Privacy Policy
Last updated: 23 April 2026
1. Introduction
This Privacy Policy explains how Olea Office Ltd (“Olea”, “we”, “us”, or “our”) collects, uses, stores, shares, and protects your personal data when you:
- visit our website at oleaoffice.com (the “Website”);
- create an account or use our platform (the “Platform”);
- purchase or use our services, including business address, digital mailbox, mail handling, and workspace access (the “Services”); or
- otherwise interact with us, for example through customer support or marketing communications.
Olea is a platform that provides business address and workspace services directly to customers. We partner with workspace operators who provide the physical locations where services are fulfilled, but your contractual relationship is with Olea, not with the operator. Operators are fulfilment partners who receive only the limited data necessary to deliver the services you have purchased from us.
We are committed to protecting your personal data and processing it lawfully, fairly, and transparently. This policy is designed to be read alongside our Cookie Policy and our Customer Terms and Conditions.
If you have any questions about this policy or our data practices, please contact us using the details in Section 15 below.
2. Who we are
Olea Office Ltd is the data controller responsible for your personal data.
| Item | Details |
|---|---|
| Company name | Olea Office Ltd |
| Registered in | England and Wales |
| Company number | 17108391 |
| Registered office | 66 Paul Street, London, EC2A 4NA |
| Data protection contact | support@oleaoffice.com |
| Website | oleaoffice.com |
As the data controller, we determine the purposes and means of processing your personal data. Where we engage third-party service providers (sub-processors) to process data on our behalf, we remain responsible for ensuring that your data is handled in accordance with applicable data protection law.
Controller and processor roles
- Controller: Olea is the data controller for all personal data collected through the Website, Platform, and in connection with the Services.
- Processor role: For certain elements of the digital mailbox service, Olea acts as a data processor on your behalf — for example, when mail is scanned and uploaded to your portal, the contents of your correspondence are processed at your instruction.
- Operator partners: Our workspace operator partners receive limited personal data for the purpose of fulfilling the services you have purchased from Olea. Operators act as data processors when they process personal data on our documented instructions for location-side service delivery, such as mail handling, workspace access, reception support, and related fulfilment. Where a Location Partner receives or accesses compliance dossier information for its own regulatory, legal, operational, authority-response, or risk-management purposes, it acts as an independent controller.
3. Personal data we collect
We collect and process the following categories of personal data, depending on how you interact with us:
3.1 Account and identity information
When you register for an account or purchase our Services, we collect:
- Full name, date of birth, place of birth, and nationality
- Email address, telephone number, and residential address
- Company name, legal form, registration number, and registered address
- Names of directors, legal representatives, and authorised persons
- Names of persons authorised to collect mail on your behalf
3.2 Identity verification and compliance records
Where required by Applicable Law, where required to support Location Partner obligations, or where necessary to prevent misuse of the Services, we collect identity and compliance information. This may include:
- Copies of government-issued photo identification (e.g. passport, national identity card, driving licence)
- Proof of residential address
- Beneficial ownership information (individuals with more than 25% ownership or control)
- Company registry extracts and beneficial ownership register extracts
- PEP (Politically Exposed Persons) and sanctions screening results
- Risk assessment scores and compliance decision records
- Verification photographs (if a liveness check is used by our KYC verification provider)
3.3 Payment and billing data
- Payment card details — these are processed and tokenised by Stripe, our payment processor. Olea does not store your full card numbers.
- Billing address
- Invoices and transaction history
- Subscription plan details
3.4 Service usage data
- Portal login activity and user preferences
- Mail handling records (scan logs, forwarding records, pickup logs)
- Workspace booking history
- Customer support communications (email, chat)
3.5 Website and technical data
- IP address, browser type, device information, and operating system
- Pages visited, time on page, click behaviour, and scroll depth
- Referral source and search terms
- Cookie identifiers and consent preferences
- Heatmap and session recording data (anonymised where possible)
For full details on cookies and similar technologies, please see our Cookie Policy.
