1. INTRODUCTION & DATA CONTROLLER INFORMATION
1.1 Purpose of this Privacy Policy
The primary purpose of this Privacy Policy is to provide a comprehensive and transparent explanation of
how My Office Address Limited collects, processes, stores, and protects your personal data. In the
modern digital economy, and particularly within the highly regulated sector of Trust or Company Service
Providers (TCSP), the handling of personal information is not merely an administrative task but a critical
legal and ethical responsibility. We recognise that when you subscribe to our registered office or mail
handling services, you are entrusting us with sensitive detMY OFFICE ADDRESS LIMITED TERMS OF
SERVICEails about your professional identity, your business structures, and your private correspondence.
This policy is drafted to ensure that you understand exactly what happens to that data from the
moment you visit our website to the point at which your business relationship with us concludes.
Furthermore, this document serves to satisfy our “right to be informed” obligations under the UK
General Data Protection Regulation (UK GDPR). As an organisation supervised by HM Revenue &
Customs (HMRC) for anti-money laundering purposes, we are legally required to collect specific types of
high-stakes data, including biometric identity verification and corporate ownership details. The purpose
of this policy is to bridge the gap between these rigorous regulatory requirements and your individual
right to privacy. We aim to clarify the legal bases upon which we process your information, the third
party partners we engage to facilitate our services such as Veriff and Stripe and the stringent security
measures we have implemented to prevent unauthorised access or data breaches. By providing this
level of detail, we ensure that our clients can use our services with the confidence that their data
integrity is a core priority of our business operations.
1.2 Our Role as a Data Controller
Under the UK General Data Protection Regulation, My Office Address Limited acts as a “Data Controller”
for the personal information we collect from you. This means that we are the primary legal entity
responsible for determining the purposes for which, and the means by which, your personal data is
processed. Whether you are an individual director seeking a service address or a corporate entity
establishing a registered office, we take on the legal mantle of ensuring that your data is handled in
accordance with the principles of data protection: lawfulness, fairness, transparency, purpose limitation,
data minimisation, accuracy, storage limitation, integrity, and confidentiality. Our registration with the
Information Commissioner’s Office (ICO) as a fee-paying data controller further solidifies our
commitment to these national standards.
In our capacity as a Data Controller, we make critical decisions regarding which third-party “Data
Processors” we engage to assist in our service delivery. For instance, when we utilise Veriff for identity
verification or Stripe for payment processing, these entities act as processors following our specific
instructions and under strict contractual safeguards. However, the ultimate accountability for the safety
of your journey through our platform rests with us. We have appointed a dedicated internal compliance
lead who oversees our data protection strategy and ensures that our privacy practices are regularly
audited and updated in line with evolving UK legislation. As your Data Controller, we are your primary
point of contact for any enquiries regarding your personal information, and we are committed to
upholding your statutory rights at every stage of our professional engagement.
1.3 Key Definitions and Scope
To ensure that this Privacy Policy is accessible and clearly understood, it is essential to define the specific
scope and terminology used throughout the document. Personal Data refers to any information relating
to an identified or identifiable living individual; this includes obvious identifiers like your name and email
address, but also digital identifiers like your IP address. Special Category Data refers to more sensitive
information that requires a higher level of protection, which in our context specifically includes the
Biometric Data processed during the Veriff liveness check. Processing is a broad term that covers
everything we do with your data, including collecting, recording, organising, storing, retrieving, using,
disclosing, and eventually deleting it. The Services encompasses our full range of professional offerings,
including registered office facilities, director correspondence addresses, and digital mail handling.
The scope of this Privacy Policy extends to all visitors to our website, https://myofficeaddress.co.uk/, as
well as all active and former subscribers to our service plans. It covers data collected through our online
registration forms, our identity verification portal, and any correspondence handled through our mail
scanning and forwarding systems. It is important to note that while our services involve the receipt of
physical mail, the digital “footprint” created by scanning that mail also falls within the scope of this
policy. This framework does not apply to third-party websites or services that you may access through
links on our platform, nor does it govern the privacy practices of Companies House or HMRC, which
operate under their own statutory mandates. By engaging with My Office Address Limited, you
acknowledge that your data will be handled within the defined scope of this policy to ensure a secure
and regulator-compliant business address solution.
2. THE TYPES OF DATA WE COLLECT
2.1 Personal Identification Data
The collection of personal identification data is the foundational step in our relationship with any client.
From the moment you initiate the registration process on our website, we begin collecting information
that allows us to identify you as an individual and as a business operator. This category includes your full
legal name, including any middle names and previous surnames, your current residential address, your
date of birth, and your nationality. We also collect digital contact information, specifically a primary
email address and a telephone number, which are essential for the ongoing administration of your
account, the delivery of scanned mail notifications, and the issuance of statutory compliance alerts.
For corporate clients, this data collection extends to the details of all company officers. We require the
names and residential addresses of all directors, company secretaries, and any Persons with Significant
Control (PSC). It is important to note that while some of this information eventually becomes part of the
public record at Companies House, our collection of this data serves a private contractual and regulatory
purpose. We also collect information regarding your business’s trading name, nature of business, and
registered company number. This data allows us to ensure that the mail we receive is correctly
attributed to your account and that we have a clear understanding of the entity to which we are
providing a professional registered presence.
