A & C Christofi LTD | PRIVACY POLICY
Effective Date: 1 December 2025
1-Minute Summary (Plain Language Version)
This summary provides a quick overview of how we handle your personal information. For full details, please read the complete policy below.
- Who We Are: We are A & C Christofi Ltd, a professional accounting and advisory firm based in Cyprus.
- What We Do With Your Data: We use your personal data primarily to provide professional services (accounting, tax, audit), to comply with legal obligations (including anti-money laundering checks), and to operate our business securely.
- How We Get Your Data: Mostly from you directly. We may also obtain information from public sources (e.g., company registries) and from other professionals you work with (e.g., your lawyer) where necessary.
- Your Privacy Rights: You have rights over your data, including access, correction, deletion, and the right to object to marketing at any time.
- We Protect Your Data: We use strong security measures such as encryption, access controls, and staff training.
- We Don’t Sell Your Data: We never sell or rent personal information.
- Questions? Contact our Data Protection Officer (DPO), Chris Christofi, at dataprotection@acccyp.com.
1. Introduction & Who We Are
A & C Christofi Ltd (“ACC CY”, “we”, “us”, “our”) is a limited liability company registered in the Republic of Cyprus under registration number HE 233717 and regulated by the Institute of Certified Public Accountants of Cyprus (ICPAC).
We provide accounting, audit & assurance, tax compliance & advisory, corporate services, payroll, and business consulting services to Cypriot and international clients.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you:
- visit our website www.acccyp.com
- use our client portal, tax calculators, or booking system
- subscribe to newsletters or download resources
- enquire about or receive our professional services
We are committed to protecting your privacy and processing personal data fairly and lawfully in compliance with EU, UK, and Cyprus data protection laws, including:
- EU General Data Protection Regulation (GDPR)
- UK GDPR (where applicable)
- Cyprus Law 125(I)/2018
- Cyprus AML Law 188(I)/2007 (as amended)
2. Data Controller & Data Protection Officer
Data Controller
A & C Christofi Ltd
37 Nicou & Despinas Pattichi Avenue, Evi Court, 3rd Floor, Offices 302–303
CY-3071 Limassol, Cyprus
Telephone: +357 25 332 177
Email: info@acccyp.com
Data Protection Officer (DPO)
Name: Chris Christofi
Email: dataprotection@acccyp.com
You can contact the DPO for any privacy-related question, request, or concern. We aim to respond within 5 business days (and always within the statutory one-month period).
3. Scope of this Privacy Policy
This Privacy Policy applies to all personal data we process through:
- our public website and sub-domains
- the secure client portal
- online forms, calculators, and appointment booking tools
- email and telephone communications
- signed engagement letters and delivery of professional services
Separate or additional notices may be issued for specific services (e.g., payroll processing for employees).
This Privacy Policy covers personal data relating to:
- clients (and where clients are legal entities: directors, officers, shareholders, beneficial owners, employees, or authorised representatives)
- prospective clients
- employees, former employees, job applicants, trainees, and interns
- contractors, consultants, advisers, and other third parties
- website users and visitors
- any other natural person whose data is processed for professional services or legal/regulatory compliance
3.1 California and U.S. Visitors
We do not target U.S. consumers. However, California visitors may have rights under the CCPA/CPRA in limited circumstances. As a “service provider” under CPRA, ACC CY confirms that:
- we do not sell or share personal data
- we use personal data only for purposes in this Policy
- we do not retain or use data outside our service provider role
- we will assist with CPRA-related requests where applicable
3.2 UK Data Protection Notice
For individuals in the UK, we process personal data in accordance with UK GDPR and the UK Data Protection Act 2018. References to “GDPR” include UK GDPR where applicable.
4. Categories of Personal Data We Process
| Category | Examples (non-exhaustive) |
|---|---|
| Identity & Contact Data | Name, job title, email, phone, address, signature |
| Identification & Verification | Passport/ID, proof of address, date of birth, nationality |
| Financial & Tax Data | Bank details, tax ID/VAT, income, assets, transactions, tax returns |
| Corporate & Ownership Data | Company documents, UBO declarations, shareholder registers |
| Employment & Payroll Data | Salary, social insurance number, contracts, leave records |
| Professional & Compliance Data | CVs, qualifications, AML/KYC files, conflict checks |
| Technical & Usage Data | IP address, browser type, pages visited, timestamps, cookie IDs |
| Communication Data | Emails, call recordings (where disclosed), meeting notes |
We collect only data that is adequate, relevant, and limited to what is necessary.
