Privacy Policy

Last updated: April 01, 2026

1. Who we are

QuoteCrest is operated by QuoteCrest (“we”, “us”, “our”). You can contact our data protection team at privacy@quotecrest.com.

2. What data we collect and why

| Data | Purpose | Legal basis |
| --- | --- | --- |
| Name, email address | Account registration and communication | Contract |
| Password (hashed) | Authentication security | Contract |
| Timezone and locale | Localized experience | Legitimate interest |
| Usage data (sessions) | Security, fraud prevention, support | Legitimate interest |
| Quote and client data you enter | Providing the quoting service | Contract |
| Client payment data (Stripe Connect) | Processing client payments when you have connected your Stripe account. Your client's payment method is handled entirely by Stripe — QuoteCrest never stores card details. QuoteCrest collects a platform fee at the time of payment. | Contract |
| Billing information (Stripe) | Payment processing | Contract / Legal obligation |
| Quote data (QuickBooks / Xero) | Creating invoices in your accounting software when a quote is accepted. Shared only if you connect your QuickBooks or Xero account. | Contract |
| Client and item data (QuickBooks / Xero) | Syncing clients and item catalogue between QuoteCrest and your accounting software. Shared only if you connect your QuickBooks or Xero account. | Contract |
| Consent timestamps | Recording your agreement to our terms | Legal obligation |
| Analytics data (with consent) | Product improvement and usage analytics | Consent (can be withdrawn any time in Settings) |
| IP address (registration and quote-creation forms) | Pre-populate country, currency, and region fields using approximate geolocation via ipinfo.io. The IP address is sent to ipinfo.io at the moment the form loads and is not stored by us. | Legitimate interest |
| Derived location identifiers (matrixapi.dev) | The country and region code derived from your IP address is used to query matrixapi.dev for reference data (currencies, postal codes, countries) in order to pre-populate form fields. No personally identifiable information beyond the derived location code is sent to matrixapi.dev. | Legitimate interest |

3. Cookies

We use strictly necessary cookies (a session cookie that keeps you logged in and a CSRF token that protects against cross-site request forgery) and analytics cookies via Google Analytics (GA4) to understand how visitors use our marketing pages. Google Analytics sets cookies that collect anonymised usage data; no personal data from your account is shared with Google. You can opt out at any time using Google's opt-out browser add-on or by managing your preferences in Account Settings.

4. How long we keep your data

Your personal data is held for as long as your account is active. Accounts inactive for more than 3 years are subject to automated deletion after a 30-day warning notice. We retain records of accepted quotes for 7 years to comply with accounting and tax regulations. Anonymized aggregate statistics may be retained indefinitely.

5. Who we share data with

We share data only with the sub-processors required to run the service:

  • Stripe — payment processing (if you subscribe to a paid plan)
  • Stripe Connect — client payment collection (only if you connect your Stripe account via Settings); client payment data is processed directly by Stripe under their Privacy Policy
  • QuickBooks / Xero — accounting sync (only if you connect your account)
  • Amazon Web Services — hosting infrastructure
  • Mailgun — transactional email delivery
  • IPinfo — IP geolocation used to pre-select country, currency, and region in registration and quote-creation forms. No personally identifiable information beyond your IP address is shared.
  • matrixapi.dev — reference data lookups (countries, currencies, postal codes) using the location code derived from your IP address to pre-populate form fields. No personally identifiable information is shared.

We do not sell your data to third parties.

6. Your rights under GDPR

If you are in the European Economic Area (EEA), UK, or Switzerland you have the right to:

  • Access — download a copy of your personal data from Account Settings → Privacy & Data.
  • Rectification — update your name and contact details in Account Settings.
  • Erasure — delete your account and all associated personal data from Account Settings.
  • Restriction — request that we restrict processing while a complaint is being resolved.
  • Portability — export your data in machine-readable JSON format.
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email privacy@quotecrest.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

7. Data transfers outside the EEA

Our servers are hosted on AWS in the EU. Some of our sub-processors (e.g. Stripe) operate in the United States. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses approved by the European Commission.

8. Security

All data is encrypted in transit (TLS) and at rest. Passwords are stored as bcrypt hashes and are never recoverable. We support two-factor authentication and encourage all users to enable it.

9. Children's privacy

QuoteCrest is a business tool and is not directed at children under 16. We do not knowingly collect personal data from anyone under 16.

10. Changes to this policy

We may update this policy. If changes are material, we will notify you by email at least 14 days before they take effect. The “last updated” date at the top of this page always reflects the current version.

11. Contact

Data controller: QuoteCrest
Email: privacy@quotecrest.com
