marql ("we", "our", "us") operates the marql platform available at marql.one and platform.marql.one. This Privacy Policy explains how we collect, use, and protect your information when you use our services.

1. Information We Collect

We collect information you provide directly to us when you:

Create an account (name, email address, password)
Sign in via Google or Microsoft OAuth (name, email, profile picture from the provider)
Configure your organization and stores
Connect integrations (POS, ERP, delivery platforms)

We also automatically collect usage data such as log files, IP addresses, browser type, and pages visited to operate and improve the platform.

2. Legal Basis for Processing

We process your personal data on the following legal bases under Article 6 GDPR:

Performance of a contract (Art. 6(1)(b)) — to provide the marql service, authenticate your identity, and manage your account.
Legitimate interest (Art. 6(1)(f)) — to ensure platform security, prevent fraud, improve the service through anonymised usage data, and follow up on pre-sales enquiries via HubSpot CRM.
Consent (Art. 6(1)(a)) — to set analytics cookies (Google Analytics 4 and HubSpot tracking script), where you have given explicit consent via our cookie banner.
Legal obligation (Art. 6(1)(c)) — where applicable law requires us to retain or disclose data.

3. How We Use Your Information

To provide, maintain, and improve the marql platform
To authenticate your identity and manage your account
To sync and display your business data (sales, inventory, metrics)
To send service-related communications (account confirmations, alerts)
To detect and prevent fraud or abuse

4. Data Storage and Security

Your data is stored on AWS infrastructure in the EU (Stockholm, eu-north-1 region). We use industry-standard encryption in transit (TLS) and at rest. We do not sell your personal data to third parties.

5. Third-Party Services

We use the following third-party services:

Google / Microsoft OAuth — for authentication only; we receive your name and email
Sentry — for error monitoring (anonymized stack traces)
Railway / AWS — infrastructure hosting (data stored in EU)
Calendly, Inc. — for scheduling demo meetings; Calendly processes your name and email in accordance with its own privacy policy
Google Analytics 4 (Google Ireland Ltd.) — website analytics, only with your consent; data may be transferred to the US under Standard Contractual Clauses and the EU–US Data Privacy Framework
HubSpot Ireland Ltd. (1 Sir John Rogerson's Quay, Dublin 2, Ireland) — CRM and pre-sales communication. When you submit your email address in a sign-up form, we send it to HubSpot to follow up on your request (legal basis: legitimate interest, Article 6(1)(f) GDPR). With your analytics consent, we also load HubSpot's tracking script, which sets the hubspotutk cookie to associate your browsing session with your CRM record. Data may be transferred to the US under Standard Contractual Clauses.

6. Your Rights (GDPR)

If you are located in the European Economic Area, you have the following rights:

Right of access — to receive a copy of the data we hold about you
Right to rectification — to correct inaccurate data
Right to erasure — to request deletion of your data
Right to restriction — to limit how we use your data
Right to data portability — to receive your data in a structured, machine-readable format
Right to object — to processing based on legitimate interest
Right to withdraw consent — at any time, without affecting the lawfulness of prior processing

To exercise these rights, contact us at [email protected].

7. Data Retention

We retain your data for as long as your account is active. Upon account deletion, personal data is removed within 30 days, unless applicable law requires a longer retention period. You may request deletion of your account and associated data at any time by contacting us.

8. Cookies

We use cookies strictly necessary for authentication and, with your consent, analytics cookies (Google Analytics 4 and HubSpot). See our Cookie Policy for full details.

9. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes by email or via the platform at least 30 days before they take effect.

10. Data Protection Officer

Under Article 37 GDPR, appointment of a Data Protection Officer is required only for public authorities, organisations that carry out large-scale systematic monitoring of individuals, or organisations that process special categories of data on a large scale. As marql is a B2B platform that processes business operational data and does not engage in large-scale monitoring of natural persons, we are not required to appoint a DPO.

11. Contact

Questions about this Privacy Policy? Contact us at [email protected].

12. Data Controller

The data controller for this website is KD Bureau SAS, a French company registered at RCS Paris under number 941 575 276 (TVA: FR76941575276), with registered office at 50 avenue des Champs-Élysées, 75008 Paris, France.