Poq Privacy Policy Overview
Welcome to Poq!
Last updated: 8 May 2026
At Poq we take the privacy of your information seriously. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over it. We’ve tried to keep the language clear and the structure navigable — particularly the sections covering rights specific to your location.
If you only have a minute, the short version is this:
- For visitors to our website (poqcommerce.com) and people who contact us for sales, marketing, or careers reasons: we are the controller of your information. This policy tells you how we use it and what rights you have.
- For end consumers using a mobile app we have built for one of our retail clients (a “Poq-powered app”): the retailer is the controller of your information; we operate as their processor. Your rights with respect to that information are exercised through the retailer in the first instance, with our support.
- For information we collect about our retail clients themselves (employees of brands we work with): we are the controller of business-contact information.
If you have a question or want to exercise a right, contact us at privacy@poqcommerce.com. We respond within the timeframes required by applicable law.
1. Who we are
Poq Studio Limited (trading as “Poq” or “Poq Commerce”) is a company incorporated in England and Wales with registered number 07791197 and registered office at 9th Floor, 107 Cheapside, London, EC2V 6DN. References to “Poq”, “we”, “us”, and “our” in this Privacy Policy refer to Poq Studio Limited.
For the purposes of UK and EU data protection law, our representative for data protection enquiries is the Data Protection Officer, Jay Johnston (CEO), reachable at privacy@poqcommerce.com or by post at the registered office above.
The Website (poqcommerce.com) is a marketing site and the volume of EU-resident personal data we process as controller through it is below the threshold that would require us to appoint an EU representative under GDPR Article 27. The DPO above is the contact for data-protection enquiries from any jurisdiction.
2. Scope of this Privacy Policy
This Privacy Policy applies to:
- The website at https://poqcommerce.com and its sub-domains (the “Website”);
- Marketing and sales communications between Poq and prospective or existing clients, partners, and other business contacts;
- Information we hold about employees of our retail clients in connection with delivering services;
- Recruitment activities and applications for employment with Poq.
This Privacy Policy does not cover:
- Personal information processed by us on behalf of our retail clients (for example, end-consumer information flowing through a Poq-powered mobile app). For that information, the retail client is the controller and that retailer’s privacy policy governs how it is used. Our role is purely as data processor under contract with the retailer.
- Other websites linked from poqcommerce.com.
If you are unsure whether a particular processing activity is governed by this policy, contact privacy@poqcommerce.com and we will clarify.
3. Definitions
We use these terms in the senses given by the UK GDPR, EU GDPR, and applicable US state laws:
- Personal information (or “personal data”): any information relating to an identified or identifiable individual.
- Sensitive personal information (or “special category data” under GDPR): information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health, sex life or sexual orientation, and (under CPRA) precise geolocation, government-issued identifiers, financial account information, and similar.
- Processing: any operation performed on personal information (collection, storage, use, disclosure, deletion, etc.).
- Controller: the person or entity that determines the purposes and means of processing.
- Processor: the person or entity that processes personal information on behalf of a controller.
- Sub-processor: a processor engaged by another processor.
- Data subject (UK / EU) or consumer (US): the individual whose personal information is being processed.
4. Information we collect
4.1 Information you give us
When you interact with us — visiting our Website, requesting a demo, contacting sales, applying for a job, signing up for our newsletter, or attending a Poq event — you may give us:
- Identification and contact information (name, email address, telephone number, postal address);
- Professional information (job title, employer, business contact details);
- Application materials if you apply for a role with us (CV, cover letter, references);
- Any other information you choose to share with us in correspondence.
4.2 Information we collect automatically
When you visit the Website, we automatically collect:
- Device and connection information (IP address, browser type and version, operating system, device identifiers);
- Usage information (pages viewed, time spent, referring URLs, search terms used to reach the Website);
- Cookies and similar technologies — see Section 14.
4.3 Information from third parties
We may receive information about you from:
- Public sources (LinkedIn, company websites, public registers);
- Mutual contacts who introduce us;
- Service providers (analytics) acting under contract;
- B2B visitor identification and prospect-data enrichment services (Lead Forensics and Clay — see Section 14) which identify the visiting company from the IP address or activity signals, and which may enrich records with publicly-available business data.
