where required by law, court order, or regulatory obligation.
Buyers of the business	If we sell or merge any part of our business. We will inform you if this occurs.

6. International transfers

Some third parties we work with process data outside the UK. Where your personal data is transferred outside the UK, we ensure appropriate safeguards are in place under UK GDPR Chapter V, including:

Transferring to countries with a UK adequacy decision (including EU/EEA member states, Canada, and New Zealand).
Using UK International Data Transfer Agreements (IDTAs) or ICO-approved standard contractual clauses for transfers to non-adequate countries (including the United States and Australia).
Transferring only to organisations that participate in recognised certification schemes.

For information about the specific safeguards in place for any transfer, contact privacy@advancetrack.com.

7. How long we keep your data

Type of data	Retention period
Website enquiry or contact form	2 years from the date of last contact, unless you become a client or ask us to delete sooner.
Marketing contact (newsletter, events)	Until you unsubscribe or until 2 years from your last engagement, whichever is sooner.
Analytics and technical data	Aggregated and anonymised after 26 months. Raw session data up to 14 months.
Telephone call recordings	90 days, or until resolution of any related dispute.
Records of consent to marketing	Until you withdraw consent, plus 6 months.

PART B — JOB APPLICANTS

This part applies if you apply for a role with Advancetrack, whether through our website, a recruitment agency, LinkedIn, or any other channel.

8. What data we collect from job applicants

Category	Detail
Identity data	Full name, date of birth, NI number (where an offer is made), nationality.
Contact data	Home address, personal email address, telephone number.
Employment and education history	CV, cover letter, previous employers and roles, qualifications, professional memberships.
Recruitment process data	Interview notes, assessments, test results, references.
Right to work documentation	Passport, visa, or equivalent. Not retained beyond what is necessary.
Criminal record data	Details of unspent convictions where a DBS check or equivalent is required for the role.
Special category data (with consent)	Ethnicity, gender, disability, religion, or sexual orientation for diversity monitoring. Entirely voluntary; no bearing on recruitment decisions.

9. How we use applicant data and our legal basis

Purpose	Lawful basis
Assessing applications and making decisions	Legitimate interests (Article 6(1)(f)); also Article 6(1)(b) for pre-contractual steps.
Verifying right to work	Legal obligation (Article 6(1)(c)).
Background screening	Legitimate interests; for criminal record data, legal obligation or substantial public interest (Schedule 1 DPA 2018).
Contacting references	Legitimate interests. We only contact referees with your prior knowledge.
Diversity monitoring	Consent (Article 6(1)(a)). You may withdraw consent at any time without affecting your application.
Complying with employment law obligations	Legal obligation.

Special category data

Diversity data: processed only with your explicit consent (UK GDPR Article 9(2)(a)). You may decline to provide it without affecting your application.

Criminal record data: processed under legal obligation / substantial public interest conditions where applicable.

Health data relevant to adjustments: processed to comply with our Equality Act 2010 obligations.

10. Sources of applicant data

Directly from you through your application, interview, or subsequent correspondence.
Recruitment agencies acting on your behalf or ours.
Your named referees, where you have authorised us to contact them.
Professional networking platforms such as LinkedIn, where you have made your profile public or applied through the platform.
Background screening providers where a check is required for the role.

11. How long we keep applicant data

Outcome	Retention period
Unsuccessful application	6 months from the date we inform you of our decision, then securely deleted unless you have consented to retention for future opportunities.
Successful — becomes employee	Transferred to your employee record. Refer to the Staff Privacy Notice provided on commencement of employment.
Right to work documentation	2 years following the end of employment (Immigration, Asylum and Nationality Act 2006).
Diversity monitoring data	Anonymised and aggregated immediately after the recruitment round.

PART C — CONTACTS MET AT EVENTS, THROUGH RESEARCH, AND OUTREACH

This part applies if we collected your contact details in a business development or marketing context — for example at an industry event, trade show, or conference; if your details were shared by a mutual contact or partner; if we identified your firm through market research; or if you engaged with us on LinkedIn. It explains how we handle your data for marketing communications and business relationship building.

12. What data we collect and where it comes from

Category	Detail
Identity data	Your full name, job title, and organisation name.
Contact data	Business email address, business telephone number, and business address.
Professional data	Sector, firm size, services currently used, and relevant professional memberships (e.g. ICAEW, ACCA, CIMA).
Interaction data	Events attended where we were present, conversation notes, responses to previous communications, records of follow-up calls or meetings.
Preference data	Stated or indicated areas of interest, communication preferences, and records of any consent or opt-in provided.

