Privacy Policy
Effective date: 19 June 2026 · Applies to the QuellPod app and booking platform
1. Who we are
QuellPod Ltd is the data controller for personal data processed through the QuellPod app. We are incorporated in England and Wales. Our contact address for data protection matters is enquiries@quellpod.com.
QuellPod Ltd is not currently registered with the Information Commissioner's Office (ICO) as a data controller. If our processing activities require registration under UK data protection law, we will complete registration before processing personal data at scale. If you have questions about our regulatory status, please contact us directly.
2. What data we collect
When you use the QuellPod app, we may collect the following categories of personal data:
- Account data: your name and email address, provided when you register. If you sign in via Google, we receive your name and email from Google — we do not receive your Google password.
- Booking data: the pod you selected, your chosen date and time slot, booking duration, and booking status (confirmed, completed, cancelled).
- Payment data: the amount charged and the transaction reference. We do not store your card number, expiry date, or security code — these are handled entirely by Stripe and are never transmitted to or stored by QuellPod.
- Access code data: the time-limited door code generated for each confirmed booking, linked to your booking record.
- Device and usage data: your approximate location (if you grant permission, used to show you nearby pods), browser type, and general usage patterns. We do not use persistent tracking technologies for advertising purposes.
We do not collect special category data (such as health, biometric, or ethnicity data) and we do not knowingly collect data from individuals under the age of 18.
3. Why we collect it and our legal basis
We process your personal data on the following legal bases under the UK General Data Protection Regulation (UK GDPR):
- Contract performance (Article 6(1)(b)): processing your booking, generating your door code, and sending your confirmation email are all necessary steps to fulfil the service you have purchased.
- Legitimate interests (Article 6(1)(f)): keeping records of transactions for operational and financial purposes, preventing fraud and misuse of the service, and improving the booking experience over time.
- Consent (Article 6(1)(a)): where we send you optional marketing communications or use location data beyond what is strictly necessary for the booking — in both cases, we ask for your consent separately and you can withdraw it at any time.
- Legal obligation (Article 6(1)(c)): retaining certain financial records to comply with tax and accounting requirements under UK law.
4. Third-party services that process your data
Running the QuellPod app requires us to share certain data with the following sub-processors. Each is listed with the category of data they handle and a link to their own privacy information:
- Supabase, Inc. (database and authentication) — stores your account profile and booking records on our behalf. Supabase is SOC 2 Type II certified. Privacy policy.
- Stripe, Inc. (payment processing) — processes your card payment and retains payment records in accordance with payment industry standards. QuellPod receives a transaction reference only, not your full card details. Privacy policy.
- Twilio / SendGrid (email delivery) — sends your booking confirmation email on our behalf. We pass your email address and booking details to SendGrid solely for this purpose. Privacy policy.
- Vercel, Inc. (application hosting) — runs the QuellPod app on its infrastructure. Vercel processes connection data (IP addresses, request logs) as part of normal web hosting. Privacy policy.
- TTLock / Sciener (smart lock access control) — when a booking is confirmed, we send the booking time window to the TTLock API to generate a time-limited door code for your pod. No personal identifiers beyond the time window are shared with TTLock for this purpose. Privacy information.
- Google LLC (sign-in) — if you choose "Sign in with Google," Google authenticates your identity and shares your name and email address with us. Google's use of your data in this context is governed by its own privacy policy. Privacy policy.
We do not sell your personal data to any third party, and we do not share it with third parties for their own marketing purposes.
5. Where your data is stored
Our database infrastructure (Supabase) is hosted in the European Union. Some of the third-party services listed above (including Stripe, SendGrid, and Vercel) may process data in the United States or other countries outside the UK. Where this occurs, we rely on appropriate transfer mechanisms, including the UK International Data Transfer Agreement (IDTA) and standard contractual clauses, as required by UK GDPR.
6. How long we keep your data
- Account data: retained while your account is active. If you request account deletion, we will delete your account data within 30 days, subject to the retention requirements below.
- Booking and payment records: retained for six years from the date of the transaction to comply with HMRC requirements for financial records (Companies Act 2006 and related tax legislation).
- Access codes: deleted or expired automatically at the end of the booked session window.
- Marketing consent: retained until you withdraw consent or request deletion.
7. Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Access: to request a copy of the data we hold about you.
- Rectification: to ask us to correct inaccurate or incomplete data.
- Erasure: to ask us to delete your data, subject to our legal retention obligations.
- Restriction: to ask us to pause processing in certain circumstances.
- Portability: to receive your data in a structured, machine-readable format.
- Objection: to object to processing based on legitimate interests.
- Withdrawal of consent: to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, email us at enquiries@quellpod.com. We will respond within one calendar month. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk.
8. Cookies and local storage
The QuellPod app uses cookies and browser local storage solely to maintain your signed-in session and to remember your preferences during a visit. We do not use cookies for advertising, tracking across other websites, or analytics that identify you personally. No cookie consent banner is displayed because we only use strictly necessary session cookies.
9. Security
We use industry-standard measures to protect your data, including encrypted connections (HTTPS) for all data in transit, row-level security policies in our database so that each user can only access their own records, and restricted access to systems that process personal data. No method of transmission over the internet is completely secure — if you have concerns about a specific security issue, please contact us immediately at enquiries@quellpod.com.
10. Changes to this policy
We may update this policy from time to time. If we make a significant change — such as adding a new category of data or a new third-party processor — we will notify you by email or by a prominent notice in the app before the change takes effect. The "effective date" at the top of this page reflects when the current version was last updated.
11. Contact
For any questions about this policy or how we handle your personal data, please contact us at enquiries@quellpod.com.