The primary purpose of this Privacy Policy is to provide a comprehensive and transparent explanation of how My Office Address Limited collects, processes, stores, and protects your personal data. In the modern digital economy, and particularly within the highly regulated sector of Trust or Company Service Providers (TCSP), the handling of personal information is not merely an administrative task but a critical legal and ethical responsibility. We recognise that when you subscribe to our registered office or mail handling services, you are entrusting us with sensitive details regarding your professional identity, your business structures, and your private correspondence. This policy is drafted to ensure that you understand exactly what happens to that data from the moment you visit our website to the point at which your business relationship with us concludes.
Furthermore, this document serves to satisfy our obligation to uphold your right to be informed under the UK General Data Protection Regulation (UK GDPR). As an organisation supervised by HM Revenue & Customs (HMRC) for anti-money laundering purposes, we are legally required to collect specific types of high-stakes data, including biometric identity verification and corporate ownership details. The purpose of this policy is to bridge the gap between these rigorous regulatory requirements and your individual right to privacy. We aim to clarify the legal bases upon which we process your information, the third-party partners we engage to facilitate our services such as Veriff and Stripe, and the stringent security measures we have implemented to prevent unauthorised access or data breaches.
Under the UK General Data Protection Regulation, My Office Address Limited acts as a data controller for the personal information we collect from you. This means that we are the primary legal entity responsible for determining the purposes for which, and the means by which, your personal data is processed. Whether you are an individual director seeking a service address or a corporate entity establishing a registered office, we take on the legal mantle of ensuring that your data is handled in accordance with the principles of data protection: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality. Our registration with the Information Commissioner’s Office (ICO) as a fee-paying data controller further solidifies our commitment to these national standards.
In our capacity as a Data Controller, we make critical decisions regarding which third-party data processors we engage to assist in our service delivery. For instance, when we utilise Veriff for identity verification or Stripe for payment processing, these entities act as processors following our specific instructions and under strict contractual safeguards. However, the ultimate accountability for the safety of your journey through our platform rests with us. We have appointed a dedicated internal compliance lead who oversees our data protection strategy and ensures that our privacy practices are regularly audited and updated in line with evolving UK legislation. As your Data Controller, we are your primary point of contact for any enquiries regarding your personal information, and we are committed to upholding your statutory rights at every stage of our professional engagement.
Key Definitions and Scope
The collection of personal identification data is the foundational step in our relationship with any client. From the moment you initiate the registration process on our website, we begin collecting information that allows us to identify you as an individual and as a business operator. This category includes your full legal name, including any middle names and previous surnames, your current residential address, your date of birth, and your nationality. We also collect digital contact information, specifically a primary email address and a telephone number, which are essential for the ongoing administration of your account, the delivery of scanned mail notifications, and the issuance of statutory compliance alerts.
For corporate clients, this data collection extends to the details of all company officers. We require the names and residential addresses of all directors, company secretaries, and any Persons with Significant Control (PSC). It is important to note that while some of this information eventually becomes part of the public record at Companies House, our collection of this data serves a private contractual and regulatory purpose. We also collect information regarding your business’s trading name, nature of business, and registered company number. This data allows us to ensure that the mail we receive is correctly attributed to your account and that we have a clear understanding of the entity to which we are providing a professional registered presence.
As a regulated entity under the Money Laundering Regulations 2017, My Office Address Limited is legally compelled to collect specific Know Your Customer (KYC) and Anti-Money Laundering (AML) data. This category of data is more rigorous than standard commercial information and is used to perform the mandatory gatekeeper checks required by HM Revenue & Customs. We collect high-resolution digital copies of your government-issued photographic identification, such as a valid UK or international passport, a photocard driving licence, or a national identity card. These documents provide the primary evidence of your identity and are subject to authenticity checks to ensure they have not been forged or altered.
In addition to photographic ID, we collect secondary verification data to confirm your residential address. This typically involves processing copies of utility bills, bank statements, or local authority tax bills issued within the last three months. For corporate entities, we collect and analyse proof of Incorporation documents and shareholder registers to map the ultimate beneficial ownership of the business. We are also required to collect data regarding your status as a Politically Exposed Person (PEP) or your presence on global financial sanctions lists. This compliance data is stored in a highly secure, encrypted environment and is used solely for the purpose of risk assessment and regulatory adherence. Without the collection of this statutory data, we are legally prohibited from activating your business address services.
