Privacy Policy


At PennyBooks Limited we are committed to protecting personal data and to fair and transparent processing. This Privacy Policy will help you to understand how we collect and use personal data from individuals, clients, vendors or others during the course of our business. We will only use personal data for the purposes described in this privacy statement or as agreed on a case-by-case basis.

Who we are

PennyBooks Limited is a limited liability company registered in England with registration number 11529360. Our registered office is 87 Cobbold Road, London, England, W12 9LA.

Our basis for processing

We rely on several lawful bases for processing when we collect and use personal data to operate our business and provide products and services to our clients. These include:

Public interests – where the processing of data is necessary for providing certain services to clients (eg statutory audit) or for certain requirements we are subject to.

Legal obligations – in order to comply with the legal and regulatory obligations we are subject to as a provider of regulated services and as a commercial business.

Contract – in order to perform contractual obligations we may have with an individual or to take steps to enter into a contract with an individual.

Consent – where an individual has freely given consent at the time their personal data was provided to us.

Legitimate interests – the legitimate interests can be ours, our clients’ or other third parties’ (eg to provide our services, to develop or protect our business, or to keep people informed about relevant products and services) and we always balance the rights of individuals with our and others’ legitimate interests.

How we keep data secure

Security is of the utmost importance to us. Whilst no data transmission over the internet or any other network can be guaranteed as 100% secure, we take all reasonable steps to safeguard the personal data we hold and we have in place appropriate technical and organisational measures. These include detailed policies, procedures and training of our people relating to data protection, confidentiality and information security. These are regularly reviewed to ensure they are effective and fit for purpose.

Who we share data with

We only share personal data with others when absolutely necessary for the purposes for which we hold it and where appropriate contractual arrangements and security mechanisms are in place. When we share data with others, we put contractual arrangements and security mechanisms in place as appropriate to protect the data and to comply with our data protection, confidentiality and security standards.

We share Personal Data with our Indian subsidiary ‘PennyBooks (India) Limited’, which is domiciled outside of the European Economic Area (EEA). We have put in place the GDPR-compliant ‘Standard Clauses’ for a Controller to Controller transfer of personal data.

How long do we keep personal data?

We keep personal data only for as long as necessary and this will reflect the requirements of:

  • The activity or service for which it is being processed
  • Any legal, regulatory or contractual requirements
  • The time in which any litigation or investigations might arise from providing a service.


We take the security of all the data we hold seriously. We have a framework of policies, procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the data we hold secure.

Who we share your personal data with

We will only share personal data with others when we are legally permitted to do so.  When we share data with others, we put contractual arrangements and security mechanisms in place as appropriate to protect the data and to comply with our data protection, confidentiality and security standards.

We use third-party support to help manage our IT systems, for example cloud-based software-as-a-service providers. Further details of these providers are included below:

  • Xero Accounting
  • KeyPay – payroll software
  • Dropbox – file storage


Individuals’ rights

Individuals have certain rights over their personal data that we process as data controllers.

If we process your personal data and you exercise any of your rights we will aim to respond promptly and within any required time limit.

You have a right to:

Access – You have the right to obtain confirmation as to whether we process personal data about you, receive a copy of your personal data  held by us as a controller and obtain certain other information about how and why we process your personal data (similar to the information provided in this privacy statement).  This right may be exercised by emailing us at We aim to respond to any requests for information promptly, and in any event within the legally required time limits.

Rectification – if you become aware of any errors or inaccuracies concerning your personal data, please let us know either by updating your details on the website or applications you are registered with or by contacting us.

Withdraw consent – where we process personal data based on consent, you have a right to withdraw consent at any time. To stop receiving direct marketing emails from us, please click on the unsubscribe link in the relevant email or update your preferences. For any other withdrawals of consent please contact us.

Erasure/deletion – you can ask us to erase or delete your personal data when we no longer need it for the purposes it was obtained.

Data portability – you can ask for your personal data to be sent to you or to another organisation.

Review automated decision making – if we make automated decisions about you, you can ask for those decisions to be reviewed.

Restrict or object to our processing – you can ask to restrict or object to our processing of your personal data (eg removal from a marketing subscription list).

If you wish to exercise any of your rights, please contact us.

Who to contact

If you have any questions about this privacy statement, wish to complain about our use of personal data or exercise one of your rights, please send your correspondence to our Data Protection Manager:

We regularly review this privacy statement and may make changes at any time without giving notice.

You also have the right to report concerns or make complaints to the Information Commissioner’s Office (ICO). For more information on your rights and how to contact the ICO, please refer to their website.

Contact forms

When you submit a contact form on our website, you subscribe to being contacted using the information provided.

We also use contact forms to collect Personal Data and when this occurs the Data is processed under the policy documented in this Privacy Statement.


If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.