This Privacy Policy explains how QuoteCore+ (“we”, “our”, “us”) handles your personal data when you use our web application at quote-core.com and the related services (collectively, “the Service”).
We are based in Costa Rica but our users are in many countries. We treat every user according to the strictest privacy law that applies to them, which in most cases is the EU/UK GDPR. If you live somewhere with a stronger framework, that framework applies to you too.
Who we are
The data controller for the Service is:
[Costa Rica Entity Name TBC]
[Costa Rica Registered Address TBC]
Email: info@quote-core.com
For users in the EU or UK, we have not yet appointed a representative under Article 27 of the GDPR / UK GDPR. Until we do, you can contact us directly at the email above for any privacy queries and we will respond within statutory timeframes.
What we collect
The data we collect falls into these categories:
Account data
- Your email address and a hashed password (we never see your password in plain text)
- Your full name and the company name you use on quotes
- If you sign in with Google: the email address and identity token Google shares with us
- Two-factor authentication: TOTP secrets (managed by Supabase), recovery code hashes, and bcrypt-hashed answers to any account-recovery questions you set
Profile and workspace data
- Company logo (if you upload one)
- Default currency, language, measurement system, profit margins, and tax list
- Your notification and Copilot preferences
Quote and customer data (data you put into the app)
- Customer names, email addresses, postal addresses, phone numbers
- Quote line items, measurements, materials, labour costs, totals
- Files you upload alongside a quote (plans, supporting documents)
- Any text you type into quote templates, email templates, or notes
You are the controller of your customers' data. We process it on your behalf as the data processor. If you need a Data Processing Agreement (DPA), email us.
Activity and security data
- Sign-in history maintained by Supabase Auth
- Account recovery attempt log (timestamp, IP address, user-agent, outcome) when you use the “Lost access to my email” flow
- Last email change timestamp (used for our 7-day cooldown)
- Server logs from our hosting provider (Vercel) and our database (Supabase) which include request paths, IP addresses, and user-agent strings
What we do NOT collect
- We do not use analytics platforms (no Google Analytics, no Mixpanel, no Plausible)
- We do not place advertising cookies
- We do not embed social media tracking pixels
- We do not buy or sell personal data, ever
Why we use it
- To run the Service — store your quotes, send acceptance links, generate PDFs, etc.
- To authenticate you — verify your password, manage 2FA, mint sessions
- To send transactional emails — quote-accepted alerts, password reset links, security notifications. We do not send marketing email.
- To keep your account safe — detect suspicious recovery attempts via the audit log, enforce cooldowns on sensitive actions
- To comply with the law — keep records we are legally required to retain
Lawful basis (GDPR)
If GDPR or UK GDPR applies to you, we rely on:
- Contract (Art. 6(1)(b)) — to deliver the Service you signed up for
- Legitimate interests (Art. 6(1)(f)) — to keep the Service secure and working, and to defend against abuse
- Legal obligation (Art. 6(1)(c)) — to retain records required by law
- Consent (Art. 6(1)(a)) — only where strictly required (e.g. specific opt-in features added in future)
Who we share with
We share data with the following third-party processors. Each one is contractually bound to handle data only for the purpose we hire them for.
- Supabase (database, authentication, file storage). Project hosted in the EU (eu-central-1).
- Vercel (web hosting). Edge network with global presence; data may transit through US infrastructure.
- Resend (transactional email delivery). US-based.
- Google (only if you choose Google sign-in). Used purely to verify your identity at sign-in.
We do not sell your data and we do not share it with advertisers, analytics providers, or social platforms. We may disclose data if compelled by a valid legal order, in which case we will tell you unless legally barred from doing so.
Where data is stored
Your primary database and file storage live in the European Union (Supabase eu-central-1, Frankfurt region). Email delivery transits the United States via Resend. Web traffic is served from the closest Vercel edge region to your users. For transfers outside the EEA / UK, we rely on Standard Contractual Clauses (SCCs) where applicable.
How long we keep it
- Active account data — kept while your account is active and for as long as you use the Service
- Closed accounts — deleted within 90 days of account closure, unless we have a legal obligation to retain longer
- Audit logs (account recovery attempts, sign-in events) — kept indefinitely for security purposes; we can review and reduce this retention window on request
- Server logs from Vercel/Supabase — held by those providers per their own retention policies
- Email delivery logs at Resend — held per Resend's policy (typically 30-90 days)
Your rights
You have the following rights over your personal data. Contact us at info@quote-core.com to exercise any of them; we'll respond within one month.
- Access — get a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure (“right to be forgotten”) — delete your account and the associated personal data, subject to any legal retention requirements
- Portability — receive your data in a structured, machine-readable format
- Restriction — pause our processing of your data while a dispute is resolved
- Objection — object to processing based on our legitimate interests
- Withdraw consent — where we process based on consent, you can withdraw it at any time
If you live in California, you also have rights under the CCPA/CPRA (right to know, right to delete, right to correct, right to opt-out of sale or sharing). We do not sell or share data for advertising purposes, so the opt-out is automatic, but the other rights apply and you can exercise them via the same email.
If you live in Costa Rica, your rights under Law 8968 (PRODHAB) apply. These broadly mirror the GDPR rights above.
If you are unhappy with how we handle a request, you may complain to your local data protection authority (e.g. your national data protection regulator in the EU, the ICO in the UK, or PRODHAB in Costa Rica).
Security
We take reasonable technical and organisational measures to protect your data, including:
- Passwords hashed by Supabase Auth using industry-standard algorithms
- Optional two-factor authentication (TOTP)
- HMAC-signed, short-lived tokens for sensitive flows (e.g. account recovery)
- Row-level security (RLS) policies on the database so users only see their own data
- HTTPS-everywhere in transit
- Encrypted-at-rest storage at our database and storage providers
- Rate-limiting and audit logging for security-sensitive operations
- A 7-day cooldown after every successful email change, plus mandatory password reset following the change
No system is perfectly secure, and we don't pretend otherwise. If we ever suffer a breach that affects your data, we will notify you and the relevant regulators within statutory timeframes.
Children's data
QuoteCore+ is a business tool for trades. It is not intended for, and we do not knowingly collect data from, anyone under the age of 16. If you believe a child has signed up, contact us and we will delete the account.
Changes to this policy
When we update this policy materially, we will:
- Update the “Effective date” at the top
- Notify you by email if the change affects how we use your data
Older versions are available on request. The current version always lives at /privacy.
Contact us
Privacy queries, requests under your rights, or anything else: info@quote-core.com.
