Last updated: June 3, 2026 · Email: [email protected] · Website: keelstoneacc.com
Keelstone is a full-service B2B accounting and accounting-technology firm. We help businesses set up their financial systems, keep their books, and stay compliant, and our work spans far more than any short list: chart-of-accounts design, platform implementation and migration, bank and payroll integrations, automation, ongoing bookkeeping, tax and compliance support, period-end and audit-readiness work, and a broad range of related services shaped around each client.
Handling a business’s finances means handling some of its most sensitive information, and our profession comes with legal duties that an ordinary supplier does not carry. Both of those facts run through this policy. It applies to keelstoneacc.com and to every engagement we deliver.
Our Role
Privacy law treats the party that decides how data is used (the controller) differently from one that simply acts on instructions (the processor). For an accounting firm the answer is not always the same, so we set it out honestly.
When we carry out professional work such as bookkeeping, tax preparation, or compliance, and when we meet our own legal obligations, we generally act as a controller in our own right. We exercise professional judgement and we answer to tax and regulatory authorities for that work, so the responsibility for the data sits with us. When the work is narrower, such as configuring an accounting platform purely on a client’s instruction without touching the underlying judgement, we act as the client’s processor. Many engagements involve both at different moments, and your client agreement records which applies where.
Information We Collect
From Clients and Prospects
When you enquire, become a client, or browse the site, we collect your name, business email, phone number, company, role, and the details you share about your finances and goals, along with our correspondence. For active clients we also hold engagement records, billing details, and the working papers a professional file contains.
Identity Verification Data
Because accountants are often regulated under anti-money-laundering law, we are required to verify who our clients are before and during an engagement. This means we may collect identity documents, proof of address, company ownership and control information, and details of beneficial owners. We explain this separately below, because it is a legal duty rather than a choice.
Financial Records We Work With
Doing the accounting means working inside a client’s financial data: ledgers and transactions, bank feed data, invoices and expenses, payroll figures, tax information, and the vendor and customer records held in the books. Where a supplier or customer in those records is an individual, that information is personal data too, and we treat it accordingly.
Information Collected Automatically
As you use keelstoneacc.com, the site logs ordinary technical data such as your IP address and rough location, device and browser type, the pages you open, and how you arrived. We use it to run and secure the site, not to profile you.
Anti-Money-Laundering and Know-Your-Customer Checks
Where we are subject to anti-money-laundering and counter-terrorist-financing rules, the law requires us to carry out customer due diligence. In practice this means verifying the identity of a client and, for companies, the people who own or control them, and keeping a record of those checks. We may use specialist verification services to confirm the information.
This processing is not something you can decline if you wish to engage us, because it is a legal obligation we must meet to act for you at all. We collect only what the rules require, we keep it secure, and we retain it for the period the law sets, which is usually several years after the engagement ends.
Confidentiality, and When the Law Requires Us to Report
Client confidentiality is fundamental to our profession, and as a rule we do not discuss a client’s affairs with anyone outside the engagement. There are defined exceptions, and being straight about them matters more than sounding reassuring.
We may be required to disclose information to tax authorities, to a court or regulator, or to our professional supervisory body during an inspection of our files. Separately, anti-money-laundering law can oblige us to report a suspicion of certain financial crime to the relevant authority. Where that duty applies, two consequences follow that you should know about. We may have to make such a report without your consent, and in some cases the law makes it a criminal offence to tell you that a report has been made or that an investigation is under way. This is sometimes called the prohibition on tipping off. It means that, in narrow circumstances, we may be legally unable to act on or fully answer a request from you about your data, and we will not be able to explain why at the time.
How We Use Information and Our Lawful Bases
Each kind of data has a defined use. Contact and enquiry data lets us respond and run engagements. Financial records are used to deliver the accounting, tax, and compliance work you engaged us for. Identity data is used for the legal checks described above. Where European law applies, our lawful bases include the performance of our contract with you, compliance with a legal obligation such as tax and anti-money-laundering law, and our legitimate interests in running and securing the practice. With your opt-in, we send occasional updates on accounting and compliance, which one click ends.
