GDPR & Security Compliance
At The Hoxton Mix, we are committed to transparency. This page provides a high-level overview of our security infrastructure and compliance with the UK GDPR, Data Protection Act 2018, and the Data (Use and Access) Act 2025.
Official Policies
For full legal details, please refer to our official documentation:
- Privacy Policy (includes full sub-processor list)
- Cookie Policy
Compliance Status
Status: Fully Compliant
We have implemented robust technical and organisational measures to ensure the security and privacy of your data.
Hosting & Encryption
- Data Location: All customer data is securely hosted in London, United Kingdom (AWS Region: eu-west-2).
- Encryption: We use bank-grade encryption for data in transit (TLS 1.2+) and at rest (AES-256).
- Certification: Our systems are audited annually and certified under Cyber Essentials Plus.
Security Measures
- Physical Security: Our mail processing facility is monitored by CCTV and protected by biometric/fob access controls.
- AI Safety: We use OpenAI for text recognition (OCR) with Zero Data Retention enabled. Your mail content is never used to train AI models.
Sub-Processors & Partners
We use industry-leading providers to deliver our services. You can view the full list in our Privacy Policy.
Key Infrastructure Partners
- Infrastructure: Amazon Web Services (AWS)
- Payments: Chargebee, Stripe, PayPal, GoCardless
- Communication: Twilio (SMS/VoIP), Crisp (Chat), Mailgun (Email)
Important Note on Royal Mail: Postal carriers (including Royal Mail, DHL, and FedEx) act as independent Data Controllers, not sub-processors. Once physical mail enters their network, it is processed according to their own privacy and security policies.
Data Retention & Deletion
You have the right to request the deletion of your data (“Right to Erasure”). However, as a regulated service provider, strict legal exceptions apply.
- Mail Scans: Automatically deleted after 30 days unless you choose to delete them sooner.
- The “5-Year Rule” (AML Override): Under the Money Laundering Regulations 2007, we are legally required to retain your Identity and Proof of Address (KYC) documents for 5 years after our business relationship ends.
This legal requirement overrides the GDPR “Right to Erasure”.
Contact Us
- Data Protection Officer: dpo@hoxtonmix.com
- Registered Office: 86–90 Paul Street, London, EC2A 4NE (transitioning to 66 Paul Street from Jan 2026)
Updated on: 04/12/2025
