Privacy

Registered Address Ltd trading as OfficeO is committed to protecting your privacy.

Registered Address Ltd is the controller and responsible for your personal data. Our ICO registration number is ZA059540.

This Privacy Notice explains how we collect, use, store and share your personal data when you use the OfficeO website, register for an OfficeO account, purchase our services, contact us, or use our address service.

OfficeO provides a low cost virtual office address service for HMRC and Companies House mail. We collect and use personal data so that we can provide the service, verify customer identity, comply with legal and regulatory duties, process payments, communicate with customers and protect our address from misuse.

Our website is not intended for children and we do not knowingly collect data relating to children.

This Privacy Notice supplements our Terms and Conditions and is not intended to override them.

If you have questions about this Privacy Notice, including any request to exercise your legal rights, please contact us by emailing info@officeo.com.

You have the right to make a complaint at any time to the Information Commissioner's Office at www.ico.org.uk. We would, however, appreciate the chance to deal with your concerns before you approach the ICO.

It is important that the data we hold about you is accurate and current. Please keep us informed of any changes to your personal data, including your name, email address, telephone number, forwarding address, company details, directors, shareholders, beneficial owners and business activities.

Our website may include links to third party websites, plug ins and applications, including payment providers, Companies House or other relevant websites. By clicking on those links or enabling those connections, you may allow third parties to collect or share your personal data. We are not responsible for the privacy notices or practices of those third parties.

We may collect, use, store and transfer the following types of personal data:

• Identity Data, including first name, last name, title, date of birth, identity documents, proof of address, director details, shareholder details and beneficial owner details.
• Contact Data, including home address, forwarding address, email address and telephone number.
• Company Data, including company name, company number, trading name, business activity, Companies House details and other information relating to the company or business using the service.
• Verification Data, including documents or information provided for identity checks, anti money laundering checks, fraud prevention checks and regulatory compliance.
• Mail Data, including information shown on letters received at the Address, scanned letters, sender details, date received and internal mail processing records.
• Transaction Data, including details about payments to and from you and details of the services purchased from us.
• Technical Data, including internet protocol address, browser type and version, time zone setting, device information, operating system, platform and other technology used to access our website.
• Profile Data, including your account details, service history, preferences, correspondence, support requests and feedback.
• Marketing and Communication Data, including your preferences in receiving marketing and service communications from us.

We may also collect, use and share aggregated data. Aggregated data does not directly identify you. If we combine aggregated data with your personal data so that it can directly or indirectly identify you, we treat it as personal data.

We do not intentionally collect special categories of personal data. If special category data is included in documents or correspondence sent to us, we will only process it where necessary and where the law permits us to do so.

If we are required by law, or under the terms of a contract with you, to collect your personal data and you fail to provide it, we may not be able to provide the service. We may also have to suspend or cancel your account.

For example, if you do not provide satisfactory identity documents or information required for compliance checks, we may not be able to activate your account, scan mail, forward mail or allow use of the Address.

We collect personal data in the following ways:

• Direct interactions. You may provide personal data when you complete online forms, register for an account, purchase services, provide identity documents, contact us by email, telephone or post, or otherwise correspond with us.
• Automated technology. We may automatically collect technical data when you browse or interact with our website, using cookies, server logs and similar technologies.
• Publicly available sources. We may collect personal data from publicly available sources such as Companies House and other public registers.
• Third parties. We may receive personal data from payment providers, identity verification providers, analytics providers, hosting providers, email service providers, IT support providers and other suppliers who help us provide the service.

We will only use your personal data when the law allows us to.

Most commonly, we will use your personal data:

• To perform the contract we are about to enter into or have entered into with you.
• To comply with a legal or regulatory obligation.
• Where it is necessary for our legitimate interests, provided your interests and fundamental rights do not override those interests.
• Where you have given consent, where consent is required.

The lawful bases under the UK GDPR include consent, contract, legal obligation and legitimate interests. The ICO explains that at least one lawful basis is required whenever personal information is handled.

We may use your personal data for the following purposes:

• To register you as a new customer.
• To create and manage your OfficeO account.
• To provide the OfficeO address service.
• To verify your identity and address.
• To carry out anti money laundering, fraud prevention and compliance checks.
• To check company information, directors, shareholders, beneficial owners and business activities.
• To process payments, fees, invoices, receipts and refunds.
• To receive, identify, scan, forward, hold, return or otherwise process eligible mail.
• To send service emails, scanned letters, account updates, renewal reminders and important notices.
• To respond to enquiries, complaints and support requests.
• To administer and protect our website, systems and business.
• To comply with requests from HMRC, Companies House, law enforcement, regulators, courts or other authorities where required or permitted by law.
• To prevent misuse of the Address or our services.
• To enforce our Terms and Conditions.
• To recover debts due to us.
• To improve our website, services, customer experience and internal processes.
• To send marketing communications where permitted by law.