3.6 Marketing data
- Email marketing consent status and preferences
- Newsletter subscription status
4. How we collect your data
We collect personal data from the following sources:
- Directly from you — when you create an account, purchase Services, complete identity verification, contact customer support, or subscribe to our newsletter.
- From your authorised representatives — where a director, legal representative, or authorised person provides information on behalf of your business.
- From third-party verification providers — our KYC/AML provider may return verification results, screening outcomes, and risk scores.
- From public registers — such as company registries and beneficial ownership registers.
- Automatically — through cookies, analytics tools, and similar technologies when you visit our Website (subject to your consent preferences).
- From our payment processor — Stripe provides us with transaction confirmations and billing information (but not full card numbers).
5. Why we process your data and our legal bases
We only process your personal data where we have a lawful basis to do so. The table below sets out each processing activity and its corresponding legal basis under applicable data protection law.
| Processing activity | Legal basis | Details |
|---|---|---|
| Providing business address, digital mailbox, mail handling, and workspace services | Contract performance (Art. 6(1)(b)) | Processing is necessary to fulfil the contract between you and Olea. |
| Payment processing and billing | Contract performance (Art. 6(1)(b)) | Processing is necessary to take payment and manage your subscription. |
| Identity verification, business checks, and beneficial ownership identification | Legal obligation (Art. 6(1)(c)) where required by law; legitimate interest (Art. 6(1)(f)) where necessary to prevent misuse of the Services; consent (Art. 6(1)(a)) where required | We collect and review identity, business, and ownership information where required by Applicable Law, where required to support Location Partner obligations, or where necessary for our legitimate interests in preventing misuse of the Services. |
| PEP and sanctions screening | Legal obligation (Art. 6(1)(c)) where required by law; legitimate interest (Art. 6(1)(f)) where necessary for risk management; consent (Art. 6(1)(a)) where required | Screening may be required by anti-money laundering legislation or used to manage legal, regulatory, and fraud risks. |
| Suspicious activity reporting | Legal obligation (Art. 6(1)(c)) | Where applicable, we may be legally required to report suspicious activity to the relevant Financial Intelligence Unit or competent authority. |
| Fraud prevention and platform security | Legitimate interest (Art. 6(1)(f)) | We have a legitimate interest in protecting our platform, our customers, and our business from fraud and security threats. |
| Website analytics (Google Analytics 4, Microsoft Clarity) | Consent (Art. 6(1)(a)) | Analytics cookies are only placed after you give consent via our cookie banner. See our Cookie Policy for details. |
| Marketing communications (email newsletters, product updates) | Consent (Art. 6(1)(a)) | We only send marketing communications where you have given explicit consent. You can withdraw consent at any time. |
| Customer support | Contract performance (Art. 6(1)(b)) / Legitimate interest (Art. 6(1)(f)) | Processing is necessary to respond to your enquiries and resolve issues related to your account or Services. |
| Sharing limited data with operator partners for service fulfilment | Contract performance (Art. 6(1)(b)) | We share only the data necessary for operators to fulfil the services you have purchased from Olea (e.g. name, company name, mail preferences, authorised pickup persons). |
| Sharing compliance dossier information with Location Partners | Legal obligation (Art. 6(1)(c)) where required by law; legitimate interest (Art. 6(1)(f)) where necessary for service integrity and risk management; consent (Art. 6(1)(a)) where required | We may share a curated subset of compliance information with the Location Partner responsible for your selected Location to support service delivery, identity or status confirmation, local regulatory or inspection requirements, authority enquiries, and related compliance purposes. |
Legitimate interest assessments
Where we rely on legitimate interest as a legal basis, we have carried out a balancing assessment to ensure that our interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interest at any time (see Section 10).
6. Who we share your data with
We do not sell your personal data to anyone. We only share your data with third parties where it is necessary for the purposes described in this policy.
