Privacy Policy

Last updated: March 13, 2026

1. Data controller

Quotae ("we", "our") is responsible for processing your personal data. If you have questions about this policy, you can contact us at use@quotae.app.

2. Data we collect

We collect different types of data depending on how you use Quotae:

  • Account data: name and email address. We use a one-time code (OTP) sent to your email to verify your identity — there is no password.
  • Billing and subscription data: payment information processed through Polar. We do not store your card details.
  • Business documents: quotes, invoices, client details, and line items you create in the app.
  • Bank and payment account details: IBAN, BIC, bank name, Bizum phone number, or PayPal email that you add to your profile for inclusion on your invoices and quotes.
  • Voice audio and transcripts: when you use voice quoting, audio is streamed in real time to Deepgram for transcription. The resulting transcript is sent to our server and forwarded to OpenAI for quote extraction. If Deepgram is unavailable, the app falls back to on-device speech recognition (no audio leaves your phone in that case).
  • Contact imports: if you choose to import contacts from your phone's address book, we store the names and phone numbers you select.
  • Location data: foreground-only location to auto-fill job site addresses on quotes, when you grant permission.
  • Company logo: the logo image you upload for PDF branding.
  • Push notification tokens: device tokens registered with Expo to deliver push notifications.
  • Crash and performance data: error reports and performance traces collected by Sentry.
  • Analytics events: anonymized usage events collected by Vexo to help us understand how features are used.
  • Technical data: device type, OS version, and app version for diagnostics.

3. How we use your data

We use your data to:

  • Provide the Quotae service — create, manage, and generate PDFs of your quotes and invoices.
  • Process voice input into structured quote data.
  • Manage your account, authentication, and subscription.
  • Send transactional emails (OTP codes, subscription confirmations, quote expiry reminders).
  • Deliver push notifications you have opted into.
  • Monitor app stability and fix crashes (Sentry).
  • Understand feature usage patterns to improve the product (Vexo analytics).
  • Comply with legal obligations (tax and invoicing regulations).

4. Why we can use your data

The processing of your data is based on:

  • Contract performance: to provide the service you signed up for — quotes, invoices, PDFs, and account management.
  • Consent: for voice audio processing (you tap the microphone button to start), contact imports, location access, and push notifications. You can withdraw consent at any time from your device settings.
  • Legitimate interest: for crash reporting, performance monitoring, and anonymized analytics that help us improve the product.
  • Legal obligation: to comply with Spanish tax and invoicing regulations.

5. Who we share your data with

We do not sell your data. We share it only with the processors needed to run the service:

  • Deepgram — real-time audio transcription via WebSocket streaming. Audio is processed and not stored beyond the transcription session.
  • OpenAI — transcript text is sent to extract structured quote data. Transcripts are stored by OpenAI in accordance with their API data usage policy.
  • Polar — payment processing for subscriptions. You are redirected to Polar's hosted checkout; we never see your card details.
  • Cloudflare R2 — cloud storage for generated PDFs and uploaded logos. Data is encrypted at rest.
  • Sentry — crash reports and performance traces. All text and images are masked; PII is scrubbed before transmission.
  • Vexo — anonymized analytics events to understand feature usage.
  • Expo — push notification delivery via Expo Push API.
  • Resend — transactional email delivery (OTP codes, subscription notifications).
  • Authorities — when required by law.

6. International transfers

Some of our processors are based in the United States: Deepgram, OpenAI, Polar, Cloudflare, Sentry, Vexo, and Expo. These transfers are protected by the EU-US Data Privacy Framework or EU Standard Contractual Clauses (SCCs), ensuring your data receives an adequate level of protection as required by the GDPR.

7. How long we keep your data

Retention periods depend on the type of data:

  • Account and business data: kept as long as your account is active. If you delete your account, we remove your data within 30 days, except where legal retention applies.
  • Billing records: retained for the legally required period (5 years under Spanish tax law).
  • Voice transcripts: stored on our servers only for the duration of the extraction request. We do not maintain a library of your recordings or transcripts.
  • Crash and analytics data: retained according to each processor's policy (typically 30–90 days for Sentry; anonymized for Vexo).
  • PDFs and logos: kept in Cloudflare R2 as long as your account is active, deleted within 30 days of account deletion.

8. Your rights

Under the GDPR, you have the right to:

  • Access your personal data.
  • Rectify inaccurate data.
  • Request deletion of your data.
  • Restrict or object to processing.
  • Data portability.
  • Withdraw your consent at any time.

To exercise these rights, contact us at use@quotae.app. We will respond within 30 days.

9. Cookies and tracking

The Quotae mobile app does not use cookies. The landing website (quotae.app) uses only essential cookies for theme preference and cookie-consent state. We use Umami for privacy-respecting web analytics — it does not use cookies and does not collect personal data. We do not use tracking or advertising cookies anywhere. For full details, see our Cookie Policy.

10. Children's privacy

Quotae is a professional tool designed for construction professionals. The service is not directed at children under 16 years of age. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us at use@quotae.app and we will delete it promptly.

11. Security

We apply technical and organizational measures to protect your data, including:

  • Encryption in transit (HTTPS/TLS) for all communications.
  • Encryption at rest for files stored in Cloudflare R2.
  • Token-based authentication with refresh token rotation.
  • Restricted access controls and least-privilege policies for internal systems.

12. Voice quotes and audio data

When you tap the microphone button to create a voice quote, here is what happens:

  • Primary path (Deepgram): Audio is streamed in real time via a WebSocket connection to Deepgram's servers for transcription. The audio is processed on the fly and is not stored by Deepgram beyond the streaming session.
  • Fallback path (on-device): If Deepgram is unavailable or you are offline, the app uses your device's built-in speech recognition. In this case, no audio data leaves your phone.
  • Transcript processing: The text transcript is sent to our server, which forwards it to OpenAI to extract structured quote data (line items, quantities, descriptions). OpenAI stores the transcript data in accordance with their API data usage policy.
  • No biometric data: Although the app supports FaceID and fingerprint unlock, this authentication happens entirely on your device. We never receive, transmit, or store biometric data.

13. App diagnostics and crash reporting

To keep Quotae stable and improve performance, we collect diagnostic data in production:

  • Sentry: captures crash reports and performance traces at a 3% session sample rate. All user-visible text and images in error reports are masked automatically. PII (emails, names) is scrubbed before data is transmitted.
  • Vexo: collects anonymized analytics events (e.g., "quote created", "PDF generated") to help us understand which features are used and where users encounter friction. No personal data is included in these events.

Both services are enabled only in production builds. Development and preview builds have observability disabled.

14. Changes to this policy

We may update this policy periodically. We will notify you of significant changes through the application or by email.