2.2 Statutory Compliance Data (AML/KYC)
As a regulated entity under the Money Laundering Regulations 2017, My Office Address Limited is
legally compelled to collect specific “Know Your Customer” (KYC) and Anti-Money Laundering (AML)
data. This category of data is more rigorous than standard commercial information and is used to
perform the mandatory “gatekeeper” checks required by HM Revenue & Customs. We collect high
resolution digital copies of your government-issued photographic identification, such as a valid UK or
international passport, a photocard driving licence, or a national identity card. These documents provide
the primary evidence of your identity and are subject to authenticity checks to ensure they have not
been forged or altered.
In addition to photographic ID, we collect secondary verification data to confirm your residential
address. This typically involves processing copies of utility bills, bank statements, or local authority tax
bills issued within the last three months. For corporate entities, we collect and analyse “Proof of
Incorporation” documents and “Shareholder Registers” to map the ultimate beneficial ownership of the
business. We are also required to collect data regarding your status as a Politically Exposed Person (PEP)
or your presence on global financial sanctions lists. This compliance data is stored in a highly secure,
encrypted environment and is used solely for the purpose of risk assessment and regulatory adherence.
Without the collection of this statutory data, we are legally prohibited from activating your business
address services.
2.3 Special Category Data (Biometrics via Veriff)
A distinctive and highly sensitive category of information we process is “Special Category Data,”
specifically in the form of biometric identifiers. To facilitate a secure non-face-to-face onboarding
process, we utilise the services of Veriff, an electronic identification provider. During the verification
phase, you are required to provide a live photograph of your face and, in some cases, a short video
capture. Veriff’s technology then extracts “biometric templates” from these images mathematical
representations of your facial geometry to compare them against the photograph on your identity
document. This process, known as “liveness detection,” ensures that the person applying for the service
is a real, living individual and matches the provided ID.
Under the UK GDPR, biometric data used for identification purposes is classified as special category
data, which warrants the highest level of protection. My Office Address Limited does not store your raw
biometric templates on our local servers; instead, we receive a “verification report” from Veriff
confirming whether the liveness check was successful. However, the initial processing of this data is a
mandatory requirement for our service. We only process this sensitive data with your explicit consent,
which is requested at the start of the Veriff session. You should be aware that the collection of this data
is essential for mitigating the risks of identity fraud and synthetic identity creation, which are prevalent
risks in the virtual office sector.
2.4 Technical and Usage Data
In addition to the information you actively provide, we automatically collect technical and usage data
when you interact with our digital platform. This includes your Internet Protocol (IP) address, login data,
browser type and version, time zone setting, browser plug-in types, operating system, and platform. We
also collect “Usage Data,” which provides insights into how you navigate our website, the duration of
your sessions, and the specific features of the client dashboard you utilise. This data is collected through
the use of cookies and similar tracking technologies, which are essential for maintaining the security of
your logged-in session and ensuring the stability of our integrated APIs, such as Stripe and Google
Address Autofill.
This technical data serves several critical functions. First, it helps us identify and prevent fraudulent login
attempts or unauthorised access to your account. For example, if an account is accessed from an
unusual geographic location or a suspicious device, our system may trigger additional security prompts.
Second, it allows us to optimise the performance of our website and improve the user experience based
on how clients interact with our mail scanning and account management tools. While much of this
technical data is pseudonymised or aggregated, it remains a vital part of our data ecosystem, ensuring
that My Office Address Limited remains a secure and efficient environment for your professional
corporate presence.
3. LEGAL BASES FOR PROCESSING
3.1 Contractual Necessity
The primary legal basis for the majority of our data processing is “Contractual Necessity.” When you
select a service plan and agree to our Terms of Service, a legally binding contract is formed between you
and My Office Address Limited. To fulfil our obligations under this contract namely, providing you with a
registered office address, a director service address, or mail handling facilities we must process certain
personal data. This includes using your contact details to manage your account, your financial data to
process payments via Stripe, and your name and company details to correctly identify and sort the
physical mail that arrives at our premises.
Without processing this data, it would be impossible for us to perform the services you have purchased.
For instance, we cannot notify you of received mail or provide digital scans if we do not process your
email address and digital login credentials. Contractual necessity also extends to the administration of
your account, such as sending renewal reminders or notifying you of changes to your service level. This
basis ensures that our data usage is strictly tied to the professional relationship you have initiated with
us, providing a clear and transparent justification for the day-to-day handling of your business
information.
3.2 Legal and Regulatory Obligations (HMRC/MLR 2017)
As a Trust or Company Service Provider (TCSP), My Office Address Limited operates in a “regulated
sector” subject to oversight by HM Revenue & Customs (HMRC). Under the Money Laundering, Terrorist
Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), we are under
a strict statutory obligation to conduct Customer Due Diligence (CDD) and ongoing monitoring. This legal
mandate provides the basis for our collection and processing of your government-issued identification,
proof of residential address, and information regarding your company’s beneficial ownership.
In this context, your privacy rights are balanced against the public interest in preventing financial crime,
money laundering, and the financing of terrorism. We do not process this high-stakes compliance data
because we want to, but because we are legally compelled to do so to maintain our licence to operate.
