AI Usage & Compliance Policy

Reviewed: January 2026


Purpose

This policy explains how UK Postbox uses AI responsibly to protect privacy, comply with UK/EU law, and uphold transparency, accountability and trust.


Scope

Applies to: All UK Postbox employees, contractors, suppliers and vendors involved in AI-enabled features or workflows.

Data covered: Customer account/billing/support data; UK Postbox HR/finance/operational data.


Principles

Privacy and security by design; purpose limitation; human oversight; no training on customer data; vendor controls aligned to UK GDPR Arts. 25, 28 and 32.


Lawful basis & accountability

We rely on contractual necessity or legitimate interests under UK GDPR and the Data Protection Act 2018. We conduct DPIAs for higher-risk features before launch.


Where we use AI

We use AI for ticket triage, analytics and code assistance, in each case under a strict “no training on our data” guarantee from the vendor.


Permitted vs Prohibited

Permitted

AI for ticket triage, analytics, internal tooling, and security and fraud controls, with human oversight and no vendor training on our data.

Prohibited

Running AI over customer mail content; vendor training on our data or customer data; secondary use of AI outputs beyond the purpose for which they were generated; automated decisions affecting customers that cannot be explained or reviewed by a person.


Data handling & security

Access controls, encryption in transit and at rest, audit logging, and controls on what data may be sent to AI vendors.


Vendor controls

Enterprise offerings with tenant isolation, “no training on our data” guarantees, regional processing and retention limits. Contracts include DPAs, sub-processor transparency and incident notification duties. Quarterly compliance reviews, annual attestations and documented exit strategies.


Human oversight

All AI-generated customer communications are reviewed before dispatch for accuracy, brand consistency and personalised service.


Accuracy & monitoring

Pre-release and ongoing testing for accuracy, bias and failure modes. Accuracy thresholds required for deployment. KPIs: error rates, false positives/negatives, user satisfaction.


Retention

• AI-assisted customer responses: Retained as part of customer communication record

• AI audit logs: 90 days (general), 12 months (flagged/reviewed)

• Internal drafts: 30 days if not incorporated


Incidents & customer rights

Personal-data incidents managed per our Incident Response policy. AI Incident Response Playbook covers hallucinations, unintended disclosure, model changes, prompt injection. Customers can exercise data-subject rights through standard channels.


Glossary

• AI: Artificial Intelligence. Advanced processing for classification, analysis or decision-making. Not used on customer mail content. Used only for approved internal operations with strict controls.

• DPIA: Data Protection Impact Assessment. Identifies and minimises data protection risks.

• Controller/Processor: Controller decides why/how personal data is processed. Processor acts on controller’s instructions.

• Hallucination: When AI generates plausible-sounding but false information.


UK Postbox Limited

13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom


Support: support@ukpostbox.com

Security: security@ukpostbox.com

Legal notices: legal@ukpostbox.com

Data protection: dpo@ukpostbox.com

Complaints: complaints@ukpostbox.com

Accessibility: accessibility@ukpostbox.com

Website: www.ukpostbox.com


Registered in England and Wales Company Number: 06723381

MLR registration no: XLML00000192390

ICO registration no: ZA038907