Privacy Policy
Last updated: April 20, 2026
This policy explains how QUOTEQUICK ("we", "us", or "QuoteQuick") collects, uses, stores, and shares personal information when you use our website and app (the "Service"). We're based in Toronto, Ontario, and we follow Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
We take privacy seriously. The short version: we collect what we need to run QuoteQuick for you, we don't sell personal data, and we only share it with processors that help us run the Service.
1. Who this policy applies to
This policy applies to two groups of people:
- Contractors (our customers) — the people who sign up and use QuoteQuick to send quotes and invoices.
- End customers — the people that contractors send quotes and invoices to. For this group, the contractor is the primary data controller, and we act as a processor on their behalf. If you're an end customer with a privacy question, please start by contacting the contractor who sent you the document.
2. What information we collect
From contractors (account holders)
- Account details — name, email, password hash, organization name, role.
- Business details — business name, address, phone, logo, tax identifiers, brand colour.
- Billing details — subscription plan, billing email, payment method metadata (card payments are handled by Stripe — we don't store card numbers).
- Usage data — which features you use, how often, error logs, and aggregated product analytics.
- Communications with us — support emails and any content you share with us directly.
From end customers (people you quote or invoice)
- Contact details — name, email, phone number, mailing address, business name (whatever the contractor enters).
- Document activity — when a quote or invoice was opened, accepted, or paid.
- Payment metadata — if the end customer pays through Stripe, the payment record (amount, status, timestamp). The card data itself stays with Stripe.
Automatically
- IP address, browser and device information, pages viewed, and basic analytics events.
- Cookies or similar technologies needed to keep you signed in and to measure product usage in aggregate.
3. Why we collect it (purposes)
We use personal information to:
- Provide the Service — create accounts, render quotes and invoices, send follow-ups, record payments
- Send transactional messages — quote deliveries, invoices, payment receipts, follow-ups — on the contractor's behalf
- Bill contractors for paid plans and handle taxes
- Provide support and respond to questions
- Detect fraud, abuse, and security issues, and keep the Service secure and reliable
- Improve QuoteQuick based on product analytics (in aggregate — not to profile individuals)
- Comply with legal obligations (tax, accounting, lawful requests from authorities)
We only use personal information for purposes a reasonable person would consider appropriate in the circumstances, and that we've identified in this policy.
4. Legal basis and consent
Under PIPEDA, we rely on your consent to collect and use personal information. When you create an account or send a document through the Service, you give us consent to use that information for the purposes described above. You can withdraw consent at any time — though doing so may mean we can't continue to provide the Service.
Contractors are responsible for making sure they have the required consent (express or implied under CASL) to send messages to their end customers through QuoteQuick.
5. Who we share information with
We don't sell your personal information. We share it with a small set of service providers ("processors") that help us run QuoteQuick. Each receives only what it needs for its function:
- Stripe — processes payments from end customers to contractors (Stripe Connect) and our subscription billing. Card data is collected and stored by Stripe, not us.
- Resend — sends transactional email (quote deliveries, invoices, follow-ups, receipts, account emails).
- Twilio — sends SMS messages when the contractor chooses SMS as a delivery channel.
- Umami — provides privacy-friendly product analytics. Umami does not use cookies and does not track individuals across websites.
- Anthropic — provides automated content moderation. Some user- and customer-entered text (such as document content) is sent to Anthropic to flag prohibited content. Anthropic does not use this data to train its models.
- Cloudflare — provides bot protection (Turnstile) and edge infrastructure. Cloudflare may receive your IP address and basic request metadata.
- UploadThing — stores files you upload (logos, attachments).
- Neon — hosts our PostgreSQL database.
- DigitalOcean — hosts the application infrastructure. Data may be processed in Canada or the United States.
We may also share information when we're legally required to — for example, in response to a valid court order — or as part of a merger, acquisition, or sale of assets, in which case we'll notify affected users.
6. Where your data is stored
Data is stored on servers hosted in Canada or the United States. When personal information crosses borders, it may be subject to the laws of the country it's stored in — including lawful access by that country's authorities. We contractually require processors to protect personal information to a standard equivalent to PIPEDA.
7. How long we keep it
- Account data — kept while your account is active. If you delete your account, we remove or anonymize personal data within 90 days, except where we need to keep it for legal or tax reasons (typically up to 7 years for financial records).
- Quote, invoice, and payment records — kept for as long as needed for your records and for legal/tax compliance.
- Support conversations — kept for up to 2 years after the last interaction.
- Backups — may persist for up to 30 days after deletion before being overwritten on our standard backup cycle.
8. How we protect it
We use reasonable, industry-standard safeguards, including:
- Encryption in transit (TLS) and at rest for sensitive fields
- Role-based access — employees only access data they need to do their jobs
- Strong authentication and session controls
- Logging and monitoring of administrative access
- Regular backups and incident response procedures
No system is perfectly secure. If we ever have a breach involving a real risk of significant harm to you, we'll notify you and the Office of the Privacy Commissioner of Canada as soon as feasible, as required by PIPEDA.
9. Your rights
Under PIPEDA, you have the right to:
- Know what personal information we hold about you
- Access a copy of it
- Ask us to correct information that's inaccurate or incomplete
- Withdraw consent (subject to legal or contractual restrictions)
- Make a complaint to us, or to the Office of the Privacy Commissioner of Canada
To exercise a right, email support@quotequick.ca. We'll respond within 30 days. We may need to verify your identity before acting.
If you're an end customer (not an account holder), many of these requests should go to the contractor who sent you the document, since they control the data about you in their account. We'll help the contractor fulfil your request.
10. Cookies and tracking
We use a small set of cookies and similar technologies:
- Session cookies — needed to keep you signed in. Without these, the Service won't work.
- Preference cookies — remember small UI choices like theme.
- Analytics — we use Umami, which doesn't use cookies and doesn't identify individuals.
- Bot protection — Cloudflare Turnstile may set a short-lived token to confirm you're not a bot when you sign up or sign in.
We don't use third-party advertising trackers.
11. Children
QuoteQuick is a business tool. It's not directed at children, and we don't knowingly collect personal information from anyone under 18. If you think a child has given us personal information, email us and we'll delete it.
12. Changes to this policy
We may update this policy from time to time. If changes are material, we'll give you reasonable notice — by email, an in-app notice, or both — before they take effect. The "Last updated" date at the top always reflects the current version.
13. Contact us
For privacy questions, requests, or complaints, reach our privacy contact:
- Email: support@quotequick.ca
- Mail: QUOTEQUICK, 1115, 942 Yonge Street, Toronto, Ontario, Canada
If we can't resolve your concern, you can contact the Office of the Privacy Commissioner of Canada.