This legal obligation also requires us to retain your data for a minimum of five years after our business
relationship ends and, where necessary, to disclose relevant information to law enforcement or
regulatory bodies without your prior consent. Processing under this basis is non-negotiable; failure to
provide the data required for these legal checks will result in the immediate refusal or termination of
our services.
3.3 Legitimate Interests
In certain circumstances, we process your data based on our “Legitimate Interests” or the legitimate
interests of third parties. This applies to activities that are necessary for the smooth and secure
operation of our business but do not fall strictly under contractual or legal obligations. For example, we
have a legitimate interest in monitoring our website traffic and server logs to identify and prevent
cyberattacks, fraud, or unauthorised access to our client dashboard. Using your IP address and technical
usage data for security purposes is vital for protecting the data of all our clients and maintaining the
integrity of our digital infrastructure.
We also rely on legitimate interests for internal administrative purposes, such as conducting service
audits, improving our website functionality based on aggregated user behaviour, and managing our
professional relationship with you. We may also use this basis to send you occasional updates about
new service features or corporate news that we believe is highly relevant to your use of a UK business
address. When relying on this legal basis, we conduct a “balancing test” to ensure that our business
interests do not override your fundamental rights and freedoms. We aim to ensure that any processing
under legitimate interests is proportionate, expected, and carries minimal impact on your personal
privacy.
3.4 Explicit Consent for Biometrics
The processing of “Special Category Data” specifically the biometric facial recognition data used during
the Veriff verification process requires an even higher threshold of legal justification. Under Article 9 of
the UK GDPR, we process this sensitive data only when you provide your Explicit Consent. This consent is
sought at the beginning of the verification journey, where you are asked to clearly opt-in to the
biometric liveness check. This process involves the temporary analysis of your facial geometry to confirm
that the person presenting the ID is a live individual and matches the photograph on the document.
Because this data is uniquely personal, your consent must be freely given, specific, informed, and
unambiguous. You have the right to refuse to provide biometric data; however, because this is our
primary method for secure non-face-to-face identification, refusing consent may mean we are unable to
verify your identity to the standard required by HMRC, which would result in our inability to provide you
with a service. You may withdraw your consent for the processing of biometric data at any time,
although this will not affect the lawfulness of any processing that took place before the withdrawal.
Once the verification process is complete, we do not retain your raw biometric templates, ensuring that
this sensitive data is handled with the highest level of care and only for the specific purpose for which
you granted permission.
4. HOW WE USE YOUR INFORMATION
4.1 Service Delivery and Mail Handling
The most frequent use of your personal and corporate data occurs within our core mail handling
infrastructure. When physical mail arrives at our premises, our administrative team uses your registered
business name and the names of your officers to accurately sort and attribute the correspondence to
your account. This process requires us to cross-reference the “Addressee” on the envelope against our
internal database of active subscribers. Once sorted, your data is used to facilitate our “digital-first”
delivery model. We use your primary email address to send automated “Mail Received” alerts, ensuring
you are notified of time-sensitive documents, such as legal summons or HMRC notices, the moment
they are processed.
Furthermore, our mail scanning service involves the digital reproduction of your correspondence. We
use your unique account identifiers to label these PDF scans and upload them to your secure client
dashboard. If you have opted for physical mail forwarding, we use your designated “Forwarding
Address” which may differ from your residential address to print shipping labels and manifest packages
with the Royal Mail or third-party couriers. This operational use of your data is continuous and essential;
it transforms our physical premises into your virtual office, providing a seamless link between your
statutory obligations at Companies House and your daily business operations.
4.2 Identity Verification and Risk Assessment
A critical and mandatory use of your data involves the performance of Customer Due Diligence (CDD).
We use your government-issued identification, proof of address, and biometric data to conduct a
comprehensive risk assessment. This process is not a one-time event at onboarding; it is an ongoing
requirement under the Money Laundering Regulations 2017. We use your data to verify that the person
seeking our services is exactly who they claim to be and that the business entity is not a shell company
designed to facilitate financial crime. The biometric data processed via Veriff is used specifically for
“Liveness Detection,” ensuring that high-resolution photographs or video captures match the “static”
image on your passport or driving licence.
Beyond simple identification, we use your data to screen against global financial sanctions lists and
Politically Exposed Person (PEP) registers. This screening process allows us to assign a “Risk Rating” to
each client, which determines the level of ongoing monitoring required. For example, a business with a
complex international ownership structure may trigger “Enhanced Due Diligence” (EDD), requiring us to
use your data to investigate the source of wealth or the commercial rationale for the business. This use
of your information is a legal necessity that protects My Office Address Limited and our broader client
base from being inadvertently associated with illicit activities.
4.3 Financial Transactions and Billing
Your financial data is used exclusively to facilitate the commercial aspect of our relationship. When you
subscribe to a service plan, we use your payment information processed securely through Stripe to
execute the initial transaction and set up your recurring billing cycle. We use your billing address and
VAT status to generate accurate tax invoices, which are stored in your account for your own accounting
purposes. If your service involves “pay-as-you-go” elements, such as additional scanning fees or
international postage credits, we use your stored payment token to settle these ancillary charges as
they are incurred.
We also use your transaction history for internal financial auditing and to prevent payment fraud. By
monitoring patterns of payment, we can identify suspicious activity, such as multiple failed attempts
with different cards, which helps protect both our business and the global financial system. We do not
use your financial data for marketing or profiling; its use is strictly limited to the secure and efficient
settlement of the fees required to maintain your professional address and mail handling services. In the
event of a payment dispute or a request for a refund, we use your transaction records to conduct a fair
and transparent review of the financial history of your account.
