Privacy Statement

1. Overview

The General Data Protection Regulation (GDPR) imposes specific legal obligations in connection with the processing of personal data. The Data Protection Act 2018 (DPA 2018) sets out the framework for delivering data protection law and specifies how the GDPR applies in the UK.

This privacy notice provides information on how we collect and process your personal data when you use our website or are in contact with us about the accountancy services we provide (whether by telephone, email, face-to-face, or via the form on our website).

My Student Years is a data controller, and we are responsible for your personal data (hereafter referred to as "we", "us" or "our").

Our full contact details are:

Name: My Student Years




Email address:


2. Information we may collect from you

We may collect and process the following information about you:

  • Personal identifiers such as your name, occupation and job title;
  • Contact details including your postal/email address and phone number;
  • Transaction details about services you specifically request from us;
  • Financial information concerning any services bought from us including addresses for invoices;
  • Profile details from documents you complete online such as your username and password, preferences, interests and your transaction history;
  • Information from customer surveys and feedback forms in respect of any of our services you may have purchased; and
  • Details of your visits to our website including but not limited to traffic data, location data, weblogs and other communication data and the resources that you access or use.

If you do not wish us to collect any of the personal information stated above, you should discuss this with us. We can explain the reasons for collection and discuss the consequences of not providing the information, or of providing partial or incomplete information, and the effect this may have on our ability to deliver our services.

We may process your personal data without your knowledge or consent where this is required or permitted by law.

Given the nature of the services we sell, it is extremely unlikely that we will require to collect any sensitive data about you. Sensitive data is personal information that includes your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or biometric data, or information concerning your health or mental wellbeing or sexual orientation. Where we do require to process such sensitive data to provide services to you, we will notify you in advance and will request your express consent in writing to process such sensitive data.

We do not carry out automated decision making or any type of automated profiling.

3. Uses made of your information

We will only use your personal data for the purpose it was collected for or a reasonably compatible purpose if necessary. For more information on this, please email If we need to use your details for an unrelated new purpose, we will let you know and explain the legal grounds for processing.

We intend to process your personal data for the following purposes:

Activity or purpose of processing

Type of Data Processed

What is our Legal Ground for doing this?

Registering you as a client or a service user

Your identity and contact details

  • Performance of a contract
  • Legal obligation

Maintaining our relationship with you

Your identity and contact and profile details

  • Performance of a contract
  • Legal obligation
  • Legitimate interest (i.e. to keep our records updated, identifying how you use our services, making you aware of other services)

Ensuring that content from our website is relevant to you and is presented most effectively for you including seeking your views on our products and services

Your identity, contact, profile and technical details

  • Legitimate interest (i.e. to review the services we supply to you and to inform our overall marketing strategy)

Processing or delivering our services including managing your contract

Your identity, contact, financial and transaction details

  • Performance of a contract
  • Legal obligation



Payment for services

Your identity, contact, financial and transaction details

  • Performance of a contract

Credit verification, fraud detection, and legal obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017)

Your identity, financial and transaction details

  • Performance of a contract

Administration of our website and business (including webhosting and support)

Your identity, contact and technical data

  • Legal obligation
  • Legitimate interest (i.e. running business, ensuring security and performance of the website, admin and support, monitoring for viruses or malicious software)

Handling customer enquiries in real-time

Your identity, contact and technical data

  • Performance of a contract

To make suggestions that may be of interest to you such as new, enhanced, or related services or products and advise you on service/security or technical issues that may affect you

Your identity, contact, profile and technical data

  • Legitimate interests (i.e. to develop our services)

To use in the investigation and/or defence of potential complaints, disciplinary proceedings and legal proceedings

Your identity, contact, financial and transaction data

  • Legal obligation


We will retain your personal information for as long as is necessary in line with the purposes for which it was originally requested or collected or where we are required to do so for legal or reporting purposes. Namely:

  • Where tax returns have been prepared it is our policy to retain information for two years from the end of the tax year to which the information relates.
  • Where ad hoc advisory work has been undertaken it is our policy to retain information for one year from the date the business relationship ceased.
  • Where we have an ongoing client relationship, data which is needed for more than one year's tax compliance (e.g. capital gains base costs and claims and elections submitted to HMRC) is retained throughout the period of the relationship but will be deleted one year after the end of the business relationship unless you as our client ask us to retain it for a longer period.
  • Where we are required by law to keep records for six years after the end of the year in which the last transaction occurred. This means we are required to keep some information even though our relationship with you may have ceased.

4. Sharing your information

We will not sell the personal information that we collect from you and will only use it for the purposes set out in this privacy notice. We may share your personal data with the parties set out below.

  • HMRC and other regulatory authorities who require reporting of our activities by law;
  • Service providers who provide us with IT and administration services such as our IT support and back-up provider, website hosting company, and our CRM provider.
  • Professional advisors such as our lawyers, bankers, insurers, and marketing services provider;
  • Our trusted email marketing tool, MailerLite;
  • Any third parties with whom you require or permit us to correspond;
  • An alternate appointed by us in the event of incapacity or death.

If the law allows or requires us to do so, we may share your personal data with:

  • the police and law enforcement agencies;
  • courts and tribunals;
  • the Information Commissioner's Office (ICO).