A distinctive and highly sensitive category of information we process is special category data, specifically in the form of biometric identifiers. To facilitate a secure non-face-to-face onboarding process, we utilise the services of Veriff, an electronic identification provider. During the verification phase, you are required to provide a live photograph of your face and, in some cases, a short video capture. Veriff’s technology then extracts biometric templates from these images mathematical representations of your facial geometry to compare them against the photograph on your identity document. This process, known as liveness detection, ensures that the person applying for the service is a real, living individual and matches the provided ID.
Under the UK GDPR, biometric data used for identification purposes is classified as special category data, which warrants the highest level of protection. My Office Address Limited does not store your raw biometric templates on our local servers; instead, we receive a verification report from Veriff confirming whether the liveness check was successful. However, the initial processing of this data is a mandatory requirement for our service. We only process this sensitive data with your explicit consent, which is requested at the start of the Veriff session. You should be aware that the collection of this data is essential for mitigating the risks of identity fraud and synthetic identity creation, which are prevalent risks in the virtual office sector.
In addition to the information you actively provide, we automatically collect technical and usage data when you interact with our digital platform. This includes your Internet Protocol (IP) address, login data, browser type and version, time zone setting, browser plug-in types, operating system, and platform. We also collect usage data, which provides insights into how you navigate our website, the duration of your sessions, and the specific features of the client dashboard you utilise. This data is collected through the use of cookies and similar tracking technologies, which are essential for maintaining the security of your logged-in session and ensuring the stability of our integrated APIs, such as Stripe and Google Address Autofill.
This technical data serves several critical functions. First, it helps us identify and prevent fraudulent login attempts or unauthorised access to your account. For example, if an account is accessed from an unusual geographic location or a suspicious device, our system may trigger additional security prompts. Second, it allows us to optimise the performance of our website and improve the user experience based on how clients interact with our mail scanning and account management tools. While much of this technical data is pseudonymised or aggregated, it remains a vital part of our data ecosystem, ensuring that My Office Address Limited remains a secure and efficient environment for your professional corporate presence.
The primary legal basis for the majority of our data processing is contractual necessity. When you select a service plan and agree to our Terms of Service, a legally binding contract is formed between you and My Office Address Limited. To fulfil our obligations under this contract namely, providing you with a registered office address, a director service address, or mail handling facilities we must process certain personal data. This includes using your contact details to manage your account, your financial data to process payments via Stripe, and your name and company details to correctly identify and sort the physical mail that arrives at our premises.
Without processing this data, it would be impossible for us to perform the services you have purchased. For instance, we cannot notify you of received mail or provide digital scans if we do not process your email address and digital login credentials. Contractual necessity also extends to the administration of your account, such as sending renewal reminders or notifying you of changes to your service level. This basis ensures that our data usage is strictly tied to the professional relationship you have initiated with us, providing a clear and transparent justification for the day-to-day handling of your business information.
As a Trust or Company Service Provider (TCSP), My Office Address Limited operates in a regulated sector subject to oversight by HM Revenue & Customs (HMRC). Under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), we are under a strict statutory obligation to conduct Customer Due Diligence (CDD) and ongoing monitoring. This legal mandate provides the basis for our collection and processing of your government-issued identification, proof of residential address, and information regarding your company’s beneficial ownership.
In this context, your privacy rights are balanced against the public interest in preventing financial crime, money laundering, and the financing of terrorism. We do not process this high-stakes compliance data because we want to, but because we are legally compelled to do so to maintain our licence to operate. This legal obligation also requires us to retain your data for a minimum of five years after our business relationship ends and, where necessary, to disclose relevant information to law enforcement or regulatory bodies without your prior consent. Processing under this basis is non-negotiable; failure to provide the data required for these legal checks will result in the immediate refusal or termination of our services.
In certain circumstances, we process your data based on our legitimate Interests or the legitimate interests of third parties. This applies to activities that are necessary for the smooth and secure operation of our business but do not fall strictly under contractual or legal obligations. For example, we have a legitimate interest in monitoring our website traffic and server logs to identify and prevent cyberattacks, fraud, or unauthorised access to our client dashboard. Using your IP address and technical usage data for security purposes is vital for protecting the data of all our clients and maintaining the integrity of our digital infrastructure.
We also rely on legitimate interests for internal administrative purposes, such as conducting service audits, improving our website functionality based on aggregated user behaviour, and managing our professional relationship with you. We may also use this basis to send you occasional updates about new service features or corporate news that we believe is highly relevant to your use of a UK business address. When relying on this legal basis, we conduct a balancing test to ensure that our business interests do not override your fundamental rights and freedoms. We aim to ensure that any processing under legitimate interests is proportionate, expected, and carries minimal impact on your personal privacy.
