Q Bend Limited (trading as Downsizr)
Company number: 16792208
Version 3.0
Last updated: 10 July 2026
Registered in England and Wales
Registered office: 71-75 Shelton Street, London WC2H 9JQ, United Kingdom
This privacy policy explains what personal information Downsizr collects, how we use it, who we share it with, and what rights you have. Downsizr helps people catalogue and part with treasured belongings thoughtfully, and we take the same care with your personal information as you take with your possessions
This policy applies to everyone who uses the Downsizr website, applications, and services (the "Services"). If you are in the United Kingdom, we comply with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. If you are in the United States, we comply with applicable state privacy law, including (in California) the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA")
2.1 The data controller is Q Bend Limited (trading as Downsizr), a company registered in England and Wales under company number 16792208. Our registered office is 71-75 Shelton Street, London WC2H 9JQ
2.2 If you have questions about this privacy policy, your personal data, or your rights, contact us at:
2.3 Our privacy contact is the founder, reachable at privacy@downsizr.com or at the postal address above. We will appoint a dedicated data protection officer when the scale of our processing requires one under UK GDPR Art 37
2.4 As Q Bend Limited is established in the United Kingdom, no UK representative under UK GDPR Art 27 is required
We collect personal information directly from you, automatically when you use the Services, and occasionally from third parties
When you create an account:
When you catalogue items and create listings:
If you are a giftee:
If you are a partner or professional:
When you communicate with us or other users:
When you make or receive payments:
Usage and device data:
Cookies and similar technologies – see section 14
Location (approximate) derived from IP address for legal-compliance and fraud-detection purposes. We do not collect precise geolocation from your device without your consent
When you connect a marketplace account (eBay or Etsy), we also store the OAuth access and refresh tokens that let us call the marketplace's interface on your behalf. These tokens are encrypted at rest, used only to operate the integration you authorised (creating and managing your listings, and detecting sales to calculate amounts owed), and are never sold or used for advertising. When you disconnect the marketplace account, we stop accessing your account and clear the stored tokens. See section 16 for more on third-party integrations
We do not routinely collect "special category" personal data (UK GDPR Art 9) or "sensitive personal information" (CCPA/CPRA § 1798.140(ae)). Identity documents submitted for verification are processed by Stripe Identity under Stripe's own safeguards; we do not retain the underlying documents
The Services are not intended for individuals under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us at privacy@downsizr.com and we will delete it
We use personal information only for specified, explicit, legitimate purposes. The table below summarises the purposes and the legal basis for each
| Purpose | UK GDPR legal basis | CCPA/CPRA purpose category |
|---|---|---|
| Creating and managing your account | Contract (Art 6(1)(b)) | Providing requested services |
| Matching items to partners and marketplaces | Contract | Providing requested services |
| Processing payments and payouts | Contract | Providing requested services |
| Sending transactional emails (confirmations, status, disputes) | Contract | Providing requested services |
| Identity verification where required | Legal obligation (Art 6(1)(c)) and contract | Compliance |
| Fraud prevention and platform security | Legitimate interest (Art 6(1)(f)) | Security |
| Dispute resolution and administrative mediation | Contract and legitimate interest | Providing requested services |
| Improving the Services (analytics, product development) | Legitimate interest | Internal operations |
| Automated preparation of item listings (description drafting, categorisation, valuation estimates) | Contract and legitimate interest | Providing requested services |
| Marketing and promotional communications | Consent (Art 6(1)(a)) | Marketing (opt-out available) |
| Complying with legal obligations (tax, anti-money-laundering, regulatory requests) | Legal obligation | Compliance |
| Record-keeping for dispute evidence and regulatory compliance | Legal obligation and legitimate interest | Compliance |
| Internal corporate transactions (merger, acquisition) | Legitimate interest | Business transfer |
Downsizr uses automated technology to help prepare your listings – for example, to identify items from photos, draft descriptions, classify categories, transcribe your spoken narration, and estimate values
We may use automated decisions in limited, low-risk contexts:
You have the right to request human review of any significant automated decision. Contact privacy@downsizr.com. None of these automated decisions produce legal effects on you of a type requiring additional safeguards under UK GDPR Art 22 beyond those already in place
We share personal information only with parties who need it for the purposes listed in section 4
We reveal your information to counterparties gradually, and only as far as each stage of a transaction requires:
We engage carefully selected third parties to process personal information on our behalf:
Each subprocessor is bound by a written data-processing agreement imposing at least the standard of protection required by UK GDPR Art 28, and each is required to assist us in complying with data-subject rights
Partners admitted to the Services are separate data controllers for the personal information of users they interact with through transactions (see partner terms § 20.2). When a transaction is initiated, you authorise Downsizr to share necessary personal data with the partner, staged as described in section 5.1. The partner's own privacy practices apply to the personal data they hold
We may disclose personal information where we are required to do so by law, court order, regulator, or law-enforcement request, and in response to lawful civil disclosures where the requester has demonstrated a legitimate legal basis. We push back on over-broad requests where appropriate
If Downsizr is involved in a merger, acquisition, reorganisation, or sale of assets, personal information may be transferred to the successor entity. In that event, you will be notified, and the successor entity will be bound by this privacy policy unless you are notified of material changes and given an opportunity to opt out