4.4 Communications and Support
Finally, we use your contact data to maintain a high-quality support and communication channel. This
includes using your email address and telephone number to respond to your technical enquiries, provide
assistance with the identity verification process, or resolve issues with mail delivery. We also use your
data to send “Service Notifications” that are critical to the maintenance of your account, such as alerts
regarding an expiring identity document, a failed payment, or an upcoming subscription renewal. These
communications are not marketing-based; they are essential administrative updates that ensure you do
not inadvertently lose your legal right to use our address.
We may also use your data to gather feedback on our services through optional surveys, allowing us to
improve our platform based on real user experiences. If there are significant changes to our Terms of
Service or this Privacy Policy, we use your registered contact information to fulfill our legal duty to notify
you of these updates. Our communication with you is always professional and purpose-driven, ensuring
that you remain fully informed about the status of your virtual office and the security of your data. We
maintain a log of these communications to ensure that our support team has the necessary context to
assist you effectively whenever you reach out for help.
5. DATA SHARING & THIRD-PARTY INTEGRATIONS
5.1 Verification Partners (Veriff)
To satisfy our statutory obligations under the Money Laundering Regulations 2017, we utilise the
services of Veriff (Veriff OÜ), a specialist electronic identification and verification provider. When you
initiate the identity check on our platform, your personal data including your name, date of birth,
identity document images, and biometric facial data is shared with Veriff. Veriff acts as a “Data
Processor” on our behalf, using advanced AI and liveness detection technology to confirm that your
documents are authentic and that you are the rightful owner of those documents.
Veriff processes this data in a highly secure, ISO 27001 certified environment. Under our Data Processing
Agreement (DPA) with them, Veriff is strictly prohibited from using your data for any purpose other than
the verification service requested by us. They employ robust encryption both in transit and at rest.
While Veriff may use anonymised metadata to improve their fraud detection algorithms, your
identifiable biometric data is handled with the highest level of sensitivity. Once the verification is
complete, we receive a summary report; however, the raw biometric “templates” generated during the
session are not stored permanently by My Office Address Limited, ensuring that your most sensitive
data is only processed for the minimum time necessary to establish your identity.
5.2 Payment Processors (Stripe)
All financial transactions on the My Office Address Limited website are handled by Stripe (Stripe
Payments Europe, Ltd.). Stripe is a global leader in payment infrastructure and acts as an independent
Data Controller regarding your payment information. When you enter your credit or debit card details,
that information is sent directly to Stripe’s secure servers; it never passes through or resides on our local
infrastructure. We only receive a “token” from Stripe which allows us to process your recurring
subscription payments without ever seeing your full card number or CVC.
Stripe processes your personal data to facilitate payments, prevent fraud, and comply with financial
regulations. This includes the collection of your name, billing address, and transaction metadata. Stripe
is PCI-DSS Level 1 compliant, the most stringent security standard in the payments industry. Because
Stripe operates globally, your data may be transferred to their US-based parent company, Stripe, Inc.;
however, these transfers are protected by the UK Extension to the EU-U.S. Data Privacy Framework,
ensuring a level of protection equivalent to UK law. For more information on how Stripe handles your
information, we encourage you to review the Stripe Privacy Policy.
5.3 Statutory Bodies (HMRC, Companies House, Law Enforcement)
As a Trust or Company Service Provider (TCSP), we have a legal duty to share data with UK statutory and
regulatory bodies under specific circumstances. Our primary supervisor is HM Revenue & Customs
(HMRC). We are required to provide HMRC with access to our client records during routine compliance
audits or if they have specific concerns regarding a business relationship. This sharing is mandated by
Regulation 66 of the MLR 2017, and your consent is not required for these disclosures as they are a legal
obligation.
We also interact with Companies House. Under Regulation 30A of the MLR 2017, we are legally required
to report “material discrepancies” between the information we hold on your beneficial owners and the
information recorded on the public register. Furthermore, we will disclose your personal data to Law
Enforcement Agencies, such as the National Crime Agency (NCA) or the police, if we know or suspect
that a client is involved in money laundering, terrorist financing, or any other criminal act. In such cases,
we are legally prohibited from “tipping you off” about the disclosure. These data-sharing practices are
essential to the integrity of the UK’s financial system and are a non-negotiable part of our service.
5.4 Technical Service Providers (Google APIs)
To ensure our website is functional and user-friendly, we integrate several technical services provided
by Google (Google Ireland Limited). Specifically, we utilise the Google Maps API for address validation
and the Google Address Autofill feature during the registration process. When you type an address into
our forms, Google may process limited technical data, such as your IP address and the text you enter, to
provide accurate address suggestions. This processing is based on our “Legitimate Interest” in ensuring
that our records are accurate and that your mail is forwarded to a valid location.
We also use Google Analytics to monitor website performance and improve the user experience. This
involves the use of cookies to track anonymised usage patterns, such as which pages are visited most
frequently. Google acts as a Data Processor for these analytics, and we have configured our settings to
ensure that IP addresses are anonymised where possible. Google processes this data in accordance with
the UK GDPR and has certified its compliance with international data transfer standards. You can
manage your preferences for these technical cookies through our Cookie Consent Manager at any time.
