Q Bend Limited (trading as Downsizr)
Company Number: 16792208
Last Updated: 17 April 2026
This Privacy Policy explains what personal information Downsizr collects, how we use it, who we share it with, and what rights you have. Downsizr's mission is to help people catalogue and dispose of personal belongings thoughtfully, and we are committed to protecting your personal information.
This policy applies to everyone who uses the Downsizr website, applications, and services (the "Services"). If you are in the United Kingdom, we comply with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. If you are in the United States, we comply with applicable state privacy law, including (in California) the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA").
2.1 The data controller is Q Bend Limited (trading as Downsizr), a company registered in England and Wales under company number 16792208. Our registered office is 71-75 Shelton Street, London WC2H 9JQ.
2.2 If you have questions about this Privacy Policy, your personal data, or your rights, contact us at:
2.3 Our privacy contact is the founder, reachable at privacy@downsizr.com or at the postal address above. We will appoint a dedicated Data Protection Officer when the scale of our processing requires one under UK GDPR Art 37.
2.4 As Q Bend Limited is established in the United Kingdom, no UK representative under UK GDPR Art 27 is required.
We collect personal information directly from you, automatically when you use the Services, and occasionally from third parties.
When you create an Account:
When you catalogue Items and create listings:
If you are a Giftee:
If you are a Partner or Professional:
When you communicate with us or other Users:
When you make or receive payments:
Usage and device data:
Cookies and similar technologies — see § 14.
Location (approximate) derived from IP address for legal-compliance and fraud-detection purposes. We do not collect precise geolocation from your device without your consent.
We do not routinely collect "special category" personal data (UK GDPR Art 9) or "sensitive personal information" (CCPA/CPRA § 1798.140(ae)). Identity documents submitted for verification are processed by Stripe Identity under Stripe's own safeguards; we do not retain the underlying documents.
The Services are not intended for individuals under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us at privacy@downsizr.com and we will delete it.
We use personal information only for specified, explicit, legitimate purposes. The table below summarises the purposes and the legal basis for each.
| Purpose | UK GDPR legal basis | CCPA/CPRA purpose category |
|---|---|---|
| Creating and managing your Account | Contract (Art 6(1)(b)) | Providing requested services |
| Matching Items to Partners / Marketplaces | Contract | Providing requested services |
| Processing payments and payouts | Contract | Providing requested services |
| Sending transactional emails (confirmations, status, disputes) | Contract | Providing requested services |
| Identity verification where required | Legal obligation (Art 6(1)(c)) + Contract | Compliance |
| Fraud prevention and platform security | Legitimate interest (Art 6(1)(f)) | Security |
| Dispute resolution and administrative mediation | Contract + Legitimate interest | Providing requested services |
| Improving the Services (analytics, product development) | Legitimate interest | Internal operations |
| AI enhancement of Item listings (description generation, categorisation, valuation) | Contract + Legitimate interest | Providing requested services |
| Marketing and promotional communications | Consent (Art 6(1)(a)) | Marketing (opt-out available) |
| Complying with legal obligations (tax, AML, regulatory requests) | Legal obligation | Compliance |
| Record-keeping for dispute evidence and regulatory compliance | Legal obligation + Legitimate interest | Compliance |
| Internal corporate transactions (merger, acquisition) | Legitimate interest | Business transfer |
Downsizr uses artificial-intelligence services to help enhance listings — for example, to identify items from photos, generate descriptions, classify categories, and estimate values.
We may use automated decisions in limited, low-risk contexts:
You have the right to request human review of any significant automated decision. Contact privacy@downsizr.com. None of these automated decisions produce legal effects on you of a type requiring additional safeguards under UK GDPR Art 22 beyond those already in place.
We share personal information only with parties who need it for the purposes listed in § 4.
When you list an Item, request a quote, or complete a Transaction, certain of your personal information is shared with the counterparty. Specifically:
We engage carefully selected third parties to process personal information on our behalf. Categories include:
Each subprocessor is bound by a written data-processing agreement imposing at least the standard of protection required by UK GDPR Art 28, and each is required to assist us in complying with data-subject rights.
Partners admitted to the Services are separate data controllers for the personal information of Users they interact with through Transactions (see Partner Terms § 20.2). When a Transaction is initiated, you authorise Downsizr to share necessary personal data with the Partner. The Partner's own privacy practices apply to the personal data they hold.
We may disclose personal information where we are required to do so by law, court order, regulator, or law-enforcement request, and in response to lawful civil disclosures where the requester has demonstrated a legitimate legal basis. We push back on over-broad requests where appropriate.
