Skip to content
Marque

Legal

Privacy policy.

Last updated: 28 May 2026 · Draft v1

This notice explains what personal data Marque collects, how we use it, who we share it with, and the rights you have. It is written for UK and EU data protection law (UK GDPR, the Data Protection Act 2018, and the EU GDPR where it applies).

01Who we are

“Marque” is a trading name of CONFIRM legal entity, a company registered in CONFIRM jurisdiction under company number CONFIRM. Our registered office is at CONFIRM registered address.

For the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018) we are the data controller for the personal data described in this notice.

We are registered with the UK Information Commissioner’s Office under registration number CONFIRM ICO number.

We have CONFIRM appointed / not appointed a formal Data Protection Officer. Privacy enquiries should be sent to legal@marque.marketing.

02What personal data we collect

From visitors to this website

Our web server receives your IP address and User-Agent header. These are used to operate the service, protect against abuse, and respond to security incidents. We do not run analytics scripts, third-party trackers, or marketing pixels on this website.

Cookies are described in §09 below — we set exactly one strictly-necessary cookie.

From people who submit a form

When you submit the waitlist, contact-sales, or security-contact form, we collect the information you provide — typically your name, work email, organisation or business description, and the message you write. For spam protection we also record the source IP address and User-Agent of the submission. Submissions are stored so that a named human on our team can read and respond.

From customers who create a Marque account

We collect your name, business email address, the tenant name and URL slug you choose, the tenant type (self-service, agency partner, corporate), the plan selected, and optionally a separate billing email address. For each admin user we store a name, email address, and a bcrypt-hashed password (we never store plaintext passwords; minimum length is 12 characters).

We do not collect telephone numbers or postal addresses at signup.

From paying customers (payment data)

Card number, billing address, CVC and other payment details are collected and processed by Stripe directly. Marque receives only a Stripe customer ID and subscription ID; we do not store card details on our own systems. Stripe is currently wired in code but not yet active in production — paid signup goes live when the founder programme moves off the waitlist.

From use of the Marque app

Material you upload — briefs, brand identity assets, voice/visual/audio fingerprints, campaign content, approvals, comments — is processed and stored to provide the service. Personal data about your team members (names, emails, roles, permission scopes) is processed for access control and audit purposes.

03How we use it (legal bases)

  • Performance of contract — to provide the Marque service to account holders, run the workflows you configure, and deliver the campaigns you create.
  • Legitimate interests — to secure the service, prevent fraud and abuse, respond to enquiries you send us, and conduct internal analysis on aggregate usage to improve the product. We balance these interests against your rights and freedoms.
  • Legal obligation — to keep accounting records, comply with tax law, and respond to lawful disclosure requests.
  • Consent — for any non-essential cookies or marketing communications. We do not currently set non-essential cookies; if we add them we will request consent first.

04Who we share data with

We use the following sub-processors to deliver the service. A current list is maintained on our /security page; we will update that page and notify affected customers in advance of any change.

  • Amazon Web Services — hosting (EC2), database (Postgres), object storage (S3), email sending (AWS SES, where enabled per customer), and routed access to large language models via Amazon Bedrock. Data is held in the EU (Ireland) region.
  • Stripe — payment processing (currently inactive in production; will be live when paid signup opens).
  • IONOS SE — domain DNS for marque.marketing, mailbox hosting for sales@marque.marketing, and SMTP relay for outbound sales-lead notifications from the inbound-lead form. Operates in the United Kingdom and Germany.
  • OpenAI — only when an operator selects an OpenAI image-generation model for a generation task in the Marque app.
  • Google AI Studio — only when an operator selects a Google generative model (Gemini, Imagen, Nano-Banana).
  • Black Forest Labs — only when Flux image models are selected.
  • ElevenLabs — only when voice synthesis is used.
  • Runway · Kling · ByteDance Seedance — only when video generation is used.

