PRIVACY POLICY - Upstreamly LTD

Introduction

Upstreamly Ltd (“Upstreamly,” “we,” “us,” or “our”) is committed to protecting your personal data and respecting your privacy in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020 (together referred to as “Data Protection Legislation”).

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website or otherwise interact with us. We regularly review this Policy and may update it periodically.

 

Contents

1. Who We Are

2. Definitions

3. What Personal Data We Collect

4. How We Collect Your Data

5. Why We Process Your Data

6. Legal Bases for Processing

7. Sharing Your Data

8. International Data Transfers

9. Use of Images and Hosting Provider

10. Cookies and Tracking Technologies

11. Data Retention

12. Data Sources

13. Your Rights Under Data Protection Law

14. Change of Purpose

15. Children’s Privacy

16. Data Security

17. Third-Party Links

18. Email Marketing and Client Communications

19. Use of Artificial Intelligence (AI)

20. Accessibility

21. Updates to This Policy

22. Complaints and Supervisory Authority

23. Version Control

 

1. Who We Are

Upstreamly Ltd is a limited company registered in England and Wales under company number 09580262.

We are a chartered accountancy firm and a practising member of the Institute of Chartered Accountants in England & Wales (ICAEW).

Our Data Protection Point of Contact is responsible for handling privacy-related matters and can be reached at info@upstreamly.com.

This Privacy Policy applies to all personal data collected by Upstreamly through our website and related services. It does not apply to any third-party websites linked on our site.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable individual.

  • Processing: Any operation performed on personal data, whether automated or manual.

  • Controller: The entity that determines the purposes and means of processing personal data.

3. What Personal Data We Collect

We may collect and process the following types of personal data:

  • Identity Data: name, title, or similar identifiers

  • Contact Data: email address, phone number, and correspondence address

  • Professional Data: qualifications, employment history, and CVs

  • Financial Data: payment information, invoices, and tax details (where relevant)

  • Technical Data: IP address, browser type, operating system, and analytics data

  • Communications Data: correspondence and feedback

  • Image Data: photographs or professional images shared with consent

4. How We Collect Your Data

We collect data in the following ways:

Directly from you:

  • When you contact us via email, phone, or our website

  • During client onboarding or recruitment

  • When you provide information for service delivery

Indirectly from third parties:

  • Companies House or other public databases

  • Recruitment partners or professional networks (e.g., LinkedIn, ICAEW training directory)

  • Referrals from existing clients

Automatically:

  • Through website cookies and analytics technologies

5. Why We Process Your Data

We process your personal data for the following purposes:

  • To provide and manage professional services

  • To verify identity and maintain client records

  • To process payments and meet contractual obligations

  • To manage client and supplier relationships

  • To handle recruitment applications

  • To send important service updates (with consent where required)

  • To improve website performance and user experience

  • To comply with legal obligations and prevent fraud

6. Legal Bases for Processing

We rely on the following lawful bases for processing your data:

  • Contractual Necessity: when processing data to deliver or administer our services

  • Legal Obligation: where we are required to comply with law or regulation (e.g., HMRC)

  • Legitimate Interest: to operate our business effectively, improve services, and manage relationships

  • Consent: where you have provided explicit consent (e.g., for optional communications)

  • Public Interest: where processing supports regulatory or professional compliance

You can withdraw consent at any time by contacting info@upstreamly.com.

7. Sharing Your Data

We share personal data only where necessary and in accordance with the law. This may include sharing with:

  • Service Providers: e.g., Squarespace, Google Analytics, Microsoft 365

  • Professional Advisors: auditors, lawyers, consultants

  • Regulatory or Legal Bodies: e.g., HMRC, the ICAEW, the ICO

  • Third Parties in Business Transactions: such as mergers or transfers

  • Internal Staff: on a strict need-to-know basis

All third parties are contractually required to maintain confidentiality and data security. We do not sell personal data or share it for marketing purposes.

8. International Data Transfers

Where personal data is transferred outside the UK or EEA, we ensure an adequate level of protection through:

  • Adequacy Regulations under the Data Protection Act 2018

  • UK International Data Transfer Agreement (IDTA) or UK SCCs

  • Other lawful safeguards as appropriate

You may contact us to learn more about our transfer mechanisms.

9. Use of Images and Hosting Provider

Our website may display images or professional photos hosted securely by Squarespace.
We do not collect or process biometric data. Identifiable images are used only with explicit consent or where otherwise lawful.

Requests for image removal can be sent to info@upstreamly.com.

10. Cookies and Tracking Technologies

We use cookies to enhance website functionality and user experience. These small text files help us recognise returning visitors, measure traffic, and improve site performance.

You can control cookie settings via your browser. Blocking cookies may affect some site functionality. Our cookies do not store any personally identifiable information.

Further details are set out in our Cookies Policy, available on our website.

11. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, taking into account legal, accounting, and regulatory requirements.
Retention periods are defined in our Data Retention Schedule.

12. Data Sources

We may receive personal data from:

  • Public registers or professional directories

  • Clients, suppliers, or referral partners

  • Recruitment or training platforms

All such data is processed lawfully and proportionately.

13. Your Rights Under Data Protection Law

You have the right to:

  • Access your personal data

  • Rectify inaccurate or incomplete data

  • Request erasure (“right to be forgotten”)

  • Restrict or object to processing

  • Request data portability

  • Withdraw consent at any time

  • Not be subject to automated decisions with legal or significant effects

To exercise these rights, contact info@upstreamly.com.

We may need to verify your identity before processing your request.

Requests are generally free of charge, unless manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse the request.

14. Change of Purpose

If we need to process your data for a purpose different from the one for which it was originally collected, we will inform you and explain the legal basis for the new processing before proceeding.

15. Children’s Privacy

Our services are not directed to children under 16, and we do not knowingly collect data from them. If you believe your child has submitted data to us, please contact us to have it removed.

16. Data Security

We maintain robust technical and organisational measures to safeguard personal data, including:

  • Encryption and secure servers

  • Access controls and confidentiality agreements

  • Regular staff training on data protection

  • Breach detection and response procedures

We will notify you and the Information Commissioner’s Office (ICO) of any data breach where legally required.

17. Third-Party Links

Our website may contain links to external websites. We are not responsible for their privacy practices. Please review their privacy policies before sharing information.

18. Email Marketing and Client Communications

Upstreamly does not operate a public newsletter or marketing mailing list.

However, we may send service-related communications (e.g., regulatory updates, client surveys, notifications) to existing clients.
You can opt out by emailing info@upstreamly.com.

19. Use of Artificial Intelligence (AI)

Upstreamly may use AI technologies to enhance service quality and efficiency (e.g., workflow optimisation or content personalisation).
All AI use adheres to principles of fairness, transparency, and data minimisation.
We do not rely solely on automated decision-making, and human review is available upon request.

20. Accessibility

If you require this Privacy Policy in an alternative format or language, please contact info@upstreamly.com.

21. Updates to This Policy

We may update this Privacy Policy periodically. The latest version will always be available on our website.

Where changes are material, we will notify you via email or a prominent website notice.

22. Complaints and Supervisory Authority

We take all privacy concerns seriously. If you have a complaint, please contact us first at info@upstreamly.com.

You also have the right to contact the Information Commissioner’s Office (ICO):
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Tel: 0303 123 1113
Website: https://ico.org.uk

23. Version Control

This Privacy Policy supersedes all previous versions.
Please check our website regularly for the most current version.