You will only receive marketing communications from us if you have requested information from us, purchased services from us, consented to marketing, or where we have another lawful basis to send the communication.

We will not share your personal data with third parties for their own marketing purposes.

You can opt out of email marketing by clicking the unsubscribe link within a marketing email or by contacting us.

Even if you opt out of marketing, we may still send service related emails, including account notices, renewal reminders, payment notices, compliance requests and mail processing emails.

All credit and debit card payments are processed through secure third party payment providers.

OfficeO currently uses Stripe to process payments.

We do not store or have access to your full card details. Sensitive card and payment information is handled by the payment provider.

Payment providers may process your personal data in accordance with their own privacy notices.

To provide the service and comply with legal and regulatory requirements, we may ask you for identity documents, proof of address, company information and information about the nature and purpose of your business.

We may carry out electronic identity verification checks using CreditSafe or a similar organisation. This may involve checking your identity, address and related information. A record of the search may be retained.

We may use your personal data to comply with anti money laundering requirements, fraud prevention duties and other legal or regulatory obligations.

If we reasonably suspect misuse of the Address, unlawful activity, fraud, false information, disruptive behaviour or activity that may damage the reputation of the Address or the Company, we may use available information to investigate and stop such behaviour. This may include notifying law enforcement, regulators, HMRC, Companies House, Trading Standards or other relevant third parties where required or permitted by law.

Where eligible mail is received for an active account, we may open, scan and email the letter to you.

Mail and scanned letters may contain personal data. We process this data to provide the service, maintain internal records, comply with legal obligations and protect the Address from misuse.

Scanned copies may be sent to the email address held on your account. It is your responsibility to ensure that your email address is accurate and secure.

Hard copies of scanned letters may be securely destroyed after processing, unless the item cannot reasonably be scanned or we decide that it should be forwarded, held, returned to sender or otherwise dealt with.

We may retain records of mail received, sender details, scan dates, account status and internal processing notes.

We may share your personal data with:

• Payment providers.
• Identity verification providers.
• Email service providers.
• Website, hosting, database and IT service providers.
• Analytics providers.
• Professional advisers, including lawyers, accountants, auditors, bankers and insurers.
• HMRC, Companies House, regulators, law enforcement agencies, courts and other authorities.
• Debt recovery agents, where fees are unpaid.
• Third parties to whom we may sell, transfer or merge parts of our business or assets.

We require third party service providers to respect the security of your personal data and treat it in accordance with the law. We do not allow service providers to use your personal data for their own purposes. They may only process personal data for specified purposes and in accordance with our instructions, unless acting as an independent controller.

Some of our service providers may process personal data outside the United Kingdom.

Where personal data is transferred outside the United Kingdom, we will take steps intended to ensure that your personal data receives an appropriate level of protection, including by using appropriate safeguards where required by data protection law.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, accessed, altered or disclosed in an unauthorised way.

We limit access to your personal data to employees, agents, contractors and service providers who have a business need to know. They will only process your personal data on our instructions and will be subject to a duty of confidentiality where appropriate.

We have procedures in place to deal with suspected personal data breaches and will notify you and any applicable regulator where we are legally required to do so.

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including legal, regulatory, accounting, tax, reporting, fraud prevention and business record purposes.

We are generally required to keep basic customer information, including contact, identity, financial and transaction data, for six years after a customer ceases to be a customer for tax and business record purposes.

We may retain compliance and identity verification records for as long as required or permitted by law.

We may retain mail processing records, scanned letter records, support correspondence and account notes for as long as necessary for service, compliance, legal, regulatory and dispute resolution purposes.

We may anonymise your personal data so that it can no longer be associated with you. We may use anonymised information indefinitely without further notice to you.

You have rights under data protection law in certain circumstances. You may have the right to:

• Request access to your personal data.
• Request correction of incomplete or inaccurate personal data.
• Request erasure of your personal data.
• Object to processing of your personal data.
• Request restriction of processing.
• Request transfer of your personal data.
• Withdraw consent where we rely on consent.
• Object to direct marketing.

If you wish to exercise any of your rights, please contact us.

You will not usually have to pay a fee to exercise your rights. However, if your request is clearly unfounded, repetitive or excessive, we may charge a reasonable fee or refuse to comply.

We may request specific information from you to help confirm your identity. This is a security measure to ensure that personal data is not disclosed to a person who does not have the right to receive it.