We do not use customer-relationship-management software (Salesforce, HubSpot, Intercom, Drift, Crisp), web analytics or marketing tracking tools, third-party error-monitoring services that receive personal data, or transactional email providers other than AWS SES and IONOS SMTP.

05International transfers

Our primary infrastructure runs in the EU (Ireland) region of Amazon Web Services. Personal data of UK data subjects is transferred to the EU under the UK adequacy decision for the European Economic Area.

Some sub-processors (notably OpenAI, Google AI Studio, Black Forest Labs, ElevenLabs, Runway, Kling and ByteDance Seedance) may operate from outside the UK or the EEA, including the United States and other jurisdictions. Where personal data is transferred to a country without an adequacy decision, we rely on UK International Data Transfer Agreements (IDTAs) and / or EU Standard Contractual Clauses, together with any supplementary technical and organisational measures appropriate to the transfer.

06How long we keep it

  • Web-server logs — 30 days.
  • Inbound form submissions (waitlist, sales, security, demo) — 24 months from receipt.
  • Active customer account data — for the duration of the contract, plus 6 years for statutory accounting records.
  • Closed customer account data — 90 days after closure in active systems, then deleted; aggregated or anonymised data may be retained longer.
  • Backup snapshots — rotated on a 7-day cycle.
  • Payment records held by Stripe — governed by Stripe’s retention policy.

You can request a copy or deletion of your personal data at any time — see §08.

07Security

  • All data is transmitted over TLS 1.2 or higher.
  • Data at rest is encrypted with AWS-managed keys. Customer-managed encryption keys (BYOK) are available on enterprise plans.
  • Tenant isolation is enforced at the database row level; data does not cross tenant boundaries.
  • Single sign-on via SAML and OIDC is available on enterprise plans. SCIM provisioning supported.
  • An immutable audit log of every approval, override and configuration change is maintained per tenant and can be exported to your SIEM in real time on enterprise plans.
  • Penetration tests are conducted annually; reports are available under NDA.

SOC 2 Type II and ISO/IEC 27001 certifications are currently underway but are not yet held. Where the /security page references either, those references are forward-looking and should be read as in-progress targets until the certificates are published. We will update this page and the /security page as each certification is awarded.

08Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate personal data corrected.
  • Have your personal data erased (the “right to be forgotten”).
  • Restrict our processing of your data.
  • Object to our processing where we rely on legitimate interests.
  • Receive your personal data in a portable format and have it transmitted to another controller where this is technically feasible.
  • Withdraw consent at any time, where we are processing on the basis of consent.
  • Lodge a complaint with the UK Information Commissioner’s Office.

To exercise any of these rights, email us at legal@marque.marketing. We will respond within one month of receiving your request (extendable by a further two months for complex or numerous requests, in which case we will explain why).

09Cookies

This website sets exactly one cookie: marque_session, used to keep you signed in to the Marque app after login. It is marked httpOnly, sameSite=lax and secure in production, and is not shared with third parties.

We do not set analytics, marketing or third-party tracking cookies, and do not require a cookie-consent banner under UK PECR. If we add any non-essential cookies in future we will introduce a consent banner before they are set.

10Generative AI processing

Text-LLM calls (Claude / Anthropic) are routed through Amazon Bedrock within our AWS EU (Ireland) environment under Bedrock’s zero-data-retention terms — your content is not retained by AWS or Anthropic and is not used to train models.

Generative image, video and audio providers (OpenAI, Google AI Studio, Black Forest Labs, ElevenLabs, Runway, Kling, ByteDance Seedance) are called via their public APIs and are subject to those providers’ published data-handling terms. Operators inside the Marque app control which generation provider is used per-agent and per-tenant.

We do not use customer content to train Marque-owned models.

11Changes to this policy

We may update this notice from time to time. Material changes will be posted on this page and, for active customers, notified by email before they take effect. The date at the top of this page reflects the most recent revision.

12Contact us

For data-protection enquiries, email us at legal@marque.marketing.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office:

  • Web — ico.org.uk
  • Post — Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
  • Phone — 0303 123 1113