Data Retention & Deletion Policy
Reviewed: 29 January 2026
At a glance
- We keep data only as long as necessary for the stated purpose and legal requirements, then delete or anonymise it.
- Mail handling is customer‑driven: digital scan retention is set by you in your account; physical mail is stored for 1 month by default, then destroyed unless you instruct otherwise.
- KYC/AML records are retained in line with the Money Laundering Regulations (typically up to 5 years after the relationship ends).
- Deletions occur on a defined schedule; encrypted backups purge within a limited window thereafter.
- Secure disposal uses recognised standards (e.g., BS EN 15713 for paper destruction).
Purpose
This Policy sets out how long UK Postbox retains different categories of data, the triggers for deletion, and the technical/organisational measures used to dispose of data securely and lawfully.
Scope
Covers all formats and systems we control: the website, web apps/portals, mail handling operations (including digitising/scanning), payment/billing systems, support tools, CCTV and telephony. It also describes how we align third‑party processors with this Policy.
Principles
- Necessity: retain no longer than needed for the stated purpose.
- Security: protect data throughout its lifecycle; delete/obfuscate/anonymise when retention ends.
- Accountability: maintain documentation (ROPA), audit trails and destruction records where appropriate.
- Consistency: apply uniform rules, with lawful exceptions (e.g., legal holds).
- Customer control: honour in‑product retention settings for digital scans.
Roles & responsibilities
- DPO/Privacy: owns this Policy and oversees compliance (dpo@ukpostbox.com).
- IT/Security: implements technical deletion schedules, backup purges, and secure destruction.
- Operations (Mailroom): applies physical retention windows and destruction processes.
- All staff: follow retention rules and escalate any legal hold instructions.
Master retention schedule (current standards)
These periods represent our current default standards. Where law requires longer/shorter periods, the legal requirement prevails. Business needs are reviewed against UK GDPR’s storage limitation principle.
| Data/record type | Examples | Default retention | Notes/authority |
|---|---|---|---|
| Account & profile | Account details, recipients list, settings | Life of account + 12 months | To support reactivation/dispute resolution; then delete/anonymise |
| Digital mail scans | Scanned page images, envelope scans, metadata | As set by customer in account (e.g., rolling period) | After expiry: deleted from live systems; persists in encrypted backups for a limited window (see §7) |
| Physical mail | Letters, flats, parcels in storage | 1 month free storage; thereafter charges; if no instruction, secure destruction | BS EN 15713; exceptions for legal holds or statutory mail |
| KYC/AML | ID images, liveness/biometric records, address checks, screening | Up to 5 years after relationship end | Money Laundering Regulations; longer if required due to investigations/legal obligation |
| Payments & billing | Invoices, VAT records, payment tokens/IDs | 6 years from end of financial year | Companies Act & tax law; payment card data held by PCI providers |
| Support & complaints | Tickets, attachments, outcomes | 3 years from case closure | Extended if part of a legal dispute/claim |
| Call recordings | Support/QoS recordings (where used) | 6–12 months | Notice provided at call start |
| CCTV | Office/handling area footage | 30–90 days | Longer if related to an incident or investigation |
| Platform logs | Access/admin/audit logs, security events | Minimum 12 months; up to 24 months for security investigations | For security, fraud and forensic readiness |
| Analytics/telemetry | Usage and performance metrics | 12–24 months (aggregated thereafter) | Pseudonymised/aggregated where feasible |
| Marketing records | Preferences, consent logs, suppression lists | Consent logs: as long as active relationship + 24 months; suppression indefinite | Suppression retained to honour opt‑outs |
| Shipping/forwarding records | Labels, tracking, customs forms | 3 years | For claims, customs queries and audit |
| Contracts & legal | Customer contracts, legal claims | 6 years (or statutory period) | Limitation Act 1980 (UK) |
If your organisation requires a bespoke schedule (e.g., enterprise DPA), we can apply a contract‑specific annex that overrides the defaults above.
Deletion triggers
- End of retention period – automatic deletion/anonymisation on schedule.
- Account closure – we begin decommissioning; digital scans follow your configured retention; KYC/AML and billing survive per law; physical mail destroyed or returned per your instruction.
- Successful right‑to‑erasure request – where applicable, remove data not required to be kept by law or for legal claims.
- Legal hold lift – once a hold ends, affected items follow their underlying schedule.
Backups and disaster recovery
- Encrypted backups exist to protect availability and integrity. When data is deleted from live systems, it will be purged from backups through scheduled rotation within 90 days. Immutable backups (write-once, read-many) used for ransomware protection follow the same rotation schedule.
- Backups are encrypted, access‑controlled and used only for restoration. If data is restored from backup (e.g., for disaster recovery), deletion schedules restart from the restoration date unless the original deletion date has passed, in which case the data is deleted promptly.
- We do not process erasure requests directly on backup media unless technically feasible without compromising other data; instead, we ensure expiry through rotation.
Secure destruction
- Paper/mail: cross‑cut shredding and secure destruction consistent with BS EN 15713 (or equivalent), followed by recycling where possible.
- Media/devices: cryptographic erasure or physical destruction following NIST SP 800-88 guidelines (Clear, Purge, or Destroy depending on media type and sensitivity).
- Certification: destruction logs or certificates retained for audit where appropriate.
Exceptions & legal holds
- We may suspend deletion where a legal hold applies (e.g., ongoing dispute, regulator request, law‑enforcement matter). Legal holds are initiated by Legal/Compliance, documented in the legal hold register, communicated to relevant data custodians, and lifted only with Legal/Compliance approval.
- Some records must be kept longer to comply with statute (e.g., tax, MLR).
- Where mail items are linked to statutory obligations (e.g., official notices), handling may differ; see the Mail Inspection & Handling Policy.
Third‑party processors
- We require processors/sub‑processors to implement equivalent or stronger retention/deletion controls via contract (DPA).
- Where processors store data outside the UK, we apply appropriate transfer safeguards (e.g., IDTA/UK addendum to SCCs).
- We maintain a live list of sub‑processors and notify customers of material changes where practicable. We obtain written confirmation of deletion from processors and sub-processors upon request or contract termination.
Rights requests (erasure, restriction, portability)
- Submit requests via our privacy webform or email dpo@ukpostbox.com. We respond within one month (30 days), extendable for complex cases.
- We will honour erasure where applicable and not prevented by legal obligations (e.g., MLR, tax, legal claims).
- For processor data (mail content handled on your instructions), we act per your documented instructions and the DPA.
- We may request ID verification to protect your data. You may object to retention where you believe we are retaining data longer than necessary; we will review your objection and respond within 30 days. Where appropriate, we may anonymise data rather than delete it, allowing us to retain insights for analytics without retaining personal data; anonymisation is irreversible and follows ICO guidance.
Governance, audits & review
- We maintain Records of Processing Activities (ROPA) and document retention justifications.
- We conduct periodic audits of deletion jobs and destruction suppliers.
- This Policy is reviewed annually or after significant legal/operational changes. The Master Retention Schedule is reviewed annually and updated when legal requirements change, new data categories are introduced, or business needs evolve.
UK Postbox Limited
13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom
Support: support@ukpostbox.com
Security: security@ukpostbox.com
Legal notices: legal@ukpostbox.com
Data protection: dpo@ukpostbox.com
Complaints: complaints@ukpostbox.com
Accessibility: accessibility@ukpostbox.com
Website: www.ukpostbox.com
Registered in England and Wales Company Number: 06723381
MLR registration no: XLML00000192390
ICO registration no: ZA038907