If Downsizr is involved in a merger, acquisition, reorganisation, or sale of assets, personal information may be transferred to the successor entity. In that event, you will be notified, and the successor entity will be bound by this Privacy Policy unless you are notified of material changes and given an opportunity to opt out.
Listings you publish to Marketplaces (eBay, Etsy) are visible to the public on those Marketplaces. Your Downsizr Account information is not publicly visible unless you choose to make it so.
6.1 Downsizr is based in the United Kingdom. Some of our subprocessors (notably Stripe, Anthropic, Cloudinary, Vercel) operate in the United States. Personal information may therefore be transferred outside the UK or European Economic Area.
6.2 Where personal information is transferred to the United States, we rely on:
(a) for UK-to-US transfers, the UK extension to the EU-US Data Privacy Framework (where the recipient is certified);
(b) the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) as adopted by the UK, supplemented by a transfer impact assessment;
(c) any other lawful transfer mechanism under UK GDPR Art 46 or 49.
6.3 Where personal information is transferred to other non-EEA countries (for example, through a logistics carrier), we ensure appropriate safeguards are in place.
We keep personal information only as long as necessary for the purposes for which it was collected, or as required by law.
| Category | Retention period |
|---|---|
| Account registration data | For the life of the Account, then 30 days after account closure request |
| Transaction records (Items, payments, Disputes) | 7 years (UK tax retention obligations) |
| Financial records (invoices, commission, payouts) | 7 years |
| Dispute and audit-log data | 7 years from Dispute closure (for evidentiary and regulatory purposes) |
| Identity verification evidence | Held by Stripe under its own retention schedule; not retained by Downsizr |
| Marketing preferences and consent records | 3 years after withdrawal of consent |
| Communication logs (support emails, in-platform messages) | 3 years |
| Security and fraud-prevention logs | 2 years |
| Cookies | Varies by cookie; see § 14 |
7.1 After the retention period, personal information is deleted or anonymised, except where we are under a legal obligation to retain it longer.
7.2 You may request earlier deletion of your personal information — see § 8 (UK rights) and § 9 (US rights). Where we are legally required to retain data beyond your request, we will minimise what we hold to what is strictly necessary.
Under UK GDPR and the Data Protection Act 2018, you have the following rights:
Right of access (Art 15). You can request a copy of the personal information we hold about you. We will respond within one month of a validly identified request.
Right to rectification (Art 16). You can ask us to correct inaccurate or incomplete information.
Right to erasure (Art 17). You can ask us to delete personal information where we no longer need it, where you have withdrawn consent and there is no other legal basis, or where processing is unlawful. Certain retention obligations may prevent deletion; we will explain when they apply.
Right to restriction of processing (Art 18). You can ask us to limit use of your personal information in specific circumstances (for example, during a dispute over accuracy).
Right to data portability (Art 20). You can request an export of the personal information you have provided to us, in a structured, commonly used, machine-readable format. Use the Export Your Data feature in Account settings or contact us.
Right to object (Art 21). You can object to processing based on legitimate interest or for direct-marketing purposes.
Right to withdraw consent. Where we rely on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint. If you believe we have handled your data improperly, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk, tel 0303 123 1113.
8.1 To exercise your rights, contact privacy@downsizr.com. We may need to verify your identity before acting on a request.
California residents have the following rights under the CCPA as amended by the CPRA:
Right to know. You can request that we disclose:
Right to delete. You can request that we delete personal information we have collected from you, subject to legal-retention exceptions under CCPA § 1798.105(d).
Right to correct. You can request correction of inaccurate personal information.
Right to opt-out of sale/sharing. Downsizr does not sell or "share" personal information (as defined by CCPA/CPRA) for cross-context behavioural advertising. No opt-out is therefore required, but if this changes in the future, we will provide the mandatory "Do Not Sell or Share My Personal Information" mechanism.
Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes that trigger the limit-use right.
Right to non-discrimination. We will not discriminate against you for exercising your privacy rights. You will not pay a different price, receive a different level of service, or be denied Services for exercising a right.
Right to data portability. The Export Your Data feature in Account settings provides a structured export.
9.1 How to exercise rights. Submit requests through Account settings, email privacy@downsizr.com, or other submission methods as published. We will respond within 45 days, extendable by a further 45 days where reasonably necessary with notice to you.
9.2 Identity verification. We will ask for reasonable information to verify your identity before acting. For sensitive data requests, additional verification may be required.
