Munir Tatar Ltd, trading as M. Tatar & Associates
Last updated: March 2026 | Replaces all previous versions
1. Who We Are
Munir Tatar Ltd, trading as M. Tatar & Associates (“we”, “us”, “our”), is a chartered accountancy practice incorporated in England and Wales. We are registered as auditors in the United Kingdom by the Association of Chartered Certified Accountants (ACCA) and our members hold qualifications from ICAEW and ACCA.
Our registered office and principal place of business is:
32 Willoughby Road, London, N8 0JG
We are the data controller in respect of all personal data we process in the course of providing accountancy, tax, audit, and related advisory services, and in respect of data collected through our website at mtatarandassociates.co.uk.
For data protection enquiries, please contact us at [email protected].
2. Scope of This Notice
This privacy notice applies to:
- Existing and prospective clients and their principals, directors, shareholders, employees, and beneficial owners whose data we process in the course of providing our services
- Visitors to our website at mtatarandassociates.co.uk
- Contacts who engage with us for business development, events, or marketing purposes
This notice should be read alongside our engagement letter, which sets out the specific terms of our services to you and may contain additional data processing information relevant to your matter.
3. Personal Data We Collect and Why
3.1 Client and professional services data
In the course of providing accountancy, tax, audit, corporate finance, and advisory services, we collect and process the following categories of personal data:
- Identity data: full name, date of birth, National Insurance number, Unique Taxpayer Reference (UTR), Companies House director information, passport or identity document details where required for anti-money laundering (AML) purposes
- Contact data: postal address, email address, telephone number
- Financial data: income, employment and self-employment records, bank statements, investment portfolios, property ownership details, tax history, and accounting records
- Business data: company financial statements, payroll records, VAT and PAYE records, and related corporate information
- AML and due diligence data: proof of identity, proof of address, source of funds information, and politically exposed persons (PEP) screening results, as required under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
- Correspondence: emails, letters, and records of meetings and telephone calls relating to your matter
3.2 Website visitor data
When you visit our website we may collect:
- Name, email address, and telephone number submitted via enquiry or contact forms
- Technical data including IP address, browser type, and pages visited, collected via cookies and analytics tools
3.3 Marketing and business development data
Where you have consented or we have a legitimate interest to do so, we may hold your name, employer, role, and email address for the purpose of sending you newsletters, technical updates, and information about our services. You may opt out at any time by contacting us at [email protected].
4. Legal Bases for Processing
We process personal data only where we have a valid legal basis to do so under UK GDPR. The bases we rely on are:
| Legal basis | When we rely on it |
|---|---|
| Performance of a contract | Providing accountancy, tax, audit, and advisory services to you as our client |
| Compliance with a legal obligation | Anti-money laundering checks, statutory filing obligations, HMRC-related duties, and regulatory compliance with ACCA and ICAEW requirements |
| Legitimate interests | Business development, improving our services, maintaining client records beyond the contractual period, and internal analytics. We balance these interests against your rights before relying on this basis |
| Consent | Direct marketing communications where required; processing carried out on the basis of consent may be withdrawn at any time without affecting the lawfulness of prior processing |
| Vital interests | In exceptional circumstances where processing is necessary to protect the life of an individual |
5. How We Use Your Personal Data
We use the personal data we collect for the following purposes:
- Providing and administering accountancy, tax, audit, payroll, and advisory services
- Complying with our legal and regulatory obligations, including AML checks, HMRC reporting, and professional body requirements
- Communicating with you regarding your matter, including responding to enquiries
- Sending you technical updates, newsletters, and marketing communications (where you have consented or we have a legitimate interest to do so)
- Maintaining our business records and managing our client relationships
- Improving and developing our services
- Fraud prevention, security, and protecting our legitimate business interests
6. Use of Artificial Intelligence Tools
We use artificial intelligence (AI) tools, including Claude (provided by Anthropic PBC), to support our professional work. These tools assist us with tasks such as drafting correspondence and documents, analysing legal and technical frameworks, preparing structured workpapers, and enhancing the quality and efficiency of our services.
Where we use AI tools in connection with client matters, we do so as follows:
- We have entered into a Data Processing Addendum (DPA) with Anthropic PBC, effective 24 February 2025, which governs Anthropic’s processing of any personal data as our data processor. Anthropic is contractually prohibited from using client data to train its models or for any purpose other than providing the service to us.
- We apply a data minimisation approach: we input only the personal data that is necessary for the specific task. We do not input special category personal data (such as health or immigration information), passwords or login credentials, or documents that are subject to legal professional privilege.
- All AI-assisted outputs are reviewed by a qualified member of our team before being relied upon or sent to clients. We remain fully responsible for the accuracy of all advice and correspondence issued by this firm. In no way do AI tools replace the need for human intervention for our work.
- Anthropic PBC is based in the United States. Transfers of personal data to Anthropic are governed by the UK Addendum to the Standard Contractual Clauses (SCCs), issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018, incorporated within the DPA.
