Privacy Policy

Version 2026-07-02 · Last updated 2 July 2026

Draft template pending legal review. Replace bracketed placeholders with your registered company details before publishing, and have this reviewed by a qualified solicitor — it is not legal advice.

1. Who we are

ZepiQ ("we", "us") is operated by [Company Legal Name], a company registered in England and Wales under company number [Company Registration Number], registered office [Registered Address]. We are registered with the UK Information Commissioner's Office (ICO) under registration number [ICO Registration Number]. For data protection queries, contact [DPO/Privacy Contact Email].

2. What we collect

  • Account data: email address, display name, sign-in provider, and (if you sign up with email) a password managed entirely by our authentication provider — we never see or store your password.
  • Usage data: products you search for, save to a wishlist, or set price alerts on; pages you view; affiliate links you click.
  • Consent records: which policy versions you've agreed to and when, and your marketing/cookie preferences.
  • Technical data: IP address, device/browser type, and cookies (see our Cookie Policy).

3. How we use it and our legal basis

  • Providing the service (account creation, price alerts, wishlist) — necessary to perform our contract with you.
  • Improving and securing the service (fraud prevention, analytics on aggregate usage) — our legitimate interest, balanced against your rights.
  • Marketing communications (offers, deals, price-drop digests) — only with your explicit, opt-in consent, which you can withdraw at any time in your profile.
  • Legal compliance (retaining consent records as evidence) — necessary to comply with our legal obligations under UK GDPR.

4. Who we share it with

We share limited data with the following processors, each bound by a data processing agreement:

  • Google Firebase — authentication (account creation and sign-in).
  • Google Cloud Platform — hosting and database infrastructure (UK/EU region).
  • AWIN and Amazon Associates — affiliate click tracking when you follow a "Buy" link to a retailer; we share only an anonymised click reference, never your account details.

We never sell your personal data.

5. International transfers

Our infrastructure runs in UK/EU Google Cloud regions. Where a processor (such as Firebase Authentication) involves a transfer outside the UK/EEA, we rely on the UK International Data Transfer Addendum or the EU Standard Contractual Clauses, as applicable.

6. How long we keep it

We keep account and usage data for as long as your account is active. Consent records are retained for six years after account closure as evidence of the consent you gave, in line with standard UK limitation periods. Deleting your account pseudonymises your profile immediately (see Section 7) but does not erase consent/audit records outright, because those records exist specifically to prove what you agreed to and when.

7. Your rights

Under UK GDPR you have the right to:

  • Access a copy of your data (available instantly from your profile page).
  • Correct inaccurate data.
  • Request erasure/anonymisation of your account (available instantly from your profile page).
  • Restrict or object to certain processing.
  • Receive your data in a portable format (your exported data is provided as structured JSON).
  • Withdraw consent at any time, without affecting processing carried out before withdrawal.
  • Lodge a complaint with the ICO (ico.org.uk) if you believe we've mishandled your data.

8. Security

Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted to authorised personnel. We maintain an incident response process and will notify the ICO within 72 hours of becoming aware of a qualifying personal data breach, and affected users without undue delay where required.

9. Changes to this policy

We'll update the version date above whenever this policy changes, and ask for renewed consent where the change is material.