Who this policy applies to
This policy applies to QuoteStep account holders, workspace users, clients who receive quote, invoice or portal links, and people who contact QuoteStep through the website or support channels.
QuoteStep is intended for business use and is not directed at children.
Who is responsible for your data
QuoteStep acts as a controller for account, billing, website, support and service administration data.
For client records, quote content, invoices, payment records and documents entered by a customer, the customer normally decides why that information is used. QuoteStep processes it to provide the service.
Personal data we collect
- Account data: name, email address, login and workspace membership details.
- Business data: business name, contact details, address, logo, tax settings and document preferences.
- Client data: client names, contact details, addresses and related notes.
- Commercial records: quotes, line items, approvals, deposits, invoices, payment status, reminders and supporting documents.
- Communications: sent email history, support messages and website enquiries.
- Technical data: IP address, browser or device information, security events and service logs.
- Billing data: subscription and payment status supplied by payment providers. QuoteStep does not need to store full card details.
How we use personal data
- Provide, administer and secure accounts and workspaces.
- Create quotes, invoices, PDFs, approval records and client portal links.
- Send service emails, reminders and account communications.
- Track payment status and keep the Recovery queue up to date.
- Respond to support, access and privacy requests.
- Prevent misuse, investigate security issues and maintain service reliability.
- Meet legal, accounting and regulatory obligations that apply to QuoteStep.
Lawful bases
Depending on the activity, QuoteStep relies on performance of a contract, legitimate interests in operating and improving a secure business service, legal obligations, or consent where consent is required. Customers are responsible for having a lawful reason to add and use their clients' personal data.
International transfers
Some service providers may process data outside the United Kingdom. Where required, QuoteStep will use appropriate contractual or legal safeguards for those transfers.
How long data is kept
Retention depends on the type of record, account status, workspace instructions, security requirements and legal or accounting obligations. Data is not kept longer than reasonably needed for those purposes. Backup and security records may remain for a limited period after deletion.
Security
QuoteStep uses authenticated workspaces, access controls, server-side validation, tokenised client links and protected provider credentials. No internet service can promise absolute security, but practical safeguards are used to reduce unauthorised access, loss and misuse.
Your rights
Depending on the law that applies, you may have rights to access, correct, delete, restrict or receive personal data, and to object to certain uses. You may also withdraw consent where processing relies on consent.
Clients asking about records held in a customer's workspace may need to contact that business first. You may also complain to the UK Information Commissioner's Office at ico.org.uk.
Changes to this policy
This policy may be updated when the service, providers or legal requirements change. The effective date at the top of the page will be updated when material changes are published.
