Consent Management Policy

Reviewed: 29 January 2026


At a glance

  • We only rely on consent where the law requires it or where it is the most appropriate lawful basis.
  • For non‑essential cookies/trackers, we obtain opt‑in consent under PECR/UK GDPR via a banner and Preferences Centre.
  • For direct marketing, we use consent (opt‑in) where required and soft opt‑in/legitimate interests for existing customers where permitted.
  • Consent must be freely given, specific, informed and unambiguous (UK GDPR Art. 4(11)), and as easy to withdraw as to give (Art. 7).
  • We keep consent logs and honour withdrawals promptly (marketing: within 48 hours; cookies: immediate/next page load).

Purpose

This Policy defines how UK Postbox obtains, records, manages and withdraws user consent for processing personal data where consent is required or chosen as the lawful basis, and how this interacts with PECR and UK GDPR.


Scope

This Policy covers:

  • Cookie/Tracker consent on www.ukpostbox.com and our web apps/portals;
  • Direct marketing via email and in‑platform message centre, and any social media advertising that requires consent;
  • Any other processing activity where consent is the lawful basis.

It does not cover processing we carry out under contract, legitimate interests or legal obligation (e.g., KYC/AML, fraud and sanctions screening).


Definitions

  • Consent: freely given, specific, informed and unambiguous indication by statement or clear affirmative action (UK GDPR Art. 4(11) & Art. 7).
  • Soft opt‑in: the PECR rule that allows us to market our own similar products/services to existing customers who have obtained services from us, provided they can opt out at any time.
  • Non‑essential cookies: any cookies/trackers not strictly necessary to provide the service requested by the user (e.g., analytics, marketing, some functional).

When we rely on consent (and when we do not)

We do rely on consent for:

  • Non‑essential cookies/trackers (PECR) – opt‑in via banner/Preferences Centre.
  • Direct marketing to non‑customers or where soft opt‑in does not apply.
  • Optional features that are not required for the core service and involve additional data uses.

We do not rely on consent for:

  • KYC/AML (legal obligation; legitimate interests for fraud prevention).
  • Core service delivery (contract), platform security and service analytics where conducted under legitimate interests and with appropriate controls.
  • Any processing where consent would not be freely given (e.g., access to core features conditioned on consent for unrelated tracking).

Collecting consent (how we ask)

  • Consent requests are concise, transparent and layered, presented in plain English.
  • Choices are granular (e.g., separate toggles for analytics and marketing cookies; marketing topics where applicable).
  • We avoid pre‑ticked boxes, silence or inactivity; we avoid dark patterns that nudge acceptance.
  • We provide a link to the relevant policy (e.g., Cookies Policy, Privacy Notice). At the point of collecting consent, we inform users how to withdraw consent (e.g., “You can change your preferences at any time via the Cookie Preferences link in the footer”).
  • For email marketing, we provide clear opt‑in checkboxes (and double opt‑in where appropriate).

Example wording (cookies):

“We’d like to use optional cookies to improve how our site works. You can accept, reject non‑essential, or manage your choices.”

Example wording (email):

“Send me news and offers about UK Postbox’s services.”


Managing preferences and withdrawals

  • Users can withdraw email (marketing) consent via unsubscribe links in messages and via account preferences.
  • We process marketing withdrawals within 48 hours, update all relevant systems and processors, and confirm cessation to the user. If any marketing is sent during the processing window, we apologise and explain the brief delay.
  • We maintain suppression lists indefinitely to ensure opt‑outs are honoured.
  • We acknowledge and action consent withdrawals made by any channel (email to support or DPO, in‑app request, helpdesk ticket) and we will not make withdrawal more difficult than giving consent.

Recording consent (evidence)

We keep verifiable records of consent, including:

  • User identifier (or session), timestamp and source (page/form/bundle).
  • Version of the policy/banners presented.
  • Granular choices selected (e.g., analytics yes/no).
  • Proof of double opt‑in where used (e.g., confirmation email event).
  • Geo context (e.g., country) and device/browser where relevant.

Retention: consent logs are kept for the duration of the active relationship + 24 months; suppression lists are retained indefinitely. For ongoing processing based on consent, we consider refreshing consent at appropriate intervals (e.g., annually for marketing) to ensure it remains valid and reflects current preferences.


Special situations

  • Children: our services are 18+; we do not knowingly seek children’s consent.
  • GPC (Global Privacy Control): where we detect a valid GPC signal, we treat it as an opt-out from non-essential cookies and do not set such cookies unless the user explicitly overrides via our Preferences Centre. Where we rely on legitimate interests rather than consent (e.g., strictly necessary cookies, security logging), GPC signals do not affect this processing, but users may exercise their right to object under Article 21.
  • Do Not Track: we do not change behaviour in response to DNT signals.
  • Third‑party tools: we check that consent strings collected via our CMP meet IAB/industry standards where relevant and that partners respect choices.

Processors, partners and international transfers

  • We require processors who set or read cookies/receive marketing data to honour user choices and to process data only on our instructions. We ensure consent choices are propagated to downstream processors and partners in real-time or near-real-time, so that non-consented processing does not occur.
  • Where data is transferred outside the UK/EEA, we apply appropriate safeguards (e.g., IDTA/UK SCC Addendum) as described in our Privacy Notice.
  • We maintain a live list of sub‑processors and provide change notifications where practicable.

Roles and responsibilities

  • DPO/Privacy Lead: policy owner; ensures compliance with UK GDPR/PECR; oversees audits and complaints (dpo@ukpostbox.com).
  • Marketing: ensures lawful collection and use of marketing consents; maintains suppression lists.
  • Engineering/Product: implements banner, Preferences Centre, consent storage, and APIs for downstream systems; ensures no trackers fire before consent (except strictly necessary).
  • Security: monitors for unauthorised trackers; reviews third‑party tags; ensures access controls for consent logs.
  • All staff: use approved templates; report issues or incidents promptly.

Audits, monitoring and testing

  • Quarterly audits verify: (a) no non-essential cookies/tags fire before consent; (b) withdrawals stop processing within stated timeframes; (c) consent records are complete and retrievable; (d) no dark patterns in consent flows.
  • Automated scans (e.g., tag audit tools) to detect rogue tags/trackers.
  • Periodic A/B testing for usability to ensure consent choices remain freely given and do not use dark patterns.
  • Evidence of audits retained for 24 months. Issues identified in audits are remediated within 7 days for critical issues (non-essential cookies firing without consent) and 30 days for other issues.
  • If we wish to use personal data for a new purpose that requires consent, we will obtain fresh consent before the new processing begins.

Breaches and complaints

  • Suspected breaches (e.g., non‑essential cookies set before opt‑in) are handled via our Incident Response process.
  • Users can complain via support@ukpostbox.com or dpo@ukpostbox.com; we aim to respond within 30 days.
  • Users may also complain to the ICO.

Policy interactions

This Policy sits alongside our Privacy Notice, Cookies Policy, Data Protection Policy, and Data Retention & Deletion Policy. Where there is a conflict, the stricter control applies.


UK Postbox Limited

13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom


Support: support@ukpostbox.com

Security: security@ukpostbox.com

Legal notices: legal@ukpostbox.com

Data protection: dpo@ukpostbox.com

Complaints: complaints@ukpostbox.com

Accessibility: accessibility@ukpostbox.com

Website: www.ukpostbox.com


Registered in England and Wales Company Number: 06723381

MLR registration no: XLML00000192390

ICO registration no: ZA038907