
Privacy Policy

Quick Answer: This Privacy Policy explains how The Hoxton Mix Limited collects, uses, stores, and protects your personal data. For privacy queries, contact dpo@hoxtonmix.com.



Welcome to the Privacy Policy of The Hoxton Mix Limited (“Hoxton Mix”, “we”, “us”, “our”).


We are committed to protecting your privacy and handling your personal data lawfully, fairly, and transparently. This policy applies to visitors, prospective customers, customers, individuals whose data appears in processed mail, and business partners.


Please also read our Cookie Policy.



Contents


  1. Who We Are
  2. How to Contact Us
  3. The Data We Collect
  4. How We Collect Data
  5. Lawful Bases for Processing
  6. How We Use Personal Data
  7. Automated Decision-Making
  8. Sub-Processors and Third Parties
  9. International Data Transfers
  10. Data Retention
  11. Your Rights
  12. Data Security
  13. Data Breaches
  14. Children’s Data
  15. Third-Party Links
  16. Updates to This Policy
  17. Contact Us



Who We Are


The Hoxton Mix Limited

Company number: 07212205

Registered office: 66 Paul Street, London EC2A 4NA


We act as Data Controller for customer accounts, identity verification, billing, postal metadata, digital scans, and support records. We act as Data Processor only where you instruct us to process or scan your mail.



How to Contact Us


Data Protection Officer: dpo@hoxtonmix.com



The Data We Collect


Identity & Verification (KYC/AML) — passport, driving licence, proof of address, DOB, nationality, company details, PSC/UBO information


Account & Contact — name, company name, postal address, email, phone, billing data (tokenised; we do not store card numbers)


Mail Handling — postal logs, sender/recipient details, digital scans, forwarding metadata


Website & Technical — IP address, cookies, device/browser details, usage patterns (see Cookie Policy)


Support — Crisp chat logs, email correspondence, complaint records


Special Category Data — not intentionally collected, but may appear in scanned mail. Handled securely and incidentally only.



How We Collect Data


From you directly (sign-up, contact), postal items, KYC documents, business partners (Crunch, Tide, Ember, Osome, ANNA), public sources (Companies House), analytics, and support interactions.



Lawful Bases for Processing


  • Contractual necessity — providing your subscription, mail handling, account admin, support
  • Legal obligation — AML Regulations, London Local Authorities Act, DUAA 2025, DPA 2018
  • Legitimate interests — service security, fraud prevention, accurate records, IT integrity
  • Consent — marketing communications and non-essential cookies (withdrawable at any time)



How We Use Personal Data


To verify identity, manage accounts, process mail, provide scanning/forwarding, deliver support, process payments, improve services, comply with regulations, and prevent fraud. We never sell personal data.



Automated Decision-Making


We do not make automated decisions that produce legal or significant effects.



Sub-Processors and Third Parties


⚠️ Note: Postal carriers (Royal Mail, DHL, FedEx) act as independent Data Controllers once mail enters their network.


| Sub-Processor | Purpose | Region |
|---|---|---|
| AWS | Hosting, storage, OCR | UK (London) |
| Twilio | VOIP/SMS | US (SCCs/Data Bridge) |
| OpenAI | Internal OCR/classification (zero data retention) | US (Data Bridge) |
| Crisp IM | Support chat/helpdesk | EU (France) |
| Chargebee | Subscription billing | EU/US |
| Stripe / PayPal / GoCardless | Payment processing | UK/EU/US |
| Mailgun / Amazon SES | Email delivery | EU/US |
| Google Workspace | Internal email/collaboration | EU/US |
| Slack | Internal communications | EU/US |
| Vercel | Website hosting | EU/US |
| Microsoft (Bing) | Advertising/analytics | US (Data Bridge) |
| Meta (Facebook) | Advertising/analytics | US (Data Bridge) |



International Data Transfers


Where data is transferred outside the UK/EEA, we use UK IDTA, Standard Contractual Clauses, or DUAA-compliant mechanisms.



Data Retention


| Data Type | Retention |
|---|---|
| AML/KYC documents | 5 years after account closure |
| Billing records | 6 years |
| Mail scans | 30 days |
| Postal logs | 24 months |
| Support logs/tickets | 24 months |
| Analytics | Per Cookie Policy |


⚠️ Important: AML/KYC retention (5 years) overrides the Right to Erasure under UK GDPR. We cannot delete identity records before this period expires.



Your Rights


Under UK GDPR: access, rectification, erasure, restrict processing, data portability, object, and protection from automated decision-making.


To exercise any right: dpo@hoxtonmix.com (we may request proof of identity).



Data Security


  • Encryption at rest and in transit
  • AWS-certified hosting
  • Two-factor authentication
  • Role-based access controls
  • Regular penetration testing
  • Annual Cyber Essentials Plus compliance



Data Breaches


We assess risk, notify the ICO within 72 hours where required, and notify affected individuals if high risk. We maintain an internal breach register.



Children’s Data


Our services are for individuals aged 16 or over (minimum age to be a UK company director or sole trader). Data collected in error for under-16s will be deleted.



Third-Party Links


Our site may link to third-party sites. We are not responsible for their privacy practices.



Updates to This Policy


We may update this policy from time to time. Material changes will be notified by email.



Contact Us


The Hoxton Mix Limited

66 Paul Street, London EC2A 4NA

Email: dpo@hoxtonmix.com




Updated on: 28/03/2026