9.3 Authorised agents. You may designate an authorised agent to make a request on your behalf. We will verify both the agent's authority and your identity.
9.4 Shine the Light (California Civil Code § 1798.83). California residents may annually request information about any sharing of personal information with third parties for direct-marketing purposes. Downsizr does not share personal information with third parties for their direct marketing.
9.5 Complaints. You may complain to the California Office of the Attorney General (oag.ca.gov/privacy) or the California Privacy Protection Agency (cppa.ca.gov).
Residents of Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, Virginia, and other states with comprehensive privacy legislation have rights analogous to those in § 9. We will honour requests from residents of any US state with valid privacy legislation in force on the date of the request. Contact privacy@downsizr.com for state-specific exercising of rights.
We implement technical and organisational measures appropriate to the risks we face:
No system is completely secure. If we become aware of a personal-data breach affecting your information, we will notify you without undue delay where required by UK GDPR Art 34 or the equivalent US state statute, and we will notify the relevant regulator (the ICO, the relevant state Attorney General) within statutory deadlines.
11.1 Third-party Marketplace breach notification. Where a breach involves personal data obtained through a Marketplace API integration (including Etsy or eBay), we will additionally notify the Marketplace (for Etsy: dpo@etsy.com) and the affected Marketplace seller no later than 24 hours from discovery of the breach or suspected breach.
12.1 When an Owner grants shared access to another individual (a Shared User, including a Professional managing the Owner's Account), the Shared User has access to the Owner's Account data while the shared access is active.
12.2 Shared User activity is logged. The Owner can see what actions a Shared User has taken.
12.3 When shared access is revoked, the Shared User no longer has access to the Owner's data, but data that was shown to them during the access period may have been retained by them outside the Services; we cannot control that.
12.4 Professionals acting via shared access are separate controllers in respect of their Client Owners' personal information, under Partner Terms § 20.2. The Professional's own privacy practices apply.
13.1 When you file or respond to a Dispute, information you submit (including photos, messages, and supporting documents) is shared with the opposing party and with Downsizr Administrators for the purpose of resolution.
13.2 Dispute records are retained for 7 years from closure of the Dispute, for evidentiary and regulatory purposes, even after Account closure.
13.3 Independent external ADR providers engaged under the Dispute Resolution Policy may receive Dispute data. Each is bound by confidentiality obligations and applicable data-protection law.
14.1 We use cookies and similar technologies to operate the Services and to understand how they are used. Categories:
14.2 Consent and opt-out. On first visit, we present a cookie banner allowing you to accept or reject the Analytics category. Analytics tools default to a no-tracking state (Google Consent Mode v2: analytics_storage = denied) until you accept. You can change your choice at any time via the Cookie Preferences link in the footer. Rejecting Analytics does not affect your ability to use the Services.
14.3 California / US privacy rights. California residents may opt out of the "sale" or "sharing" of personal information under the CCPA/CPRA by rejecting the Analytics category in the cookie banner or by sending a Global Privacy Control signal from your browser. Downsizr does not sell personal information for monetary consideration. Residents of other US states with similar laws (Colorado, Connecticut, Virginia, Utah and others) have equivalent rights.
14.4 Most browsers let you control cookies through browser settings. See allaboutcookies.org for guidance.
15.1 Transactional communications. We send emails and in-Service notifications required to operate your Account and Transactions (for example, quote confirmations, payment receipts, Dispute notifications). These are not marketing, and you cannot opt out of essential operational messages.
15.2 Marketing communications. We send marketing communications (product updates, new feature launches) only with your consent, or where permitted by soft-opt-in rules (UK PECR r22(3) for existing customers).
15.3 Unsubscribe. Every marketing email contains an unsubscribe link. You can also update preferences in Account settings.
15.4 We do not use personal information for cross-context behavioural advertising.
The Services include links to third-party websites (Marketplaces, logistics carriers, payment providers, Stripe dashboards). When you follow such a link or engage an integration, the third party's privacy policy applies to their handling of your data. Downsizr is not responsible for third-party privacy practices.
17.1 We may update this Privacy Policy from time to time. Material changes will be notified by email to registered Users at least 30 days before taking effect. Minor changes (for example, adding a new subprocessor, clarifying existing text) take effect on posting.
17.2 The effective date and version are shown at the top of this document.
Privacy team:
Supervisory authorities:
Q Bend Limited, 71-75 Shelton Street, London WC2H 9JQ. Company no. 16792208.