6. INTERNATIONAL DATA TRANSFERS
6.1 Processing within the UK and EEA
The majority of our core data processing including the management of our primary mail handling
database and the storage of your scanned correspondence takes place on secure servers located within
the United Kingdom. However, as part of our commitment to operational resilience and high-speed
service delivery, we may utilise cloud-based infrastructure and software services that operate across the
European Economic Area (EEA). Under the UK’s current data protection framework, all countries within
the EEA are officially recognised as providing an “adequate” level of protection for personal data. This
means that when your information is processed in an EEA member state, it is treated with the same
legal rigour and subject to the same privacy standards as it would be within the UK.
This seamless flow of data between the UK and the EEA is supported by mutual adequacy decisions,
which were recently renewed in late 2025 and are currently set to remain in force until 2031. For our
clients, this ensures that using a digital-first service does not compromise their privacy rights. Whether
your data is being processed in London, Dublin, or Frankfurt, the fundamental principles of data
minimisation, purpose limitation, and security are strictly enforced. We continuously monitor the status
of these adequacy regulations to ensure that our internal data mapping remains aligned with the latest
requirements of the Information Commissioner’s Office (ICO).
6.2 Safeguards for Non-UK Transfers
When it is necessary to transfer your personal data to a country outside the UK or the EEA typically to
engage with global service providers like Stripe (for payments) or Veriff (for identity verification) we
implement stringent legal and technical safeguards. We do not transfer your data to any jurisdiction that
does not provide a level of protection “not materially lower” than that provided in the UK. For transfers
to the United States, we primarily rely on the UK Extension to the EU-U.S. Data Privacy Framework
(often referred to as the “UK-US Data Bridge”). This framework allows us to transfer data to US-based
organisations that have self-certified their commitment to a high standard of data privacy and are
subject to the oversight of the US Department of Commerce.
For example, both Stripe and Veriff participate in these certified frameworks, ensuring that your
financial and identification data is handled with a level of care that meets UK regulatory expectations.
Where a third-party provider is not covered by an adequacy decision or a specific data bridge, we
conduct a formal Transfer Risk Assessment (TRA). This assessment evaluates the local laws of the
destination country, particularly concerning government access to data, to ensure that your rights
remain enforceable. By maintaining these rigorous standards, My Office Address Limited ensures that
your professional data is never “exported” into a legal vacuum, but rather remains within a protected
global circuit of compliant service providers.
6.3 Adequacy Decisions and Standard Contractual Clauses
In instances where an adequacy decision is not available, My Office Address Limited utilises the
International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual
Clauses (SCCs). These are legally binding contracts pre-approved by the UK Government and the ICO.
They impose strict obligations on the data importer (the party receiving the data outside the UK) to
provide the same level of protection, security, and individual rights that you are entitled to under the UK
GDPR. These clauses act as a “safety net,” ensuring that even in jurisdictions with less robust privacy
laws, your data is governed by a private contract that grants you the right to legal redress.
We update our contractual arrangements in real-time as the ICO issues new versions of these transfer
tools, such as the scheduled updates in early 2026. This technical and legal layering combining adequacy
decisions, data bridges, and standard contractual clauses forms a “multi-tier” defence for your personal
information. You have the right to request a copy of the specific safeguards we have in place for any
international transfer affecting your account. Our goal is to ensure that while our services benefit from
global technological innovation, your privacy remains firmly anchored in the high standards of United
Kingdom law.
7. DATA SECURITY AND INTEGRITY
7.1 Technical Security Measures (Encryption/Firewalls)
The technical foundation of our security infrastructure is built upon “Security by Design” principles. All
data transmitted between your device and our servers is protected using high-grade Transport Layer
Security (TLS) encryption, typically 256-bit or higher. This ensures that sensitive information including
your identity documents, biometric data, and scanned mail is encrypted in transit, rendering it
unreadable to any unauthorised third parties or “man-in-the-middle” attackers. Once stored on our
servers, your data is “encrypted at rest” using Advanced Encryption Standard (AES) protocols. This dual
layer encryption strategy ensures that even in the highly unlikely event of a physical hardware breach,
your personal information remains securely locked behind cryptographic barriers.
To protect our digital perimeter, we employ enterprise-grade Web Application Firewalls (WAF) and
Intrusion Detection Systems (IDS). These systems act as a 24/7 digital sentry, monitoring incoming traffic
for malicious patterns, SQL injection attempts, and Distributed Denial of Service (DDoS) attacks. Our
server environment is logically isolated, meaning that public-facing website components are separated
from the secure databases that house your compliance and mail records. We also perform regular
vulnerability scanning and penetration testing, conducted by certified third-party cybersecurity
professionals, to identify and patch potential weaknesses before they can be exploited. This technical
rigour is essential for maintaining the trust required to handle the statutory and private correspondence
of thousands of UK businesses.
7.2 Organisational Safeguards (Access Controls)
Technical measures are only effective when supported by strict organisational “Access Controls.” At My
Office Address Limited, we operate on a “Principle of Least Privilege” (PoLP). This means that our staff
members are only granted access to the specific data points required to perform their immediate job
functions. For example, a mailroom administrator can see your business name to sort your post, but
they cannot access your private biometric verification reports or your full residential address unless
specifically authorised for a compliance review. All access to our internal systems is protected by Multi
Factor Authentication (MFA), requiring both a secure password and a unique time-sensitive code from a
physical device or authenticated app.
