Records of Processing Activities (ROPA)
Reviewed: 29 January 2026
This living register documents our processing activities. It must be kept accurate and up to date. Changes to systems, vendors, purposes, data categories, transfers, retention or security controls must be reflected here. This ROPA is reviewed at least quarterly and updated within 30 days of any material change to processing activities.
1. Glossary & guidance
- DS = Data subjects
- PD = Personal data
- SCD = Special category data (Art.9)
- DPIA = Data Protection Impact Assessment
- TRA/TIA = UK Transfer Risk/Impact Assessment
- LIA = Legitimate Interests Assessment (documented balancing test)
Required fields (Art.30): purpose(s), categories of DS and PD, categories of recipients, international transfers & safeguards, retention periods, security measures (Art.32). For processor records: name/contact of controllers, categories of processing, transfers, security measures.
2. Controller ROPA (Article 30(1))
2.1 Account registration & service delivery
| Field | Entry |
| Purpose(s) | Create and manage customer accounts; provide digital mailbox services incl. opening/scanning of letters per settings; operate platform features. |
| Lawful basis | Contract (Art.6(1)(b)); Legitimate interests for platform security/abuse prevention. |
| DS categories | Prospects, customers (consumers & business users), approved recipients on accounts. |
| PD categories | Identity & contact; login identifiers; account settings; recipient names; mailbox metadata (item IDs, timestamps, routing), not content unless acting as controller (N/A—content handled under processor ROPA). |
| Recipients | Hosting & infrastructure providers; email/SMS providers; support platform; approved service partners; professional advisers. |
| International transfers | Possible (infrastructure/communications). Safeguards: IDTA / UK Addendum to SCCs; TRA where required. |
| Retention | Life of account + 12 months (account profile); mailbox metadata per Data Retention & Deletion Policy. |
| Security (Art.32) | Encryption in transit/at rest; RBAC + MFA; logging/monitoring; segmentation; vulnerability mgmt; supplier due diligence. |
| DPIA | Screening: No DPIA required (standard service delivery); reassess on material change. LIA completed and available on request for legitimate interests processing. |
2.2 KYC/AML & sanctions screening
| Field | Entry |
| Purpose(s) | Identity verification, liveness/biometric checks, address verification; AML/CTF and sanctions screening. |
| Lawful basis | Legal obligation (Money Laundering Regulations); Legitimate interests (fraud prevention). |
| DS categories | Customers, directors/beneficial owners (where applicable). |
| PD categories | ID images; biometric/liveness data; addresses; screening results; audit logs. |
| SCD / Art.9 | Biometric data processed for uniquely identifying a person via vendor processes. |
| Recipients | KYC/biometric vendors; sanctions screening providers; regulators/law enforcement where required. |
| International transfers | Possible via vendors; Safeguards: IDTA / UK Addendum to SCCs; TRA. |
| Retention | Up to 5 years after relationship end (MLR) or longer where legally required. |
| Security | Vendor due diligence & DPAs; encryption; strict access; audit logs; secure destruction. |
| DPIA | Screening required; full DPIA if scope changes or new modality used. APD (Appropriate Policy Document) maintained for biometric data processing under DPA 2018 Schedule 1. |
2.3 Payments & invoicing
| Field | Entry |
| Purpose(s) | Take payments; issue invoices; tax and accounting. |
| Lawful basis | Contract; Legal obligation (tax). |
| DS categories | Customers; payers. |
| PD categories | Billing details; tokenised payment identifiers (no raw PAN stored); invoices; VAT info. |
| Recipients | PCI-compliant payment processors; accounting/tax systems; auditors. |
| International transfers | Possible via processors; Safeguards: IDTA/UK Addendum. |
| Retention | 6 years from end of financial year. |
| Security | PCI-DSS processors; encryption; access controls. |
| DPIA | Not required (standard). |
2.4 Support, complaints & call recordings
| Field | Entry |
| Purpose(s) | Case handling; quality & training; dispute resolution. |
| Lawful basis | Legitimate interests. |
| DS categories | Customers; enquirers. |
| PD categories | Contact details; ticket content & attachments; call recordings (where used, with notice at the start of the call). |
| Recipients | Support/ticketing providers; professional advisers. |
| International transfers | Possible; Safeguards: IDTA/UK Addendum. |
| Retention | Tickets: 3 years from closure; recordings: 6–12 months. |
| Security | Access controls; encryption; audit logs. |
| DPIA | Not required. |
2.5 Platform analytics & telemetry
| Field | Entry |
| Purpose(s) | Measure performance; improve UX; troubleshoot. |
| Lawful basis | Legitimate interests; consent under PECR for non‑essential cookies. |
| DS categories | Visitors; users. |
| PD categories | Device/browser; usage events; pseudonymous IDs; error traces. |
| Recipients | Analytics & monitoring providers. |
| International transfers | Possible; Safeguards: IDTA/UK Addendum. |
| Retention | Minimum 12 months; up to 24 months for security investigations; aggregated/anonymised thereafter. |
| Security | Pseudonymisation; access controls. |
| DPIA | Not required. |
2.6 Marketing communications
| Field | Entry |
| Purpose(s) | Send updates/offers via email and in‑app message centre; social advertising where lawful. |
| Lawful basis | Consent (where required by PECR) or soft opt‑in/legitimate interests for similar products to existing customers. |
| DS categories | Prospects; customers. |
| PD categories | Contact details; marketing preferences; interaction data. |
| Recipients | Email service providers; CRM; social platforms (hashed data where used). |
| International transfers | Possible; Safeguards: IDTA/UK Addendum. |
| Retention | Active relationship + 24 months; suppression lists indefinite. |
| Security | Suppression controls; access controls. |
| DPIA | Not required. |
2.7 CCTV & site security
| Field | Entry |
| Purpose(s) | Safety; crime prevention; incident investigation. |
| Lawful basis | Legitimate interests. |
| DS categories | Staff; visitors; contractors; couriers. |
| PD categories | Video images; timestamps; location. |
| Recipients | Security vendors; law enforcement on request. |
| International transfers | Unlikely; if vendor processing occurs abroad, apply safeguards. |
| Retention | 30–90 days (longer if incident). |
| Security | Restricted access; tamper‑evident storage; audit logs. |
| DPIA | Screening complete; full DPIA if scope expands. CCTV areas are signed in accordance with ICO guidance. |
3. Processor ROPA (Article 30(2))
For activities where UK Postbox acts as a processor on documented instructions of the customer.
