Privacy Policy
Last updated: 11 May 2026
Qubelis Limited respects your privacy and processes personal data lawfully under the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. This policy explains exactly what we collect, why, how long we keep it, and what rights you have. We've tried to write it in plain English.
§1. Who we are (Data Controller)
The data controller responsible for processing your personal data is:
Qubelis Limited
71-75 Shelton Street, Covent Garden
London WC2H 9JQ, United Kingdom
Company Registration: 16949198
Email: hi@qubelis.com
§2. EU Representative (GDPR Art. 27)
As a UK company processing data of EU residents, we have appointed an EU representative in accordance with Article 27 of the GDPR. EU data subjects may contact our representative for any matter relating to the processing of their personal data:
Axel Pawlowsky (EU Representative for Qubelis Limited)
Neuss, Germany
Email: hi@qubelis.com
You may contact the EU representative directly in German or English.
§3. What we collect & why
We process the following categories of personal data:
Account data
Email address, company name, region of operations. Used to: create and manage
your account, authenticate you via magic-link login, and provide the service.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract with you.
Usage data
Records of which retailer profiles you've viewed, reports you've generated,
shops you've saved. Used to: provide the service (your Report Wallet), improve
features, and identify abuse.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract;
Art. 6(1)(f) GDPR — legitimate interest (security & product improvement).
Payment data
Subscription tier, billing period, payment status. Note: full card details are
processed by our payment provider Creem.io as Merchant of Record — they never
touch our servers.
Legal basis: Art. 6(1)(b) GDPR — performance of a contract;
Art. 6(1)(c) GDPR — legal obligation (tax/accounting records).
Communication data
Emails you send us, support tickets, newsletter consent records. Used to:
respond to enquiries and provide support.
Legal basis: Art. 6(1)(b) GDPR — pre-contractual or contractual;
Art. 6(1)(a) GDPR — consent (newsletters); Art. 6(1)(f) GDPR — legitimate interest
(support quality).
Technical data
IP address, browser type, device type, access timestamps, error logs. Used to:
secure the service, debug issues, and prevent abuse.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest (security).
§4. How long we keep it
- Account data: for the duration of your account, plus 30 days after deletion (for restore-from-error scenarios).
- Usage data: for the duration of your account.
- Payment data: 10 years after the transaction (statutory retention under UK and German tax law).
- Communication data: 3 years from the last interaction.
- Technical logs: 90 days, then automatically purged.
- Marketing consent: until you withdraw consent or until 3 years of inactivity have passed.
§5. Who we share data with (Processors)
We use the following service providers ("data processors") to operate Qubelis. Each is bound by a Data Processing Agreement (DPA) under GDPR Art. 28:
- Mittwald CM Service GmbH & Co. KG (Germany) — hosting, database, email infrastructure. Mittwald privacy.
- Sendinblue / Brevo SAS (France) — transactional and marketing emails. Brevo privacy.
- Bunny.net (BunnyWay d.o.o.) (Slovenia, EU) — content delivery network for static assets. Bunny privacy.
- Creem.io (operating as Merchant of Record) — payment processing, VAT handling, invoicing. Creem privacy.
- Anthropic PBC (USA) — AI text generation for retailer reports. Only company-related data (publicly available info about a retailer) is sent; no personal data of Qubelis users. Transfer based on EU Standard Contractual Clauses. Anthropic privacy.
We do not sell your data, share it with advertisers, or use it for profiling beyond what's strictly needed to operate the service.
§6. International data transfers
The Anthropic API is operated in the USA. Transfers to the USA are protected by EU Standard Contractual Clauses (Decision 2021/914/EU) and supplementary measures. All other processors are EU-based or operate under UK adequacy.
§7. Your rights under GDPR
As a data subject, you have the following rights. To exercise any of them, email hi@qubelis.com — we'll respond within 30 days (Art. 12(3) GDPR).
- Right of access (Art. 15) — request a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — delete your data ("right to be forgotten"). Note: this also deletes your Report Wallet permanently.
- Right to restriction (Art. 18) — limit how we use your data while a complaint is investigated.
- Right to data portability (Art. 20) — receive your data in a machine-readable format (JSON or CSV).
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right to withdraw consent — for any processing based on consent (e.g. newsletter), at any time.
§8. Right to complain to a supervisory authority
If you believe we have mishandled your personal data, you have the right to file a complaint with a data protection authority. Because our EU representative is based in Neuss (North Rhine-Westphalia, Germany), the competent authority for EU complaints is:
Landesbeauftragte für Datenschutz und Informationsfreiheit
Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2-4, 40213 Düsseldorf, Germany
www.ldi.nrw.de
UK users may complain to the Information Commissioner's Office (ICO): www.ico.org.uk.
You may also complain to any other data protection authority in your country of residence.
§9. Cookies & tracking
We use only essential cookies for authentication and session management:
- Session cookie — keeps you logged in during a session. Auto-deleted on logout or after 7 days.
- Magic-link verification token — temporary cookie used to validate login links. Auto-deleted after authentication.
We do not use third-party tracking cookies, advertising pixels, or analytics that identify individual users. We do not currently use Google Analytics, Meta Pixel, or similar.
§10. Data security
We protect your data with industry-standard measures:
- HTTPS/TLS encryption for all connections (Let's Encrypt or higher);
- EU-based hosting at Mittwald (ISO 27001 certified);
- Encrypted database backups with daily rotation;
- Magic-link authentication (no password stored, no password reuse risk);
- Access controls limited to operations strictly necessary;
- Regular security reviews and dependency updates.
§11. Children
Qubelis is a B2B platform and not intended for users under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have done so, contact us and we will delete the data promptly.
§12. Changes to this Privacy Policy
We may update this policy as our service evolves. Material changes will be communicated by email to all active account holders at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
§13. Contact
Questions about your data, or need to exercise a GDPR right?
Email hi@qubelis.com or contact our EU representative (Axel Pawlowsky, Neuss, Germany) at the same address.