Privacy Policy
Last updated 27 May 2026
This policy explains what personal data QuoteBox collects, why we collect it, what we do with it, and the rights you have under UK GDPR. It applies to two groups of people:
- Traders — sole-trader or small-business users who hold a QuoteBox account.
- Customers — the people traders quote to, who interact with QuoteBox by opening a quote or invoice link.
Who we are
QuoteBox is operated by QuoteBox Ltd (“we”, “us” ), a company registered in England and Wales under company number 17248541, with its registered office at [Registered office address].
We are the data controller for personal data collected from traders directly through our website and app, and a data processorin respect of the customer data a trader enters into our system — the trader is the controller of their own customer book and quote history.
We are registered with the Information Commissioner’s Office (ICO) under registration number [ICO reg].
What personal data we collect
From traders
- Account: full name, email address, business name, trade type, password (stored hashed, never in plain text).
- Business profile: phone, address, VAT number, company registration number, brand colour, logo, default payment terms.
- Subscription and payments: Stripe customer and subscription identifiers. Card details are entered directly into Stripe; we never see or store them.
- Voice recordings made through the in-app recorder. Audio is streamed to a third-party transcription service (see “Who we share data with”), the resulting transcript is returned, and the raw audio is then discarded. We do not store voice recordings.
- Quote and invoice content drafted in the app, including line items, totals, and free-text notes.
- Server and audit logs: IP address, user-agent, request timestamps. Kept for security, abuse-prevention, and to help debug issues.
About customers
When a trader uses QuoteBox, they may enter information about their customers: name, address, email, phone number, and details of the work they’ve been quoted for. We process that data on the trader’s instructions to deliver the quote and invoice, send follow-ups, and take payment via Stripe.
The trader is the data controller for this information; this policy describes our role as their processor. Traders should have their own privacy notice for their customers.
From customers directly
When a customer opens a quote or invoice link, we log a “viewed” event with a timestamp and process the IP address for security and fraud-prevention purposes. If they accept, decline, or pay, we record that action and the timestamp.
If a customer pays online by card, the card details are entered directly into Stripe’s hosted checkout — we never receive them. We only see the resulting payment confirmation (amount, method, last four digits of the card).
Why we process it (lawful basis)
Under UK GDPR Article 6 our lawful bases are:
- Contract: most processing is necessary to provide the QuoteBox service the trader has signed up for — running their account, generating quotes, sending invoices, taking subscription payments.
- Legitimate interests: security, fraud prevention, abuse-prevention, and improving the service. We balance these against your right to privacy and don’t use this basis to override your choices.
- Legal obligation: keeping records for tax, accounting, and anti-money- laundering purposes.
- Consent: only used for non-essential cookies (see our Cookie Policy) and any marketing communications you’ve opted in to.
Who we share data with
We use a small set of trusted third-party providers to run QuoteBox. Each is bound by a data-processing agreement and UK-equivalent safeguards for any international transfers.
- Supabase— database, authentication, and file storage. EU region. Personal data is encrypted at rest.
- Vercel— hosting and application delivery. EU and UK edge.
- Stripe— payment processing, both for QuoteBox subscriptions and (via Stripe Connect) the trader’s own customer payments. Stripe is the controller for card data; we never see or store it.
- Resend— transactional email delivery (sending quotes, invoices, follow-ups, response notifications).
- OpenAI— voice transcription only (the “Whisper” API). Audio is processed and discarded; we use OpenAI’s API tier which does not train models on submitted data.
- Anthropic— structuring transcribed quote text into line items (Claude). We use the API tier which does not train models on submitted data.
We do not sell personal data, share it with advertisers, or use it for profiling or automated decision-making that has legal or similarly significant effects.
International transfers
Some providers (Stripe, OpenAI, Anthropic) may transfer data to the United States or other jurisdictions. For each, we rely on the UK Addendum to the EU Standard Contractual Clauses, or the provider’s certification under the UK Extension to the EU-US Data Privacy Framework, to ensure your data has equivalent protection.
How long we keep data
- Account data: for as long as your account is active, plus up to 90 days after closure to handle disputes and chargebacks. You can request earlier deletion (see Your rights).
- Quotes, invoices, customer book: retained for as long as your account is active. After closure, kept for six years to meet UK accounting and tax record requirements.
- Voice recordings: not retained — discarded after transcription.
- Server and audit logs: up to 90 days, then deleted.
- Payment and tax records: six years, as required by HMRC.
Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you.
- Rectifyinformation that’s inaccurate or incomplete.
- Erase your data, where we no longer have a lawful basis to keep it.
- Restrict certain processing while we look into a request.
- Object to processing based on legitimate interests.
- Portability— receive a copy of the data you’ve provided in a machine-readable format. Traders can export their entire quote and invoice history from Settings.
- Withdraw consent at any time for processing that relies on it.
- Complain to the ICO (ico.org.uk) — though we’d appreciate the chance to resolve any concern first.
To exercise any of these rights, email privacy@quotebox.uk. We’ll respond within one month.
Cookies
QuoteBox uses a small number of essential cookies (mostly for keeping you signed in). We don’t use any advertising or analytics cookies by default. For details and how to control them, see our Cookie Policy.
Children’s data
QuoteBox is a business tool aimed at sole traders and small businesses. We don’t knowingly collect data from anyone under 18. If you believe a child has provided data to us, contact us and we’ll delete it.
Changes to this policy
We may update this policy from time to time. If changes are material we’ll let signed-in traders know by email at least 14 days before they take effect. The “Last updated” date at the top always reflects the current version.
Contact
For privacy questions, data-subject requests, or to report a breach, email privacy@quotebox.uk.