Welcome to the privacy statement of The Digital PO Box (“TDPB”), a trade name of The Bizz Hub LLC-FZ, a company registered in Dubai, United Arab Emirates (license no. 2313890.01)), and its affiliated local partners (collectively, “we”, “us”). This statement explains how we process personal data when you use our services, websites and online portals.
We are committed to transparent data processing: what data we collect, for which purposes, how long we keep it, with whom we share it, and what rights you have.
Applicable frameworks
We comply with the EU General Data Protection Regulation (GDPR) and the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL). Where these laws differ, we apply the most protective standard to your situation. Where conflicts exist, the version more protective of your rights prevails.
Roles
The Bizz Hub LLC-FZ acts as Data Controller for processing carried out under the TDPB brand. Our local partners operate as Processors under a written processor agreement. Scanning of envelopes and—only upon the customer’s explicit request—the contents, is performed on our behalf under strict instructions.
Locations & transfers
Our core platform and storage are hosted within the EU; certain support and compliance activities are performed in the UK, EU, and UAE. Where personal data is transferred internationally, we implement contractual, technical, and organizational safeguards to ensure a level of protection that is essentially equivalent to that of the GDPR.
Data Controller
The Digital PO Box is a trade name of The Bizz Hub LLC-FZ, a company registered in Dubai, United Arab Emirates (license no. 2536783.01), with its principal office at The Meydan Grandstand, 6th floor, Meydan Road. The Bizz Hub LLC-FZ is the Data Controller for all personal data processed under the TDPB brand.
Local partners as Processors
Our local partners operate TDPB locations and may handle physical mail on behalf of customers. They act as independent service providers (Processors under contract with TDPB) solely for the limited purpose of receiving, scanning, and forwarding mail as instructed under a written Data Processing Agreement (DPA). Partners only have access to the following information:
They do not have access to payment data, ID documents, phone numbers, e-mail addresses or portal login details. Scans of envelopes (and, only on explicit customer request, of contents) are uploaded through an encrypted channel to our secure EU servers and automatically deleted from the local device immediately after upload.
Joint responsibility and sub-processing
Each partner processes data exclusively under our documented instructions and is contractually bound to strict confidentiality and data-deletion obligations. Where a partner engages a courier or shipping service for forwarding, those carriers act as independent controllers for the transport phase.
Applicable law
The Bizz Hub LLC-FZ ensures that data-processing arrangements comply with both the EU GDPR and the UAE PDPL, applying whichever framework provides the higher level of protection.
Contact?
Questions about your personal data can be directed to [email protected]
When you register for our services, an account is created in our Portal. We process:
Purpose & legal basis
Payments via Stripe
Payments and invoicing are processed via Stripe.
Certain payment details (name, e-mail, billing address, payment method, amount, IP address) are securely transmitted to Stripe to execute the transaction.
For more information about Stripe’s role and data processing, see section 5.3 of this Privacy Statement.
For providing your Digital PO Box, we process:
Purpose & legal basis
Data minimization by local partners:
Local partners only see the customer’s name, unique postbox code and—where applicable—forwarding address.
They do not have access to payment data, ID documents, phone numbers or e-mail addresses.
Scans are created and uploaded through an encrypted channel; local copies are automatically deleted within 24 hours after upload to our secure EU servers.
Data Processing Agreement (DPA)
When we scan mail that contains personal data of third parties, we act as a Processor on your behalf.
In that case, our General Data Processing Agreement (DPA) applies.
You can view and download the current version here:
https://www.thedigitalpobox.com/en/data-processing-agreement/.
To maintain the integrity and security of our platform, we perform a basic identity verification (“KYC-Lite”) when you register for our services. This verification is not performed under any Anti-Money-Laundering (AML) or Counter-Terrorism-Financing (CTF) legislation, and The Digital PO Box is not subject to AML/CTF regulatory obligations.
As part of this voluntary integrity check, we process only the minimum data required to confirm your identity:
No AML or sanctions screening:
We do not perform sanction-list checks, PEP checks, adverse-media screening, or any other AML-governed screening activities. The verification process solely confirms document authenticity and identity validity.
Verification provider:
We use SumSub Ltd (United Kingdom) as our identity-verification provider. SumSub processes your identity documents directly and returns only the verification result to us. All documents are stored on SumSub’s secure infrastructure and are not stored or copied on our systems. Access to the SumSub portal is strictly limited to authorised personnel, and appropriate safeguards apply to EU–UK transfers.
Purpose & legal basis:
Retention:
We do not store copies of identity documents on our servers. Verification data accessible via the SumSub portal is retained for a maximum of 12 months after account termination, unless a shorter period is configured or required for fraud-prevention review. After this period, access to verification data is removed or anonymised by our provider.
Legal basis: legitimate interest (maintaining secure and reliable services).
In some cases we receive data indirectly—for example when another customer forwards mail addressed to you. In such cases, we process that data solely to execute the requested service and do not use it for any other purpose.
These AI practices comply with the GDPR, UK GDPR, UAE PDPL and the transparency obligations of the EU AI Act.