We obtain this data from the following sources:

Directly from you: when you hand over a business card, scan your badge at an event, fill in a contact form on our stand, or give your details to a member of our team.
Event organisers: where an event provides attendee lists or badge-scanning to exhibitors. We only use this data where the event organiser's terms confirm that attendees were notified their details may be shared with exhibiting companies.
Professional networking platforms: where you have made your contact details publicly available on LinkedIn or similar and we contact you about services relevant to your professional role.
Market research and publicly available sources: including company websites, published directories, and professional membership listings where contact details are listed in a professional capacity.
Referrals: where a mutual contact, existing client, or partner introduces us to you or provides your details with your knowledge.

13. How we use this data and our legal basis

Purpose	Lawful basis and detail
Sending marketing emails about our services, events, and industry insights	UK/EEA/NZ/AU residents: Legitimate interests (UK GDPR Article 6(1)(f)) combined with PECR compliance. We contact you only at a business email address in your professional capacity; every email contains a clear unsubscribe link. Canadian residents: We rely on implied consent under Canada's Anti-Spam Legislation (CASL) where we have an existing business relationship with your organisation (valid for 2 years). For new contacts without an existing relationship, we require your express prior consent before sending marketing emails. Express consent is obtained at point of contact (e.g. at an event) or via a consent mechanism on our website. US residents: We comply with the CAN-SPAM Act. Every marketing email contains a clear opt-out mechanism and we honour all opt-out requests within 10 business days. For California residents, see Section 22.
Following up after an event or meeting	Legitimate interests (Article 6(1)(f)). It is in our mutual legitimate interests to follow up on a conversation or introduction.
Inviting you to webinars, roundtables, and events (including gbX)	Legitimate interests — we organise educational events for accounting professionals.
Recording consent and communication preferences in our CRM	Legal obligation and legitimate interests — we are required to keep records of consent and preferences to demonstrate compliance.
Personalising communications based on firm type, role, or interests	Legitimate interests — tailoring communications makes them more relevant and reduces irrelevant messages.

Our approach to marketing emails and PECR / CASL

UK and most international recipients: Under PECR and UK GDPR, we may send marketing emails to business contacts at corporate email addresses without prior consent, provided the communication is relevant to their professional role and every message contains an easy unsubscribe link.

Canadian recipients: Canada's Anti-Spam Legislation (CASL) is stricter than PECR. We rely on implied consent only where we have a genuine existing business relationship with your organisation. For all other Canadian contacts, we obtain express consent before sending marketing emails.

We do not send marketing to personal email addresses (e.g. Gmail, Hotmail) without your explicit prior consent, regardless of jurisdiction.

You can object to marketing communications at any time — see Section 17 (Your rights).

14. How long we keep marketing contact data

Situation	Retention period
Active and engaged contact	Retained as long as you remain engaged and have not unsubscribed.
You unsubscribe from marketing emails	Removed from active lists immediately. A suppression record (email address and unsubscribe date only) is retained for 3 years to prevent accidental re-addition.
No engagement for 2 years	We send a re-engagement email. If no response or active re-consent within 30 days, we remove you from our active database.
You ask us to delete your data entirely	Contact record deleted from CRM within 30 days. Note: without a suppression record we cannot prevent accidental re-addition from future event lists. We recommend unsubscribing rather than requesting deletion if your preference is simply not to receive marketing.
You become a contracted client	Contact record updated to reflect the client relationship. Client retention periods (typically 7 years post-contract) then apply.

PART D — YOUR RIGHTS

This part applies to everyone covered by this notice. Under UK GDPR and equivalent legislation in other jurisdictions, you have rights in relation to your personal data. We will always respond to your request and explain clearly if we are unable to fulfil it in full.

15. Your rights in detail

Right	What it means in practice
Right of access (SAR)	You may request a copy of the personal data we hold about you. We will respond within one calendar month. No fee in almost all circumstances.
Right to rectification	If any data we hold is inaccurate or incomplete, you can ask us to correct or update it.
Right to erasure	You can ask us to delete your personal data where it is no longer necessary, you withdraw consent, you object and we have no overriding legitimate grounds, or it has been processed unlawfully. Does not apply where we are required by law to retain the data.
Right to restriction	You can ask us to suspend processing while a dispute about accuracy or use is resolved.
Right to data portability	Where we process by automated means on the basis of consent or contract, you can request your data in a structured, machine-readable format.
Right to object	You have an absolute right to object to processing for direct marketing. We will stop immediately. You also have the right to object to processing based on legitimate interests.
Right not to be subject to automated decision-making	We do not currently make solely automated decisions with legal or significant effects on individuals.
Right to withdraw consent	Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

How to exercise your rights

Contact us at privacy@advancetrack.com or write to: Privacy Team, Advancetrack, University of Warwick Science Park, The Venture Centre, Sir William Lyons Road, Coventry, CV4 7EZ.