If you have any concerns about the use of AI tools in connection with your matter, please contact us at [email protected].
7. Who We Share Your Data With
We do not sell, rent, or share your personal data with third parties for their own marketing purposes. We may share your data with the following categories of third parties where necessary to provide our services or comply with our obligations:
| Recipient category | Purpose |
|---|---|
| HM Revenue & Customs | Statutory filing of tax returns, payroll information, VAT returns, and compliance with HMRC information notices |
| Companies House | Filing of statutory accounts, confirmation statements, and other corporate filings |
| ACCA and ICAEW | Regulatory oversight, quality assurance, and professional conduct matters |
| Cloud accounting and practice management software | Provision of accounting, payroll, and practice management services (e.g. Xero, Microsoft 365). All providers are subject to appropriate data processing terms |
| AI tools (Anthropic Claude) | Drafting, analysis, and document preparation support, subject to a UK GDPR-compliant DPA — see section 6 |
| Subcontractors and professional advisers | Where we engage other professionals (e.g. barristers, specialist tax counsel, or overseas advisers) in connection with your matter, subject to confidentiality obligations |
| Legal and regulatory authorities | Where required by law, court order, or regulatory authority |
8. International Transfers
Some of our third-party processors operate outside the UK. Where personal data is transferred outside the UK, we ensure that an appropriate safeguard is in place, being one of the following:
- An adequacy decision by the UK Secretary of State confirming that the destination country provides an equivalent level of protection
- Standard Contractual Clauses approved by the ICO, including the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs
In particular, personal data processed by Anthropic PBC (USA) is transferred under the UK Addendum to the EU Standard Contractual Clauses, as described in section 6.
9. How Long We Keep Your Data
We retain personal data for as long as is necessary for the purposes for which it was collected and to comply with our legal and regulatory obligations. Our standard retention periods are:
| Data category | Retention period |
|---|---|
| Client accounting and tax records | 7 years from the end of the relevant tax year or accounting period, in line with HMRC requirements |
| AML due diligence records | 5 years from the end of the client relationship, as required by the Money Laundering Regulations 2017 |
| Audit working papers | 6 years from the date of the audit report, in line with ACCA and Companies Act requirements |
| Correspondence and general client files | 7 years from the end of the engagement |
| Prospective client and marketing data | 3 years from last contact, or until consent is withdrawn |
| Website enquiry data | 2 years from submission, or until the matter is resolved |
10. How We Keep Your Data Secure
We have implemented appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include:
- Access controls and multi-factor authentication on all systems containing personal data
- Encrypted transmission of data in transit (TLS) and at rest
- Regular staff training on data protection and information security
- Data processing agreements with all significant third-party processors
- Annual review of our data protection practices
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay where required.
11. Your Rights Under UK GDPR
You have the following rights in respect of your personal data:
| Right | What it means |
|---|---|
| Right of access | You may request a copy of the personal data we hold about you (a ‘subject access request’) |
| Right to rectification | You may ask us to correct inaccurate or incomplete personal data |
| Right to erasure | You may ask us to delete your personal data where there is no longer a lawful basis for us to hold it, subject to our legal and regulatory obligations |
| Right to restrict processing | You may ask us to restrict the processing of your data in certain circumstances |
| Right to data portability | Where processing is based on consent or contract and carried out by automated means, you may request a machine-readable copy of your data |
| Right to object | You may object to processing based on legitimate interests or direct marketing at any time |
| Right to withdraw consent | Where we rely on consent as our legal basis, you may withdraw it at any time without affecting the lawfulness of prior processing |
To exercise any of these rights, please contact us at [email protected] or in writing to 32 Willoughby Road, London, N8 0JG. We will respond within one month. We do not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive.
12. How to Make a Complaint
If you have a concern about how we handle your personal data, please contact us in the first instance at [email protected]. We will endeavour to resolve your concern promptly.
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the supervisory authority for data protection in the UK:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
13. Cookies
Our website uses cookies and similar tracking technologies to improve your browsing experience and to help us understand how visitors use the site. You can control your cookie preferences through your browser settings. For detailed information on the cookies we use, please refer to our Cookie Policy available at mtatarandassociates.co.uk.
14. Changes to This Notice
We review and update this privacy notice periodically to reflect changes in our practices, legal obligations, or regulatory guidance. The current version will always be published on our website at www.mtatarandassociates.co.uk. Where we make material changes, we will notify existing clients directly. The ‘Last updated’ date at the top of this document indicates when this version was last revised.
15. Contact Us
M. Tatar & Associates
32 Willoughby Road
London N8 0JG
Email: [email protected]
Telephone: 020 8341 9994
Website: mtatarandassociates.co.uk
Munir Tatar Ltd is registered in England and Wales. Registered as auditors by the Association of Chartered Certified Accountants (ACCA). Members hold qualifications from ICAEW and ACCA.