[postio]
Get an API key
LEGAL · LAST UPDATED JUNE 3, 2026

Data Processing Addendum

About this addendum

This Data Processing Addendum (DPA) applies whenever, in using Postio, you send us personal data about other people — typically when you call the API to validate an address, email or phone number. It forms part of your agreement with us (see our Terms of service at postio.co.uk/terms) and reflects Article 28 of the UK GDPR. "We", "us" and "Postio" mean Onno Group Limited; "you" means the customer. Where this DPA conflicts with the rest of the agreement on the processing of personal data, this DPA takes precedence.

1. Roles

For the query data you send us, you are the data controller and we are your processor: you decide whose details to look up and why, and we process them only to give you a result. For your own account and billing data we are the controller — that's covered by our Privacy & cookies policy, not this DPA.

2. What we process

The details required by Article 28(3):

  • Subject matter — providing UK address, email and phone validation through the Postio API and dashboard.
  • Duration — for as long as your agreement with us is in force, plus the retention windows below.
  • Nature and purpose — receiving a query, checking it against our datasets, returning a result, and keeping a request log for support, billing and security.
  • Data subjects — the people whose details you choose to look up (typically your customers, contacts or prospects).
  • Personal data — postcodes, addresses, email addresses and phone numbers contained in your queries, and the same values in the request log until they are obfuscated.
  • Special category data — none is required or expected; please don't send it.

3. Our instructions

We process query data only on your documented instructions — which are: your use of the service, your API calls, and this agreement — and as required by law. If a law requires us to process it otherwise, we'll tell you first unless the law forbids that. We never sell query data, profile it, or use it to train models.

4. Confidentiality

Everyone we authorise to process query data is under a duty of confidence.

5. Security

We hold query data in the UK (AWS London) — see section 10 for the one phone-validation exception — encrypted in transit and at rest, behind role-based access control and audit logging. The measures are described in our Privacy & cookies policy and kept appropriate to the risk.

6. Retention and obfuscation

We keep each request log only as long as needed. The queried postcode, email or phone is obfuscated once the log passes its retention window — 30 days by default, and you can set any window from 1 to 999 days per API key from the dashboard. After obfuscation, only de-identified metadata (timestamp, status, latency, key) remains, for usage analytics.

7. Sub-processors

You give general authorisation for us to use sub-processors to deliver the service. For query data these are Amazon Web Services (London) for hosting and Cloudflare (UK) for edge and security, plus Telnyx (Ireland) for live phone-number (HLR) validation. We bind each to data-protection terms no less protective than this DPA and stay responsible for their performance. We'll give you reasonable notice of any new or replacement sub-processor that handles query data, and you may object on reasonable data-protection grounds. Our current list is in our Privacy & cookies policy.

8. Helping you meet your obligations

Taking account of the nature of the processing, we'll give you reasonable help to: respond to data-subject requests (and forward any that reach us); keep the processing secure; notify breaches; and carry out data protection impact assessments and any prior consultation with the ICO.

9. Personal data breaches

If we become aware of a breach affecting your query data, we'll tell you without undue delay and give you the information you reasonably need to meet your own reporting duties.

10. International transfers

Address and email query data are not transferred outside the UK. The one exception is phone validation: to run a live network (HLR) lookup we send the phone number to Telnyx in Ireland (EU). The EEA is covered by the UK's data-adequacy regulations, so no additional transfer mechanism is required; if that position changes we'll put a lawful mechanism in place and tell you.

11. Return and deletion

On the end of your agreement, or on your written request, we'll delete or return query data and delete existing copies, except where law requires us to keep it. In practice, query PII is already obfuscated on the retention schedule above, and account data is handled as set out in our Privacy & cookies policy.

12. Audit

On reasonable notice, and no more than once a year unless a regulator or a breach requires otherwise, we'll make available the information needed to show we comply with this DPA, and allow and contribute to an audit. We may satisfy this with up-to-date documentation where that reasonably does the job.

13. Royal Mail

We do not share your query data with Royal Mail. For PAF licence compliance we share only your business identity and usage volumes, as set out in our Terms of service and PAF End User Terms.

14. Liability and precedence

This DPA is subject to the liability limits in our Terms of service. Nothing in it gives you greater rights than the UK GDPR requires. Except as changed here, the rest of the agreement continues to apply.

15. Governing law

This DPA is governed by the law of England and Wales, and the courts of England and Wales have jurisdiction.