We maintain a comprehensive “Audit Log” of all internal data interactions. Every time a member of our
team views a document, scans a letter, or updates a client record, a permanent, timestamped entry is
created. This ensures full accountability and allows us to conduct retrospective reviews of data access if
any security concerns arise. Furthermore, all employees undergo mandatory data protection training
upon hiring and at annual intervals thereafter. This training covers the UK GDPR, the Data Protection Act
2018, and the specific handling requirements for “Special Category” biometric data. By fostering a
culture of security awareness, we ensure that the human element of our business is as resilient as our
technical firewalls.
7.3 Breach Notification Procedures
Despite our extensive safeguards, we maintain a robust “Data Breach Response Plan” to ensure we can
react with speed and transparency in the event of a security incident. A personal data breach is defined
as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data. If we identify such an event, our internal security team
immediately initiates a “Containment and Recovery” phase to limit the impact and secure our systems.
We then perform a “Risk Assessment” to determine the likelihood and severity of any potential harm to
our clients’ rights and freedoms.
In accordance with the UK GDPR, if a breach is likely to result in a risk to your rights (for example, if
identity documents or financial tokens are compromised), we are legally mandated to notify the
Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the incident.
Furthermore, if the breach is deemed “high risk” to you personally, we will notify you directly via your
registered email address without undue delay. Our notification will include a clear description of the
nature of the breach, the types of data involved, the likely consequences, and the specific steps we are
taking to mitigate the issue. We believe that honesty and rapid communication are the only professional
responses to a security challenge, and we are committed to supporting our clients through any
necessary remedial actions.
8. DATA RETENTION AND DELETION
8.1 Statutory Retention Periods (The 5-Year Rule)
As a Trust or Company Service Provider (TCSP) regulated by HM Revenue & Customs (HMRC), we are
subject to specific “Statutory Retention Periods” that override general data deletion requests. Under the
Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations
2017 (MLR 2017), we are legally mandated to retain all records relating to your identity verification and
business relationship for a period of five years. This five-year clock begins on the date that your business
relationship with My Office Address Limited formally ends for example, the date your subscription is
cancelled or terminated.
This “5-Year Rule” applies to the most sensitive data we hold, including copies of your passport or
driving licence, your proof of residential address, the results of your biometric “liveness” check from
Veriff, and the details of your beneficial ownership structure. These records are vital for the UK’s anti
money laundering framework, as they allow HMRC or law enforcement to conduct retrospective audits
if a business is later suspected of financial crime. You should be aware that during this five-year period,
we cannot fulfill a “Request for Erasure” (the Right to be Forgotten) regarding these specific compliance
documents, as our legal obligation to the UK government takes precedence over individual data deletion
preferences.
8.2 Non-Regulated Data Retention
For data that does not fall under the specific “gatekeeper” requirements of the MLR 2017, we apply a
more flexible and privacy-centric retention schedule. This includes technical usage data, general
administrative correspondence, and digital scans of your mail. We typically retain digital scans of your
received mail for a period of six months following the date of scanning, unless you have specifically
requested a longer storage period or a permanent deletion through your dashboard settings. This six
month window provides you with sufficient time to download and archive your documents while
ensuring our servers are not cluttered with outdated personal correspondence.
General enquiries from non-subscribers such as emails sent to our support desk that do not result in a
contract are typically retained for two years. This allows us to maintain a record of our interactions and
provide consistent support if you decide to return to our service at a later date. Financial transaction
records, such as invoices and payment metadata stored within our Stripe integration, are retained for
seven years in accordance with standard UK tax and accounting laws (the Taxes Management Act 1970).
Once these specific operational or financial periods have elapsed, the data is flagged for automated
deletion in our next scheduled system sweep.
8.3 Secure Disposal Protocols
When personal data reaches the end of its designated retention period, My Office Address Limited
employs “Secure Disposal Protocols” to ensure that the information is permanently and irretrievably
destroyed. For digital data, this involves “Cryptographic Erasure,” where the encryption keys for the
specific data blocks are destroyed, rendering the underlying data completely unreadable and
unrecoverable. We also perform “Data Overwriting” on our storage volumes to prevent any forensic
recovery of deleted files. This ensures that your digital “footprint,” including sensitive identity scans and
private mail PDFs, is entirely removed from our digital ecosystem.
Regarding physical documents, we maintain a strict “Zero-Landfill, Total-Shred” policy. Any physical mail
that is not forwarded to you and is marked for disposal as well as any physical copies of identification
documents we may have handled is processed through industrial-grade cross-cut shredding. This
process reduces documents to unidentifiable particles that meet the BS EN 15713 standard for secure
destruction of confidential material. Following the shredding process, the material is securely pulped
and recycled. By combining high-tech digital purging with high-security physical destruction, we ensure
that your data journey with My Office Address Limited ends with a clean and compliant exit.