We do not purchase or license personal information from third-party data providers (such as ZoomInfo, Apollo, Cognism, or similar).
4.4 What we do not collect
For clarity, we do not collect or hold:
- Payment card information (handled by our retail clients’ payment processors; we have no access);
- End-consumer personal information collected through Poq-powered mobile apps (held by the retail client; we are processor);
- Special category data unless explicitly necessary (for example, in an employment context for accommodations) and with an appropriate lawful basis.
5. How we use information
We use the information we collect for the following purposes:
5.1 Operating the Website and providing information about Poq
- Hosting and securing the Website;
- Responding to enquiries;
- Providing materials, demos, and information about our products and services;
- Compiling aggregated analytics about Website use to improve it.
5.2 Sales, marketing, and partner relationships
- Responding to demo requests and sales enquiries;
- Sending marketing communications about Poq products, events, and content (with opt-out always available — see Section 15);
- Managing partner and client relationships;
- Hosting and inviting individuals to events.
5.3 Recruitment
- Reviewing applications;
- Conducting interviews and assessments;
- Background and reference checks where lawful;
- Communicating with applicants.
5.4 Compliance, security, and dispute resolution
- Complying with legal and regulatory obligations;
- Detecting, preventing, and responding to security incidents and fraud;
- Establishing, exercising, or defending legal claims;
- Maintaining business records and audit trails.
5.5 Improving our services
- Aggregated and anonymised analytics about Website use;
- Internal product development and roadmap planning.
We do not sell personal information for monetary or other valuable consideration, and we do not share personal information for cross-context behavioural advertising as those terms are defined under California law. We do not deploy retargeting pixels or advertising cookies on the Website.
6. Lawful bases for processing (UK / EEA)
If you are in the UK or the European Economic Area, we process your personal information on the following lawful bases under UK GDPR / EU GDPR:
| Purpose | Lawful basis |
|---|---|
| Operating the Website and responding to enquiries | Legitimate interests (running our business) and, where applicable, performance of a contract |
| Sending marketing communications (where consent is required) | Consent — which you can withdraw at any time |
| Sending marketing communications to existing business contacts | Legitimate interests (B2B marketing under the soft-opt-in / business-context exception), with opt-out always available |
| Recruitment | Performance of a contract / steps prior to entering a contract; legitimate interests; and, where required, consent |
| Compliance with legal obligations | Legal obligation |
| Security, fraud prevention, dispute resolution | Legitimate interests and, where applicable, legal obligation |
We perform balancing assessments for legitimate-interests processing and document them as part of our Personal Information Management System (PIMS). You can ask for a copy of the relevant balancing assessment by contacting privacy@poqcommerce.com.
7. How we share information
We share personal information with:
7.1 Sub-processors (service providers)
The following sub-processors host or process information on our behalf:
| Sub-processor | Service | Location of processing | Transfer mechanism |
|---|---|---|---|
| Microsoft Azure | Cloud infrastructure (hosting, databases, storage) | West Europe (Netherlands) primary; West US, Australia East as configured | Standard Contractual Clauses; Microsoft is certified under the EU-US Data Privacy Framework |
| Cloudflare | Content delivery network, web application firewall | Global edge network | SCCs; Cloudflare is DPF-certified |
| Google Workspace | Email, productivity tools | EU data centres for data at rest | SCCs; Google is DPF-certified |
| Atlassian | Internal collaboration (Confluence, Jira) | EU and US data centres | SCCs; Atlassian is DPF-certified |
| HubSpot | Marketing automation, CRM, marketing-email delivery, Website analytics and form handling | US (primary) and EU regions | SCCs; HubSpot is DPF-certified |
| Clay | Website visitor identification and sales-prospect data enrichment | US | SCCs |
| Lead Forensics | B2B Website visitor identification (IP-based reverse company lookup) | UK / EU | UK / EU intra-region — no transfer mechanism required |
| DocuSign | Electronic signature for contracts | US and EU regions | SCCs; DocuSign is DPF-certified |
| CharlieHR | HR / people management for Poq employees | UK | UK intra-region — no transfer mechanism required |
| Google LLC | Google Analytics — anonymised website analytics | US | SCCs; Google is DPF-certified |
| Slack (Salesforce) | Internal team communications and visitor-alert notifications | US | SCCs; Salesforce is DPF-certified |
We notify clients of new sub-processors with reasonable notice and our retail clients have the right to object under their data processing agreements. The current sub-processor list is also available on request.