6.1 Sub-processors
We use the following third-party service providers (sub-processors) to help us deliver our Services:
| Provider | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Stripe | Payment processing and fraud prevention | USA | EU SCCs / EU-US Data Privacy Framework |
| ShuftiPro | Identity verification (KYC/AML) | UK (with global processing capabilities) | UK International Data Transfer Agreement |
| Dropscan | Mail scanning and digital mailbox processing | Germany | N/A (within the EEA) |
| HubSpot | CRM, customer communications, and marketing | USA | EU SCCs / EU-US Data Privacy Framework |
| HelpScout | Customer support | USA | EU SCCs |
| Google (GA4) | Website analytics | USA | EU SCCs / EU-US Data Privacy Framework |
| Microsoft Clarity | Heatmaps and session recordings | USA | EU SCCs / EU-US Data Privacy Framework |
| Vercel | Website hosting | USA | EU SCCs |
| Mapbox | Interactive location maps on the Website | USA | EU SCCs |
| Olea (custom-built) | Cookie consent management | UK / Germany (Vercel hosting) | N/A (first-party) |
All sub-processors are bound by data processing agreements that require them to process your data only on our instructions and to implement appropriate security measures.
6.2 Operator partners
Our workspace operator partners receive limited personal data where necessary to fulfil the services you have purchased from Olea and to support compliant operation of the relevant Location.
Location-side service delivery. For mail handling, workspace access, reception support, and related fulfilment, operators receive operational data such as your name, company name, contact details where operationally required, mail handling preferences, names of persons you have authorised to collect mail, visitor records, and workspace booking records. For this processing, operators act as processors on our behalf under a Data Processing Agreement (oleaoffice.com/partner-dpa).
Compliance dossier access. Where required or appropriate, the Location Partner responsible for your selected Location may receive or access a curated compliance dossier. This may include your company name, verified representatives, beneficial owners or equivalent ownership information, verification or review status, date of last review, and supporting verification records or documents. The Location Partner may use this information only for service delivery, identity or status confirmation, local regulatory or inspection requirements, authority enquiries, and related compliance or risk-management purposes. For this processing, the Location Partner may act as an independent controller.
Your contractual relationship is with Olea, not with the operator.
6.3 Customer Data Processing Agreement
Where the Digital Mailbox service involves processing personal data contained in your mail, Olea acts as a data processor on your behalf. A separate Data Processing Agreement applies — see oleaoffice.com/dpa. For all other personal data processing (account data, KYC/AML, billing, analytics), Olea acts as the data controller as described in this Privacy Policy.
6.4 Regulatory and legal disclosures
We may disclose your personal data where required by law, including to:
- Financial Intelligence Units — for suspicious activity reporting as required by anti-money laundering legislation
- AML supervisory authorities — in connection with regulatory inspections or enquiries
- Data protection supervisory authorities — in response to lawful requests
- Beneficial ownership registers — where required by law
- Courts, law enforcement, or other governmental bodies — where required by a court order or applicable law
We will never disclose more data than is legally required.
7. International data transfers
Olea Office Ltd is based in the United Kingdom. Some of our sub-processors are located outside the UK and the European Economic Area (EEA), as indicated in the sub-processor table above.
Where we transfer personal data internationally, we ensure that appropriate safeguards are in place in accordance with applicable data protection law. These safeguards include:
- Standard Contractual Clauses (SCCs) — approved by the European Commission, providing contractual obligations on the data importer to protect your data.
- UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU SCCs — approved by the UK Information Commissioner’s Office (ICO) for transfers from the UK.
- EU-US Data Privacy Framework (DPF) — where the receiving organisation has been certified under the DPF, recognised by the European Commission as providing adequate protection.
- Adequacy decisions — where the destination country has been recognised as providing an adequate level of data protection.
We regularly review our international transfer mechanisms to ensure they remain valid and effective. You may request a copy of the relevant safeguards by contacting us at support@oleaoffice.com.
