"Privacy Policy — The X Office"
Last updated 2026-05-22
This Privacy Policy explains how The X Office LLC ("we", "us", "our") collects, uses, discloses, and protects information when you use our virtual office, Private Mailbox, mail-forwarding, scanning, receptionist, and meeting-room services. It is grounded in primary US privacy law — the Florida Information Protection Act Florida Statutes §501.171 — Florida Information Protection Act (FIPA), the California Consumer Privacy Act as amended by the California Privacy Rights Act California Civil Code §1798.100 — California Consumer Privacy Act / CPRA, Section 5 of the FTC Act 15 USC §45 — FTC Act Section 5 (unfair / deceptive acts), the CAN-SPAM Act 15 USC §7701 — Controlling the Assault of Non-Solicited Pornography And Marketing Act, and the Children's Online Privacy Protection Act 15 USC §6501 — Children's Online Privacy Protection Act — and it tells you, in plain English, what we do with your data and what rights you have over it. Effective date: May 22, 2026.
This policy applies to thexoffice.us, to the customer portal, and to every physical interaction at our Miami suite. It does not cover third-party websites we link to. If you find something here that is unclear, write to privacy@thexoffice.us — we read every message and revise the policy when language fails its purpose.
1. Information we collect
We collect only the categories of personal information we need to run the service. The categories below map to the definitions in the California Consumer Privacy Act California Civil Code §1798.100 — California Consumer Privacy Act / CPRA and the Florida Information Protection Act Florida Statutes §501.171 — Florida Information Protection Act (FIPA).
Identifiers. Your legal name as printed on your government identification, your residential address, your email, a phone number for delivery coordination, and the identifier USPS assigns to your Private Mailbox USPS Form 1583 — Application for Delivery of Mail Through Agent. Account holders signing on behalf of a legal entity also provide the entity's legal name and Florida Sunbiz document number when applicable.
Government-issued identification documents. Two forms of identification are required to file PS Form 1583 with USPS USPS Form 1583 — Application for Delivery of Mail Through Agent; one must be photo identification. For non-residents, we typically receive a passport plus a secondary document such as a national identification card or a recent utility bill from the country of residence. We store digital images in our document vault until thirty days after account closure, after which they are purged on a scheduled rotation. We do not retain them indefinitely.
Commercial information. The plan you selected, the dates of your billing cycle, the add-on services you used (extra mail forwarding, certified mail handling, additional scans), and the cancellations and pauses you initiated.
Payment information. When you pay, our payment processor handles the card data; we receive only a transaction reference and a masked card identifier — never the full card number or the security code. Billing address and the email on the receipt are kept on our side for invoicing.
Mail metadata. For each piece of mail that arrives at your PMB we capture the sender (when legible), arrival date, dimensions, weight, and class of service. We log every forwarding instruction you give us. When you turn on mail scanning, the envelope exteriors and (when you request opening) the contents become part of your private file.
Service usage data. The pages you visit on our portal, the device you used, and the time you logged in. We collect this for security investigations and for product analytics. We do not use third-party advertising trackers and we do not fingerprint browsers.
Communications. Emails to support@, billing@, legal@, privacy@, accessibility@, dmca@, the WhatsApp number listed on /contact, and call recordings when you opt into the receptionist service with recording enabled.
We do not knowingly collect categories of "sensitive personal information" as defined by CPRA California Civil Code §1798.100 — California Consumer Privacy Act / CPRA beyond what is strictly required for Form 1583 identification. We do not collect biometric identifiers, racial or ethnic origin, religious or philosophical beliefs, union membership, or genetic data.
2. How we use your information
We use your data only for purposes that are operationally necessary to deliver the service you signed up for, to meet legal obligations, and to defend against fraud — purposes contemplated by the operational-use exception in Florida law Florida Statutes §501.171 — Florida Information Protection Act (FIPA) and the business-purpose category in CCPA §1798.140 California Civil Code §1798.100 — California Consumer Privacy Act / CPRA.
We use identifiers and identification documents to verify your identity and to file the notarized PS Form 1583 with USPS USPS Form 1583 — Application for Delivery of Mail Through Agent. We use commercial and payment information to issue invoices, process payments, and resolve billing disputes. We use mail metadata to route, store, scan, forward, and return your mail per your instructions. We use communications data to respond to your support requests and to maintain a record of consent for actions you authorized.
We use service-usage data to monitor for unauthorized access, to debug, and to plan capacity. We do not use any data to train artificial-intelligence models. We do not profile you for advertising. We do not sell or "share" your personal information as those terms are defined in CCPA / CPRA California Civil Code §1798.100 — California Consumer Privacy Act / CPRA.
Where the law requires retention (tax records, USPS Form 1583 archives, deceptive-trade-practices defenses under FDUTPA Florida Statutes §501.204 — Florida Deceptive and Unfair Trade Practices Act), we keep records for the period the law specifies and no longer.