7.2 Other recipients
We may also share personal information with:
- Professional advisers — lawyers, accountants, auditors, insurers, where bound by duties of confidentiality;
- Regulators and law enforcement — where required by law or in response to a valid legal request;
- Business successors — in connection with a sale, merger, financing, or other corporate transaction, on the same terms as set out in this policy;
- With your consent — to other recipients you have authorised.
We do not sell personal information for monetary or other valuable consideration.
8. International data transfers
Our services are global, and personal information may be transferred to, stored in, or processed in countries other than your own — including the United Kingdom, European Economic Area, United States, and Australia. Where we transfer information out of the UK or EEA to a country that does not benefit from an adequacy decision, we use:
- Standard Contractual Clauses (SCCs) approved by the UK ICO or the European Commission;
- EU-US Data Privacy Framework certification of US recipients (where the recipient is DPF-certified);
- Other lawful transfer mechanisms permitted by applicable law.
You can request information about the safeguards in place for a specific transfer by contacting privacy@poqcommerce.com.
9. Data retention
We retain personal information only as long as necessary for the purposes for which it was collected, or as required by law. Retention periods vary by category:
| Category | Retention |
|---|---|
| Website analytics | Anonymised at collection (no personally-identifying analytics retained) |
| Marketing contacts (where consent is the basis) | Until consent is withdrawn, or 3 years of inactivity, whichever is sooner |
| Sales / partner / business-contact records | Duration of the relationship plus 6 years (limitation period under English law) |
| Recruitment — successful applicants | Migrated to employment records on hiring |
| Recruitment — unsuccessful applicants | Deleted on conclusion of the recruitment process |
| Server and audit logs | 90 days rolling |
| Backups containing personal information | 35 days rolling |
| Records required by tax, accounting, or other regulatory law | As required by the applicable law (typically 6-7 years) |
When the retention period for a category expires, we securely delete or fully anonymise the information.
10. Your rights
Your rights vary by jurisdiction. The sub-sections below set out specific rights for the UK / EEA, California, and other US states with comprehensive privacy laws.
To exercise any right, contact privacy@poqcommerce.com. We may need to verify your identity before responding. We will respond within the timeframe required by your applicable law.
10.1 UK and EEA (UK GDPR / EU GDPR)
You have the following rights:
- Right of access — to be told what personal information we hold about you and to receive a copy.
- Right to rectification — to have inaccurate or incomplete information corrected.
- Right to erasure (“right to be forgotten”) — to ask us to delete your information, subject to legal exceptions.
- Right to restrict processing — to ask us to limit how we use your information in certain circumstances.
- Right to data portability — to receive your information in a structured, machine-readable format and to ask us to transfer it to another controller where technically feasible.
- Right to object — to processing based on legitimate interests, including direct marketing (which we will always honour without challenge).
- Right not to be subject to solely-automated decisions that produce legal or similarly significant effects.
- Right to withdraw consent at any time, where consent is the lawful basis.
- Right to lodge a complaint with a supervisory authority — in the UK, the Information Commissioner’s Office (https://ico.org.uk/concerns/); in the EEA, the supervisory authority of your country of habitual residence or the place of the alleged infringement.
We will respond to requests within one month (extendable to three months for complex requests, with notice).