We will respond within one calendar month. We may need to verify your identity — we will ask for the minimum information necessary.

If you are not satisfied with our response, you have the right to complain to your relevant supervisory authority. See Section 22 for the authority in your jurisdiction.

PART E — INTERNATIONAL VISITORS

Our website is accessible worldwide and we work with accounting practices and professionals across many countries. This part explains the additional or different rights and protections that apply to residents of specific countries or regions. In all cases, the rights and protections described in the rest of this notice apply as a minimum standard.

16. Ireland and the European Union

If you are resident in Ireland or another EU member state, your personal data is protected by the EU General Data Protection Regulation (EU GDPR), which is equivalent in substance to the UK GDPR described throughout this notice. The rights described in Part D apply fully to you.

The relevant supervisory authority for EU residents is the data protection authority in your country of residence. For residents of Ireland, this is the Data Protection Commission (DPC):

Data Protection Commission (Ireland)

Website: dataprotection.ie

Email: info@dataprotection.ie

Post: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

Telephone: +353 (0)1 765 0100

Data transfers (UK to EU/Ireland): The United Kingdom currently holds an EU adequacy decision, which means personal data can flow between the UK and EU/EEA member states without requiring additional transfer safeguards. This adequacy decision is subject to periodic review and may change. We will update this notice if the position changes.

17. Canada

If you are resident in Canada, your personal data is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, equivalent provincial legislation. Residents of Quebec are also protected by Law 25 (formerly Bill 64), which imposes additional requirements broadly similar to the EU GDPR.

The rights described in Part D are substantially equivalent to your rights under PIPEDA, including the right to access your personal data and to request correction of inaccurate data. The relevant supervisory authority is:

Office of the Privacy Commissioner of Canada

Website: priv.gc.ca

Telephone: 1-800-282-1376 (toll-free in Canada)

Marketing emails and CASL: Canada's Anti-Spam Legislation (CASL) requires that commercial electronic messages sent to Canadian recipients are based on either express or implied consent. We obtain express consent from Canadian contacts who do not have an existing business relationship with us before sending marketing communications. Where we have an existing relationship, we rely on implied consent within the 2-year window permitted by CASL. You may withdraw consent at any time using the unsubscribe link in any communication or by contacting privacy@advancetrack.com.

Data transfers (UK to Canada): Canada holds a UK adequacy decision. Personal data can flow between the UK and Canada without requiring additional transfer safeguards.

18. United States

There is no single federal privacy law in the United States equivalent to UK GDPR. Your rights depend on the state in which you reside. Advancetrack's approach — described throughout this notice — provides a high standard of protection that meets or exceeds the requirements of most US state privacy laws currently in force.

California residents (CCPA / CPRA): If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you the following specific rights in addition to those in Part D:

The right to know what personal data we collect, use, disclose, and sell.
The right to delete personal data we hold about you, subject to certain exceptions.
The right to correct inaccurate personal data.
The right to opt out of the sale or sharing of your personal data.
The right not to receive discriminatory treatment for exercising your CCPA rights.

Do Not Sell or Share My Personal Information

Advancetrack does not sell your personal data to third parties, and does not share your personal data for cross-context behavioural advertising purposes.

Because we do not sell or share personal data in these ways, the CCPA right to opt out of sale/sharing does not apply in practice to our processing activities. If you have any concerns about how your data is used, please contact privacy@advancetrack.com.

Other US states: Residents of Virginia, Colorado, Connecticut, Texas, and other US states with comprehensive privacy laws have rights broadly similar to those described in Part D. We will respond to verifiable consumer requests from residents of all US states in accordance with applicable law. To make a request, contact privacy@advancetrack.com.

Data transfers (UK to USA): The United States does not currently hold a UK adequacy decision. Where your personal data is transferred to US-based third parties (including HubSpot and Google), we rely on UK International Data Transfer Agreements (IDTAs) or equivalent standard contractual clauses to ensure appropriate safeguards are in place.

Marketing emails and CAN-SPAM: Marketing emails sent to US recipients comply with the CAN-SPAM Act, including clear identification as a commercial message, an honest subject line, our physical address, and a working opt-out mechanism. We honour all opt-out requests within 10 business days.

