GDPR Data Privacy Notice

Reviewed: 30 October 2025

Who we are and how to contact us

Controller: UK Postbox Limited, 13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom.

Data Protection Officer (DPO): dpo@ukpostbox.com

Support: support@ukpostbox.com

Security: security@ukpostbox.com

Roles: We act as controller for account/profile, billing/payments, support, analytics/telemetry and marketing data. We act as a processor for certain mail‑content scan data (images/metadata) that we handle on your documented instructions via your account settings and our Data Processing Agreement (DPA).

Children: Our services are for users aged 18+ and are not directed to children.

What data we process (categories)

  • Account & identity: name, contact details, login identifiers, recipients you add, preferences.
  • KYC/AML: ID document images, biometric and liveness checks, address checks, screening results (soft credit search footprint only).
  • Mailbox content: envelope images and scanned contents (no OCR/AI data capture), metadata (timestamps, item IDs) and handling logs (open/scan/forward/shred).
  • Payments & billing: payment tokens/identifiers via PCI‑compliant providers; invoices and VAT data.
  • Support & complaints: tickets, attachments, and call recordings where used (with notice).
  • Analytics/telemetry & cookies: device, browser and usage events (see Cookies Policy).
  • CCTV/site security: images from office/handling areas for safety and crime prevention.

Special category data: We do not intentionally solicit special category data; however biometric data is processed for KYC. Mail content may incidentally include special category data; when we act as processor, we handle it on your instructions and under our DPA.

How we collect your data

  • Directly from you (sign‑up, account actions, support).
  • From identity/verification providers (to meet AML/KYC obligations).
  • From service operation (mail intake/scanning metadata, tracking numbers) and from your device (via cookies/telemetry per our Cookies Policy).

Purposes and lawful bases

Purpose

Examples

Lawful basis
Account setup & service delivery Sign‑up, account management, opening & scanning letters, digital mailbox Contract (Art. 6(1)(b))
KYC/AML & sanctions ID, biometric/liveness, address checks; sanctions/fraud screening Legal obligation (MLR 2017+) and legitimate interests (fraud prevention)
Payments & invoicing Processing payments, invoices, VAT Contract & legal obligation
Support & complaints Case handling, call recordings (where used) Legitimate interests (service quality/dispute resolution)
Platform security Logging/monitoring, rate limiting, incident response Legitimate interests (security of network and information)
Analytics & improvement Usage metrics, performance tuning Legitimate interests
Marketing (email, message centre, social) Updates/offers Consent where required by PECR, or soft opt‑in for similar products to existing customers
CCTV Safety and crime prevention Legitimate interests

We do not rely on consent for KYC/AML. Where we rely on legitimate interests, we balance our interests against your rights.

Who we share your data with (recipients)

  • Processors/sub‑processors (cloud hosting, storage/OCR, KYC/biometric verification, email, analytics, payment). We maintain a live list in our Trust Centre and provide change notifications where practicable.
  • Approved service partners operating parts of our service under contract.
  • Regulators and authorities (e.g., HMRC, law enforcement) where required by law.
  • Professional advisers (legal, audit, insurance) under confidentiality.

We require processors to act only on our instructions, keep data secure and not use it for their own purposes.

International transfers

We primarily store and process data in the UK/EEA. Where personal data is transferred outside the UK, we implement appropriate safeguards (e.g., International Data Transfer Agreement (IDTA), the UK addendum to EU SCCs, or other recognised mechanisms), and carry out transfer risk assessments where required by law.

Security of your data

We apply layered security, including encryption in transit and at rest, role‑based access controls and MFA for privileged access, logging/monitoring, network segmentation, vulnerability management, supplier due diligence, employee vetting and secure destruction of physical mail and media (BS EN 15713).

Certification: Cyber Essentials Plus.

How long we keep data (retention)

We keep data only as long as needed for the stated purposes and legal requirements, then delete or anonymise it.

  • KYC/AML: retained as required by Money Laundering Regulations (typically up to 5 years after relationship end).
  • Mail scans (digital): retained for the period you select in your account; then deleted. Deleted scans may persist in encrypted backups for a limited window (see Retention & Deletion Policy).
  • Physical mail: free storage for 1 month; after that, storage charges apply and items may be securely destroyed unless forwarded/returned.
  • Payments/invoices: 6 years (tax).
  • Support/complaints: typically 3 years from closure.
  • CCTV: typically 30–90 days (longer where linked to an incident).
  • Call recordings (where used): typically 6–12 months.

Full details: Data Retention & Deletion Policy (Trust Centre).

Your rights under UK GDPR

You have rights to access, rectify, erase, restrict, object, and port your data. You can also object to direct marketing at any time.

How to exercise your rights: email dpo@ukpostbox.com. We respond within one month (30 days), extendable by two months for complex requests. We may ask for ID verification. We will not disclose mail content belonging to another person without a lawful basis.

Cookies and similar technologies

We use cookies and similar technologies as described in our Cookies Policy, which explains types, purposes and choices, including consent preferences under PECR.

Automated decision‑making and profiling

We do not carry out automated decision‑making that produces legal or similarly significant effects about you. KYC outcomes involve human review.

Changes to this notice

We may update this notice to reflect legal or service changes. We will post the revised version with a new Reviewed date and, where material changes affect registered users, provide notice (e.g., email or in‑app). Please keep your account details up to date.

Complaints

If you are unhappy about how we handle your data, contact us first via https://www.ukpostbox.com/forms/complaints-form  so we can try to resolve it. You can also complain to the Information Commissioner’s Office (ICO):

  • ico.org.uk
  • Tel: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

UK Postbox Limited

13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom


Support: support@ukpostbox.com

Security: security@ukpostbox.com

Legal notices: legal@ukpostbox.com

Data protection: dpo@ukpostbox.com

Complaints: complaints@ukpostbox.com

Accessibility: accessibility@ukpostbox.com

Website: www.ukpostbox.com


Registered in England and Wales Company Number: 06723381

MLR registration no: XLML00000192390

ICO registration no: ZA038907