10.2 California (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
- Right to know the categories of personal information we collect about you, the sources, the purposes, the categories of recipients, and the specific pieces of information we hold;
- Right to delete personal information we have collected from you, subject to limited statutory exceptions;
- Right to correct inaccurate personal information we hold about you;
- Right to opt out of sale or sharing of your personal information. Poq does not sell personal information for monetary or other valuable consideration, does not share personal information for cross-context behavioural advertising, and does not deploy retargeting pixels or advertising cookies on the Website. We will continue to honour any opt-out request you submit;
- Right to limit the use and disclosure of sensitive personal information. We do not process sensitive personal information except where strictly necessary and disclosed to you;
- Right to non-discrimination — we will not discriminate against you for exercising any of these rights.
To exercise these rights, email privacy@poqcommerce.com. We will verify your identity before responding and will respond within 45 days (with one extension permitted for up to 90 days).
If we deny a request, you may appeal to privacy@poqcommerce.com.
Categories of personal information we have collected in the previous 12 months (using CCPA categorisation):
- Identifiers (name, email address, IP address, online identifiers);
- Customer records (commercial information about business contacts);
- Internet or other electronic network activity (Website usage data);
- Professional or employment-related information (job title, employer);
- Inferences drawn from the above (for example, to identify B2B prospects).
We have not collected sensitive personal information; biometric information; geolocation data (other than approximate IP-derived location); audio, electronic, visual, thermal, olfactory, or similar information; or genetic information.
Sources of the above are: directly from you (Section 4.1), automatically (4.2), and from third parties (4.3).
Purposes are described in Section 5.
Disclosures in the previous 12 months were limited to the sub-processors listed in Section 7.1 and the categories of recipient listed in Section 7.2.
10.3 Other US states (Colorado, Virginia, Connecticut, Utah, Texas, etc.)
If you are a resident of Colorado, Virginia, Connecticut, Utah, Texas, Oregon, Delaware, or another US state with a comprehensive consumer privacy law, you may have rights similar to those described above for California, including:
- The right to confirm whether we are processing your personal information and to access it;
- The right to correct inaccuracies;
- The right to delete your personal information, subject to exceptions;
- The right to obtain a portable copy of your personal information;
- The right to opt out of the sale of personal information, targeted advertising, and certain forms of profiling;
- (In Colorado and certain other states) the right to require opt-in consent before processing of sensitive data.
To exercise these rights, contact privacy@poqcommerce.com. We will verify your identity and respond within the timeframe applicable in your state (typically 45 days, with one extension permitted).
If we deny a request, you may appeal to the same address; we will respond to appeals within the statutory timeframe.
We do not engage in profiling that produces legal or similarly significant effects without consent.
10.4 Other jurisdictions
If you are in another jurisdiction with applicable privacy law, you may have similar rights. Contact privacy@poqcommerce.com and we will explain how those rights apply.
11. Sensitive information
Poq does not process sensitive personal information (as defined under CPRA) or special category data (as defined under UK / EU GDPR) except where strictly necessary — for example, in the context of employment to provide reasonable accommodations, or where you voluntarily provide such information in correspondence with us. Where we do process such information, we rely on an appropriate lawful basis (typically explicit consent or legal obligation) and apply additional security safeguards.
12. Children’s privacy
The Website and our services are not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, contact privacy@poqcommerce.com and we will delete it promptly.
For US residents, we comply with the Children’s Online Privacy Protection Act (COPPA): we do not knowingly collect personal information from children under 13.
13. Security
We take the security of personal information seriously. Our security measures include:
- Encryption in transit using TLS 1.2 or higher for website connections and form submissions (Cloudflare-managed at the edge);
- Sub-processor diligence — sub-processors handling personal information on our behalf are listed in Section 7.1 and are bound by data-protection agreements with us;
- Access controls — role-based access and multi-factor authentication for staff accessing systems containing personal information, with quarterly access reviews;
- Information Security Management System aligned with ISO/IEC 27001 across our company operations;
- Staff training at onboarding and annually thereafter;
- Periodic independent security testing of systems that handle personal information.
No system is perfectly secure. While we apply industry-standard safeguards, transmission of information over the internet always carries some risk. If we become aware of a security incident affecting your personal information, we will notify you and the relevant supervisory authorities as required by law (within 72 hours of a confirmed breach to the ICO under UK GDPR; equivalent under other jurisdictions).
