Privacy Policy
This policy explains what personal data QuotCraft collects, how it is used, how long it is retained, and your rights as a data subject under the EU General Data Protection Regulation (GDPR).
Effective date: 1 March 2026
Last updated: March 2026
GDPR compliant
Processed under EU law. Data stored in the EU.
No data selling
We never sell your data to third parties.
Your rights respected
Respond to all data requests within 30 days.
1. Who we are
QuotCraft BV is the data controller for all personal data processed through the QuotCraft platform (quotcraft.com and app.quotcraft.com). We are registered in Belgium and subject to Belgian data protection law and the EU General Data Protection Regulation (GDPR: Regulation (EU) 2016/679).
You can contact our data protection contact at privacy@quotcraft.com for any questions regarding this policy or your rights.
2. Data we collect and why
We collect only the data we need to provide the service to you.
Account data: When you create a QuotCraft account, we collect your name, email address, company name, VAT number, and billing address. This data is required to provide the service, process your subscription, and issue invoices to you.
Usage data: We collect information about how you use the platform: which features you use, how often, and from which devices. This helps us improve the product and identify performance issues. This data is pseudonymised and never sold.
Business data you enter: Quotations, invoices, client details, articles, project information, and documents you create within QuotCraft are processed on your behalf. You remain the data controller for this data. QuotCraft acts as a data processor under Article 28 GDPR.
Payment data: Subscription payments are processed by Stripe, Inc. QuotCraft does not store your card details. Stripe's privacy policy applies to payment processing.
Communication data: If you contact our support team, we keep records of that communication to provide assistance and improve our service.
Technical data: IP addresses, browser type, and device information are collected for security monitoring, fraud prevention, and legal compliance.
3. Legal basis for processing
We process your personal data under the following legal bases:
Contract performance (Article 6(1)(b) GDPR): Processing necessary to provide the service you have subscribed to, including account management, invoicing, and customer support.
Legitimate interests (Article 6(1)(f) GDPR): Security monitoring, fraud prevention, service improvement, and direct marketing to existing customers for related products.
Legal obligation (Article 6(1)(c) GDPR): Processing required for tax, accounting, and regulatory compliance, including retaining invoice records as required by Belgian commercial law.
Consent (Article 6(1)(a) GDPR): Marketing communications sent to prospects, newsletter subscriptions, and optional analytics. You can withdraw consent at any time.
4. Who we share data with
We do not sell your data. We share data only with subprocessors who help us deliver the service:
Stripe (payment processing): United States / EU, SCCs applied
AWS (cloud infrastructure, EU regions): eu-west-1 (Ireland), eu-central-1 (Frankfurt)
Postmark / AWS SES (email delivery): United States / EU, SCCs applied
OpenAI / Anthropic (AI features): data is anonymised before sending; no training on customer data
Peppol Access Point Provider: for e-invoice routing on the Peppol network
Sentry / Datadog (monitoring): anonymised error and performance data only
A full list of subprocessors is available on request at privacy@quotcraft.com.
5. International data transfers
Some of our subprocessors are based outside the European Economic Area. Where we transfer data to third countries, we apply appropriate safeguards:
Standard Contractual Clauses (SCCs) as adopted by the European Commission under Article 46(2)(c) GDPR
Adequacy decisions where applicable
Supplementary technical measures including encryption in transit and at rest
We process and store core business data (quotations, invoices, client data) exclusively within the EU (AWS eu-west-1 and eu-central-1 regions).
6. How long we keep your data
We keep your personal data only as long as necessary for the purposes described in this policy.
Active account data: Retained for the duration of your subscription plus 60 days after cancellation, during which you can export your data.
Invoice and financial records: Retained for 7 years as required by Belgian accounting law (Wetboek van Economisch Recht).
Support communications: Retained for 3 years after the last interaction.
Marketing data (with consent): Retained until you withdraw consent or opt out.
After the retention period expires, data is securely deleted or anonymised.
7. Your rights
Under GDPR, you have the following rights:
Right of access: Request a copy of the personal data we hold about you (Article 15).
Right to rectification: Request correction of inaccurate or incomplete data (Article 16).
Right to erasure: Request deletion of your data where there is no legal ground to continue processing (Article 17).
Right to restriction: Request that we restrict processing of your data in certain circumstances (Article 18).
Right to data portability: Receive your data in a machine-readable format for transfer to another service (Article 20).
Right to object: Object to processing based on legitimate interests or for direct marketing (Article 21).
Right to withdraw consent: Withdraw consent at any time for processing based on consent (Article 7(3)).
To exercise any of these rights, email privacy@quotcraft.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) at www.dataprotectionauthority.be.
8. Data security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful loss, alteration, disclosure, or access.
These measures include: TLS encryption for all data in transit, AES-256 encryption for data at rest, role-based access controls with least-privilege principles, two-factor authentication for all QuotCraft staff, regular security audits, penetration testing, and incident response procedures.
In the event of a data breach affecting your rights and freedoms, we will notify the Belgian Data Protection Authority within 72 hours and inform affected users without undue delay, as required by Articles 33 and 34 GDPR.
10. Children's data
QuotCraft is a business service not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that a child's data has been submitted, we will delete it promptly.
11. Changes to this policy
We may update this privacy policy to reflect changes in our practices, the service, or legal requirements. When we make material changes, we will notify you by email and display a notice in the application. The date of the last update is shown below. Continued use of the service after the effective date constitutes acceptance of the updated policy.