The processing of special category data specifically the biometric facial recognition data used during the Veriff verification process requires an even higher threshold of legal justification. Under Article 9 of the UK GDPR, we process this sensitive data only when you provide your Explicit Consent. This consent is sought at the beginning of the verification journey, where you are asked to clearly opt-in to the biometric liveness check. This process involves the temporary analysis of your facial geometry to confirm that the person presenting the ID is a live individual and matches the photograph on the document.
Because this data is uniquely personal, your consent must be freely given, specific, informed, and unambiguous. You have the right to refuse to provide biometric data; however, because this is our primary method for secure non-face-to-face identification, refusing consent may mean we are unable to verify your identity to the standard required by HMRC, which would result in our inability to provide you with a service. You may withdraw your consent for the processing of biometric data at any time, although this will not affect the lawfulness of any processing that took place before the withdrawal. Once the verification process is complete, we do not retain your raw biometric templates, ensuring that this sensitive data is handled with the highest level of care and only for the specific purpose for which you granted permission.
The most frequent use of your personal and corporate data occurs within our core mail handling infrastructure. When physical mail arrives at our premises, our administrative team uses your registered business name and the names of your officers to accurately sort and attribute the correspondence to your account. This process requires us to cross-reference the addressee on the envelope against our internal database of active subscribers. Once sorted, your data is used to facilitate our digital-first delivery model. We use your primary email address to send automated mail received alerts, ensuring you are notified of time-sensitive documents, such as legal summons or HMRC notices, the moment they are processed.
Furthermore, our mail scanning service involves the digital reproduction of your correspondence. We use your unique account identifiers to label these PDF scans and upload them to your secure client dashboard. If you have opted for physical mail forwarding, we use your designated forwarding address which may differ from your residential address to print shipping labels and manifest packages with the Royal Mail or third-party couriers. This operational use of your data is continuous and essential; it transforms our physical premises into your virtual office, providing a seamless link between your statutory obligations at Companies House and your daily business operations.
A critical and mandatory use of your data involves the performance of Customer Due Diligence (CDD). We use your government-issued identification, proof of address, and biometric data to conduct a comprehensive risk assessment. This process is not a one-time event at onboarding; it is an ongoing requirement under the Money Laundering Regulations 2017. We use your data to verify that the person seeking our services is exactly who they claim to be and that the business entity is not a shell company designed to facilitate financial crime. The biometric data processed via Veriff is used specifically for liveness detection, ensuring that high-resolution photographs or video captures match the static image on your passport or driving licence.
Beyond simple identification, we use your data to screen against global financial sanctions lists and Politically Exposed Person (PEP) registers. This screening process allows us to assign a risk rating to each client, which determines the level of ongoing monitoring required. For example, a business with a complex international ownership structure may trigger Enhanced Due Diligence (EDD), requiring us to use your data to investigate the source of wealth or the commercial rationale for the business. This use of your information is a legal necessity that protects My Office Address Limited and our broader client base from being inadvertently associated with illicit activities.
Your financial data is used exclusively to facilitate the commercial aspect of our relationship. When you subscribe to a service plan, we use your payment information processed securely through Stripe to execute the initial transaction and set up your recurring billing cycle. We use your billing address and VAT status to generate accurate tax invoices, which are stored in your account for your own accounting purposes. If your service involves pay-as-you-go elements, such as additional scanning fees or international postage credits, we use your stored payment token to settle these ancillary charges as they are incurred.
We also use your transaction history for internal financial auditing and to prevent payment fraud. By monitoring patterns of payment, we can identify suspicious activity, such as multiple failed attempts with different cards, which helps protect both our business and the global financial system. We do not use your financial data for marketing or profiling; its use is strictly limited to the secure and efficient settlement of the fees required to maintain your professional address and mail handling services. In the event of a payment dispute or a request for a refund, we use your transaction records to conduct a fair and transparent review of the financial history of your account.
Finally, we use your contact data to maintain a high-quality support and communication channel. This includes using your email address and telephone number to respond to your technical enquiries, provide assistance with the identity verification process, or resolve issues with mail delivery. We also use your data to send service notifications that are critical to the maintenance of your account, such as alerts regarding an expiring identity document, a failed payment, or an upcoming subscription renewal. These communications are not marketing-based; they are essential administrative updates that ensure you do not inadvertently lose your legal right to use our address.
We may also use your data to gather feedback on our services through optional surveys, allowing us to improve our platform based on real user experiences. If there are significant changes to our Terms of Service or this Privacy Policy, we use your registered contact information to fulfill our legal duty to notify you of these updates. Our communication with you is always professional and purpose-driven, ensuring that you remain fully informed about the status of your virtual office and the security of your data. We maintain a log of these communications to ensure that our support team has the necessary context to assist you effectively whenever you reach out for help.
