Privacy Policy

Last updated: 2026-05-11

Quotably ("we", "us", "our") is a quote-generation tool for event-service vendors. This Privacy Policy explains what personal data we collect, how we use it, and your rights under applicable data protection laws — including the EU General Data Protection Regulation (GDPR), Spain's LOPDGDD, and the California Consumer Privacy Act (CCPA/CPRA).

This policy applies to all visitors and users of quotably.app. It was last updated on the date shown above.

Data controller

Quotably is operated by Ramón Carmenaty (sole trader).

NIF: Y9958619R

Registered/professional address: Pintor López Mezquita, 9 3B, 18002 Granada, Spain

Jurisdiction: Spain.

Contact: support@quotably.app

Our dual role

Quotably acts as a data controller for the personal data of its registered users (event vendors). At the same time, Quotably acts as a data processor for the personal data of end-customers whose information is entered by our users to create quotes (e.g. customer name, email, phone, event details). Users remain the controllers of their customers' data and are responsible for their own legal basis for processing it.

Data we collect

We collect the following categories of personal data:

  • Email address — used for account creation, authentication (magic link), and transactional emails.
  • Name (optional) — provided during onboarding or account settings.
  • Business name and brand settings — business name, logo, accent colour, contact email and phone, currency, and pricing defaults.
  • Customer contacts — names, email addresses, phone numbers, and addresses of your clients, entered by you to generate quotes. We process this data on your behalf as a data processor.
  • Quote content — event details (type, date, location), line items, prices, terms, and quote status.
  • Brand assets — logo file uploaded to Vercel Blob storage; the file URL contains your user ID.
  • Billing identifiers — Stripe customer ID and subscription ID. We never see or store payment card data; Stripe handles all card processing.
  • Authentication/session data — Quotably uses strictly necessary authentication/session cookies and related server-side session records to keep you signed in (current session max age: 30 days).
  • IP address and user-agent — processed for authentication, abuse prevention, and service integrity. When someone opens a public quote link, we may store the IP address and user-agent in quote-event records to detect abuse, deduplicate repeated views, and troubleshoot delivery or access issues. Legal basis: legitimate interest (security and service integrity).
  • Locale preference — your preferred language (EN or ES), stored in a browser cookie.
  • Analytics — Vercel Analytics collects page URLs, referrer, approximate geolocation (country/region), browser, OS, and device type. No personal identifiers are collected; visitor hashes are discarded after 24 hours. No cookies are set.

Lawful bases for processing (GDPR Art. 6)

We process personal data under the following lawful bases:

  • Contract performance (Art. 6(1)(b)): account creation, authentication, quote generation, billing, and subscription management — processing necessary to provide the service you have signed up for.
  • Legitimate interests (Art. 6(1)(f)): security and abuse-prevention logging (authentication events, Stripe webhook events, and the IP address and user-agent recorded when a public quote link is opened), fraud prevention, and service stability, where our interests are not overridden by your rights and freedoms.
  • Consent (Art. 6(1)(a)): not currently required for any processing — we send no marketing emails and use no tracking cookies.

Subprocessors

We use the following third-party subprocessors to deliver the service. Each has a Data Processing Agreement (DPA) in place:

  • Stripe: payment processing and subscription billing. Stripe stores card data; we retain only the Stripe customer and subscription IDs. DPA ↗
  • Resend: transactional email delivery (sign-in magic links and quote delivery emails). DPA ↗
  • Neon: Postgres database hosting for all application data. DPA ↗
  • Vercel: application hosting, edge runtime, Blob storage (logo uploads), and cookieless analytics. DPA ↗

Your rights under GDPR (Arts. 15–22)

If you are based in the European Economic Area or the UK, you have the following rights under GDPR Arts. 15–22:

  • Right of access (Art. 15): obtain a copy of your personal data and information about how we process it.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion of your personal data. We review deletion requests manually and may retain data that we must keep for legal, tax, accounting, fraud-prevention, security, or similar compliance reasons.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to restriction of processing (Art. 18): ask us to limit how we use your data while a dispute is resolved.
  • Right to object (Art. 21): object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7): withdraw consent at any time where processing is based on consent (currently not applicable, as we rely on contract performance and legitimate interests rather than consent).
  • Right to lodge a complaint: you may lodge a complaint with the Spanish Data Protection Authority (AEPD) at https://www.aepd.es, or with the supervisory authority in your country of residence.


How to exercise your rights

  • Designated request channel: email support@quotably.app with the subject "Privacy rights request" and indicate which right you wish to exercise.
  • Self-serve options: account holders can access most personal data, change their email, and download quote PDFs from Settings → Account.
  • Verification: we will ask you to confirm the email associated with your Quotably account or provide reasonable identifying information. Authorised agents may submit requests on your behalf with written authorisation.
  • Response timeline: we acknowledge requests within 10 business days and respond within 1 month of receipt (extendable by up to 2 additional months for complex or numerous requests, with notice). Responses are provided electronically at no cost up to twice per 12 months.
  • No fee is charged for normal requests. Manifestly unfounded or excessive repeated requests may incur a reasonable fee or be refused, with reasons given.

Your rights under CCPA/CPRA (California residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA grants you the following rights:

  • Right to know: you may request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete: you may request deletion of your personal information, subject to certain exceptions.
  • Right to correct: you may request correction of inaccurate personal information.
  • Right to limit use of sensitive PI: not applicable — we do not collect sensitive personal information as defined by the CPRA.
  • Non-discrimination: we will not discriminate against you for exercising your CCPA rights.
  • Do Not Sell or Share My Personal Information: Quotably does not sell or share your personal information for cross-context behavioural advertising. No opt-out mechanism is needed.

Other U.S. state privacy rights

If you are a resident of a U.S. state with a comprehensive consumer privacy law, you may have rights under that state's law in addition to or instead of the California rights above. The states we currently track include Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), and Montana (MCDPA). Coverage may extend to additional states as their laws take effect.

Subject to applicable thresholds and exceptions, residents of these states may have the following rights:

  • Right to access: confirm whether we process your personal data and obtain a copy.
  • Right to correct: request correction of inaccurate personal data.
  • Right to delete: request deletion of personal data we have collected from or about you.
  • Right to data portability: receive your personal data in a structured, commonly used, machine-readable format.
  • Right to opt out of the sale of personal data: Quotably does not sell personal data, so no opt-out is needed.
  • Right to opt out of targeted advertising: Quotably does not engage in targeted advertising, so no opt-out is needed.
  • Right to opt out of profiling for decisions producing legal or similarly significant effects: Quotably does not perform such profiling.
  • Right to limit processing of sensitive data: Quotably does not collect sensitive personal data as defined by these laws.
  • Right to appeal a denied request: if we decline a rights request, you may appeal by replying to our response email; we will review and respond within 60 days (or as required by your state's law).

How to exercise these rights

  • Designated request channel: email support@quotably.app with the subject "Privacy rights request" and indicate the right you wish to exercise and your state of residence.
  • Authenticated rights: account holders can also use the in-app Settings → Account page for self-serve actions where available.
  • Verification: we will ask you to confirm the email associated with your Quotably account or provide reasonable information to verify identity. Authorised agents may submit requests on your behalf with written authorisation.
  • Response timeline: we will acknowledge requests within 10 business days and respond within 45 days (extendable by 45 days where permitted, with notice). Response is provided electronically at no cost up to twice per 12 months.
  • Universal opt-out signals: where applicable, Quotably honours opt-out preference signals such as Global Privacy Control (GPC). Because Quotably does not sell personal data or engage in targeted advertising, no behavioural change is currently triggered by these signals.

Non-discrimination: we will not discriminate against you for exercising any of these rights, including by denying service, charging different prices, or providing a different level of service quality.

Data retention

We retain personal data only for as long as needed for the purposes set out in this policy, or as required by applicable law. Specific retention periods:

  • Account profile and billing metadata: retained while your account is active and for 90 days after account closure, unless a longer period is required for tax, accounting, fraud-prevention, or legal-claim reasons.
  • Quotes and customer-contact data entered by you: retained while your account is active; deleted within 30 days of a written deletion request, unless retention is legally required.
  • Security and abuse-prevention logs (authentication events and public-quote-link access metadata such as IP address and user-agent): retained for 180 days, then deleted or aggregated. Stripe webhook event records are retained separately as billing records (see below).
  • Support email threads: retained for 24 months from the last interaction, unless earlier deletion is legally required.
  • Encrypted database backups: overwritten on a 35-day rolling window. Personal data deleted from live systems persists in backups only until the next overwrite cycle.
  • Stripe webhook event records (billing audit trail): retained for the life of the account plus 6 years to meet Spanish accounting and tax-law retention obligations.

When you request deletion, we review the request manually and delete or anonymise the data we can remove, subject to the periods above. Confirmation is sent by email when the request is complete.

International data transfers

Some of our subprocessors process personal data outside the European Economic Area. Per-vendor processing locations and transfer mechanisms:

  • Neon — Postgres database hosting. Primary processing region: United States (AWS US East 2, Ohio). Transfer mechanism: EU Standard Contractual Clauses (SCCs, Commission Decision 2021/914) under Neon's DPA.
  • Vercel — application hosting, edge runtime, Blob storage, cookieless analytics. Processing in the United States and global edge regions. Transfer mechanism: EU SCCs and EU–US Data Privacy Framework (DPF) certification where applicable.
  • Stripe — payment processing and subscription billing. Processing in the United States and Stripe's regional infrastructure. Transfer mechanism: EU SCCs and DPF certification where applicable.
  • Resend — transactional email delivery. Processing in the United States. Transfer mechanism: EU SCCs.

All transfers from the European Economic Area, the United Kingdom, or Switzerland to a country without an EU adequacy decision rely on the EU SCCs (with the UK International Data Transfer Addendum and the Swiss equivalent where required). To request a copy of the executed transfer safeguards, or a description sufficient to demonstrate compliance, email support@quotably.app and we will respond electronically.

Cookies and tracking

Quotably uses strictly necessary cookies for authentication/session and the `NEXT_LOCALE` cookie to remember your language preference. Public quote-link view dedup is performed server-side using a short-lived hash of IP + user-agent — no cookie is set on visitors of public quote links. We do not set non-essential advertising or analytics cookies. Vercel Analytics is cookieless — it does not set cookies.
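As an added illustration of the server-side view deduplication described above (this is example code written for this page, not Quotably's own implementation; the policy only states that a short-lived hash of IP + user-agent is used), the block below contrasts a plain hash of IP + user-agent with a keyed, per-window fingerprint. The plain hash can be reversed by enumerating candidate addresses, so it is still personal data; the keyed version uses an HMAC under a key derived from a server secret and the current time window, so tokens cannot be brute-forced without the secret and cannot be linked across windows. The secret, the user-agent string, the one-day window and the in-memory store are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import time

# Constructed sample values for the demonstration (not a real secret or real traffic).
SAMPLE_SECRET = b"demo-only-secret-rotate-in-production"
SAMPLE_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/128.0"


def unkeyed_fingerprint(ip: str, user_agent: str) -> str:
    """Plain SHA-256 of IP + user-agent.

    Looks anonymous, but the input space is small (about 4 billion IPv4
    addresses times a few thousand common user-agent strings), so anyone
    holding the hash and a guess at the user-agent can recover the IP.
    """
    return hashlib.sha256(f"{ip}\x00{user_agent}".encode()).hexdigest()


def recover_ip(target: str, user_agent: str, prefix: str) -> "str | None":
    """Enumerate the last octet of a /24 against an unkeyed fingerprint.

    Returns the matching IP, or None if nothing in the range produces the
    target (which is what happens when the target is a keyed token).
    """
    for last in range(256):
        ip = f"{prefix}{last}"
        if hmac.compare_digest(unkeyed_fingerprint(ip, user_agent), target):
            return ip
    return None


class ViewDeduper:
    """Counts a public-quote-link view once per viewer per time window.

    The viewer token is HMAC-SHA256(window_key, ip || user_agent) truncated
    to 128 bits, where window_key = HMAC-SHA256(server_secret, window number).
    Rotating the key with the window means a token is only meaningful for
    that window, and the underlying IP + user-agent cannot be recovered from
    a stored token without the server secret.
    """

    def __init__(self, server_secret: bytes, window_seconds: int = 86400,
                 clock=time.time):
        # window_seconds=86400 assumes a one-day dedup window (an assumption).
        self._secret = server_secret
        self._window = window_seconds
        self._clock = clock
        # (quote_id, token) -> window number in which the view was recorded
        self._seen: "dict[tuple[str, str], int]" = {}

    def _window_no(self, now: float) -> int:
        return int(now // self._window)

    def _window_key(self, window_no: int) -> bytes:
        label = f"quote-view-dedup:{window_no}".encode()
        return hmac.new(self._secret, label, hashlib.sha256).digest()

    def fingerprint(self, ip: str, user_agent: str, now: "float | None" = None) -> str:
        """Keyed, window-scoped viewer token (32 hex chars).

        In production the IP should come from the trusted proxy header that
        the hosting platform sets, not from a client-controlled header.
        """
        now = self._clock() if now is None else now
        msg = f"{ip}\x00{user_agent}".encode()
        key = self._window_key(self._window_no(now))
        return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]

    def record_view(self, quote_id: str, ip: str, user_agent: str) -> bool:
        """Return True for a new, countable view; False for a repeat in this window."""
        now = self._clock()
        current = self._window_no(now)
        # Tokens from earlier windows can never match again (their key is gone),
        # so drop them rather than retaining viewer data past the window.
        self._seen = {k: w for k, w in self._seen.items() if w == current}
        key = (quote_id, self.fingerprint(ip, user_agent, now))
        if key in self._seen:
            return False
        self._seen[key] = current
        return True
```

The deduper keeps only tokens for the current window; once the window rolls over, the old tokens are purged and the same visitor produces a different token, so nothing stored links one day's views to the next. The `recover_ip` function exists only to show why the unkeyed variant is not anonymisation: a /24 takes 256 hash computations to search.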

Contact

For any privacy-related questions, data subject requests, or complaints:

support@quotably.app

We review privacy requests manually and aim to respond within the timelines required by applicable law.