9. YOUR LEGAL RIGHTS (UK GDPR)
9.1 Right of Access and Rectification
Under the UK GDPR, you have the fundamental Right of Access, commonly referred to as a Subject
Access Request (SAR). This allows you to request a copy of the personal data we hold about you, along
with a description of how we use it, who we share it with, and how long we intend to keep it. At My
Office Address Limited, we facilitate this right through your secure client dashboard, where much of
your data such as your contact details, service history, and scanned mail is available for immediate
viewing. However, if you require a formal comprehensive export of your full compliance file, you may
submit a request to our Data Protection Lead. We are committed to providing this information free of
charge and within one month of receiving your request, unless the request is particularly complex, in
which case we may extend the period by a further two months.
Accompanying the right of access is the Right to Rectification. We recognise that personal circumstances
change; you may move house, change your legal name, or update your business structure. If you
discover that any of the information we hold is inaccurate or incomplete, you have the right to have that
data corrected without undue delay. For basic contact information, you can perform these updates
directly through your account settings. For more sensitive data, such as a change in your residential
address or a new identity document, we will require you to provide supporting evidence to maintain the
integrity of our Anti-Money Laundering (AML) records. Ensuring the accuracy of your data is a shared
responsibility that protects the legality of your registered office service.
9.2 Right to Erasure and Restriction
The Right to Erasure, often called the “Right to be Forgotten,” allows you to request the deletion of your
personal data when it is no longer necessary for the purposes for which it was collected, or if you
withdraw the consent upon which the processing was based. However, as a regulated Trust or Company
Service Provider, this right is not absolute. As detailed in Section 8, we are legally mandated by HM
Revenue & Customs to retain your core identity and business relationship records for five years after our
contract ends. Therefore, while we can erase non-essential data such as technical usage logs or old
support tickets we cannot delete your statutory compliance files until this mandatory retention period
has elapsed.
In situations where erasure is not immediately possible or appropriate, you may exercise the Right to
Restriction of Processing. This allows you to ask us to “pause” the use of your data, for example, if you
are contesting the accuracy of the information or if you believe our processing is unlawful but you do
not want the data deleted. While processing is restricted, we are permitted to store the data but cannot
use it for any other purpose, such as scanning mail or verifying new services. This right acts as a
safeguard during disputes, ensuring that your information remains static and protected until the
underlying issue is resolved to your satisfaction.
9.3 Right to Data Portability
The Right to Data Portability is designed to give you the flexibility to move your personal information
between different service providers seamlessly. This right applies to data that you have provided to us
directly, which we process based on your consent or for the performance of our contract with you. Upon
request, we will provide this data in a structured, commonly used, and machine-readable format (such
as a CSV or JSON file). This allows you to transfer your business details, contact history, and service
preferences to another professional address provider without having to manually re-enter all your
information.
Data portability is particularly useful for growing businesses that may be transitioning to a physical office
or switching to a different administrative partner. It ensures that you are not “locked in” to our
ecosystem by the weight of your own data. Please note that this right specifically covers the data you
provided to us; it does not necessarily cover the internal “risk scores” or compliance notes generated by
our administrative team during the due diligence process. We aim to process all portability requests
within the statutory one-month timeframe, supporting your business’s agility and your right to choose
your service partners.
9.4 Right to Withdraw Consent
For any processing activity that relies on your consent as a legal basis most notably the Biometric
Identity Verification conducted via Veriff you have the absolute Right to Withdraw Consent at any time.
Withdrawing your consent is as easy as giving it; you can notify us of your decision through your account
dashboard or by contacting our support team. Once consent is withdrawn, we will cease the specific
processing activity immediately. For example, if you withdraw consent for biometric processing during
the onboarding phase, the Veriff session will be terminated, and no biometric templates will be
generated.
It is important to understand the practical implications of withdrawing consent. Because biometric
verification is our primary method for satisfying HMRC’s non-face-to-face identification requirements,
withdrawing this consent may mean we are unable to complete your Customer Due Diligence (CDD). In
such cases, we may be legally prohibited from providing you with a registered office or mail handling
service, leading to the cancellation of your subscription. While the withdrawal of consent does not affect
the lawfulness of any processing that occurred before the withdrawal, it allows you to regain control
over your most sensitive “Special Category” data whenever you choose.
10. COOKIES, TRACKING & AUTOMATED DECISION-MAKING
10.1 Use of Cookies
To provide a secure and functional digital experience, My Office Address Limited uses cookies and
similar tracking technologies (such as pixels and local storage). We categorise our cookies into two
distinct groups to ensure you have granular control over your privacy. Strictly Necessary Cookies are
essential for the operation of our website; they enable core functionality such as secure login to your
client dashboard, the processing of payments via Stripe, and the maintenance of your session state.
Under UK law, these cookies do not require your prior consent, as our services cannot function safely
without them.
Non-Essential Cookies, which include analytical and functional trackers, are only deployed if you provide
your explicit consent through our cookie banner. We use Google Analytics to understand how visitors
interact with our site, which helps us optimise our mail handling workflows and technical performance.
These cookies collect pseudonymised data, such as your browser type and the pages you visit, but they
do not identify you personally. We also utilise Functional Cookies to remember your preferences, such
as your language settings or whether you have already acknowledged our compliance alerts. We
maintain a “Prior Blocking” policy, meaning no non-essential cookies will fire until you have actively
selected your preferences.