To satisfy our statutory obligations under the Money Laundering Regulations 2017, we utilise the services of Veriff (Veriff OÜ), a specialist electronic identification and verification provider. When you initiate the identity check on our platform, your personal data including your name, date of birth, identity document images, and biometric facial data is shared with Veriff. Veriff acts as a data processor on our behalf, using advanced AI and liveness detection technology to confirm that your documents are authentic and that you are the rightful owner of those documents.
Veriff processes this data in a highly secure, ISO 27001 certified environment. Under our Data Processing Agreement (DPA) with them, Veriff is strictly prohibited from using your data for any purpose other than the verification service requested by us. They employ robust encryption both in transit and at rest. While Veriff may use anonymised metadata to improve their fraud detection algorithms, your identifiable biometric data is handled with the highest level of sensitivity. Once the verification is complete, we receive a summary report; however, the raw biometric templates generated during the session are not stored permanently by My Office Address Limited, ensuring that your most sensitive data is only processed for the minimum time necessary to establish your identity.
All financial transactions on the My Office Address Limited website are handled by Stripe (Stripe Payments Europe, Ltd.). Stripe is a global leader in payment infrastructure and acts as an independent Data Controller regarding your payment information. When you enter your credit or debit card details, that information is sent directly to Stripe’s secure servers; it never passes through or resides on our local infrastructure. We only receive a token from Stripe which allows us to process your recurring subscription payments without ever seeing your full card number or CVC.
Stripe processes your personal data to facilitate payments, prevent fraud, and comply with financial regulations. This includes the collection of your name, billing address, and transaction metadata. Stripe is PCI-DSS Level 1 compliant, the most stringent security standard in the payments industry. Because Stripe operates globally, your data may be transferred to their US-based parent company, Stripe, Inc.; however, these transfers are protected by the UK Extension to the EU-U.S. Data Privacy Framework, ensuring a level of protection equivalent to UK law. For more information on how Stripe handles your information, we encourage you to review the Stripe Privacy Policy.
As a Trust or Company Service Provider (TCSP), we have a legal duty to share data with UK statutory and regulatory bodies under specific circumstances. Our primary supervisor is HM Revenue & Customs (HMRC). We are required to provide HMRC with access to our client records during routine compliance audits or if they have specific concerns regarding a business relationship. This sharing is mandated by Regulation 66 of the MLR 2017, and your consent is not required for these disclosures as they are a legal obligation.
We also interact with Companies House. Under Regulation 30A of the MLR 2017, we are legally required to report material discrepancies between the information we hold on your beneficial owners and the information recorded on the public register. Furthermore, we will disclose your personal data to Law Enforcement Agencies, such as the National Crime Agency (NCA) or the police, if we know or suspect that a client is involved in money laundering, terrorist financing, or any other criminal act. In such cases, we are legally prohibited from tipping you off about the disclosure. These data-sharing practices are essential to the integrity of the UK’s financial system and are a non-negotiable part of our service.
To ensure our website is functional and user-friendly, we integrate several technical services provided by Google (Google Ireland Limited). Specifically, we utilise the Google Maps API for address validation and the Google Address Autofill feature during the registration process. When you type an address into our forms, Google may process limited technical data, such as your IP address and the text you enter, to provide accurate address suggestions. This processing is based on our legitimate Interest in ensuring that our records are accurate and that your mail is forwarded to a valid location.
We also use Google Analytics to monitor website performance and improve the user experience. This involves the use of cookies to track anonymised usage patterns, such as which pages are visited most frequently. Google acts as a Data Processor for these analytics, and we have configured our settings to ensure that IP addresses are anonymised where possible. Google processes this data in accordance with the UK GDPR and has certified its compliance with international data transfer standards. You can manage your preferences for these technical cookies through our Cookie Consent Manager at any time.
The majority of our core data processing including the management of our primary mail handling database and the storage of your scanned correspondence takes place on secure servers located within the United Kingdom. However, as part of our commitment to operational resilience and high-speed service delivery, we may utilise cloud-based infrastructure and software services that operate across the European Economic Area (EEA). Under the UK’s current data protection framework, all countries within the EEA are officially recognised as providing an adequate level of protection for personal data. This means that when your information is processed in an EEA member state, it is treated with the same legal rigour and subject to the same privacy standards as it would be within the UK.