3. How we share your information
We share data only with the categories of recipients listed below, and only to the extent strictly necessary for the disclosed purpose. We do not sell personal information. We do not engage in cross-context behavioral advertising.
United States Postal Service. We provide USPS with the executed PS Form 1583 and the supporting identification documents for every Private Mailbox we issue USPS Form 1583 — Application for Delivery of Mail Through Agent. The agency relationship and our disclosure obligations are defined by federal postal regulation 39 USC §3008 — Prohibition of pandering advertisements (CMRA authority context).
Florida Division of Corporations. When our address is named on a Sunbiz filing, the filing becomes a public record by operation of state law.
Law enforcement, courts, and government agencies. We respond to subpoenas, court orders, search warrants, and valid civil-investigative demands. Where law allows, we notify the affected account holder before producing documents, so you have an opportunity to object.
Business successors. If we sell the business, merge with another company, or transfer assets, your information moves with the service under the same protections you accepted when you signed up.
Service providers (subprocessors). We rely on a small set of vendors that process data on our behalf, under written agreements that bind them to the same security and confidentiality terms we owe you. These obligations are reinforced by the data-security baseline of GLBA where applicable to mail-handling tied to financial services 15 USC §6801 et seq. — Gramm-Leach-Bliley Act.
3.1 Subprocessors
| Subprocessor | Purpose | Data shared | Location |
|---|---|---|---|
| Amazon Web Services | Application hosting, document storage, database | All service data (encrypted at rest) | United States (us-east-1) |
| Stripe, Inc. | Payment processing, invoicing | Card metadata, billing address, payment amount | United States |
| Postmark (ActiveCampaign) | Transactional email | Email address, message body | United States |
We update this list when subprocessors change. If you want to be notified of changes in advance, write to privacy@thexoffice.us and we will add you to the notification list at no charge.
4. Your rights
The rights you can exercise depend on the law that applies to you. Below we describe the three regimes that most often govern our users. Regardless of jurisdiction, you can always access, correct, and delete the data we hold about you by writing to privacy@thexoffice.us. We respond within fifteen business days and never charge a fee for a first request in a twelve-month period.
4.1 California residents (CCPA / CPRA) California Civil Code §1798.100 — California Consumer Privacy Act / CPRA
If you are a California resident, you have the right to know what categories of personal information we have collected about you, the categories of sources, the business and commercial purposes for collection, and the categories of recipients with whom we shared the data. You have the right to obtain a portable copy of your personal information, to correct inaccuracies, and to request deletion subject to the exceptions in CCPA §1798.105 (legal compliance, fraud prevention, exercise of free speech).
You have the right to limit the use of sensitive personal information. We do not use sensitive personal information beyond the limited purposes disclosed in Section 1. You have the right to opt out of the sale or "sharing" of personal information for cross-context behavioral advertising — we never sell or share for that purpose, so there is nothing to opt out of, but we make the right available as the law requires. You have the right to non-discrimination for exercising any of these rights.
To exercise a CCPA / CPRA right, send a verifiable request to privacy@thexoffice.us. We will verify your identity through your account credentials plus one additional factor (a unique reference we send to the email on file).
4.2 Florida residents (FIPA) Florida Statutes §501.171 — Florida Information Protection Act (FIPA)
The Florida Information Protection Act gives you a right to be notified, within thirty days, of any breach of unencrypted personal information affecting more than five hundred Florida residents. The Act defines "personal information" narrowly — name plus a state-issued identifier such as a driver-license number, financial-account number, or specified electronic identifier. Section 501.171(4) imposes operational data-security duties that we have built into our subprocessor selection, our encryption at rest, and our access controls.
In addition to the breach-notification right, Florida consumers retain the protections of FDUTPA Florida Statutes §501.204 — Florida Deceptive and Unfair Trade Practices Act against deceptive trade practices. Nothing in this Policy limits remedies available under Florida or federal consumer-protection law.
4.3 International users (LATAM, EU, UK) GDPR Article 3 — Territorial scope
We serve founders from Colombia, Mexico, Chile, Argentina, Peru, Spain, and Brazil daily. Several of these jurisdictions have data-protection statutes that mirror, in substance, the rights granted by CCPA / CPRA. Where you reside in the European Union or the United Kingdom, the GDPR applies to our processing of your personal data by virtue of its territorial-scope provision GDPR Article 3 — Territorial scope. The European Commission tracks adequacy decisions and standard contractual clauses for cross-border transfers EU Commission — Adequacy decisions for cross-border data transfers; we rely on standard contractual clauses for transfers out of the EU and UK.
EU and UK residents have access, rectification, erasure, restriction, portability, and objection rights under GDPR Articles 15 through 21. Write to privacy@thexoffice.us to exercise them. If we cannot resolve a dispute, you have the right to lodge a complaint with the data-protection authority in your country of residence.