8. Data retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. When personal data is no longer needed, we securely delete or anonymise it.
| Data category | Retention period | Reason |
|---|---|---|
| KYC/AML records (identity documents, verification results, screening records, risk assessments) | 5 years from the end of the business relationship, followed by mandatory deletion | Legal obligation under applicable anti-money laundering legislation |
| Contract and billing records (invoices, transaction history, subscription details) | 6 years from end of contract (up to 10 years where required by local tax legislation) | Tax and accounting obligations |
| Customer support communications | 2 years from resolution of the enquiry | Legitimate interest (service improvement, dispute resolution) |
| Marketing consent records | Until withdrawal of consent, plus 1 year | Demonstrating valid consent as required by law |
| Website analytics data | 26 months (Google Analytics 4 default) | Legitimate interest (website improvement) |
| Cookie consent records | 12 months | Regulatory requirements |
| Mail scans (digital mailbox) | As per service terms / customer-controlled | Contract performance — you may delete scanned mail from your portal at any time |
For further detail on jurisdiction-specific retention obligations, see Section 13 (Jurisdiction-Specific Provisions).
9. Data security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls and role-based permissions
- Regular security assessments and vulnerability testing
- Sub-processor due diligence and data processing agreements
- Staff training on data protection and information security
- Incident response procedures
While we take all reasonable steps to protect your data, no method of transmission over the internet or method of electronic storage is completely secure. If you become aware of any security incident affecting your account, please contact us immediately.
10. Your rights
Under applicable data protection law, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions and exceptions.
10.1 Right of access (Art. 15)
You have the right to request a copy of the personal data we hold about you, together with information about how we process it.
10.2 Right to rectification (Art. 16)
You have the right to request that we correct any inaccurate personal data, or complete any incomplete data.
10.3 Right to erasure (Art. 17)
You have the right to request the deletion of your personal data in certain circumstances, for example where it is no longer necessary for the purposes for which it was collected.
10.4 Right to restriction of processing (Art. 18)
You have the right to request that we restrict the processing of your personal data in certain circumstances, for example where you contest the accuracy of the data.
10.5 Right to data portability (Art. 20)
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to request that we transmit it to another controller, where technically feasible.
10.6 Right to object (Art. 21)
You have the right to object to processing based on legitimate interest (Art. 6(1)(f)) at any time. We will stop processing your data unless we can demonstrate compelling legitimate grounds that override your interests.
You have an absolute right to object to processing for direct marketing purposes at any time.
10.7 Right to withdraw consent (Art. 7(3))
Where we process your data based on consent, you can withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal. You can withdraw marketing consent by clicking the unsubscribe link in any email, or by contacting us directly.
10.8 Right to lodge a complaint
If you believe that we have not handled your personal data properly, you have the right to lodge a complaint with a data protection supervisory authority. We encourage you to contact us first so that we can try to resolve your concern. For details of the relevant supervisory authority in your jurisdiction, see Section 13 (Jurisdiction-Specific Provisions).
How to exercise your rights
To exercise any of the above rights, please contact us at:
- Email: support@oleaoffice.com
- Post: Data Protection, Olea Office Ltd, 66 Paul Street, London, EC2A 4NA
We will respond to your request within one month of receipt. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of your original request.
We may ask you to verify your identity before processing your request, to ensure the security of your personal data.
11. Automated decision-making
Olea does not use fully automated decision-making that produces legal effects or similarly significant effects on you.
Our KYC/AML verification process uses automated tools to assist with identity checks, risk scoring, and screening. However, all compliance decisions are reviewed by a human before being finalised. You will not be subject to a decision based solely on automated processing.
12. Children
Our Services are designed for businesses and business professionals. We do not knowingly collect personal data from children under the age of 16. If you believe that we have inadvertently collected data from a person under 16, please contact us immediately and we will take steps to delete it.
