Privacy Notice
This is the privacy notice of Bluepath Limited. In this document, “we”, “our”, or “us” refer to Bluepath Limited.
Our registered office is at 2 Vache Mews, Vache Lane, Chalfont St Giles, HP8 4UT.
Our registered company number is 4491925.
Introduction
This notice explains how Bluepath Limited collects, uses, and protects personal information — whether you're a client, a supplier, an employee or contractor of one of our clients, or simply visiting our website.
We're committed to handling your information with care and transparency. If you have any questions about anything in this notice, please get in touch at admin@bluepath.co.uk.
1. Who we are and what law applies
Bluepath Limited is a virtual finance practice providing bookkeeping, payroll, HR, compliance, and financial advisory services to SMEs across the UK.
We are the Data Controller for personal information we hold about our clients and their contacts. Where we process personal data on behalf of our clients — for example, running payroll for their employees — we act as a Data Processor and are governed by a Data Processing Agreement with that client.
This notice is written in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are registered with the Information Commissioner's Office (ICO) under registration number ZB696550.
2. What personal data we process
The personal data we process depends on our relationship with you.
For clients and their business contacts, we may process:
- Contact details — name, email address, phone number, business address
- Business information — company structure, directors, partners, and their roles
- Financial data — income, expenses, bank details, tax records, and investment information
- Employment and payroll data — salary, National Insurance numbers, pension details, and statutory pay records
- HMRC and Companies House registration details
For suppliers, we process contact details and the information necessary to manage our contract with you.
If you contact us via our website or by email, we collect the information you provide in order to respond to you.
We do not collect personal data from website visitors beyond standard web server logs (see Section 7 on cookies and website data).
3. The lawful bases on which we process your data
UK GDPR requires us to identify a lawful basis for every type of processing we carry out. We rely on the following bases:
Contract — where processing is necessary to carry out our obligations under a contract with you, or to take steps at your request before entering into a contract. This covers the core delivery of our services to clients.
Legal obligation — where we are required to process data to comply with a law. For example, we may be required to disclose information to HMRC, Companies House, or other statutory authorities on request, or in response to a court order or search warrant.
Legitimate interests — where processing is necessary for our legitimate business interests and those interests are not overridden by your rights. This includes: maintaining records for the proper administration of our practice, responding to communications you would expect us to reply to, and protecting our legal rights.
Consent — in limited circumstances where you have given us explicit permission to use your data for a specific purpose. You can withdraw your consent at any time by contacting us at admin@bluepath.co.uk. Withdrawing consent will not affect anything we've done based on your consent before it was withdrawn.
4. Who we share your data with
We do not sell your personal data to anyone.
We may share data in the following circumstances:
- With HMRC, Companies House, and other statutory bodies where we are legally required to do so
- With our own service providers who help us deliver our services — for example, our accounting software provider (Xero), our cloud storage provider (Google Workspace), and payroll or HR platforms. These providers act as Data Processors and are contractually required to handle your data securely and only on our instructions
- With professional advisers such as our accountants or legal advisers, where necessary and subject to confidentiality obligations
- Where you or your employer have specifically authorised us to share information with a third party
If we receive your data from one of our clients (for example, because we process their payroll), we ask that client to make you aware that your data has been passed to us and to direct you to this privacy notice.
5. International data transfers
Our primary systems — Google Workspace and Xero — are hosted in the UK or European Economic Area (EEA), or use data centres that provide equivalent protections.
Where any personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR. These safeguards may include the UK International Data Transfer Agreement (IDTA) or transfers to countries covered by UK adequacy regulations.
If you would like details about the specific safeguards in place for any transfer, please contact us at admin@bluepath.co.uk.
6. How long we keep your data
We keep personal data only for as long as necessary for the purpose it was collected, or as required by law. Our standard retention periods are:
- Financial and accounting records: 6 years from the end of the relevant tax year, in line with HMRC requirements
- Payroll records: 3 years from the end of the tax year to which they relate
- Client correspondence and supporting documents: 6 years from the end of the engagement
- Supplier records: for the duration of the contract and 6 years thereafter
- Website enquiry records: 12 months from the date of enquiry
When data reaches the end of its retention period, we securely delete or anonymise it.
7. Our website and cookies
Our website (bluepath.co.uk) is a marketing and information site. We do not require you to log in and we do not run surveys or collect personal data through forms beyond a standard contact enquiry.
Our web server automatically records technical information when you visit, including your IP address, browser type, device type, and the pages you view. We use this information in aggregate to understand how our site is used and to improve it. We do not use it to identify individual visitors.
Cookies
Cookies are small text files placed on your device when you visit a website. We use only the cookies that are strictly necessary for our website to function correctly. We do not currently use analytics or advertising cookies.
You can control and delete cookies through your browser settings. Restricting cookies will not affect your ability to use our website.
8. Your rights
Under UK GDPR, you have the following rights in relation to your personal data:
| Right | What it means |
| --- | --- |
| Right of access | You can ask us for a copy of the personal data we hold about you. We will respond within one month. This is free of charge in most cases. |
| Right to rectification | You can ask us to correct inaccurate or incomplete personal data we hold about you. |
| Right to erasure | You can ask us to delete your personal data where there is no longer a legitimate reason for us to hold it. This right is not absolute — we may need to retain certain data to comply with legal obligations. |
| Right to restriction | You can ask us to restrict how we use your data in certain circumstances — for example, while we investigate a dispute about its accuracy. |
| Right to data portability | Where we process your data by automated means on the basis of your consent or a contract, you can ask us to provide it to you in a structured, commonly used format. |
| Right to object | You have the right to object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. |
| Automated decisions | You have the right not to be subject to decisions made solely by automated processing that significantly affect you. We do not carry out this type of processing. |
To exercise any of these rights, please contact us at admin@bluepath.co.uk. We will verify your identity before acting on any request, to protect your information.
9. Complaints
If you have any concerns about how we handle your personal data, please contact us in the first instance at admin@bluepath.co.uk. We will do our best to address your concern promptly.
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time. You can do this at ico.org.uk/concerns or by calling the ICO helpline on 0303 123 1113.
10. Changes to this notice
We review this privacy notice at least annually and whenever there is a material change to how we process personal data. The current version is always published on our website at bluepath.co.uk. The date at the top of this notice shows when it was last reviewed.
If we make significant changes that affect how we use your data, we will take reasonable steps to notify you directly where we hold your contact details.
Data Controller: Bluepath Limited | ICO Registration: ZB696550 | Contact: admin@bluepath.co.uk
Last reviewed: April 2026