QUEUP LTD
Contact Us

Privacy Policy

Last Updated: May 15, 2026
Effective Date: May 15, 2026

Introduction and Applicable Law

Welcome to queupltd.com (the “Site”), operated by QUEUP LTD (the “Controller”, “we”, “us”). We respect your privacy and are committed to protecting your personal data in accordance with the data-protection laws of the United Kingdom.

This Privacy Notice (the “Notice”) is issued in accordance with:

  • the UK General Data Protection Regulation (UK GDPR) — Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419;
  • the Data Protection Act 2018 (DPA 2018), including Parts 2, 3 and 4;
  • the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended — governing cookies, electronic marketing and similar technologies;
  • guidance issued by the Information Commissioner’s Office (ICO), including the Age Appropriate Design Code;
  • other applicable UK statutes and binding ICO codes of practice.

This Notice tells you what personal data we collect, why we collect it, the lawful bases for processing, how we share and store it, your rights, and how to contact us or the ICO. By using the Site you acknowledge that you have read this Notice.

Data Controller

The data controller responsible for your personal data within the meaning of Article 4(7) UK GDPR is:

QUEUP LTD
Registered office: Flat 103, 20, Flora House Fresh Wharf Road, Barking, IG11 7YJ United Kingdom
General enquiries: info@queupltd.com
Data-protection enquiries: privacy@queupltd.com

Where required by section 137 of the DPA 2018 and the Data Protection (Charges and Information) Regulations 2018, we are registered with (or pay the data-protection fee to) the Information Commissioner’s Office. Our ICO registration entry can be looked up at ico.org.uk/ESDWebPages/Search.

If our processing activities are large-scale, involve regular and systematic monitoring of individuals, or large-scale processing of special-category data, we appoint a Data Protection Officer (DPO) in accordance with Article 37 UK GDPR. You may contact the DPO directly at privacy@queupltd.com.

Information We Collect

We collect personal data that you provide directly, that we collect automatically when you use the Site, and that we obtain from third parties.

Information You Provide Directly

  • Account & contact data: name, email address, username, password (hashed), phone number, mailing address.
  • Communications: messages sent through contact forms, support tickets, surveys, comments, or reviews.
  • Transaction data (if applicable): billing address, products purchased, order history. Payment card details are processed by our PCI-DSS compliant payment processors and are never stored on our servers.
  • User-generated content: any text, images, or files you upload.

Information Collected Automatically

  • Device & technical data: IP address, device type, operating system, browser type and version, screen resolution, language, time zone.
  • Usage data: pages viewed, links clicked, time spent on pages, referring URL, search queries on the Site, scroll depth, session duration.
  • Approximate geolocation: derived from IP address (city/region level). We do not collect precise GPS location unless you explicitly grant permission.
  • Cookies, pixels, SDKs, local storage and similar tracking technologies (see our Cookie Policy for details).
  • Advertising identifiers: cookie IDs, mobile advertising IDs (IDFA/AAID).

Information from Third Parties

  • Authentication providers (e.g., Google Sign-In, Facebook Login) if you choose to log in via them — we receive your name, email, and profile picture.
  • Analytics and advertising partners that share aggregated audience insights with us.
  • Public sources and fraud-prevention services.

Lawful Bases for Processing

Under Article 6(1) UK GDPR, we process personal data only where at least one of the following lawful bases applies:

  • Consent (Art. 6(1)(a)) — for marketing emails, non-essential cookies, and certain optional features. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Performance of a contract (Art. 6(1)(b)) — processing orders, providing the Service, account administration, customer support.
  • Legal obligation (Art. 6(1)(c)) — accounting, tax, anti-money-laundering, responding to lawful requests from public authorities.
  • Vital interests (Art. 6(1)(d)) — in rare circumstances to protect someone’s life.
  • Public interest / official authority (Art. 6(1)(e)) — only where applicable.
  • Legitimate interests (Art. 6(1)(f)) — site security, fraud prevention, network and information security, basic analytics, business development — following a documented Legitimate Interests Assessment (LIA) balancing our interests against your rights and freedoms.

Where we process special category data (Article 9 UK GDPR) or criminal-offence data (Article 10 UK GDPR / Schedule 1 DPA 2018), we identify both an Article 6 lawful basis and an additional Article 9/10 condition (for example, explicit consent or a substantial public interest condition under Schedule 1 DPA 2018), and we maintain an Appropriate Policy Document where required.

Cookies and similar technologies. Storage of and access to information on your device for non-essential purposes requires your consent under Regulation 6 PECR. See our Cookie Policy.

Cookies and Tracking Technologies

We use first-party and third-party cookies, web beacons, pixels, SDKs and similar technologies. Categories include strictly necessary, functional, analytics (e.g., Google Analytics 4), and advertising (e.g., Google Ads, AdSense, Ad Manager, Meta Pixel, Microsoft UET, TikTok Pixel). For full details, see our Cookie Policy.

