
Privacy & Data Protection

We are committed to protecting a data subject's privacy in accordance with the General Data Protection Regulation (GDPR).  You can read more about GDPR on the Information Commissioner's Office (ICO) website by clicking on the below link.

ICO Registration


Both TASH & TAP are registered with the ICO.  You can view our certificates by clicking on the below buttons.  Where we engage with a sub-processor, we insist they have their own ICO registration.

Privacy & Data Protection Policy

Our Privacy & Data Protection Policy explains when we collect personal data, why we require it, how we utilise it, how we try to keep it secure and the conditions under which we may disclose it to a third party authority.  You can read more about this by clicking on the below link.

We will only use personal data when legally permitted. The most common uses of personal data are:
Where we need to perform a Contract for Services.

Where it is necessary for our legitimate interests (or those of a third party) and the data subject's interests and fundamental rights do not override those interests.

Where we need to comply with a legal or regulatory obligation.

Where we have been given consent.  However, generally, we do not rely on consent as a legal ground for processing personal data as typically, we are able to demonstrate Contract, Legitimate or legal obligation.

Website Privacy & Cookie Policy

You can read our Website Privacy & Cookie Policy by clicking on the below link.

Like many other websites, our website uses cookies. 'Cookies' are small pieces of information sent by an organisation to your computer and stored on your hard-drive to allow that website to recognise you when you visit. They collect statistical data about your browsing actions and patterns and do not identify you as an individual. This helps us to improve our website and deliver a better, more personalised service. It is possible to switch off cookies by setting your browser preferences. Turning cookies off may result in a loss of functionality when using our website.

Accountability and Governance

The GDPR applies to ‘controllers’ and ‘processors’:

A controller determines the purposes and means of processing personal data

A processor is responsible for processing personal data on behalf of a controller

We access and use data supplied by regulated IFA firms with their permission, during the period of a Contract for Service.  We have identified ourselves as a ‘processor’.   Though we may act as co-intermediaries, we believe that the regulated IFA firm appointed by the client to advise is classed as the ‘data controller’.  The regulated IFA firm retains control of the data, subject to its own client agreement and Privacy Policy and retains control in terms of access rights granted to all third party processors.  In most circumstances we have no direct client consent to process data so rely mostly on a contractual right to process that data. 

When we use the data our IFA firms provide us with (with their permission), we have a duty of care in terms of how we handle that data. There are specific responsibilities under GDPR that provide sufficient guarantees that the requirements of the GDPR will be met and the rights of the data subjects protected.

You can read about controllers and processors in more detail here

How we store data


We store our personal data in electronic formats (pdf, word, excel etc) and occasionally on paper. Paper files are retained within our secure alarmed premises.  Occasionally, a client file containing personal data may be taken outside of our premises, such as when working away from the office.

Our electronic files containing personal data are stored/backed-up in two locations:

1. Internal Server, sited on our premises.

2. Dropbox, a US-based company that complies with the EU-US Privacy Shield Framework.

How long will we keep Personal Data

We will not keep a data subject's personal data for any longer than is necessary in light of the reason(s) for which it was first collected.  A data subject’s personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):

  1. Until when it is no longer in our legitimate business interests to keep it.

  2. We also reserve the right to retain data for longer than this due to the possibility that it may be required to defend a future claim against us. Please note that in the event of a pension transfer, a regulated IFA firm is required to hold client records indefinitely and if we believe we are part of this intermediary process, we may choose to also hold records indefinitely.

  3. We recognise that a data subject has the right to request deletion of their personal data and we will comply with this request, subject to the restrictions of our legal or regulatory obligations and legitimate business interests as noted above.

If we receive a specific request from an IFA firm that we delete all data relating to a data subject, then you waive the right to any future claim of errors and omissions.




Our emails are of SSL (Secure Sockets Layer) standard, which is a protocol that helps secure communications over computer networks, and is most often used with email.  Our system encrypts at 256-bit key rate  which is the standard level of Banking encryption.  Our internal emails never leave our host email server (located in Manchester UK) and are therefore always encrypted at 256-bit key rate.  When we send external emails, we cannot be held responsible for the level of security of the receiving server.  However, in order to protect personal data as best we can, as a minimum we will always password protect personal data.

Please note however, regulated firms are responsible for providing a method for the secure transmission of a data subject's personal data to us, whether that is by email encryption, or through a secure communication portal.  

We strongly recommend that you have appropriate technology in place, enabling the secure transmission of personal data, in line with the expectations of current data protection legislation. 


The PCs which are kept on our premises have two layers of security.  Stage 1 is Windows 10 encryption and Stage 2 is Windows user profile password entry.


All laptops used away from the office have the same two levels of security, but DESlock Encryption is used in place of Windows encryption. 

Only management level staff use mobile devices (phones and iPad) for work activities.  All devices require either a 6 digit pass-code or fingerprint recognition and automatically lock after 1 minute of inactivity.  All devices are Apple products and Apple automatically build in encryption to their products, which you can read about here -  

Across all our devices (excluding mobile phones and iPad) we have installed ESET end-to-end protection which monitors all our PCs and laptops to ensure that our Firewalls & Anti-virus software remain up to date.  This is monitored by our IT partners Ahead4, whose details are provided below.

Third parties and Data Sharing

We are committed to the protection of a data subject's personal data.

We will not sell or rent personal data to third parties under any circumstances.

We will not share personal data with third parties without the data controller's permission.


We will not share personal data with third parties for marketing purposes.

We keep a list of the software platforms we use to operate our business. A list is available upon request.

We have an outsourced support team for our own business which may include Web Designers, IT support, Sales and Marketing, Accounting, sub-processors and more. They have limited access to personal data, where the service they provide to us means they need it.  For example, Ahead4 are our trusted and chosen IT partners. Naturally, in order for Ahead4 to support our business with an IT service, they are required, from time to time, to access our systems with our authority.  Ahead4 takes Data Protection very seriously. They are UK based and you can read about their own Privacy Policy here and the steps they have taken to comply with GDPR.

 We may share personal data with third parties, such as back-office systems, cloud-based document storage, technical or research software providers, product providers or investment companies, which assist us in providing a Contract for Service. 

We do not usually transfer any personal data outside of the EU except when we need to perform pre-contractual measures (credit and ID checks) or because the checks we request are necessary for important reasons of public interest.

Please note however, regulated firms are responsible for ensuring that their own Privacy Policy and other appropriate client documentation permits the sharing of a data subject's personal data with third party processors such as us.

Employee Awareness


All our employees and sub-processors will be required to undertake annual training with respect to data protection requirements to demonstrate their understanding of data protection requirements.


Breach Management


In the event of a data breach, we have processes to manage, investigate, and mitigate the impact of data breaches.

Links to other websites

Our website may contain links to other websites run by other organisations. This privacy policy applies only to our website, so we encourage you to read the privacy statements on any other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.  In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.


Review of this Policy

We keep this Policy under regular review. We are committed to continuous implementation of technical and organisational measures to ensure we are doing the best we can at all times.  Supervision of our commitment to the protection of personal data is the responsibility of our senior management.


This Policy was last updated in May 2018.

Should you have any questions regarding this Privacy Policy and/or our data handling methods, we request that you email the Data Privacy Officer (DPO) or write to him at 51 Trinity Row, South Woodham Ferrers, Essex CM3 5DE.

You may also contact us via telephone 01245 200425.