10.2 Automated Compliance
Scoring As part of our commitment to preventing financial crime, My Office Address Limited utilises
automated systems to assist in our Customer Due Diligence (CDD) and risk assessment processes. When
you submit your identity documents and biometric data through Veriff, an automated algorithm
performs a primary analysis to detect potential fraud, document tampering, or “spoofing” attempts. This
system generates a preliminary “Compliance Score” based on the authenticity of your ID and the results
of the biometric liveness check. This automated scoring allows us to process the high volume of
applications we receive with the speed and accuracy required for a modern virtual office service.
We recognise that automated decisions can have significant effects on your ability to access our
services. Therefore, in accordance with Section 80 of the Data (Use and Access) Act 2025, we do not rely
on “solely” automated decision-making for any high-stakes outcome. Every application that is flagged as
“High Risk” or “Rejected” by our automated systems is subject to a Meaningful Human Review by our
compliance team. Our officers have the authority to override the automated score, request additional
documentation, or manually approve an application. You have the right to contest any decision made
through these systems, to express your point of view, and to request that a human member of our staff
explains the logic behind the assessment.
10.3 Opt-Out Mechanisms
You have absolute control over the non-essential tracking technologies used on our platform. Our
website features a permanently accessible Cookie Preference Centre, typically located in the footer of
our homepage, which allows you to change or withdraw your consent at any time. If you opt-out of
analytical cookies, we will immediately cease the collection of your usage data. Furthermore, we respect
“Global Privacy Control” (GPC) signals and “Do Not Track” settings sent by your browser, automatically
adjusting our tracking behaviour to match your global privacy preferences where technically possible.
Regarding our automated compliance processes, while you cannot “opt-out” of the initial risk screening
(as it is a statutory requirement for us to provide the service), you can opt-out of having a final decision
made without human intervention. By contacting our Data Protection Lead, you can request that your
application is handled entirely through our manual verification workflow. Please be aware that opting
for manual-only processing may result in longer activation times for your business address. We believe
that by providing these clear opt-out mechanisms and human-in-the-loop safeguards, we strike the
correct balance between technological efficiency and your fundamental rights under the UK GDPR.
11. CHANGES TO THIS POLICY AND CONTACT INFORMATION
11.1 Amendment Process
My Office Address Limited reserves the right to amend this Privacy Policy at any time to reflect changes
in our professional practices, technological integrations, or the regulatory landscape of the UK. As a
supervised Trust or Company Service Provider (TCSP), we must ensure our data handling remains
aligned with the latest guidance from the Information Commissioner’s Office (ICO) and HM Revenue &
Customs (HMRC). Significant updates may be driven by new legislation, such as the Data (Use and
Access) Act 2025, or by changes in the way our third-party partners, like Veriff or Stripe, process
information on our behalf.
When material changes are made to this policy, we will notify you by updating the “Effective Date” at
the top of this document and, where appropriate, by sending a direct notification to the primary email
address associated with your account. We encourage you to review this policy periodically to stay
informed about how we are protecting your information. Your continued use of our registered office or
mail handling services following the publication of an updated policy constitutes your acknowledgement
of the revised practices. If you do not agree with any changes made to this policy, you maintain the right
to terminate your subscription and request the deletion of your non-statutory data in accordance with
our retention schedule.
11.2 Dedicated Privacy Contact (DPO/Compliance Lead)
To ensure the highest level of accountability, My Office Address Limited has appointed a dedicated
Compliance and Data Protection Lead who oversees our privacy strategy and serves as the primary point
of contact for all data-related enquiries. Whether you wish to submit a Subject Access Request (SAR),
exercise your Right to Rectification, or simply seek clarity on how your biometric data is processed
during the identity verification phase, our Compliance Lead is available to assist you. We aim to foster an
open and professional dialogue regarding privacy, ensuring that your concerns are addressed with the
same rigour as our statutory mail handling duties.
You may contact our Compliance Lead directly by emailing admin@myofficeaddress.co.uk with the
subject line “Data Protection Enquiry.” Alternatively, formal written correspondence can be sent to our
physical headquarters: My Office Address Limited, [Insert Physical Office Address], United Kingdom. We
are committed to responding to all legitimate privacy enquiries within one month of receipt. For
complex requests, we will notify you within the initial month if an extension is required. Our goal is to
provide you with clear, concise, and helpful information that allows you to manage your professional
“digital footprint” with absolute confidence.
11.3 Right to Lodge a Complaint with the ICO
While we strive to resolve all privacy concerns through our internal compliance channels, you have the
statutory Right to Lodge a Complaint with the UK’s independent supervisory authority for data
protection. If you believe that My Office Address Limited has not handled your personal information in
accordance with the UK GDPR or the Data Protection Act 2018, or if you are dissatisfied with our
response to a data rights request, you may contact the Information Commissioner’s Office (ICO). The ICO
serves as the national ombudsman for privacy matters and has the power to investigate and take
enforcement action against organisations that fail to uphold their data protection obligations.
We would, however, appreciate the opportunity to address your concerns directly before you approach
the regulator. In many cases, a simple administrative clarification or a review of our internal logs can
resolve a misunderstanding regarding mail scanning or identity verification. If you choose to escalate a
matter to the ICO, you can do so via their official website at https://ico.org.uk/make-a-complaint/ or by
calling their helpline at 0303 123 1113. Our ICO Registration Number is available upon request,
confirming our status as a registered and fee-paying data controller committed to the highest standards
of British data privacy.