Articles on: Privacy Centre

Privacy Policy

Version: 2025.11

Last updated: 18-11-25


Welcome to the Privacy Policy of The Hoxton Mix Limited (“Hoxton Mix”, “we”, “us”, “our”).


We are committed to protecting your privacy and handling your personal data lawfully, fairly, and transparently.


This Privacy Policy explains how we collect, use, store, share, and protect your personal data.

It applies to:


  • Visitors to our website
  • Prospective customers
  • Customers of our virtual office and mail-handling services
  • Individuals whose data appears in postal items processed by us
  • Business partners, contractors and suppliers


Please also read our Cookie Policy, which explains how we use cookies and similar technologies.

Contents


  1. Who We Are
  2. How to Contact Us
  3. The Data We Collect
  4. How We Collect Data
  5. Lawful Bases for Processing
  6. How We Use Personal Data
  7. Automated Decision-Making
  8. Sub-Processors and Third Parties
  9. International Data Transfers
  10. Data Retention
  11. Your Rights
  12. Data Security
  13. Data Breaches
  14. Children’s Data
  15. Third-Party Links
  16. Updates to This Policy
  17. Contact Us


1. Who We Are


The Hoxton Mix Limited

Company number: 07212205

Registered office: 86–90 Paul Street, London, EC2A 4NE


We act as a Data Controller for:


  • Customer accounts
  • Identity verification documents
  • Billing information
  • Postal metadata and digital scans
  • Customer communications and support records


We act as a Data Processor only where you instruct us to process or scan your mail.

2. How to Contact Us


Data Protection Officer (DPO)


dataprotection@hoxtonmix.com


For any privacy-related questions or requests, please contact us using the details above.


3. The Data We Collect


We may collect the following categories of personal data:


3.1 Identity & Verification Data (KYC/AML)


  • Passport or driving licence
  • Proof of residential address
  • Date of birth
  • Nationality
  • Company details, PSCs, beneficial owners
  • Identity documents used for AML compliance


3.2 Customer Account & Contact Data


  • Name
  • Company name
  • Postal address
  • Email
  • Phone number
  • Billing data (tokenised; we do not store card numbers)


3.3 Virtual Office & Mail Handling Data


  • Postal logs
  • Sender/recipient details on mail
  • Digital scans of letters (where applicable)
  • Forwarding metadata


3.4 Website & Technical Data


  • IP address
  • Cookies and analytics identifiers
  • Device/browser details
  • Site usage patterns (see Cookie Policy)


3.5 Support & Correspondence Data


  • Crisp chat logs
  • Email correspondence
  • Complaints records


3.6 Special Category Data


Not intentionally collected, but may appear within scanned mail.


Handled securely and incidentally only.


4. How We Collect Data


We collect personal data from:


  • You directly when you sign up or contact us
  • Postal items addressed to you
  • KYC/AML data you provide
  • Business partners (e.g., Crunch, Tide, Ember, Osome, ANNA)
  • Public sources such as Companies House
  • Website analytics
  • Customer-support interactions

5. Lawful Bases for Processing


Under UK GDPR, we process data using the following lawful bases:


5.1 Contractual Necessity


To:


  • Provide your virtual office subscription
  • Receive, scan, store, and forward mail
  • Administer your account
  • Provide customer support



Including compliance with:


  • AML Regulations (2007, 2017)
  • London Local Authorities Act 2007
  • DUAA 2025
  • DPA 2018


5.3 Legitimate Interests


For purposes including:


  • Service security
  • Fraud prevention
  • Maintain accurate records
  • IT system integrity



Used for:


  • Marketing communications
  • Non-essential cookies


You may withdraw consent at any time.


6. How We Use Personal Data


We process personal data to:


  • Verify identity and perform AML checks
  • Create and manage customer accounts
  • Process and handle mail items
  • Provide scanning and forwarding services
  • Deliver customer support
  • Process payments and invoices
  • Improve and secure our services
  • Comply with legal and regulatory obligations
  • Prevent fraudulent or unlawful use of services


We never sell personal data.


7. Automated Decision-Making


We do not make automated decisions that produce legal or significant effects.


8. Sub-Processors and Third Parties


We use trusted service providers to deliver our services. Each is subject to contractual and technical safeguards under UK GDPR.


8.1 Approved Sub-Processors


Sub-Processor

Purpose

Region

Amazon Web Services (AWS)

Hosting, storage, Textract OCR

UK (London)

Crisp IM SARL

Support chat and helpdesk

EU (France)

Chargebee Inc.

Subscription billing

EU/US

Stripe / PayPal (via Chargebee)

Payment processing

EU/US

Mailgun / Amazon SES

Email delivery

EU/US

Google Workspace

Internal email and collaboration

EU/US

Slack

Internal communications

EU/US

Vercel

Website hosting

EU/US

OpenAI

Internal OCR/classification workloads (anonymised)

US

We update this list when sub-processors change.


9. International Data Transfers


Where personal data is transferred outside the UK/EEA, we use appropriate safeguards, including:


  • UK IDTA (International Data Transfer Agreement)
  • Standard Contractual Clauses (SCCs)
  • DUAA-compliant mechanisms


We maintain a register of international transfers.


10. Data Retention


We retain data in accordance with strict internal schedules:

Data Type

Retention

AML/KYC documents

5 years after account closure

Mail scans

30 days (unless user deletes earlier)

Postal logs

24 months

Crisp support logs

Up to 24 months

Billing records

6 years (Companies Act)

Support tickets

24 months

Analytics data

Per Cookie Policy

Data is securely deleted or anonymised after expiry.


11. Your Rights


Under UK GDPR, you have:


  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right not to be subject to automated decision-making


To exercise any right:

dataprotection@hoxtonmix.com


We may request proof of identity.


12. Data Security


We apply stringent technical and organisational measures:


  • Encryption at rest and in transit
  • AWS-certified hosting environments
  • Two-factor authentication
  • Staff access controls
  • Secure development practices
  • Regular penetration testing
  • Backups and disaster recovery
  • Role-based access controls
  • Annual Cyber Essentials/Cyber Essentials Plus compliance


13. Data Breaches


In case of a personal data breach:


  • We assess the risk to individuals
  • Where required, we notify the ICO within 72 hours
  • If high risk, we notify affected individuals without undue delay


We maintain an internal breach register.


14. Children’s Data


Our services are designed exclusively for individuals aged 16 or over, as this is the minimum legal age in the United Kingdom to act as a company director or register as a sole trader. If we discover that personal data relating to an individual under the age of 16 has been collected in error, we will delete it securely unless we are required to retain it by law.


15. Third-Party Links


Our website may link to third-party sites.

We are not responsible for their content or privacy practices.


16. Updates to This Policy


We may update this Privacy Policy from time to time.

The latest version will always appear on this page.


If material changes occur, we will notify customers by email.

17. Contact Us


The Hoxton Mix Limited

86–90 Paul Street

London

EC2A 4NE


Email: dataprotection@hoxtonmix.com

Updated on: 18/11/2025