Privacy Policy

How we collect, use, and protect your information when you use Postd

Last updated: 16 March 2026

1. Introduction

Postd is a virtual business address, mail management, and UK company formation service operated by DealFusion Tech Labs Ltd ("DealFusion", "we", "us", or "our"). We are committed to protecting your privacy and handling your personal data in a transparent, secure, and lawful way.

This Privacy Policy explains how we collect, use, store, and share your information when you use the Postd mobile app and related services (together, the "Service").

Data Controller

DealFusion Tech Labs Ltd
10 Sunningdale Avenue
Darlington, County Durham
DL1 4DA
United Kingdom

Company No. 16864496

Email: support@dealfusion.co.uk

2. Data We Collect

We collect the following categories of personal data when you use Postd:

Account Data

  • Name
  • Email address
  • Phone number
  • Hashed password or third‑party authentication identifier
  • Organisation name (if applicable)

Identity Verification (KYC) Data

To comply with UK Anti‑Money Laundering (AML) regulations, we must verify your identity before providing a virtual address.

  • Government‑issued ID documents (e.g. passport, driving licence)
  • Selfie / liveness images and video
  • Date of birth and nationality
  • Residential address
  • Verification results, risk scores, PEP / sanctions screening results

These checks are processed by our third‑party KYC provider, Sumsub, acting as our data processor.

Business & Company Data

  • Company name and proposed name(s)
  • Company type and SIC codes
  • Registered office and correspondence addresses
  • Director details: name, date of birth, nationality, address, occupation
  • Shareholder details: name, share class, number of shares
  • Formation history, incorporation date, and Companies House reference numbers

Mail & Address Data

  • Assigned suite number at our address (e.g. Suite 101)
  • Scanned mail PDFs, envelope images, and associated metadata (sender, received date, classification, urgency)
  • OCR‑extracted text from mail items
  • Mail actions: viewed, forwarded, downloaded, archived, shredded
  • Forwarding addresses (postal and email)

Payment & Subscription Data

We do not store your full card details. Payments are processed via Apple and Google through RevenueCat.

  • Subscription tier and active products
  • Billing period and renewal dates
  • Payment status and receipts
  • App store identifiers (Apple / Google)

Device & Usage Data

  • Device type, operating system, app version
  • Push notification tokens
  • Log events (log‑ins, feature usage, last active timestamps)
  • Preference settings, notification preferences
  • Approximate region (for fraud prevention and localisation)

3. Legal Bases for Processing

We rely on the following legal bases under UK GDPR to process your personal data:

  • Contract performance: to provide the Postd service, including virtual address, mail handling, notifications, and company formation.
  • Legal obligation: to comply with UK Money Laundering Regulations 2017 and related AML legislation (identity verification, record‑keeping).
  • Legitimate interest: to secure our platform, prevent fraud, improve our product, and perform aggregated analytics.
  • Consent: for optional marketing communications and certain notification types. You may withdraw consent at any time in the app or by contacting us.

4. How We Use Your Data

  • To create and manage your Postd account and authentication.
  • To verify your identity and conduct KYC / AML checks.
  • To provide a virtual business address and receive, scan, classify, and store your mail.
  • To deliver mail to you via forwarding, email, or downloads as you instruct.
  • To process company formation applications and communicate with Companies House.
  • To manage your subscription and payment status.
  • To send service notifications, security alerts, and important updates.
  • To detect fraud, abuse, and misuse of the Service.
  • To understand how Postd is used and improve performance and usability.

5. Third‑Party Processors

We use carefully selected third‑party providers that act as data processors on our behalf:

  • Supabase (EU/US) – database, authentication, and file storage infrastructure.
  • Sumsub (EU) – identity verification and KYC / AML checks.
  • RevenueCat (US) – subscription and purchase management (Apple / Google payments).
  • Apple (US) – App Store payments and push notification delivery.
  • Google (US) – Play Store payments, Firebase Cloud Messaging and device services.
  • n8n (self‑hosted) – workflow automation for internal operational processes.

Each processor is bound by a data processing agreement and may only process your data in accordance with our documented instructions.

6. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy or as required by law:

  • Account data: for the duration of your account and up to 30 days after deletion.
  • KYC / identity data: for 5 years after the end of our business relationship, as required by UK AML regulations.
  • Mail scans: according to your plan – 1 year (Starter), 3 years (Professional), 7 years (Business) from the date of receipt.
  • Formation records: typically for 10 years to comply with UK company law and record‑keeping obligations.
  • Analytics data: for up to 2 years in aggregated or pseudonymised form.

7. Your Rights

Under UK data protection law, you have the following rights in relation to your personal data:

  • Right of access to a copy of your data.
  • Right to rectification of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") in certain circumstances.
  • Right to restriction of processing in certain circumstances.
  • Right to data portability (receive your data in a structured, commonly used format).
  • Right to object to processing based on legitimate interest.
  • Right to withdraw consent for processing where consent is the legal basis.
  • Right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK.

To exercise any of these rights, please contact us at support@dealfusion.co.uk. We may need to verify your identity before fulfilling your request.

8. International Transfers & Security

Some of our processors are based outside the UK and European Economic Area, including in the United States. Where data is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and equivalent UK transfer mechanisms.

We protect your data using encryption in transit (TLS), row‑level security in Supabase, signed URLs with short expiry for document access, strict access controls, and secure authentication practices.

9. Children

Postd is designed for business users and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Cookies

Postd uses minimal cookies and similar technologies. We primarily use session cookies for authentication and essential security purposes. We do not use third‑party advertising cookies or cross‑site tracking technologies in the app.

11. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or best practice. When we make material changes, we will notify you via email or in‑app notification at least 30 days before the changes take effect.

The latest version of this Policy will always be available at dealfusion.co.uk/postd/privacy.

If you have any questions about this Privacy Policy or how we handle your data, please contact us at support@dealfusion.co.uk.