We do not retain personal data longer than necessary for the purposes for which it was collected or to comply with applicable law. The following periods apply:
Automatic deletion and certification
Our platform provider operates under ISO 27001 and ISO 27701 certification.
Automated procedures ensure that data is permanently deleted or anonymized once the retention period expires.
We only share personal data with third parties when this is necessary for performing our services, fulfilling legal obligations, or when you have given explicit consent. We do not sell or rent personal data to third parties.
Updates to sub-processors: We may occasionally add or replace sub-processors (for example, hosting or compliance providers). Any material change will be announced at least fourteen (14) days in advance via the Customer Portal or by e-mail. Customers who object to a change may terminate the affected service before the new sub-processor becomes active.
We use Stripe Payments Europe Ltd (Ireland) and its affiliate Stripe Payments Middle East LLC (UAE) for payment processing and invoicing. Stripe may process your name, e-mail, billing address, payment method and IP address to execute transactions and comply with financial regulations. Stripe acts as an independent data controller for these operations. See Stripe’s Privacy Policy for details.
When physical mail is forwarded, we share the necessary shipment details with postal or courier services. These carriers act as independent controllers for the delivery process.
Some processing activities are performed in the UK and UAE. In such cases we apply contractual, technical and organizational safeguards (including EU Standard Contractual Clauses, encryption and restricted access) to ensure an equivalent level of protection to that of the GDPR.
We may share data with competent authorities (e.g. tax, customs or judicial authorities) when legally required to do so under EU or UAE law.
We do not disclose personal data for marketing, advertising or profiling purposes to any third party outside The Bizz Hub / TDPB group.
We send essential system e-mails (such as payment confirmations, password resets, and service updates) to perform our contract with you. These messages are sent automatically via our e-mail service provider Postmark (ActiveCampaign LLC, USA) or its EU sub-processor. Such e-mails are not considered marketing and cannot be unsubscribed from, as they are required for account administration.
We may include your first name in newsletters to personalize communication. We also record limited metrics (e.g., open and click rates) to measure effectiveness and avoid sending irrelevant messages. These metrics are stored in pseudonymized form and deleted after 12 months.
You can unsubscribe from any newsletter at any time via the link at the bottom of each message or by contacting [email protected]. We will update your preferences without delay.
Our websites and portals use cookies and similar technologies (such as local storage and tracking pixels) to ensure proper operation, analyse usage and, where permitted, personalise content.
When you first visit our website, you will see a cookie banner where you can choose which categories you allow. You can change or withdraw your consent at any time through the cookie settings link in the footer.
For a detailed overview of all cookies used (including names, purposes, providers and lifetimes), please refer to our separate Cookie Statement. This overview is updated regularly to reflect any changes.
We take the protection of your personal data very seriously. The Bizz Hub LLC-FZ and its suppliers apply strict technical and organisational measures in accordance with international standards (ISO 27001 and ISO 27701).
We maintain an incident response and data breach procedure. In the event of a personal data breach, we will:
Security measures are continuously updated to reflect technological developments and emerging risks. Our goal is to maintain a level of protection that meets or exceeds current international best practices.
You have a number of rights regarding the processing of your personal data. We respect and facilitate these rights in accordance with the EU General Data Protection Regulation (GDPR) and the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL).
You can submit a request via the Portal or by contacting us at [email protected]. For verification purposes, we may ask you to confirm your identity or provide additional information.
We will respond to your request within one month (GDPR standard) or within 30 calendar days (PDPL standard), whichever applies, and may extend this period once when necessary due to complexity or volume. If we are unable to fulfil a request (e.g. due to legal retention obligations), we will inform you of the reason.
Please note that certain data cannot be deleted or restricted if we are legally required to retain it (for example, financial data subject to tax retention obligations or identity-verification records retained for fraud-prevention purposes). In such cases, access will be limited and the data securely archived until the applicable retention period expires.
If you have any questions about the way we process your personal data, or if you believe your privacy rights have been violated, please contact our Privacy Officer first via [email protected]. We aim to respond to all inquiries and complaints within 30 calendar days.
We investigate every complaint carefully and will inform you of the outcome and any measures taken. If the matter cannot be resolved internally, you may contact the competent data protection authority as described below.
Privacy Officer – The Digital PO Box / The Bizz Hub LLC-FZ
E-mail: [email protected]
Postal address: P.O Box Number: 417541, Dubai, UAE
We may update this Privacy Statement from time to time to reflect changes in our services, legal requirements, or internal procedures.
The most recent version of this Privacy Statement is always available at https://www.thedigitalpobox.com/en/privacy-statement/. Each version includes its publication date and version number for reference.
We consider notifications sent to the e-mail address associated with your account or displayed in the Customer Portal as duly received and effective.
By continuing to use our services after the effective date of an updated Privacy Statement, you acknowledge that you have read and understood the new version.
Do you have any questions?
Please contact us at [email protected] or call +44 20 37 69 4391.
Thank you for the trust you place in us — we are dedicated to protecting your privacy in every step of our service.
This document forms part of The Digital PO Box Legal Framework.
Version: 1.4 / Date: 18-11-2025