Google Consent Mode v2

We implement Google Consent Mode v2, which transmits the following consent signals to Google services:

  • ad_storage — consent for advertising-related cookies and storage;
  • analytics_storage — consent for analytics cookies and storage;
  • ad_user_data — consent to send user data to Google for advertising purposes;
  • ad_personalization — consent for personalised advertising.

When a user declines, Google services receive cookieless, anonymised signals only (modelled conversions and basic measurement). You may change your consent at any time via the cookie banner or your account settings.

Advertising Partners and the Google Advertising Ecosystem

  • Google AdSense / Ad Manager / Google Ads: Google, as a third-party vendor, uses cookies (including the DoubleClick DART cookie) to serve ads based on your prior visits to our Site or other websites. You may opt out of personalised advertising by visiting Google Ads Settings.
  • Google Analytics 4: you may install the opt-out browser add-on.
  • Microsoft Advertising (Bing UET), TikTok Pixel, Amazon Advertising, and other partners may also be used.

Privacy Sandbox

As Google transitions away from third-party cookies in Chrome, we may participate in Google’s Privacy Sandbox APIs, including:

  • Topics API — coarse interest-based advertising signals derived locally on your device;
  • Protected Audience API (formerly FLEDGE) — remarketing without third-party cookies;
  • Attribution Reporting API — conversion measurement with privacy preservation.

You can manage these features in Chrome under Settings → Privacy and security → Ad privacy.

Meta (Facebook) Pixel and Conversions API

We use the Meta Pixel and Meta Conversions API for ad measurement, audience targeting, and conversion tracking. As required by Meta, we notify you that third parties (including Meta) may use cookies, web beacons, and similar technologies to collect or receive information from our Site and elsewhere on the internet to provide measurement services and target ads.

You may control how Meta uses your data via your Facebook Ad Preferences.

How We Share Your Personal Data

We do not sell personal data. We share personal data only in the following circumstances:

  • Service providers / processors — hosting (e.g., AWS, Google Cloud, Cloudflare), email delivery, analytics, payment processors. They act as data processors under written Data Processing Agreements (DPAs) and may only process data on our documented instructions.
  • Advertising partners as described in the advertising sections above.
  • Affiliated companies within our corporate group, under this same Policy.
  • Business transfers — in the event of a merger, acquisition, financing, reorganisation, bankruptcy, or sale of assets, your data may be transferred as a business asset, subject to this Policy.
  • Law enforcement and regulatory authorities when required by valid legal process.
  • With your consent in any other case.

International Data Transfers

Personal data may be transferred to and processed in countries outside the United Kingdom (“third countries”) where our service providers are located. We make such transfers only where one of the following safeguards under Chapter V of the UK GDPR applies:

  • Adequacy regulations made by the Secretary of State under section 17A of the DPA 2018 (Article 45 UK GDPR) — for example, transfers to countries the UK has formally recognised as providing an adequate level of protection (currently including the EEA, Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom Extension to the EU–US Data Privacy Framework, and Uruguay).
  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, issued under section 119A DPA 2018 and effective from 21 March 2022, accompanied by a Transfer Risk Assessment (TRA).
  • Binding Corporate Rules approved by the ICO (Article 47 UK GDPR).
  • One of the derogations in Article 49 UK GDPR (such as your explicit consent, contract necessity, or important reasons of public interest), used only on an occasional, non-routine basis.

You may request a copy of the safeguards we rely on for any particular transfer by contacting privacy@queupltd.com.

Retention Periods

In line with the storage-limitation principle (Article 5(1)(e) UK GDPR), we keep personal data only for as long as is necessary for the purposes for which it was collected. Indicative periods we apply:

  • Customer accounts — for the lifetime of the account; up to 12 months after closure for dispute resolution and fraud prevention, then deletion or anonymisation.
  • Accounting and tax records6 years after the end of the relevant accounting period (sections 386–388 Companies Act 2006; Schedule 11 VAT Act 1994; HMRC guidance).
  • Employment-tax records (PAYE) — not less than 3 years after the end of the tax year (Income Tax (PAYE) Regulations 2003, reg. 97).
  • Contract documents — up to 6 years from the end of the contract (Limitation Act 1980, s. 5; 12 years for deeds, s. 8).
  • Marketing-consent records — until withdrawal of consent, plus an audit trail under Article 7(1) UK GDPR.
  • Cookies and similar identifiers — per individual cookie lifetime (see Cookie Policy).
  • Server access logs and security logs — up to 12 months.
  • CCTV footage (where applicable) — typically 30 days, in line with ICO CCTV guidance.

When the retention period expires, data is securely deleted or irreversibly anonymised. Backups containing personal data are deleted on a rolling backup-rotation schedule.

