Data Privacy Notice

Reviewed: 29 January 2026


Who we are and how to contact us


Controller: UK Postbox Limited, 13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom.

Data Protection Officer (DPO): dpo@ukpostbox.com

Support: support@ukpostbox.com

Security: security@ukpostbox.com


Roles: We act as controller for account/profile, billing/payments, support, analytics/telemetry and marketing data. We act as a processor for certain mail‑content scan data (images/metadata) that we handle on your documented instructions via your account settings and our Data Processing Agreement (DPA). We do not act as a joint controller with any third party; where we share data with partners, they act as independent controllers for their own purposes or as our processors under contract.


Children: Our services are for users aged 18+ and are not directed to children.


What data we process (categories)

  • Account & identity: name, contact details, login identifiers, recipients you add, preferences.
  • KYC/AML: ID document images, biometric and liveness checks, address checks, screening results (soft credit search footprint only).
  • Mailbox content: envelope images and scanned contents (no OCR/AI data capture), metadata (timestamps, item IDs) and handling logs (open/scan/forward/shred).
  • Payments & billing: payment tokens/identifiers via PCI‑compliant providers; invoices and VAT data.
  • Support & complaints: tickets, attachments, and call recordings where used (with notice).
  • Analytics/telemetry & cookies: device, browser and usage events (see Cookies Policy).
  • CCTV/site security: images from office/handling areas for safety and crime prevention.

Special category data: We do not intentionally solicit special category data; however biometric data is processed for KYC. Mail content may incidentally include special category data; when we act as processor, we handle it on your instructions and under our DPA.


How we collect your data

  • Directly from you (sign‑up, account actions, support).
  • From identity/verification providers (to meet AML/KYC obligations).
  • From service operation (mail intake/scanning metadata, tracking numbers) and from your device (via cookies/telemetry per our Cookies Policy).

Third-party sources: We may receive personal data from identity verification providers, credit reference agencies (soft search only), sanctions screening providers, and carriers (delivery confirmation, tracking events).

Purposes and lawful bases

| Purpose | Examples | Lawful basis |
|---|---|---|
| Account setup & service delivery | Sign‑up, account management, opening & scanning letters, digital mailbox | Contract (Art. 6(1)(b)) |
| KYC/AML & sanctions | ID, biometric/liveness, address checks; sanctions/fraud screening | Legal obligation (MLR 2017+) and legitimate interests (fraud prevention) |
| Payments & invoicing | Processing payments, invoices, VAT | Contract & legal obligation |
| Support & complaints | Case handling, call recordings (where used) | Legitimate interests (service quality/dispute resolution) |
| Platform security | Logging/monitoring, rate limiting, incident response | Legitimate interests (security of network and information) |
| Analytics & improvement | Usage metrics, performance tuning | Legitimate interests |
| Marketing (email, message centre, social) | Updates/offers | Consent where required by PECR, or soft opt‑in for similar products to existing customers |
| CCTV | Safety and crime prevention | Legitimate interests |

We do not rely on consent for KYC/AML. Where we rely on legitimate interests, we balance our interests against your rights; this balancing test is documented in our Legitimate Interests Assessment (LIA) records, which you may request via dpo@ukpostbox.com.


Who we share your data with (recipients)

●  Processors/sub‑processors (cloud hosting, storage/OCR, KYC/biometric verification, email, analytics, payment). We maintain a live list in our Trust Centre and provide change notifications where practicable.

●  Approved service partners operating parts of our service under contract.

●  Regulators and authorities (e.g., HMRC, law enforcement) where required by law, court order, or regulatory requirement. We will notify you where legally permitted.

●  Professional advisers (legal, audit, insurance) under confidentiality.

We require processors to act only on our instructions, keep data secure and not use it for their own purposes.


International transfers

We primarily store and process data in the UK/EEA. Where personal data is transferred outside the UK, we implement appropriate safeguards (e.g., International Data Transfer Agreement (IDTA), the UK addendum to EU SCCs, or other recognised mechanisms). For transfers to countries without adequacy decisions, we conduct Transfer Risk Assessments (TRAs) to evaluate risks and implement supplementary measures where necessary.


Security of your data

We apply layered security, including encryption in transit and at rest, role‑based access controls and MFA for privileged access, logging/monitoring, network segmentation, vulnerability management, supplier due diligence, employee vetting and secure destruction of physical mail and media (BS EN 15713).

Certification: Cyber Essentials Plus. In the event of a personal data breach, we follow our Incident Response & Breach Notification Policy and will notify you where required by law.


How long we keep data (retention)

We keep data only as long as needed for the stated purposes and legal requirements, then delete or anonymise it.

●  KYC/AML: retained as required by Money Laundering Regulations (typically up to 5 years after relationship end).

●  Mail scans (digital): retained for the period you select in your account; then deleted. Deleted scans may persist in encrypted backups for up to 90 days before being purged through scheduled backup rotation (see Retention & Deletion Policy).

●  Physical mail: free storage for 1 month; after that, storage charges apply and items may be securely destroyed unless forwarded/returned.

●  Payments/invoices: 6 years (tax).

●  Support/complaints: typically 3 years from closure.

●  CCTV: typically 30–90 days (longer where linked to an incident).

●  Call recordings (where used): typically 6–12 months.

Full details: Data Retention & Deletion Policy (Trust Centre).


Your rights under UK GDPR

You have rights to access, rectify, erase, restrict, object, and port your data. You can also object to direct marketing at any time. You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

How to exercise your rights: use our privacy webform (Trust Centre) or email dpo@ukpostbox.com. We respond within one month (30 days), extendable by two months for complex requests. We may ask for ID verification. We will not disclose mail content belonging to another person without a lawful basis.


Cookies and similar technologies

We use cookies and similar technologies as described in our Cookies Policy, which explains types, purposes and choices, including consent preferences under PECR.


Automated decision‑making and profiling

We do not carry out solely automated decision-making that produces legal or similarly significant effects about you. KYC outcomes involve human review before any adverse decision (e.g., account rejection or restriction).


Changes to this notice

We may update this notice to reflect legal or service changes. We will post the revised version with a new Reviewed date and, where material changes affect registered users, provide notice (e.g., email or in‑app). Please keep your account details up to date.


Complaints

If you are unhappy about how we handle your data, contact us first via https://www.ukpostbox.com/forms/complaints-form so we can try to resolve it. You can also complain to the Information Commissioner’s Office (ICO):

  • ico.org.uk
  • Tel: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

UK Postbox Limited

13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom


Support: support@ukpostbox.com

Security: security@ukpostbox.com

Legal notices: legal@ukpostbox.com

Data protection: dpo@ukpostbox.com

Complaints: complaints@ukpostbox.com

Accessibility: accessibility@ukpostbox.com

Website: www.ukpostbox.com


Registered in England and Wales Company Number: 06723381

MLR registration no: XLML00000192390

ICO registration no: ZA038907