Marque Sign in →

Privacy Policy

Last updated: 14 July 2026

UK GDPR & Data Protection Act 2018

We are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains how we collect, use, and protect your information.

1. Who We Are (Data Controller)

Marque operates this Service. We are the data controller for personal data collected through this platform. For data protection enquiries, contact us at hello@marquecrm.com.

2. What Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, password (hashed), role within your agency
  • Billing data: payment method details (processed by Stripe — we do not store card numbers), billing address, invoice history
  • Usage data: pages visited, features used, timestamps, IP addresses, browser/device type
  • Communications: emails processed through connected inboxes (with your explicit authorisation), support tickets, messages
  • Business data you upload: client records, project data, invoices, contracts, files, and any other data you input into the Service

3. How We Use Your Data

We process your personal data for the following purposes:

  • Contract performance: providing the Service you have subscribed to, processing payments, managing your account
  • Legitimate interests: improving the Service, detecting and preventing fraud, maintaining security, sending product updates
  • Legal obligation: complying with applicable laws, regulations, and court orders
  • Consent: sending marketing communications (where you have opted in)

4. Data Sharing and Third Parties

We share data only where necessary:

  • Stripe — payment processing (PCI DSS compliant)
  • Amazon Web Services — file storage (encrypted at rest)
  • Mailgun — transactional and inbound email
  • Twilio — SMS notifications
  • OpenAI — AI-powered features (email triage, task suggestions); only the minimum necessary data is sent
  • Sentry — error monitoring (anonymised stack traces)
  • PostHog — product analytics (anonymised usage data)

We do not sell your personal data to any third party. All sub-processors are contractually required to protect your data.

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. After account termination, we retain data for up to 90 days to allow for data export requests, after which it is securely deleted. Billing records may be retained for up to 7 years to comply with legal obligations.

6. Data Transfers

Your data may be processed in countries outside the UK. Where we transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions recognised under UK GDPR.

7. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Access: request a copy of your personal data
  • Rectification: correct inaccurate or incomplete data
  • Erasure: request deletion of your data ("right to be forgotten")
  • Restriction: request that we limit how we use your data
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at hello@marquecrm.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Cookies

We use session cookies (essential for the Service to function) and optional analytics cookies. Session cookies are deleted when you close your browser. You can manage cookie preferences through your browser settings. Disabling essential cookies will prevent the Service from working correctly.

9. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS) and at rest, access controls, regular security reviews, and monitoring for unusual activity. Despite these measures, no internet transmission is completely secure.

10. Children's Privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or within the Service at least 14 days in advance. The updated policy will be effective from the date shown at the top of this page.

12. Contact Us

For any privacy-related questions or to exercise your rights, contact us at:

hello@marquecrm.com