Listings you publish to marketplaces (eBay, Etsy) are visible to the public on those marketplaces. Your Downsizr account information is not publicly visible unless you choose to make it so
To build a marketplace of service providers, we collect publicly available business contact information about local logistics businesses (such as couriers and removals firms) – including business name, address, phone, email, website, and public ratings – from sources such as Google Places and business websites. We use this information to identify and invite those businesses to join the platform
Our lawful basis is legitimate interests (building a marketplace of service providers). A business we contact can opt out or unsubscribe at any time; we then add it to a suppression list and do not contact it again. Business data for organisations that do not register is retained for the duration of our outreach programme, and suppression-list entries (contact details that have opted out) are retained indefinitely to ensure we do not contact them again
5.8.1 When you register via an affiliate's referral link, we create an attribution record linking your account to that affiliate
5.8.2 The affiliate sees only aggregate figures (for example, registration counts and commission totals). The affiliate never sees your personal data, your items, or per-user revenue detail
5.8.3 On deletion of your account, the personal link between you and the affiliate is severed immediately and the attribution record is then retained only in pseudonymised form. Commission records are retained for approximately seven (7) years to meet UK financial and tax record-keeping obligations
6.1 Downsizr is based in the United Kingdom. Some of our subprocessors (notably Stripe, Anthropic, OpenAI, Cloudinary, Shippo and Vercel) operate in the United States. Personal information may therefore be transferred outside the UK or European Economic Area
6.2 Where personal information is transferred to the United States, we rely on:
(a) for UK-to-US transfers, the UK extension to the EU-US Data Privacy Framework (where the recipient is certified);
(b) the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) as adopted by the UK, supplemented by a transfer impact assessment;
(c) any other lawful transfer mechanism under UK GDPR Art 46 or 49
6.3 Where personal information is transferred to other non-EEA countries (for example, through a shipping carrier), we ensure appropriate safeguards are in place
We keep personal information only as long as necessary for the purposes for which it was collected, or as required by law
| Category | Retention period |
|---|---|
| Account registration data | For the life of the account, then deleted 30 days after your deletion request (you can cancel within those 30 days) |
| Transaction records (items, payments, disputes) | 7 years (UK tax retention obligations) |
| Financial records (invoices, commission, payouts) | 7 years |
| Donation records (charity details, confirmed value and country, kept so you have evidence for tax purposes) | 7 years |
| Dispute and audit-log data | 7 years from dispute closure (for evidentiary and regulatory purposes) |
| Identity verification evidence | Held by Stripe under its own retention schedule; not retained by Downsizr |
| Marketing preferences and consent records | 3 years after withdrawal of consent |
| In-platform messages between users | For the life of the accounts involved; removed when the account is deleted, except where dispute retention applies |
| Support correspondence | Held in our support email system and service logs; reviewed and cleared periodically |
| Security and fraud-prevention logs | 2 years |
| Cookies | Varies by cookie; see section 14 |
7.1 After the retention period, personal information is deleted or anonymised, except where we are under a legal obligation to retain it longer
7.2 You may request earlier deletion of your personal information – see section 8 (UK rights) and section 9 (US rights). Where we are legally required to retain data beyond your request, we minimise what we hold to what is strictly necessary: after your 30-day deletion grace period, personal identifiers are removed or redacted while the financial records the law requires us to keep are retained for 7 years and then anonymised
Under UK GDPR and the Data Protection Act 2018, you have the following rights:
Right of access (Art 15). You can request a copy of the personal information we hold about you. We will respond within one month of a validly identified request
Right to rectification (Art 16). You can ask us to correct inaccurate or incomplete information
Right to erasure (Art 17). You can ask us to delete personal information where we no longer need it, where you have withdrawn consent and there is no other legal basis, or where processing is unlawful. Certain retention obligations may prevent deletion; we will explain when they apply
Right to restriction of processing (Art 18). You can ask us to limit use of your personal information in specific circumstances (for example, during a dispute over accuracy)
Right to data portability (Art 20). You can request an export of the personal information you have provided to us, in a structured, commonly used, machine-readable format. Use the export your data feature in account settings or contact us
Right to object (Art 21). You can object to processing based on legitimate interest or for direct-marketing purposes
Right to withdraw consent. Where we rely on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal
Right to lodge a complaint. If you believe we have handled your data improperly, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk, tel 0303 123 1113
8.1 To exercise your rights, contact privacy@downsizr.com. We may need to verify your identity before acting on a request
California residents have the following rights under the CCPA as amended by the CPRA:
Right to know. You can request that we disclose:
Right to delete. You can request that we delete personal information we have collected from you, subject to legal-retention exceptions under CCPA § 1798.105(d)
Right to correct. You can request correction of inaccurate personal information
Right to opt out of sale or sharing. Downsizr does not sell or "share" personal information (as defined by CCPA/CPRA) for cross-context behavioural advertising. No opt-out is therefore required, but if this changes in the future, we will provide the mandatory "Do Not Sell or Share My Personal Information" mechanism
Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes that trigger the limit-use right
Right to non-discrimination. We will not discriminate against you for exercising your privacy rights. You will not pay a different price, receive a different level of service, or be denied Services for exercising a right
Right to data portability. The export your data feature in account settings provides a structured export
9.1 How to exercise rights. Submit requests through account settings, email privacy@downsizr.com, or other submission methods as published. We will respond within 45 days, extendable by a further 45 days where reasonably necessary with notice to you
9.2 Identity verification. We will ask for reasonable information to verify your identity before acting. For sensitive data requests, additional verification may be required
9.3 Authorised agents. You may designate an authorised agent to make a request on your behalf. We will verify both the agent's authority and your identity
9.4 Shine the Light (California Civil Code § 1798.83). California residents may annually request information about any sharing of personal information with third parties for direct-marketing purposes. Downsizr does not share personal information with third parties for their direct marketing
9.5 Complaints. You may complain to the California Office of the Attorney General (oag.ca.gov/privacy) or the California Privacy Protection Agency (cppa.ca.gov)
Residents of Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, Virginia, and other states with comprehensive privacy legislation have rights analogous to those in section 9. We will honour requests from residents of any US state with valid privacy legislation in force on the date of the request. Contact privacy@downsizr.com for state-specific exercising of rights
We implement technical and organisational measures appropriate to the risks we face:
No system is completely secure. If we become aware of a personal-data breach affecting your information, we will notify you without undue delay where required by UK GDPR Art 34 or the equivalent US state statute, and we will notify the relevant regulator (the ICO, or the relevant state attorney general) within statutory deadlines
11.1 Third-party marketplace breach notification. Where a breach involves personal data obtained through a marketplace integration (including Etsy or eBay), we will additionally notify the marketplace (for Etsy: dpo@etsy.com) and the affected marketplace seller no later than 24 hours from discovery of the breach or suspected breach
12.1 When an owner grants shared access to another individual (a shared user, including a professional managing the owner's account), the shared user has access to the owner's account data while the shared access is active
12.2 Shared user activity is logged. The owner can see what actions a shared user has taken
12.3 When shared access is revoked, the shared user no longer has access to the owner's data, but data that was shown to them during the access period may have been retained by them outside the Services; we cannot control that
12.4 Professionals acting via shared access are separate controllers in respect of their client owners' personal information, under partner terms § 20.2. The professional's own privacy practices apply
13.1 When you file or respond to a dispute, information you submit (including photos, messages, and supporting documents) is shared with the opposing party and with Downsizr administrators for the purpose of resolution
13.2 Dispute records are retained for 7 years from closure of the dispute, for evidentiary and regulatory purposes, even after account closure
13.3 Independent external alternative-dispute-resolution providers engaged under the dispute resolution policy may receive dispute data. Each is bound by confidentiality obligations and applicable data-protection law
14.1 We use cookies and similar technologies to operate the Services and to understand how they are used. Categories:
14.2 Consent and opt-out. On first visit, we present a cookie banner allowing you to accept or reject the analytics category. Analytics tools default to a no-tracking state (Google Consent Mode v2: `analytics_storage = denied`) until you accept. You can change your choice at any time via the cookie preferences link in the footer. Rejecting analytics does not affect your ability to use the Services
14.3 California and US privacy rights. California residents may opt out of the "sale" or "sharing" of personal information under the CCPA/CPRA by rejecting the analytics category in the cookie banner or by sending a Global Privacy Control signal from your browser. Downsizr does not sell personal information for monetary consideration. Residents of other US states with similar laws (Colorado, Connecticut, Virginia, Utah and others) have equivalent rights
14.4 Most browsers let you control cookies through browser settings. See allaboutcookies.org for guidance
15.1 Transactional communications. We send emails and in-Service notifications required to operate your account and transactions (for example, quote confirmations, payment receipts, dispute notifications). These are not marketing, and you cannot opt out of essential operational messages. Some regular summaries, such as the daily giftee digest, carry their own unsubscribe link so you can switch off just that summary while still receiving essential messages
15.2 Marketing communications. We send marketing communications (product updates, new feature launches) only with your consent, or where permitted by soft-opt-in rules (UK PECR r22(3) for existing customers)
15.3 Unsubscribe. Every marketing email contains an unsubscribe link. You can also update preferences in account settings
15.4 We do not use personal information for cross-context behavioural advertising
The Services include links to third-party websites (marketplaces, shipping carriers, payment providers, Stripe dashboards). When you follow such a link or engage an integration, the third party's privacy policy applies to their handling of your data. Downsizr is not responsible for third-party privacy practices
17.1 We may update this privacy policy from time to time. Material changes will be notified by email to registered users at least 30 days before taking effect. Minor changes (for example, adding a new subprocessor, clarifying existing text) take effect on posting
17.2 The effective date and version are shown at the top of this document
Privacy team:
Supervisory authorities:
Q Bend Limited, 71-75 Shelton Street, London WC2H 9JQ. Company no. 16792208