4.1 Accuracy of Information
You are responsible for ensuring that information provided is accurate and kept up to date. Incorrect, fraudulent, or misleading data may prevent us from providing services or fulfilling legal obligations (including AML/KYC).
4.2 Special Category & Criminal Data
We do not actively collect special category or criminal offence data unless required for regulated activities (AML/KYC checks, UBO verification, fit-and-proper assessments). Where such data is processed, we rely on:
- Article 9(2)(g) GDPR (substantial public interest under AML legislation) for special category data
- Article 10 GDPR, read with the Cyprus AML Law as the authorising national law, for criminal offence data
- Cyprus AML Law obligations
Such data is handled with enhanced security controls.
5. How We Collect Your Personal Data
- 5.1 Directly from you: forms, correspondence, uploads, engagement letters
- 5.2 Automatically: cookies, logs, similar technologies (see Section 9)
- 5.3 From third parties: public registries, banks/payment providers, sanctions databases, professional advisers, publicly accessible sources
6. Lawful Bases for Processing (with examples)
| Lawful Basis | When we rely on it |
|---|---|
| Contractual necessity | Onboarding, service delivery, invoicing under engagement letters |
| Legal obligation | AML/KYC, tax reporting, audit records, regulatory filings |
| Legitimate interests | Website security, fraud prevention, service improvement, direct marketing to business contacts (subject to a balancing test against your interests and rights) |
| Consent | Newsletters, non-essential cookies, marketing to non-clients |
| Vital interests | Rare emergency situations |
We never rely on consent where another lawful basis is more appropriate.
7. Purposes of Processing
| Purpose | Lawful Basis (Primary) | Typical Data Used |
|---|---|---|
| Providing professional services | Contract & legal obligation | All categories |
| Client onboarding, AML/KYC & conflict checks | Legal obligation | Identity, verification, corporate data |
| Billing, payments & debt recovery | Contract | Contact & financial data |
| Service updates & deadlines | Contract & legitimate interests | Contact & communication data |
| Tax alerts & newsletters | Consent / legitimate interests (existing clients) | Contact data |
| Appointments, portal and tools | Contract | Contact & technical data |
| Quality control & training | Legitimate interests | Professional & communication data |
| Legal claims | Legitimate interests | Relevant categories |
| Website analytics & improvements | Legitimate interests | Technical & usage data |
| Security monitoring & fraud prevention | Legitimate interests / legal obligation | Technical & identity data |
| Court orders & regulators | Legal obligation | Required categories |
| AI-assisted internal tools | Legitimate interests | Limited/pseudonymised datasets |
8. Marketing Communications & Newsletters
- We send marketing messages only with opt-in consent, or where legitimate interests apply to existing/recent clients (soft opt-in for similar services).
- Every marketing email includes a one-click unsubscribe link.
- You can withdraw consent at any time by emailing dataprotection@acccyp.com.
- Withdrawal does not affect the lawfulness of processing carried out before withdrawal, and does not stop service communications (e.g., deadline reminders) sent under your engagement.
8.5 Behavioural Tracking Technologies
We may use third-party tracking technologies (e.g., Meta Pixel, LinkedIn Insight Tag) only where you have consented to marketing cookies. You can withdraw consent via the cookie banner or by contacting us.
9. Cookies & Similar Technologies
- We use cookies for functionality, traffic analysis, and user experience improvements.
