Privacy Policy
Last updated: April 30, 2026
QuoZend ("we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, disclose, and protect your information when you use the QuoZend platform ("Service") at quozend.com. It applies to all users globally and has been designed to comply with applicable data protection laws including the General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection, and other applicable privacy legislation.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
QuoZend is the data controller for personal data collected through the Service. If you have any questions about how we handle your data or wish to exercise your privacy rights, please contact us through our contact page.
For users in the European Economic Area (EEA) or the United Kingdom, QuoZend acts as the data controller as defined under GDPR and UK GDPR respectively.
2. Information We Collect
We collect the following categories of personal data:
Account and Profile Data: When you register, we collect your email address and password (stored in hashed form). Through the settings section, you may provide additional information including your company name, logo, contact phone numbers, email addresses, website URLs, and brand colour. This information is used to personalise your quotations.
Quotation and Client Data: We store the quotations you create, which may include client names, email addresses, phone numbers, postal addresses, project descriptions, and financial data (line items, pricing, totals). This data belongs to you; we act as a processor of any personal data relating to your clients.
Payment and Billing Data: If you subscribe to a paid plan, payment is processed by Stripe. We do not store your full card details. We may retain billing records including your name, email, billing address, and subscription status for accounting and legal compliance purposes.
Usage and Technical Data: We collect information about how you interact with the Service, including pages viewed, features used, session duration, browser type, operating system, IP address, and timestamps. This data is used to improve the Service and diagnose technical issues.
Communications: If you contact us through the contact form or by email, we retain the content of your message and your contact details to respond and maintain records of correspondence.
Cookies and Session Data: We use session cookies necessary for authentication. See Section 9 for details.
3. Legal Bases for Processing (GDPR / UK GDPR)
For users in the EEA and United Kingdom, we process your personal data under the following legal bases:
- Contract performance: Processing necessary to create and manage your account, provide the Service, and fulfil our obligations under the Terms & Conditions (e.g. delivering features, sending transactional emails).
- Legitimate interests: Processing for our legitimate business interests such as improving the Service, preventing fraud and abuse, ensuring security, and maintaining internal records — where these interests are not overridden by your rights.
- Legal obligation: Processing necessary to comply with our legal obligations (e.g. tax and accounting requirements, responding to lawful requests from authorities).
- Consent: Where we rely on consent (e.g. for optional marketing communications), you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
4. How We Use Your Information
We use the information we collect to:
- Create and manage your account and provide access to the Service.
- Process payments and manage subscriptions.
- Send transactional emails including account confirmation, password reset, and quote delivery to your clients on your behalf.
- Respond to your support requests and enquiries.
- Monitor and improve the performance, security, and reliability of the Service.
- Detect, investigate, and prevent fraud, abuse, or violations of our Terms.
- Comply with applicable legal obligations and respond to lawful requests from authorities.
- Send service-related communications (e.g. changes to terms, important product updates).
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
5. Marketing Communications
We may send you product updates, tips, and promotional communications if you have opted in to receive them, or where permitted by applicable law. You may opt out of marketing emails at any time by clicking the "unsubscribe" link in any email or by contacting us. Opting out of marketing does not affect transactional emails necessary to provide the Service.
6. How We Share Your Information
We do not sell your personal data. We share your data only in the following circumstances:
- Service providers: We share data with trusted third-party providers who process data on our behalf under appropriate data processing agreements. See Section 10 for the list of providers.
- Legal requirements: We may disclose your data if required to do so by law, court order, or governmental authority, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business transfers: If QuoZend is acquired, merged, or sold, your data may be transferred to the successor entity. We will provide notice before your data is subject to a different privacy policy.
- With your consent: We may share your data in other ways if you have given explicit consent.
7. International Data Transfers
QuoZend uses cloud services that may process your data outside your country of residence, including in the United States and the European Union. When we transfer personal data from the EEA or UK to countries not recognised as providing adequate data protection, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), or other legally recognised transfer mechanisms.
By using the Service, you acknowledge that your data may be transferred internationally in accordance with this Policy.
8. Data Storage and Security
Your data is stored on servers managed by Supabase (our database and authentication provider), which applies industry-standard security measures including encryption at rest and in transit (TLS). The Service is hosted on Vercel with HTTPS enforced on all connections.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. However, no method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.
9. Cookies and Tracking Technologies
Strictly necessary cookies: We use session cookies required for user authentication and to maintain your logged-in state. These cookies are essential for the Service to function and cannot be disabled.
Analytics: We may use basic, privacy-respecting analytics to understand aggregate usage patterns. We do not use advertising cookies, cross-site tracking, or third-party behavioural targeting technologies.
You can configure your browser to block or delete cookies. Blocking strictly necessary cookies will prevent you from logging in to the Service.
10. Third-Party Service Providers
We use the following sub-processors to operate the Service. Each is bound by a data processing agreement and its own privacy policy:
- Supabase (supabase.com) — database, authentication, and file storage. Servers located in the EU and/or US.
- Vercel (vercel.com) — application hosting, CDN, and serverless functions.
- Stripe (stripe.com) — payment processing. PCI DSS Level 1 certified.
- Resend (resend.com) — transactional email delivery.
- OpenAI (openai.com) — AI-powered image extraction feature (Professional plan only). Images uploaded for extraction are processed by OpenAI and subject to OpenAI's data usage policies.
11. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete or anonymise your personal data within 30 days, except:
- Where we are required by law to retain data for a longer period (e.g. financial records may be retained for up to 7 years for tax and accounting purposes).
- Aggregated, anonymised data that cannot identify you, which we may retain indefinitely for analytics and product improvement.
- Data that is necessary to resolve disputes or enforce our agreements.
Quotation and client data stored in the Service is deleted within 30 days of account deletion unless you export it before deletion.
12. Your Privacy Rights
Depending on your location, you have the following rights regarding your personal data. To exercise any of these rights, please contact us through our contact page. We will respond within the timeframe required by applicable law (generally 30 days).
Rights available to all users:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to legal retention obligations.
- Data Portability: Request your data in a structured, machine-readable format.
- Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
Additional rights for EEA and UK users (GDPR / UK GDPR):
- Restriction of Processing: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests, including profiling.
- Complaint: Lodge a complaint with your local data protection authority (e.g. the Information Commissioner's Office in the UK, or your national DPA in the EU).
- Automated Decision-Making: We do not use fully automated decision-making that produces legal or similarly significant effects on you.
UAE users (Federal Decree-Law No. 45 of 2021): You have the right to access, correct, and request deletion of your personal data, and to be informed about how your data is used, consistent with UAE data protection law.
13. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, our business purpose for collection, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioural advertising.
- Right to Limit Use of Sensitive Personal Information: We do not process sensitive personal information beyond what is necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To submit a verifiable consumer request, please contact us through our contact page. We will verify your identity before processing your request.
14. Children's Privacy
The Service is not directed at, and we do not knowingly collect personal information from, children under the age of 18 (or the applicable age of digital consent in your jurisdiction). If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly. If you believe we may have data about a minor, please contact us immediately.
15. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons. For material changes, we will provide at least 14 days' prior notice by email or by prominent notice within the Service. The updated date at the top of this page will reflect the date of the latest revision. Your continued use of the Service after the changes take effect constitutes acceptance of the updated Policy.
16. Contact and Complaints
If you have questions about this Privacy Policy, wish to exercise your rights, or have a complaint about how we handle your data, please contact us through our contact page. We take all privacy concerns seriously and aim to respond within 5 business days.
If you are located in the EEA or UK and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.