14. Cookies and tracking technologies
We use cookies and similar technologies on the Website. A cookie is a small text file placed on your device that lets a website recognise you on return visits or while navigating between pages.
14.1 Categories of cookies and tracking we use
- Strictly necessary cookies — required for the Website to function (for example, session management and security). These are always active.
- Performance / analytics cookies — help us understand how visitors use the Website. Used only with your consent. We use Google Analytics (configured to anonymise data at collection) and HubSpot analytics.
- Functional cookies — remember preferences (for example, language or region). Used only with your consent.
- Marketing / advertising cookies — we do not deploy retargeting pixels or advertising cookies on the Website.
We also use the following additional tracking technologies for B2B sales prospecting:
- Lead Forensics — derives approximate company information from the IP addresses of Website visitors. Server-side, does not rely on cookies. Identification is at the company level via reverse IP lookup. Processing relies on our legitimate interests in business development.
- Clay — runs a small JavaScript tag (claydar) on the Website that collects activity signals (page views, referrers, technical fingerprint) which Clay matches against its business-data graph to identify the visiting company and enrich the record with publicly-available business information. Used for B2B sales prospecting under our legitimate interests in business development. Personal information may be transferred to the United States under Standard Contractual Clauses.
14.2 Managing your cookie preferences
When you first visit the Website you will see a cookie banner allowing you to accept, reject, or manage non-essential cookies. You can change your preferences at any time via the cookie preferences link in the Website footer.
Most browsers also allow you to manage or delete cookies through their settings. For more information, see https://www.allaboutcookies.org/.
14.3 Google Analytics
We use Google Analytics, a web analytics service provided by Google LLC, configured to anonymise data at collection. Google Analytics uses cookies to collect information about how the Website is used (page views, session duration, referring sources, approximate location based on IP address — anonymised). The information is transmitted to and stored by Google on servers in the United States and processed under the EU-US Data Privacy Framework and Standard Contractual Clauses.
You can prevent Google Analytics from collecting information about your visit by:
- Declining analytics cookies in our cookie banner;
- Installing the Google Analytics opt-out browser add-on at https://tools.google.com/dlpage/gaoptout/;
- Configuring “Do Not Track” or equivalent preferences in your browser.
Disabling analytics cookies will not affect the core functionality of the Website.
14.4 HubSpot
We use HubSpot for marketing automation, customer relationship management, marketing-email delivery, and certain Website analytics and form-handling functions. HubSpot uses cookies to recognise return visitors and to associate Website activity with form submissions. HubSpot processes data in the United States and EU, under Standard Contractual Clauses and the EU-US Data Privacy Framework.
15. Marketing communications
If you have signed up for our newsletter, requested information from us, or are an existing business contact, we may send you marketing emails about Poq products, events, content, and partner activity. We send marketing communications using HubSpot. You can:
- Unsubscribe at any time using the link at the foot of any marketing email;
- Email us at privacy@poqcommerce.com asking us to stop;
- Update your preferences via the link in our marketing emails.
Unsubscribe requests are processed automatically by HubSpot and take effect immediately. We may continue to send you transactional or service-related emails (for example, in response to your enquiries) — these are not marketing communications.
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or the law. When we make a material change, we will:
- Update the “Last updated” date at the top of this policy;
- Post a notice on the Website;
- For significant changes affecting how we use your personal information, contact you directly where we have an email address on file.
Previous versions of this policy are available on request.
17. How to contact us
For any questions, requests, or concerns about this Privacy Policy or how we handle your personal information:
Email: privacy@poqcommerce.com
Post: Data Protection Officer, Poq Studio Limited, 9th Floor, 107 Cheapside, London EC2V 6DN, United Kingdom
If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority:
- UK: Information Commissioner’s Office (ICO) — https://ico.org.uk/concerns/
- EEA: the supervisory authority of your country of habitual residence
- California: California Privacy Protection Agency (CPPA) — https://cppa.ca.gov/ — or California Attorney General — https://oag.ca.gov/contact
- Colorado, Virginia, Connecticut, Utah, Texas, etc.: the office of your state’s Attorney General