- Full details are in our separate Cookie Policy (including a cookie table): https://www.acccyp.com/cookie-policy
- You can manage preferences via the cookie banner or via “Cookie Settings” in the footer.
| Cookie Type | Purpose | Examples | Duration |
|---|---|---|---|
| Strictly Necessary | Security, sessions | Session ID, load balancer cookies | Session |
| Functional | Preferences | Language/settings cookies | Up to 12 months |
| Analytics | Traffic/performance | Google Analytics, Matomo | 1–26 months |
| Marketing | Remarketing/tracking | Meta Pixel, LinkedIn Insight Tag | Up to 12 months |
10. Data Sharing & Recipients
We share personal data only where necessary and under strict confidentiality obligations:
| Recipient Category | Purpose | Safeguards |
|---|---|---|
| Tax & regulatory authorities (Cyprus/EU/UK) | Statutory filings | Legal obligation |
| Banks & payment processors (e.g., Stripe) | Payments | DPA + PCI-DSS |
| IT & cloud providers | Service delivery/storage | Encryption + DPAs + SCCs/IDTA where applicable |
| External auditors & advisers | Quality reviews/legal advice | Confidentiality agreements |
| Sub-contractors & associate firms | Project support | DPA + confidentiality clauses |
| Law enforcement / courts | Legal orders | Legal obligation |
| AI/ML service providers | Internal drafting/translation/redaction support | Data minimisation, pseudonymisation, SCCs/IDTA, human oversight |
We never sell personal data. We do not use AI systems for profiling or automated decision-making (including AML risk scoring).
11. International Data Transfers
- Most processing occurs in Cyprus/EEA or other adequate jurisdictions.
- Where data is transferred outside the EEA/UK, we use safeguards such as EU SCCs (2021/914), Transfer Impact Assessments, and technical measures (e.g., encryption).
- Countries may include the United States, United Kingdom (adequacy), and Switzerland (adequacy), potentially via providers such as Microsoft 365, Google Cloud, AWS, or portal vendors.
- For UK data subjects, we apply the UK IDTA or UK Addendum, as applicable.
11.5 Data Localisation Commitment
Where feasible, we prioritise storing and processing personal data in the EU/EEA or UK. Transfers outside occur only where necessary and with appropriate safeguards.
12. Data Retention Schedule
| Data Type | Retention Period | Legal Basis / Reason |
|---|---|---|
| Full client files & accounting records | 10 years after engagement ends | Cyprus Tax Law & Cyprus Companies Law |
| Tax returns & computations | 10 years from relevant tax year | Assessment and Collection of Taxes Law |
| Audit working papers | 7 years from audit report date | ICPAC & ISA requirements |
| AML/KYC documents | 7 years after relationship ends | Cyprus AML Law |
| Payroll & social insurance records | 7 years after employment ends | Social Insurance & Income Tax Law |
| Invoices & payment records | 7 years from invoice date | VAT Law & accounting obligations |
| Marketing lists | Until consent withdrawn or 3 years inactivity | Consent / legitimate interest |
| Website logs & analytics | Max 26 months | Legitimate interest |
| General correspondence | 6 years from last contact | Limitation periods |
Data is securely deleted or anonymised once retention periods expire.
12.1 Conflicts Between Legal Obligations
Where multiple retention obligations apply, we retain data for the longest required period under law or professional standards (ICPAC/IFAC/ISA).
13. Data Security Measures
- Technical: AES-256 encryption at rest, TLS 1.3 in transit, MFA, penetration testing, endpoint protection, secure backups.
- Organisational: annual staff training, least-privilege access controls, confidentiality agreements, tested incident response plan, cyber insurance.
- Physical: restricted access, locked storage, CCTV, secure disposal of paper records.
13.4 NIS2, DORA & Supply-Chain Security
Where applicable, we maintain compliance with relevant EU security frameworks, including NIS2 and DORA. Our measures include:
- vendor and supply-chain risk assessments
- data-processing and information-security audits
- contractual security guarantees
- secure development policies
- annual resilience and continuity testing
13.5 Personal Data Breach Notification
- We notify the Cyprus Commissioner within 72 hours of becoming aware of a reportable breach.
- Individuals are notified without undue delay where required.
14. Your Data Protection Rights
| Right | What it means in practice |
|---|---|
| Access | Receive a copy of your data within 1 month |
| Rectification | Correct inaccurate or incomplete data |
| Erasure | Delete data where no longer needed or consent withdrawn |
| Restriction | Limit processing in certain cases |
| Portability | Receive data in machine-readable format |
| Object | Object to processing based on legitimate interests |
| Object to marketing | Stop marketing instantly |
| Withdraw consent | At any time (no effect on prior processing) |
| Complain | Lodge a complaint with Cyprus Commissioner or UK ICO |
| Human Decision | Not be subject to solely automated decisions (including profiling) with legal or similarly significant effects |
To exercise any right, email dataprotection@acccyp.com. We respond within one month (extendable for complex cases).