We try to respond to all legitimate requests within one month. It may take longer if your request is complex or you have made several requests. In that case, we will notify you and keep you updated.

Contact Data means home address, forwarding address, email address and telephone number.

Identity Data means first name, last name, title, date of birth, identity documents, proof of address and similar identifiers.

Company Data means company name, company number, trading name, business activity, directors, shareholders, beneficial owners and public register information.

Verification Data means information used for identity checks, address checks, anti money laundering checks, fraud prevention and compliance checks.

Mail Data means information relating to mail received at the Address, scanned letters, sender details, date received and mail processing records.

Marketing and Communication Data means your preferences in receiving marketing and service communications from us.

Profile Data means your account details, services purchased, preferences, feedback, correspondence and support records.

Technical Data means internet protocol address, login data, browser type and version, time zone setting, location, browser plug in types and versions, operating system, platform and other technology on devices used to access our website.

Transaction Data means details about payments to and from you and other details of services purchased from us.

To register you as a new customer, we use Identity Data, Contact Data and Company Data. The lawful basis is contract.

To process and deliver your order, manage payments, fees, charges and refunds, we use Identity Data, Contact Data, Company Data, Transaction Data and Marketing and Communication Data. The lawful bases are contract and legitimate interests.

To verify your identity, complete compliance checks and prevent misuse of the Address, we use Identity Data, Contact Data, Company Data and Verification Data. The lawful bases are legal obligation, contract and legitimate interests.

To process mail and scanned letters, we use Identity Data, Contact Data, Company Data, Mail Data and Profile Data. The lawful bases are contract, legitimate interests and legal obligation.

To manage our relationship with you, including notifying you about changes to our Terms or Privacy Notice, we use Identity Data, Contact Data, Profile Data and Marketing and Communication Data. The lawful bases are contract, legal obligation and legitimate interests.

To administer and protect our business and website, including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting, we use Identity Data, Contact Data and Technical Data. The lawful bases are legitimate interests and legal obligation.

To deliver relevant website content and measure the effectiveness of advertising, we use Technical Data, Usage Data, Profile Data and Marketing and Communication Data. The lawful basis is legitimate interests.

To use analytics to improve our website, services, marketing, customer relationships and experiences, we use Technical Data and Usage Data. The lawful basis is legitimate interests.

To send marketing communications, we use Identity Data, Contact Data, Profile Data and Marketing and Communication Data. The lawful basis may be consent or legitimate interests, depending on the circumstances.

Access your data. You can ask for access to and a copy of your personal data and check that we are lawfully processing it.

Correction. You can ask us to correct any incomplete or inaccurate personal data we hold about you.

Erasure. You can ask us to delete or remove your personal data where there is no good reason for us continuing to process it, where you have successfully exercised your right to object, where we may have processed your information unlawfully, or where we are required to erase your personal data to comply with law.

We may not always be able to comply with your request for specific legal reasons, which will be notified to you at the time of your request.

Object. You can object to processing where we rely on legitimate interests and you feel it impacts your fundamental rights and freedoms. You can also object to direct marketing.

Restrict processing. You can ask us to suspend or restrict processing of your personal data in certain circumstances.

Request transfer. You can request transfer of your personal data in a structured, commonly used, machine readable format where this right applies.

Withdraw consent. You can withdraw consent at any time where we rely on consent. This does not affect the lawfulness of processing carried out before you withdraw consent.

Service providers, acting as processors or controllers, who provide payment processing, email, hosting, database, analytics, IT, identity verification, website support and system administration services.

Professional advisers, including lawyers, bankers, auditors, accountants and insurers based in the United Kingdom who provide consultancy, banking, legal, insurance and accounting services.

HM Revenue and Customs, Companies House, regulators, courts, law enforcement agencies and other authorities who require reporting or disclosure in certain circumstances.

Third parties whom we may choose to sell, transfer or merge parts of our business or assets with. If a change happens to our business, the new owners may use your personal data in the same way as set out in this Privacy Notice.

Aggregated Data means statistical or demographic data which may be derived from personal data but cannot by itself identify a data subject.

Controller means a body that determines the purposes and means of processing personal data.

Data Subject means an individual living person identified by personal data.

ICO means the Information Commissioner's Office, the UK's supervisory authority for data protection issues.

Personal Data means information identifying a data subject from that data alone or with other data we may hold. It does not include anonymised or aggregated data.

Processor means a body that processes personal data on behalf of a controller.

Special Categories of Personal Data means information about race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, health, genetic data, biometric data, sex life or sexual orientation.