5. Data security
We treat your data with the standard of care that the Gramm-Leach-Bliley Act Safeguards Rule 15 USC §6801 et seq. — Gramm-Leach-Bliley Act applies to financial information, even where our service is not directly subject to GLBA. Storage encryption uses AES-256 at rest; transport encryption uses TLS 1.3. Access to the document vault is limited to the operations team on a need-to-know basis, audited monthly, and revoked the same day an employee leaves the company.
We test our incident-response plan twice a year. If we detect a breach affecting your personal information, we notify you and the relevant authorities within the windows the law prescribes — thirty days for FIPA Florida Statutes §501.171 — Florida Information Protection Act (FIPA), without undue delay for GDPR Article 33, and as soon as practicable for CCPA where applicable California Civil Code §1798.100 — California Consumer Privacy Act / CPRA. No data-security program is perfect; we will tell you what happened, what we are doing about it, and what we recommend you do.
6. Children's information
Our service is designed for adults running businesses. We do not direct it to children under thirteen, and we do not knowingly collect personal information from a child under thirteen, consistent with the Children's Online Privacy Protection Act 15 USC §6501 — Children's Online Privacy Protection Act. If you believe a child under thirteen has submitted personal information through our service, email privacy@thexoffice.us — we delete the data, close the account, and notify the legal guardian if we can identify them.
7. Marketing email
Transactional emails — billing receipts, mail-arrival notifications, scan completions, Form 1583 reminders — are part of the service and you cannot opt out while the account is active. Marketing emails (product announcements, monthly summaries, special-offer notifications) are sent only when you opt in, and every marketing message includes a one-click unsubscribe link consistent with the CAN-SPAM Act 15 USC §7701 — Controlling the Assault of Non-Solicited Pornography And Marketing Act. The Act requires a working opt-out mechanism, accurate header information, identification as an advertisement, and a valid physical postal address — all four are present in every marketing email we send. We honor unsubscribe requests within ten business days. We do not buy or sell email lists, and we do not engage affiliate networks that would mail on our behalf without your separate consent. Misrepresenting the sender of commercial email is also an unfair or deceptive practice under Section 5 of the FTC Act 15 USC §45 — FTC Act Section 5 (unfair / deceptive acts), and we treat that statute as a backstop to CAN-SPAM compliance.
8. Mail handling and USPS Form 1583
Mail handling is the heart of what we do, and it is the part of the service that depends most directly on a formal agency relationship governed by federal regulation. When you sign PS Form 1583 USPS Form 1583 — Application for Delivery of Mail Through Agent designating us as your authorized mail agent, you authorize us to receive your mail at our Miami address — and only that. The agency does not extend to opening mail unless you have separately consented to mail scanning, does not extend to depositing checks, and does not extend to signing for legal process. USPS authority for the agency is grounded in federal postal statute 39 USC §3008 — Prohibition of pandering advertisements (CMRA authority context) and elaborated in the CMRA regulations.
The retention period for executed Form 1583 records is set by USPS regulation and we follow it. We treat the form and the supporting IDs as restricted-access records inside our document vault; only the operations staff that prepares submissions to USPS can view them, and access events are logged. When the retention period expires, the records are purged from the vault on the next monthly rotation.
If you revoke the agency, we cooperate with the USPS revocation procedure and stop accepting mail in your name on the date the revocation takes effect. Mail that arrives after the revocation date is returned to sender per standard postal procedure.
9. Cookies and tracking
We use a small number of strictly necessary cookies — a session token, a preference cookie that remembers the language you chose, and a CSRF token. We do not use advertising cookies, do not use cross-site tracking pixels, and do not fingerprint your browser to build a behavioral profile. Our portal exposes a single first-party analytics event stream that records page loads and explicit user actions; the data is keyed to your account and stays on our servers.
If you visit a third-party site we link to (a USPS information page, a bank support article, a government statute), that site sets its own cookies and operates under its own privacy policy. We are not responsible for the practices of third-party sites.
10. Changes to this policy
We update this Policy when our practices change. Material changes — changes that meaningfully affect what we collect, why we collect it, or with whom we share it — are announced by email to every account holder at least thirty days before the changes take effect, and the new effective date is posted at the top of this page. Non-material changes (typo fixes, clarifying edits) take effect on publication, and the date stamp at the foot of this page is updated.
We keep a public version history available on request. If you want a copy of the Policy that was in effect on a specific date, write to privacy@thexoffice.us and we will send it to you.
11. Contact
Privacy questions, rights requests, complaints, and breach notifications should go to:
The X Office LLC — Privacy Office privacy@thexoffice.us
Mailing address: see /contact for the current Brickell suite, formatted with the Private Mailbox #NNN notation per USPS DMM §508 USPS Form 1583 — Application for Delivery of Mail Through Agent. For takedown notices under the Digital Millennium Copyright Act 17 USC §512 — Digital Millennium Copyright Act (safe harbor), write to dmca@thexoffice.us; the DMCA process is described in our Terms of Service.
Sources
Last updated: May 22, 2026