This seamless flow of data between the UK and the EEA is supported by mutual adequacy decisions, which were recently renewed in late 2025 and are currently set to remain in force until 2031. For our clients, this ensures that using a digital-first service does not compromise their privacy rights. Whether your data is being processed in London, Dublin, or Frankfurt, the fundamental principles of data minimisation, purpose limitation, and security are strictly enforced. We continuously monitor the status of these adequacy regulations to ensure that our internal data mapping remains aligned with the latest requirements of the Information Commissioner’s Office (ICO).
When it is necessary to transfer your personal data to a country outside the UK or the EEA typically to engage with global service providers like Stripe (for payments) or Veriff (for identity verification) we implement stringent legal and technical safeguards. We do not transfer your data to any jurisdiction that does not provide a level of protection not materially lower than that provided in the UK. For transfers to the United States, we primarily rely on the UK Extension to the EU-U.S. Data Privacy Framework (often referred to as the UK-US Data Bridge). This framework allows us to transfer data to US-based organisations that have self-certified their commitment to a high standard of data privacy and are subject to the oversight of the US Department of Commerce.
For example, both Stripe and Veriff participate in these certified frameworks, ensuring that your financial and identification data is handled with a level of care that meets UK regulatory expectations. Where a third-party provider is not covered by an adequacy decision or a specific data bridge, we conduct a formal Transfer Risk Assessment (TRA). This assessment evaluates the local laws of the destination country, particularly concerning government access to data, to ensure that your rights remain enforceable. By maintaining these rigorous standards, My Office Address Limited ensures that your professional data is never exported into a legal vacuum, but rather remains within a protected global circuit of compliant service providers.
In instances where an adequacy decision is not available, My Office Address Limited utilises the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs). These are legally binding contracts pre-approved by the UK Government and the ICO. They impose strict obligations on the data importer (the party receiving the data outside the UK) to provide the same level of protection, security, and individual rights that you are entitled to under the UK GDPR. These clauses act as a safety net, ensuring that even in jurisdictions with less robust privacy laws, your data is governed by a private contract that grants you the right to legal redress.
We update our contractual arrangements in real-time as the ICO issues new versions of these transfer tools, such as the scheduled updates in early 2026. This technical and legal layering combining adequacy decisions, data bridges, and standard contractual clauses forms a multi-tier defence for your personal information. You have the right to request a copy of the specific safeguards we have in place for any international transfer affecting your account. Our goal is to ensure that while our services benefit from global technological innovation, your privacy remains firmly anchored in the high standards of United Kingdom law.
The technical foundation of our security infrastructure is built upon security by design principles. All data transmitted between your device and our servers is protected using high-grade Transport Layer Security (TLS) encryption, typically 256-bit or higher. This ensures that sensitive information including your identity documents, biometric data, and scanned mail is encrypted in transit, rendering it unreadable to any unauthorised third parties or man-in-the-middle attackers. Once stored on our servers, your data is encrypted at rest using Advanced Encryption Standard (AES) protocols. This dual-layer encryption strategy ensures that even in the highly unlikely event of a physical hardware breach, your personal information remains securely locked behind cryptographic barriers.
To protect our digital perimeter, we employ enterprise-grade Web Application Firewalls (WAF) and Intrusion Detection Systems (IDS). These systems act as a 24/7 digital sentry, monitoring incoming traffic for malicious patterns, SQL injection attempts, and Distributed Denial of Service (DDoS) attacks. Our server environment is logically isolated, meaning that public-facing website components are separated from the secure databases that house your compliance and mail records. We also perform regular vulnerability scanning and penetration testing, conducted by certified third-party cybersecurity professionals, to identify and patch potential weaknesses before they can be exploited. This technical rigour is essential for maintaining the trust required to handle the statutory and private correspondence of thousands of UK businesses.
Technical measures are only effective when supported by strict organisational access controls. At My Office Address Limited, we operate on a Principle of Least Privilege (PoLP). This means that our staff members are only granted access to the specific data points required to perform their immediate job functions. For example, a mailroom administrator can see your business name to sort your post, but they cannot access your private biometric verification reports or your full residential address unless specifically authorised for a compliance review. All access to our internal systems is protected by Multi-Factor Authentication (MFA), requiring both a secure password and a unique time-sensitive code from a physical device or authenticated app.
We maintain a comprehensive audit Log of all internal data interactions. Every time a member of our team views a document, scans a letter, or updates a client record, a permanent, timestamped entry is created. This ensures full accountability and allows us to conduct retrospective reviews of data access if any security concerns arise. Furthermore, all employees undergo mandatory data protection training upon hiring and at annual intervals thereafter. This training covers the UK GDPR, the Data Protection Act 2018, and the specific handling requirements for Special Category biometric data. By fostering a culture of security awareness, we ensure that the human element of our business is as resilient as our technical firewalls.