19. Australia

If you are resident in Australia, your personal data is protected by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The rights described in Part D are broadly consistent with your rights under the APPs, although Australia's privacy framework differs from UK GDPR in some respects — for example, the APPs do not include a standalone "right to erasure" in the same form as UK GDPR (though reform of the Privacy Act is currently under consideration). You do have the right to request access to and correction of personal data we hold about you.

The relevant supervisory authority is:

Office of the Australian Information Commissioner (OAIC)

Website: oaic.gov.au

Telephone: 1300 363 992 (within Australia)

Post: GPO Box 5218, Sydney NSW 2001, Australia

Data transfers (UK to Australia): Australia does not currently hold a UK adequacy decision. Where personal data is transferred to Australia, we rely on UK IDTAs or equivalent standard contractual clauses as the transfer mechanism. We also ensure that any Australian recipient of your personal data is bound by privacy obligations at least equivalent to the APPs, consistent with our obligations under APP 8.

20. New Zealand

If you are resident in New Zealand, your personal data is protected by the Privacy Act 2020 and the Information Privacy Principles (IPPs). The Privacy Act 2020 modernised New Zealand's privacy framework and is broadly aligned with international standards. Your rights under the IPPs include the right to access personal data we hold about you and the right to request correction of inaccurate data.

The relevant supervisory authority is:

Office of the New Zealand Privacy Commissioner

Website: privacy.org.nz

Telephone: 0800 803 909 (within New Zealand)

Data transfers (UK to New Zealand): New Zealand holds a UK adequacy decision. Personal data can flow between the UK and New Zealand without requiring additional transfer safeguards.

Breach notification: The Privacy Act 2020 requires organisations to notify the New Zealand Privacy Commissioner and affected individuals of notifiable privacy breaches. If a breach involving your personal data occurs that is likely to cause you serious harm, we will notify you without undue delay and will notify the Privacy Commissioner in accordance with applicable law.

PART F — FURTHER INFORMATION

21. Data security

We take the security of your personal data seriously. We implement and maintain technical and organisational measures appropriate to the risk, including encryption of data in transit and at rest, access controls, multi-factor authentication, regular vulnerability scanning, penetration testing, and staff training. Our information security programme is independently audited by BSI against ISO/IEC 27001:2022.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and will notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms. Where applicable law requires notification to additional authorities (such as the Australian OAIC or the New Zealand Privacy Commissioner), we will fulfil those obligations too.

22. Supervisory authorities — quick reference

If you wish to make a complaint about how we have handled your personal data, you may contact the supervisory authority relevant to your country of residence:

Country / region	Supervisory authority
United Kingdom	Information Commissioner's Office (ICO): ico.org.uk \| 0303 123 1113
Ireland	Data Protection Commission (DPC): dataprotection.ie \| +353 (0)1 765 0100
EU member states (other)	Your national data protection authority. Find yours at: edpb.europa.eu/about-edpb/about-edpb/members_en
Canada	Office of the Privacy Commissioner of Canada: priv.gc.ca \| 1-800-282-1376
Australia	Office of the Australian Information Commissioner (OAIC): oaic.gov.au \| 1300 363 992
New Zealand	Office of the Privacy Commissioner: privacy.org.nz \| 0800 803 909
United States	No single federal authority. Complaints may be directed to the FTC (ftc.gov), your state attorney general, or the relevant state privacy authority.

23. Links to other websites

Our website may contain links to third-party websites. This notice does not apply to those websites. We encourage you to read the privacy notices of any third-party sites you visit.

24. Children

Our website and services are directed at business professionals and are not intended for use by children under the age of 18 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children through our website. If you believe we have inadvertently received personal data relating to a child, please contact privacy@advancetrack.com and we will delete it promptly.

25. Changes to this notice

We review and update this notice at least annually and whenever there is a material change to our processing activities or to applicable law. The current version is always available at advancetrack.com/privacy-policy. Where we make a material change, we will take reasonable steps to draw it to your attention.

Version: 2.2 | Last updated: May 2026 | Replaces: Version 2.1, May 2026

26. About Advancetrack

Advancetrack is a leading provider of outsourced accountancy and bookkeeping services to UK accounting practices and their clients. We have been first to achieve several landmark information security and privacy certifications in the accountancy outsourcing sector. For more information, see our Data Protection Overview. If you are an accountancy practice or prospective client, please speak with your account manager or contact privacy@advancetrack.com.