Privacy Policy

Last updated: 24 April 2026

At a glance

We collect only the data we need to run the marketplace: your contact details, your body measurements and 3D scans (with your explicit consent), your orders, messages, and device/usage data.
Your measurements and 3D body scans are special category data — we treat them with extra care and will not process them without your explicit consent.
We share your measurements and shipping details with the Seller who is making your order, so they can fulfil it. Some Sellers are based outside the UK — we use approved legal mechanisms (SCCs / IDTA) to protect your data when this happens.
We keep data for as long as we need it, and delete it in line with the schedule below.
You have rights: access, correction, deletion, portability, objection, restriction, and the right to complain to the ICO.
To exercise any right, email privacy@bespique.com.

1. Who we are

BESPIQUE LIMITED ("Bespique", "we", "us", "our") is the controller of personal data processed via bespique.com and related services.

Company number: 16939121
Registered office: Platned Ltd, Europa House Gerrards Cross, Marsham Way, Gerrards Cross, United Kingdom, SL9 8BQ
ICO registration: Bespique has applied to register with the Information Commissioner's Office (ICO). Our registration reference will be published here once confirmed. For all data protection queries in the meantime, contact privacy@bespique.com.
Privacy contact: privacy@bespique.com

2. Scope

This Privacy Policy applies to personal data we process about Buyers, Sellers, prospective users, and website visitors. It should be read together with our Cookie Policy and Terms of Service.

3. Data we collect

Category	Examples	Source
Identity	Name, date of birth, profile photo	You
Contact	Email, phone, delivery and billing addresses	You
Account & security	Password hash, 2FA status, IP address, device fingerprint, authentication logs	You / automatic
Commercial	Orders, basket, reviews, messages with Sellers	You / Sellers
Financial	Masked card details (held by Stripe), billing address, refunds	You / Stripe
Measurements (special category)	Manual measurements, standard size selections, 3D body scans and derived measurement fields	You
Preferences	Language, communication opt-ins, saved items	You
Usage	Pages viewed, clicks, referring page, device type, approximate location from IP	Automatic
Correspondence	Emails to support, chat transcripts, complaints	You

4. Special category data (measurements and 3D scans)

4.1 Body measurements and 3D body scans reveal information about your physical characteristics and can, in combination, uniquely identify you. We treat them as special category data under Article 9(1) of the UK GDPR.

4.2 Our lawful basis for processing this data is your explicit consent under Article 9(2)(a). You give this consent at checkout, by ticking the box that confirms you agree to share your measurements and 3D body scan with the Seller fulfilling your Order. You can withdraw consent at any time in your account settings or by emailing privacy@bespique.com. Withdrawal does not affect processing already carried out.

4.3 We do not use measurement data for advertising, profiling for commercial purposes unrelated to your Order, or for any purpose beyond what is described in this Policy.

5. Lawful bases for processing (other than special category data)

Purpose	Lawful basis (Art. 6 UK GDPR)
Creating and operating your account	Contract (Art. 6(1)(b))
Processing Orders, payments, and refunds	Contract (Art. 6(1)(b))
Sharing Order details with Sellers for fulfilment	Contract (Art. 6(1)(b))
Providing customer support	Contract (Art. 6(1)(b)) / Legitimate interests (Art. 6(1)(f))
Sending transactional emails (order updates, security alerts)	Contract (Art. 6(1)(b))
Sending marketing emails	Consent (Art. 6(1)(a)); or soft opt-in under PECR reg 22(3)
Fraud prevention and security	Legitimate interests; legal obligation
Complying with tax, accounting, and marketplace reporting law	Legal obligation (Art. 6(1)(c))
Analytics and Platform improvement	Consent (for non-essential cookies); legitimate interests (for aggregated, anonymised analysis)
Defending legal claims	Legitimate interests / legal obligation

6. How we use your data

We use your data to:

create and maintain your account;
list Products and process Orders;
communicate with you about Orders, disputes, and account activity;
share Order details (including measurements and delivery address) with the Seller fulfilling your Order;
collect payment and pay Sellers;
comply with tax, VAT, HMRC marketplace reporting, and anti-money-laundering obligations;
prevent, detect, and respond to fraud, abuse, and security incidents;
analyse Platform usage and improve the product;
send marketing communications, with your consent.

7. Who we share data with

7.1 Sellers

We share the information necessary to fulfil your Order (name, delivery address, Order items, and — for Bespoke Products — measurements or scan data) with the Seller who is making that Order. Once received, the Seller is an independent controller of that data and must comply with UK GDPR and the Seller Agreement.