3.1 Digital mail handling (opening, scanning, storage, forwarding)
| Field | Entry |
| Controller(s) | Our customer (account holder); contact details held in contract records. |
| Processing on behalf of | Customers (consumers & business accounts). |
| Categories of processing | Receiving and registering items; opening letters (per settings); scanning contents; storing images; providing access; forwarding/return/disposal per instruction; logging actions. |
| DS categories | Account holders; approved recipients; senders/third parties named within mail content. |
| PD categories | Names, addresses, contact details; item metadata; scanned document contents (may include SCD incidentally). |
| Transfers | Forwarding to carriers; hosting/storage providers; sub‑processors listed in Trust Centre with change notifications per DPA clause 6.3. International transfers may occur via sub‑processors—safeguards: IDTA/UK Addendum; TRA. |
| Retention (on behalf of controller) | As configured by the customer for digital scans; physical mail: 1 month default storage then destruction unless instructed; logs retained per contract. |
| Security measures (Art.32) | Encryption at rest/in transit; RBAC + MFA; logging/monitoring; secure facilities; BS EN 15713 destruction; vetted staff. |
3.2 Customer support on controller instructions
| Field | Entry |
| Controller(s) | Our customer (account holder). |
| Categories of processing | Access account data to resolve tickets; view item metadata/scans as authorised by the customer. |
| DS categories | Account holders; approved recipients. |
| PD categories | Account/profile data; item metadata; selected scans where authorised. |
| Transfers | Support tooling providers (sub‑processors). |
| Retention | Ticket data: 3 years from closure unless otherwise specified by the controller; follow controller deletion instructions for copies. |
| Security | Access on least privilege; audit logs; time‑bound access approvals. |
4. Sub‑processors & disclosures
We maintain a live list of sub‑processors (hosting, storage/OCR, KYC/biometric, email, analytics, payments, support tooling). Changes are notified in advance where practicable. All sub‑processors are bound by DPAs and appropriate transfer safeguards for any extra‑UK processing.
5. Security measures (Article 32 summary)
- Encryption in transit and at rest; key management procedures.
- Access control & MFA; least privilege; quarterly access reviews.
- Logging/monitoring of admin and data access; SIEM alerting.
- Network segmentation; hardened perimeters; vulnerability management; penetration testing.
- Supplier due diligence; contractual security requirements; audit rights where appropriate.
- Employee vetting & training; confidentiality agreements.
- Secure destruction of paper/media (e.g., BS EN 15713).
6. International transfers & TRA/TIA
Where processing involves transfers outside the UK, we document destination, recipient, safeguard mechanism (IDTA / UK Addendum to SCCs), and outcomes of TRA/TIA. See linked TRA/TIA records for each activity/vendor.
8. Change control & versioning
- Changes must be raised via the ROPA Change Request form and approved by the DPO/Privacy Lead.
- The DPO updates the register and logs the change in the table below.
8.1 Change log
| Version | Date | Section | Change summary | Owner |
| 1.0 | 30 Oct 2025 | Initial | Created controller & processor ROPA entries aligned with Trust Centre policies. | DPO |
UK Postbox Limited
13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom
Support: support@ukpostbox.com
Security: security@ukpostbox.com
Legal notices: legal@ukpostbox.com
Data protection: dpo@ukpostbox.com
Complaints: complaints@ukpostbox.com
Accessibility: accessibility@ukpostbox.com
Website: www.ukpostbox.com
Registered in England and Wales. Company Number: 06723381
MLR registration no: XLML00000192390
ICO registration no: ZA038907