
GDPR & Security Compliance

Quick Answer: The Hoxton Mix is fully compliant with UK GDPR, DPA 2018, and DUAA 2025. All data is hosted in London (AWS), encrypted with AES-256 at rest and TLS 1.2+ in transit, and certified under Cyber Essentials Plus.



Official Policies




Compliance Status


Status: Fully Compliant


Hosting & Encryption


  • Data location: London, UK (AWS Region: eu-west-2)
  • Encryption in transit: TLS 1.2+
  • Encryption at rest: AES-256
  • Certification: Cyber Essentials Plus (audited annually)


Security Measures


  • Physical security: CCTV, biometric/fob access controls
  • AI safety: OpenAI used for OCR with Zero Data Retention — your mail content is never used to train models



Sub-Processors & Partners


Key infrastructure partners: AWS (hosting), Chargebee/Stripe/PayPal/GoCardless (payments), Twilio (SMS/VoIP), Crisp (chat), Mailgun (email).


Full list in our Privacy Policy.


⚠️ Note: Postal carriers (Royal Mail, DHL, FedEx) act as independent Data Controllers once mail enters their network.



Data Retention & Deletion


  • Mail scans: Deleted after 30 days (or sooner if you choose)
  • KYC/AML documents: Retained for 5 years after the business relationship ends (legally required under Money Laundering Regulations — overrides GDPR Right to Erasure)



Contact


  • Data Protection Officer: dpo@hoxtonmix.com
  • Registered Office: 66 Paul Street, London EC2A 4NA




Updated on: 28/03/2026