13. Jurisdiction-specific provisions
The general provisions of this Privacy Policy apply to all users of our Website and Services worldwide. The following sections contain additional information that applies depending on where you are located. Where a jurisdiction-specific provision conflicts with a general provision, the jurisdiction-specific provision takes precedence for users in that jurisdiction.
13.1 United Kingdom
Applicable law: UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data controller registration: Olea Office Ltd is registered with the Information Commissioner’s Office (ICO) under registration number ZC131792.
AML legislation: In addition to our obligations under German anti-money laundering law, Olea complies with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (UK MLR 2017) where applicable.
Retention — tax records: Contract and billing records are retained for 6 years from the end of the contract, in accordance with HMRC requirements.
International transfers: Transfers from the UK are governed by the UK IDTA or the UK Addendum to the EU SCCs, as approved by the ICO.
Supervisory authority: If you wish to lodge a complaint about our data processing, you may contact:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113
13.2 Germany
Applicable law: EU General Data Protection Regulation (EU GDPR), the Bundesdatenschutzgesetz (BDSG), and the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG).
Business address compliance. For services provided in Germany, business address and office service providers may be subject to obligations under the German Money Laundering Act (GwG). Olea applies customer verification and compliance review procedures to support compliant service delivery, prevent misuse of the Services, and provide relevant compliance information to the Location Partner responsible for the selected address. Where a German Location Partner has obligations under applicable law, it may process compliance dossier information as an independent controller for those purposes.
Compliance checks may include:
- Customer due diligence (KYC) on customers
- Business verification (KYB) on legal entities
- Identification and verification of beneficial owners (wirtschaftlich Berechtigte) with more than 25% ownership or control
- PEP and sanctions screening
- Suspicious activity assessment and, where applicable, reporting to a competent authority
- Retention of compliance records where required by law
Retention — tax records: Contract and billing records may be retained for up to 10 years in accordance with the Handelsgesetzbuch (HGB) §257 and the Abgabenordnung (AO) §147.
Compliance data retention and deletion: Where applicable law requires retention of compliance records, we retain those records for the required period and delete them when the retention period expires, unless other legal provisions require continued retention.
Cookie consent: The TTDSG (§25) requires that cookies and similar technologies that are not strictly necessary for the provision of the service are placed only with your prior explicit consent. See our Cookie Policy for details.
Supervisory authority: If you wish to lodge a complaint about our data processing, you may contact:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219, 10969 Berlin
Website: datenschutz-berlin.de
Telephone: +49 30 13889-0
AML supervisory authority:
Senatsverwaltung für Wirtschaft, Energie und Betriebe
Berlin
(Responsible for AML supervision of Büroserviceunternehmen in Berlin)
13.3 European Economic Area (EEA)
Applicable law: EU General Data Protection Regulation (Regulation (EU) 2016/679).
International transfers: Where personal data is transferred from the EEA to the UK, such transfers are covered by the EU adequacy decision for the UK (adopted 28 June 2021). This adequacy decision is subject to periodic review. Where data is transferred from the EEA to countries outside the EEA that do not benefit from an adequacy decision, we rely on EU Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework (where applicable).
Supervisory authority: If you are located in the EEA and wish to lodge a complaint, you have the right to contact the data protection supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.
A directory of EEA data protection authorities is available on the European Data Protection Board website at edpb.europa.eu.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our Services, or applicable law. Where we make material changes, we will notify you by:
- posting the updated policy on our Website with a revised “Last updated” date;
- sending you an email notification (if you have an account with us); or
- displaying a prominent notice on the Platform.
We encourage you to review this policy periodically. Your continued use of the Website or Services after any changes take effect constitutes your acknowledgement of the updated policy.
15. Contact us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: support@oleaoffice.com
- Post: Data Protection, Olea Office Ltd, 66 Paul Street, London, EC2A 4NA
We aim to respond to all enquiries within one month.
16. Languages
This Privacy Policy is published in English and German. The English version is the source. If anything is unclear, contact us at support@oleaoffice.com.