14.1 Professional Secrecy
All personal data processed for regulated accounting, audit, and tax work is also protected by professional secrecy rules under ICPAC/IFAC/ISA and Cyprus law.
14.2 Cross-Border Complaints
If you are located in another EU/EEA Member State, you may complain to your local authority as well as the Cyprus Commissioner.
15. Automated Decision-Making & Profiling
We do not use your personal data for fully automated decision-making (including profiling) that produces legal or similarly significant effects.
15.1 Use of AI Tools
We may use AI-assisted tools (translation, document comparison, drafting aids) strictly under human supervision for internal efficiency. We do not use AI for profiling or automated risk decisions.
15.2 Human Oversight Safeguards
All AI-assisted outputs are reviewed and approved by qualified ACC CY professionals.
16. Children’s Privacy
Our website and services are not intended for individuals under 18. If we become aware that such data has been collected, we delete it without delay.
17. Third-Party Websites & Services
Our website may link to third-party sites. We are not responsible for their privacy practices and encourage you to review their privacy policies.
18. Changes to this Privacy Policy
- We may update this Policy to reflect legal, regulatory, or operational changes.
- Material changes may be communicated via website notice, email to active clients, or client portal notification.
- The version becomes effective on the “Effective Date” above.
- No material change will reduce your rights without consent where required by law.
19. Complaints & Supervisory Authorities
Cyprus (Lead Supervisory Authority)
Office of the Commissioner for Personal Data Protection
Iasonos 1, 1082 Nicosia, Cyprus
Tel: +357 22 818 456
Website: www.dataprotection.gov.cy
Email: commissioner@dataprotection.gov.cy
United Kingdom
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Helpline: +44 303 123 1113
Website: ico.org.uk
We would appreciate the opportunity to resolve concerns directly first — please contact our DPO.
20. Contact Us
For any question, request, or concern about this Privacy Policy or our data practices, contact:
Data Protection Officer
A & C Christofi Ltd
37 Nicou & Despinas Pattichi Avenue
Evi Court, 3rd Floor, Offices 302–303
CY-3071 Limassol, Cyprus
Email: dataprotection@acccyp.com
Telephone: +357 25 332 177
We respond to all legitimate requests within one month.
21. Processing on Behalf of Clients (Processor Role)
For certain services (e.g., payroll outsourcing, corporate administration, bookkeeping, escrow services), we act as a data processor under GDPR.
- We process data only on documented client instructions
- Confidentiality obligations apply to staff and subcontractors
- Appropriate technical and organisational measures are maintained
- Data is deleted or returned at engagement end unless retention is required by law
Processing terms are governed by engagement letters and Data Processing Agreements (DPAs).
Appendix 1: Lawful Basis Summary
| Processing Activity | Primary Lawful Basis | Secondary / Notes |
|---|---|---|
| Client onboarding, AML/KYC checks | Legal obligation | Cyprus AML Law 188(I)/2007, ICPAC Rules |
| Providing professional services | Contractual necessity | Some elements also legal obligation |
| Tax filings & statutory submissions | Legal obligation | Cyprus Tax Department, Registrar, EU/UK authorities |
| Audit work & working papers | Legal obligation | ISA/ICPAC requirements |
| Billing & payment processing | Contractual necessity | Legitimate interests may apply for debt recovery |
| Appointments, portal access & tools | Contractual necessity | Technical data under legitimate interests |
| Tax alerts & newsletters | Consent / Legitimate interests | Soft opt-in for existing clients |
| Website analytics, performance & security logs | Legitimate interests | Functionality and fraud prevention |
| Internal audits, training & quality control | Legitimate interests | Proportionate and safeguarded |
| Legal claims | Legitimate interests | Strictly necessary for the claim |
| Responding to legal requests | Legal obligation | May override other bases |
| Business communications & correspondence | Legitimate interests | Service delivery and record-keeping |
END OF PRIVACY POLICY