AI and Automated Tools
Some of our work uses AI to speed up routine tasks: matching transactions during reconciliation, flagging unusual or duplicate entries, forecasting cash flow from historical trends, and sorting expenses into the right accounts. These tools assist our accountants; they do not replace the professional reviewing the result. An anomaly the system raises is checked by a person before any conclusion is drawn, and forecasts inform decisions rather than make them. We do not use one client’s financial data to build models for another.
Who We Share Data With
Delivering the work means data reaches a limited set of recipients:
- Accounting platforms we configure and work in, such as QuickBooks, Xero, Sage, NetSuite, and FreshBooks
- Bank-feed, payroll, invoicing, and expense providers connected to those platforms
- Identity-verification services used for anti-money-laundering checks
- Tax authorities and, where required, auditors, courts, regulators, and our professional supervisory body
- Our own hosting, email, and practice-management tools used to run Keelstone and communicate with you
Each provider operates under its own terms, and we choose ones that meet established security standards and bind them to use shared data only for the agreed purpose. We do not sell personal data. Beyond the recipients above, disclosure happens only where the law requires it, to defend our legal rights or protect people from harm, and in a sale or merger where records would pass to a buyer bound by protections no weaker than these, subject to our confidentiality duties.
How Long We Keep Records
Accounting and tax records carry legal retention periods, commonly six years or more depending on the country, and we keep them for as long as the law and our professional obligations require. Anti-money-laundering records are held for the period that legislation sets, usually several years after the relationship ends. Engagement working papers are retained in line with professional standards. Website enquiry data that does not become a client relationship is removed within around two years. De-identified statistics that point to no individual may be kept without a fixed end date.
Security and Confidentiality Controls
We protect data with technical and organisational safeguards suited to its sensitivity. Information is encrypted in transit and at rest, access is limited to the people working on your file, and our team is bound by professional confidentiality and trained on data protection. Working papers and client records are kept within controlled systems, and we apply checks through every migration so financial data is not lost or altered in transit.
No system is completely secure, and a firm in our position should say so plainly rather than promise the impossible. Keep your own platform credentials strong and private, and tell us promptly if you suspect a problem on an environment we share with you.
Cookies
Our site uses a small set of cookies: necessary ones that run security and forms, analytics cookies that show in anonymised form how the pages perform, and preference cookies that remember simple settings. Your browser can block or delete them, and where consent is legally required for non-essential cookies, we ask first.
Your Rights
You can ask to access the data we hold on you, get a copy, correct it, delete it, restrict or object to its use, or withdraw a consent. Email [email protected] to begin, and we verify identity before acting. Two limits specific to our profession apply honestly here. Deletion of financial, tax, and anti-money-laundering records may be refused where the law requires us to keep them, in which case we restrict the data instead. And as explained above, in rare cases connected to a suspicious-activity report we may be legally unable to act on or answer a request, and unable to tell you that this is the reason.
EEA, UK, and Switzerland
We process personal data on a lawful basis: a contract, a legal obligation such as tax and anti-money-laundering law, our legitimate interests, or consent. Where we rely on consent, you can withdraw it at any time without affecting earlier processing. You may also complain to your national data protection authority.
California
Under the CCPA and CPRA you can request the categories and pieces of personal information we collected, ask for access, deletion, or correction, and opt out of any sale or sharing. We do not sell personal data, and using your rights will not get you treated differently. Statutory retention may limit deletion as noted above.
International Transfers
Keelstone and some providers operate across borders, the United States included, where privacy law may differ from your own. For international transfers we apply recognised safeguards such as Standard Contractual Clauses or rely on an adequacy decision.
Children
This is a business service not directed to anyone under 16. We do not knowingly collect children’s data and will delete it if we find we have. A parent or guardian with a concern can write to [email protected].
Links to Other Sites
Our pages may link to platforms, authorities, or resources we do not operate. This policy ends at our boundary. Once you follow a link, that site’s own policy applies, so review it before sharing anything.
Changes to This Policy
We revise this policy as our services and the law change. The current version sits on this page with its date, and we make a reasonable effort to flag significant changes. Continuing to use the site after an update means the new version applies to you.
Contact
For any privacy question, request, or complaint, reach us directly.