Despite our extensive safeguards, we maintain a robust data breach response plan to ensure we can react with speed and transparency in the event of a security incident. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. If we identify such an event, our internal security team immediately initiates a containment and recovery phase to limit the impact and secure our systems. We then perform a risk assessment to determine the likelihood and severity of any potential harm to our clients’ rights and freedoms.
In accordance with the UK GDPR, if a breach is likely to result in a risk to your rights (for example, if identity documents or financial tokens are compromised), we are legally mandated to notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the incident. Furthermore, if the breach is deemed high risk to you personally, we will notify you directly via your registered email address without undue delay. Our notification will include a clear description of the nature of the breach, the types of data involved, the likely consequences, and the specific steps we are taking to mitigate the issue. We believe that honesty and rapid communication are the only professional responses to a security challenge, and we are committed to supporting our clients through any necessary remedial actions.
As a Trust or Company Service Provider (TCSP) regulated by HM Revenue & Customs (HMRC), we are subject to specific statutory retention periods that override general data deletion requests. Under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), we are legally mandated to retain all records relating to your identity verification and business relationship for a period of five years. This five-year clock begins on the date that your business relationship with My Office Address Limited formally ends for example, the date your subscription is cancelled or terminated.
This 5-Year rule applies to the most sensitive data we hold, including copies of your passport or driving licence, your proof of residential address, the results of your biometric liveness check from Veriff, and the details of your beneficial ownership structure. These records are vital for the UK’s anti-money laundering framework, as they allow HMRC or law enforcement to conduct retrospective audits if a business is later suspected of financial crime. You should be aware that during this five-year period, we cannot fulfill a request for erasure (the Right to be Forgotten) regarding these specific compliance documents, as our legal obligation to the UK government takes precedence over individual data deletion preferences.
For data that does not fall under the specific gatekeeper requirements of the MLR 2017, we apply a more flexible and privacy-centric retention schedule. This includes technical usage data, general administrative correspondence, and digital scans of your mail. We typically retain digital scans of your received mail for a period of six months following the date of scanning, unless you have specifically requested a longer storage period or a permanent deletion through your dashboard settings. This six-month window provides you with sufficient time to download and archive your documents while ensuring our servers are not cluttered with outdated personal correspondence.
General enquiries from non-subscribers such as emails sent to our support desk that do not result in a contract are typically retained for two years. This allows us to maintain a record of our interactions and provide consistent support if you decide to return to our service at a later date. Financial transaction records, such as invoices and payment metadata stored within our Stripe integration, are retained for seven years in accordance with standard UK tax and accounting laws (the Taxes Management Act 1970). Once these specific operational or financial periods have elapsed, the data is flagged for automated deletion in our next scheduled system sweep.
When personal data reaches the end of its designated retention period, My Office Address Limited employs secure disposal protocols to ensure that the information is permanently and irretrievably destroyed. For digital data, this involves cryptographic erasure, where the encryption keys for the specific data blocks are destroyed, rendering the underlying data completely unreadable and unrecoverable. We also perform data overwriting on our storage volumes to prevent any forensic recovery of deleted files. This ensures that your digital footprint, including sensitive identity scans and private mail PDFs, is entirely removed from our digital ecosystem.
Regarding physical documents, we maintain a strict “Zero-Landfill, Total-Shred” policy. Any physical mail that is not forwarded to you and is marked for disposal as well as any physical copies of identification documents we may have handled is processed through industrial-grade cross-cut shredding. This process reduces documents to unidentifiable particles that meet the BS EN 15713 standard for secure destruction of confidential material. Following the shredding process, the material is securely pulped and recycled. By combining high-tech digital purging with high-security physical destruction, we ensure that your data journey with My Office Address Limited ends with a clean and compliant exit.
Under the UK GDPR, you have the fundamental Right of Access, commonly referred to as a Subject Access Request (SAR). This allows you to request a copy of the personal data we hold about you, along with a description of how we use it, who we share it with, and how long we intend to keep it. At My Office Address Limited, we facilitate this right through your secure client dashboard, where much of your data such as your contact details, service history, and scanned mail is available for immediate viewing. However, if you require a formal comprehensive export of your full compliance file, you may submit a request to our Data Protection Lead. We are committed to providing this information free of charge and within one month of receiving your request, unless the request is particularly complex, in which case we may extend the period by a further two months.
