Privacy & cookies
Who we are
Postio is a trading name of Onno Group Limited, registered in England & Wales (company no. 08622799). Registered office: Suite 22 Trym Lodge, 1 Henbury Road, Westbury-On-Trym, Bristol BS9 3HQ. We are the data controller for the information described here. Contact us at postio.co.uk/contact.
What we collect
Account data: name, email, Argon2id password hash, company name. Billing data: Stripe customer id, card brand, last four digits, expiry (the full card number is handled by Stripe — we never see it). Usage data: every API request, stored for 30 days with postcode/email/phone queried, status code, latency, and key used. Nothing else.
What we don't collect
No third-party trackers. No advertising pixels. No session recording. No analytics SDKs. Our site logs are kept for 7 days for debugging and then discarded.
Legal basis
Contract: processing is necessary to deliver the API service you signed up for. Legal obligation: retaining account records for HMRC. Legitimate interest: fraud prevention and service improvement. Consent: the Crisp chat widget, only if you open it.
Where it lives
All data is hosted in the UK (AWS eu-west-2, London region). Nothing is replicated outside the UK. Royal Mail PAF data is licensed and held under the terms of our PAF distributor agreement.
Sub-processors
We rely on these third parties to deliver the service: Stripe Payments Europe (Ireland) for card processing; Amazon Web Services (London) for infrastructure and email delivery; Cloudflare (UK) for site hosting, caching, and DDoS protection; Crisp IM SAS (France) for the optional live chat widget. Each holds data under its own terms and privacy policy.
How long we keep it
Account data: for the life of your account plus 6 years after closure (HMRC requirement). Request logs: 30 days rolling. Card tokens: held by Stripe until you delete them. Audit logs: 1 year.
Your rights
Under UK GDPR you can access, correct, port, or delete your personal data, or object to processing. Send the request via postio.co.uk/contact and we'll respond within 30 days. You can also complain to the Information Commissioner's Office (ico.org.uk).
Cookies
Three essential cookies only: session ID, CSRF token, and a theme preference. No analytics. No advertising. No third parties. That's why there's no cookie banner — we don't need your consent for strictly-necessary cookies.
Crisp chat
If you use the chat widget, Crisp (EU-hosted) processes your messages on our behalf. The widget only loads if you open it — not on page load.
Stripe
Card details are handled by Stripe under their own privacy policy. We store a customer ID, card brand, last four digits, and expiry date, nothing more.
Changes
We post updates here with a new "last updated" date. Material changes are also emailed to you.
Contact
postio.co.uk/contact — privacy enquiries get priority and route to the same inbox as everything else.