Security and Personal-Data Breach Notification

Under Article 32 UK GDPR we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including pseudonymisation and encryption where appropriate, ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access in a timely manner after an incident, and regular testing and evaluation of effectiveness.

Specific measures include:

  • TLS/HTTPS encryption in transit and encryption at rest for sensitive data;
  • role-based access control following the principle of least privilege;
  • multi-factor authentication for administrative access;
  • logging, monitoring and intrusion detection on production systems;
  • vulnerability scanning, patching and a documented Information Security Management System aligned with ISO/IEC 27001 or Cyber Essentials;
  • vetting of processors and written Article 28 data-processing agreements;
  • staff training and confidentiality obligations.

Breach Notification

In the event of a personal-data breach we will:

  • notify the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware, where the breach is likely to result in a risk to the rights and freedoms of natural persons (Article 33 UK GDPR);
  • where the breach is likely to result in a high risk to your rights and freedoms, inform you without undue delay (Article 34 UK GDPR);
  • document all breaches in our internal breach register in accordance with Article 33(5) UK GDPR.

Suspected security issues should be reported to privacy@queupltd.com.

Your Data-Protection Rights

Under the UK GDPR and the DPA 2018 you have the following rights:

  • Right to be informed (Articles 13–14 UK GDPR) — this Notice fulfils this right.
  • Right of access (Article 15 UK GDPR) — obtain confirmation that we process your data, a copy of it, and information about the processing. We will respond within one month, extendable by a further two months for complex requests (Article 12(3)).
  • Right to rectification (Article 16 UK GDPR) — correct inaccurate or incomplete data.
  • Right to erasure / ‘right to be forgotten’ (Article 17 UK GDPR) — in the circumstances listed in Article 17(1).
  • Right to restrict processing (Article 18 UK GDPR).
  • Right to data portability (Article 20 UK GDPR) — receive data you provided in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to object (Article 21 UK GDPR) — particularly to processing based on legitimate interests and to direct marketing (an absolute right).
  • Rights related to automated decision-making and profiling (Article 22 UK GDPR) — including the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you.
  • Right to withdraw consent at any time where processing is based on consent (Article 7(3)).
  • Right to lodge a complaint with the Information Commissioner’s Office (Article 77 UK GDPR; section 165 DPA 2018).

To exercise your rights, email privacy@queupltd.com. We may need to verify your identity before responding. There is normally no fee, but we may charge a reasonable fee or refuse a manifestly unfounded or excessive request (Article 12(5)).

Children’s Privacy

The Site is intended for adults. We do not knowingly direct any part of the Site at children, and we do not knowingly collect personal data from children where prohibited.

Under section 9 of the DPA 2018, where we offer an “information society service” directly to a child and rely on consent (Article 6(1)(a) UK GDPR), the consent of a child is valid only if the child is at least 13 years old. Below that age, consent must be given or authorised by the holder of parental responsibility.

Where any of our services are likely to be accessed by children, we apply the standards of the ICO’s Age Appropriate Design Code (the “Children’s Code”), including:

  • completing a Data Protection Impact Assessment (DPIA);
  • providing privacy information in a clear, age-appropriate manner;
  • setting privacy-protective settings (including geolocation and profiling) to high by default;
  • not using nudge techniques to lower privacy protections;
  • limiting data sharing to what is strictly necessary.

If you are a parent or guardian and believe your child has provided personal data without appropriate consent, please contact privacy@queupltd.com and we will delete the data without undue delay.

Do Not Track and Global Privacy Control

Our Site does not currently respond to browser “Do Not Track” (DNT) signals. However, we honour the Global Privacy Control (GPC) signal as an opt-out request from personalised advertising and cross-site tracking, where applicable under the law.

Third-Party Links

Our Site may contain links to third-party websites and services that we do not control. This Policy does not apply to those sites. We encourage you to review their privacy policies before providing them with any personal data.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will revise the “Last Updated” date and, where appropriate, provide additional notice (banner or email). Continued use of the Site after changes constitutes acceptance of the revised Policy.

Contact and Supervisory Authority

For any question relating to this Privacy Notice, to exercise your rights, or to raise a concern about how we handle your personal data, please contact us first so that we can try to resolve the matter:

QUEUP LTD — Data Controller
Address: Flat 103, 20, Flora House Fresh Wharf Road, Barking, IG11 7YJ United Kingdom
Data-protection enquiries / DPO: privacy@queupltd.com
General enquiries: info@queupltd.com

Supervisory Authority — Information Commissioner’s Office (ICO)

You have the right to lodge a complaint with the ICO if you consider that our processing of your personal data infringes UK data-protection law. We would, however, appreciate the chance to address your concerns first.

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
Helpline: 0303 123 1113 (or +44 1625 545 745 from outside the UK)
Online complaint form: ico.org.uk/make-a-complaint/
Website: https://ico.org.uk

You also have the right to seek a judicial remedy under sections 167–169 of the DPA 2018.