All third parties with whom we share your data are required to protect your personal data, treat it confidentially and to process it in accordance with the law. Where we use third parties, we will take all reasonable steps to ensure that they are GDPR compliant and in particular that:-

  • they have adequate technical and other measures in place to ensure the security of your personal information;
  • that they only use it for specified purposes;
  • that any employees or contractors who have access to the information are adequately trained and deal with it on a need to know basis only;
  • and that they act only in accordance with our instructions.

5. IP addresses and cookies

We may collect information about your computer, including where available your I.P. address, operating system and browser type, for system administration. This is statistical data about our users' browsing actions and patterns and does not identify any individual. Where we use third-party providers, such as Matamo or Google Analytics, although these third-party services record data such as your geographical location, device, browser and operation system none of this information identifies you to us. We do not make and do not allow these third-party services to make any attempt to find out the identities of anyone who visits our website.

You can set your browser to refuse all or some browser cookies or to alert you when websites set or access cookies.

Besides the analytics cookies described above, this website uses essential cookies only.

We use tracking technology to understand how you interact with content in our emails. This tracking technology allows us to know if the email has been opened and if so, how many times, which links have been clicked on and whether or not you have shared our content to social media.

6. Marketing information

Our lawful ground for processing your personal data to send you marketing communications is either your consent or our legitimate interest.

Under the Privacy and Electronic Communications Regulation (PECR), we may send you marketing communications (i.e. information on services and products that we may provide) if:-

  • You purchased our services or asked for information from us about our services; or
  • You specifically requested marketing information from us; or
  • Previously acquired similar services from us; or
  • Consented by way of ticking a box or opting in to receiving marketing from us and have not opted out of receiving such communications since.

If you have opted out of marketing, we will not send you any future marketing without your consent.

Under PECR, if you are a limited company, we may send you marketing emails without your consent, but you can still opt-out of receiving such emails from us at any time.

Each time we market to you, we will always give you the right to opt-out of any future marketing but would point out that you have the right at any time to ask us not to market to you by emailing us at rather than waiting on a specific opt-out.

7. Security of personal data

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure or loss of or damage to your personal information, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect from you. These include robust procedures for dealing with breaches including incident reporting and notifying the Information Commissioner, and where appropriate you, of any breaches, the consequences of the same and the remedial action taken.

Where possible the information you provide us with will be held within the European Economic Area (“EEA”) or within the UK.

8. Overseas transfers

Countries outside of the EEA do not always have similar levels of protection for personal data as those inside the EEA. The law provides that transfers of personal data outside of the EEA is only permitted where that country has adequate safeguards in place for the protection of personal data.  Some types of processing may use cloud solutions which can mean information may sometimes be held on servers which are located outside of the EEA or may use processors who are based overseas.

Where we use cloud-based services or third-party providers of such services, and in either or both circumstances the data is processed outside of the EEA, that will be regarded as an overseas transfer. Before instigating an overseas transfer, we will ensure that the recipient country and/or processor has security standards at least equivalent to our own and in particular, one of the following permitted safeguards applies:

  • The country in question is deemed to have adequate safeguards in place as determined by the European Commission; or
  • There is a contract or code of conduct in place which has been approved by the European Commission which gives your personal information the same protection it would have had if it was retained within the EEA; or
  • If the overseas transfer is to the United States, then the transferee is a signatory to the EU-US Privacy Shield as all Privacy Shield signatories are obliged to give your personal information the same degree of protection it would have had if it was retained within the EEA.

If none of these safeguards exists, then we may seek your explicit consent for an overseas transfer. In line with your rights as an individual, you are free to withdraw this consent at any time.

9. Your rights

Your individual rights can be exercised in relation to the information we hold about you. These rights are:-

  • the right to restrict processing of your personal data;
  • the right to rectification or correction of your personal data;
  • the right to object to the processing of your personal data;
  • the right of erasure of personal data, also referred to as the right to be forgotten;
  • the right not to be subject to a decision based solely on automated processing or profiling;
  • the right to transfer your personal data, also referred to as the right of portability;
  • the right to withdraw your consent to process your personal data; and
  • the right of access to your personal data.


You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Please contact if you wish to make a request.

10. Access to personal information

As outlined above, you have the right to request access to your personal data that we hold. Such requests are known as Subject Access Requests (SARs).

Any request requires to be in writing and if we do hold any personal information about you, we will:

  • Give you a description of it;
  • Tell you why we are holding it;
  • Tell you who it has or will be disclosed to;
  • The source of the information (if not you);
  • Where possible, the period for which it will be stored; and
  • Let you have a copy of the information in an intelligible form.

We will respond to SARs within one month. To do so, we may need additional information from you to determine your identity or help us find the information more quickly. Where the information you have requested is complex, we may take longer than 30 days but shall keep you advised as to progress should this be the case.

If you believe that any information we hold about you is incorrect or incomplete, email and the information will be corrected without delay.

11. Complaints

We would prefer to resolve any issues or concerns you may have directly with you. If you feel you are unable to resolve matters by contacting us directly, or you are unhappy or dissatisfied with how we collect or process your personal information you have the right to complain about it to the Information Commissioner who is the statutory body that oversees data protection law in the U.K. They can be contacted through

We keep our privacy notice under review.

This privacy notice was last updated on 22-01-2023.

Supported by...
Community Enterprise
Scottish Tech Army
Field and Lawn Services