Accompanying the right of access is the Right to Rectification. We recognise that personal circumstances change; you may move house, change your legal name, or update your business structure. If you discover that any of the information we hold is inaccurate or incomplete, you have the right to have that data corrected without undue delay. For basic contact information, you can perform these updates directly through your account settings. For more sensitive data, such as a change in your residential address or a new identity document, we will require you to provide supporting evidence to maintain the integrity of our Anti-Money Laundering (AML) records. Ensuring the accuracy of your data is a shared responsibility that protects the legality of your registered office service.
The Right to Erasure, often called the Right to be Forgotten, allows you to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or if you withdraw the consent upon which the processing was based. However, as a regulated Trust or Company Service Provider, this right is not absolute. As detailed in Section 8, we are legally mandated by HM Revenue & Customs to retain your core identity and business relationship records for five years after our contract ends. Therefore, while we can erase non-essential data such as technical usage logs or old support tickets we cannot delete your statutory compliance files until this mandatory retention period has elapsed.
In situations where erasure is not immediately possible or appropriate, you may exercise the Right to Restriction of Processing. This allows you to ask us to pause the use of your data, for example, if you are contesting the accuracy of the information or if you believe our processing is unlawful but you do not want the data deleted. While processing is restricted, we are permitted to store the data but cannot use it for any other purpose, such as scanning mail or verifying new services. This right acts as a safeguard during disputes, ensuring that your information remains static and protected until the underlying issue is resolved to your satisfaction.
The Right to Data Portability is designed to give you the flexibility to move your personal information between different service providers seamlessly. This right applies to data that you have provided to us directly, which we process based on your consent or for the performance of our contract with you. Upon request, we will provide this data in a structured, commonly used, and machine-readable format (such as a CSV or JSON file). This allows you to transfer your business details, contact history, and service preferences to another professional address provider without having to manually re-enter all your information.
Data portability is particularly useful for growing businesses that may be transitioning to a physical office or switching to a different administrative partner. It ensures that you are not locked in to our ecosystem by the weight of your own data. Please note that this right specifically covers the data you provided to us; it does not necessarily cover the internal risk scores or compliance notes generated by our administrative team during the due diligence process. We aim to process all portability requests within the statutory one-month timeframe, supporting your business’s agility and your right to choose your service partners.
For any processing activity that relies on your consent as a legal basis most notably the Biometric Identity Verification conducted via Veriff you have the absolute Right to Withdraw Consent at any time. Withdrawing your consent is as easy as giving it; you can notify us of your decision through your account dashboard or by contacting our support team. Once consent is withdrawn, we will cease the specific processing activity immediately. For example, if you withdraw consent for biometric processing during the onboarding phase, the Veriff session will be terminated, and no biometric templates will be generated.
It is important to understand the practical implications of withdrawing consent. Because biometric verification is our primary method for satisfying HMRC’s non-face-to-face identification requirements, withdrawing this consent may mean we are unable to complete your Customer Due Diligence (CDD). In such cases, we may be legally prohibited from providing you with a registered office or mail handling service, leading to the cancellation of your subscription. While the withdrawal of consent does not affect the lawfulness of any processing that occurred before the withdrawal, it allows you to regain control over your most sensitive special category data whenever you choose.
To provide a secure and functional digital experience, My Office Address Limited uses cookies and similar tracking technologies (such as pixels and local storage). We categorise our cookies into two distinct groups to ensure you have granular control over your privacy. Strictly Necessary Cookies are essential for the operation of our website; they enable core functionality such as secure login to your client dashboard, the processing of payments via Stripe, and the maintenance of your session state. Under UK law, these cookies do not require your prior consent, as our services cannot function safely without them.
Non-Essential Cookies, which include analytical and functional trackers, are only deployed if you provide your explicit consent through our cookie banner. We use Google Analytics to understand how visitors interact with our site, which helps us optimise our mail handling workflows and technical performance. These cookies collect pseudonymised data, such as your browser type and the pages you visit, but they do not identify you personally. We also utilise Functional Cookies to remember your preferences, such as your language settings or whether you have already acknowledged our compliance alerts. We maintain a Prior Blocking policy, meaning no non-essential cookies will fire until you have actively selected your preferences.
Scoring As part of our commitment to preventing financial crime, My Office Address Limited utilises automated systems to assist in our Customer Due Diligence (CDD) and risk assessment processes. When you submit your identity documents and biometric data through Veriff, an automated algorithm performs a primary analysis to detect potential fraud, document tampering, or spoofing attempts. This system generates a preliminary compliance score based on the authenticity of your ID and the results of the biometric liveness check. This automated scoring allows us to process the high volume of applications we receive with the speed and accuracy required for a modern virtual office service.