7.2 Service providers ("processors")

Provider	Purpose	Location
Vercel Inc.	Hosting and CDN; cookieless first-party analytics (page views and performance metrics, no cookies or local storage set on your device)	USA (EU/UK data regions where possible)
Supabase, Inc.	Database, authentication, file storage	EU (eu-west-3)
Stripe Payments UK Ltd	Payment processing	UK / EU / USA
Resend, Inc.	Transactional email	USA
Cloudflare, Inc.	Security (Turnstile CAPTCHA), DDoS protection	Global edge
Google (for Google Sign-In)	Authentication (optional)	EU / USA

Each processor is bound by a data processing agreement and acts only on our instructions.

7.3 Authorities and third parties

We may share data with law enforcement, regulators, professional advisers, insurers, or in connection with a merger, sale, or restructuring, where legally permitted.

7.4 We do not sell your data.

8. International transfers

8.1 Some of our Sellers and service providers are located outside the UK, including in jurisdictions without a UK adequacy decision.

8.2 Where we transfer personal data outside the UK, we rely on one of the following safeguards:

UK adequacy regulations (e.g. EEA countries, listed adequate territories);
the International Data Transfer Agreement (IDTA) or, where applicable, the EU Standard Contractual Clauses (SCCs) supplemented by the UK Addendum; or
another transfer mechanism permitted under Chapter V of the UK GDPR.

8.3 Where measurement data or 3D scans are transferred to an overseas Seller, we carry out a transfer impact assessment and impose contractual, technical, and organisational safeguards.

8.4 You can request a copy of the safeguards applicable to a specific transfer by emailing privacy@bespique.com.

9. Retention

We keep personal data only as long as necessary. Our default retention periods are:

Category	Retention
Account profile	While the account is active, then 3 years after last activity, then anonymised
Orders and transactions	6 years from the date of the last transaction (UK tax/HMRC requirement)
Messages between Users	6 years (to enable dispute resolution within the statutory limitation period)
Body measurements and 3D scans	Deleted 1 year after last use or on withdrawal of consent, whichever is sooner
Marketing preferences	Until withdrawn
Security logs	90 days rolling
Support correspondence	3 years
Anti-fraud decisions	Up to 6 years where needed for loss-prevention and claims defence

10. Your rights

Under the UK GDPR you have the right to:

Access a copy of your personal data (Article 15);
Rectification of inaccurate data (Article 16);
Erasure ("right to be forgotten") in certain circumstances (Article 17);
Restriction of processing (Article 18);
Portability of data you provided to us (Article 20);
Object to processing (Article 21), including for marketing (which you can opt out of at any time);
Withdraw consent where processing is based on consent;
Not be subject to solely automated decisions with legal or similarly significant effects (we do not currently make such decisions).

To exercise a right, email privacy@bespique.com. We will respond within one calendar month. In rare cases, we may extend that period by up to two further months.

You also have the right to complain to the Information Commissioner's Office at ico.org.uk or 0303 123 1113. We would appreciate the chance to resolve your concern first.

11. Marketing

11.1 We will only send you marketing emails with your consent, unless the "soft opt-in" exception in regulation 22(3) of the Privacy and Electronic Communications Regulations 2003 (PECR) applies — that is, where we obtained your details in the course of the sale of a similar product, you did not opt out at that time, and every message gives you a simple opt-out.

11.2 Every marketing email contains an unsubscribe link and an email opt-out address. You can also change preferences in your account settings.

12. Cookies and similar technologies

See our Cookie Policy.

13. Security

13.1 We use encryption in transit (TLS), encryption at rest (where provided by our processors), hashed and salted passwords, rate limiting, 2FA on administrative accounts, and structured access controls.

13.2 No system is perfectly secure. If we become aware of a personal data breach likely to result in a risk to you, we will notify the ICO within 72 hours and you without undue delay where required by law.

14. Children

The Platform is not intended for children under 18. We do not knowingly collect personal data from children. If you believe we have, contact privacy@bespique.com and we will delete it.

15. Changes to this policy

We may update this policy. Material changes will be notified by email or prominent Platform notice at least 30 days before they take effect.

16. Contact

Privacy queries / rights requests: privacy@bespique.com
Postal: BESPIQUE LIMITED, Platned Ltd, Europa House Gerrards Cross, Marsham Way, Gerrards Cross, United Kingdom, SL9 8BQ
Information Commissioner's Office: ico.org.uk

Material changes to this policy will be notified under section 15.