We recognise that automated decisions can have significant effects on your ability to access our services. Therefore, in accordance with Section 80 of the Data (Use and Access) Act 2025, we do not rely on solely automated decision-making for any high-stakes outcome. Every application that is flagged as High Risk or Rejected by our automated systems is subject to a Meaningful Human Review by our compliance team. Our officers have the authority to override the automated score, request additional documentation, or manually approve an application. You have the right to contest any decision made through these systems, to express your point of view, and to request that a human member of our staff explains the logic behind the assessment.
You have absolute control over the non-essential tracking technologies used on our platform. Our website features a permanently accessible Cookie Preference Centre, typically located in the footer of our homepage, which allows you to change or withdraw your consent at any time. If you opt-out of analytical cookies, we will immediately cease the collection of your usage data. Furthermore, we respect Global Privacy Control (GPC) signals and “Do Not Track” settings sent by your browser, automatically adjusting our tracking behaviour to match your global privacy preferences where technically possible.
Regarding our automated compliance processes, while you cannot opt-out of the initial risk screening (as it is a statutory requirement for us to provide the service), you can opt-out of having a final decision made without human intervention. By contacting our Data Protection Lead, you can request that your application is handled entirely through our manual verification workflow. Please be aware that opting for manual-only processing may result in longer activation times for your business address. We believe that by providing these clear opt-out mechanisms and human-in-the-loop safeguards, we strike the correct balance between technological efficiency and your fundamental rights under the UK GDPR.
My Office Address Limited reserves the right to amend this Privacy Policy at any time to reflect changes in our professional practices, technological integrations, or the regulatory landscape of the UK. As a supervised Trust or Company Service Provider (TCSP), we must ensure our data handling remains aligned with the latest guidance from the Information Commissioner’s Office (ICO) and HM Revenue & Customs (HMRC). Significant updates may be driven by new legislation, such as the Data (Use and Access) Act 2025, or by changes in the way our third-party partners, like Veriff or Stripe, process information on our behalf.
When material changes are made to this policy, we will notify you by updating the effective date at the top of this document and, where appropriate, by sending a direct notification to the primary email address associated with your account. We encourage you to review this policy periodically to stay informed about how we are protecting your information. Your continued use of our registered office or mail handling services following the publication of an updated policy constitutes your acknowledgement of the revised practices. If you do not agree with any changes made to this policy, you maintain the right to terminate your subscription and request the deletion of your non-statutory data in accordance with our retention schedule.
To ensure the highest level of accountability, My Office Address Limited has appointed a dedicated Compliance and Data Protection Lead who oversees our privacy strategy and serves as the primary point of contact for all data-related enquiries. Whether you wish to submit a Subject Access Request (SAR), exercise your Right to Rectification, or simply seek clarity on how your biometric data is processed during the identity verification phase, our Compliance Lead is available to assist you. We aim to foster an open and professional dialogue regarding privacy, ensuring that your concerns are addressed with the same rigour as our statutory mail handling duties.
You may contact our Compliance Lead directly by emailing admin@myofficeaddress.co.uk with the subject line data Protection Enquiry. Alternatively, formal written correspondence can be sent to our physical headquarters: My Office Address Limited, 665 North Circular Road, London, England, NW2 7AX United Kingdom. We are committed to responding to all legitimate privacy enquiries within one month of receipt. For complex requests, we will notify you within the initial month if an extension is required. Our goal is to provide you with clear, concise, and helpful information that allows you to manage your professional digital footprint with absolute confidence.
While we strive to resolve all privacy concerns through our internal compliance channels, you have the statutory Right to Lodge a Complaint with the UK’s independent supervisory authority for data protection. If you believe that My Office Address Limited has not handled your personal information in accordance with the UK GDPR or the Data Protection Act 2018, or if you are dissatisfied with our response to a data rights request, you may contact the Information Commissioner’s Office (ICO). The ICO serves as the national ombudsman for privacy matters and has the power to investigate and take enforcement action against organisations that fail to uphold their data protection obligations.
We would, however, appreciate the opportunity to address your concerns directly before you approach the regulator. In many cases, a simple administrative clarification or a review of our internal logs can resolve a misunderstanding regarding mail scanning or identity verification. If you choose to escalate a matter to the ICO, you can do so via their official website at https://ico.org.uk/make-a-complaint/ or by calling their helpline at 0303 123 1113. Our ICO Registration Number is available upon request, confirming our status as a registered and fee-paying data controller committed to the highest standards of British data privacy.