QuoteStep
Start for £24/month

Privacy policy

How QuoteStep handles personal data.

This policy explains what personal data QuoteStep collects, why it is used, who it may be shared with, how long it is kept and the choices available to users and clients.

Effective date: 25 June 2026

Who this policy applies to

This policy applies to QuoteStep account holders, workspace users, clients who receive quote, invoice or portal links, and people who contact QuoteStep through the website or support channels.

QuoteStep is intended for business use and is not directed at children.

Who is responsible for your data

QuoteStep acts as a controller for account, billing, website, support and service administration data.

For client records, quote content, invoices, payment records and documents entered by a customer, the customer normally decides why that information is used. QuoteStep processes it to provide the service.

Personal data we collect

  • Account data: name, email address, login and workspace membership details.
  • Business data: business name, contact details, address, logo, tax settings and document preferences.
  • Client data: client names, contact details, addresses and related notes.
  • Commercial records: quotes, line items, approvals, deposits, invoices, payment status, reminders and supporting documents.
  • Communications: sent email history, support messages and website enquiries.
  • Technical data: IP address, browser or device information, security events and service logs.
  • Billing data: subscription and payment status supplied by payment providers. QuoteStep does not need to store full card details.

How we use personal data

  • Provide, administer and secure accounts and workspaces.
  • Create quotes, invoices, PDFs, approval records and client portal links.
  • Send service emails, reminders and account communications.
  • Track payment status and keep the Recovery queue up to date.
  • Respond to support, access and privacy requests.
  • Prevent misuse, investigate security issues and maintain service reliability.
  • Meet legal, accounting and regulatory obligations that apply to QuoteStep.

Lawful bases

Depending on the activity, QuoteStep relies on performance of a contract, legitimate interests in operating and improving a secure business service, legal obligations, or consent where consent is required. Customers are responsible for having a lawful reason to add and use their clients' personal data.

Who data may be shared with

QuoteStep may use carefully selected providers for hosting, storage, email delivery, payment processing, support, security monitoring and service operations. Data may also be shared with professional advisers or public authorities where required by law.

Providers receive only the information needed to perform their service and are expected to protect it appropriately.

International transfers

Some service providers may process data outside the United Kingdom. Where required, QuoteStep will use appropriate contractual or legal safeguards for those transfers.

How long data is kept

Retention depends on the type of record, account status, workspace instructions, security requirements and legal or accounting obligations. Data is not kept longer than reasonably needed for those purposes. Backup and security records may remain for a limited period after deletion.

Security

QuoteStep uses authenticated workspaces, access controls, server-side validation, tokenised client links and protected provider credentials. No internet service can promise absolute security, but practical safeguards are used to reduce unauthorised access, loss and misuse.

Cookies and analytics

QuoteStep uses cookies that are necessary for account sessions and security. If non-essential analytics or marketing cookies are introduced, they will be explained clearly and appropriate consent controls will be provided where required.

Your rights

Depending on the law that applies, you may have rights to access, correct, delete, restrict or receive personal data, and to object to certain uses. You may also withdraw consent where processing relies on consent.

Clients asking about records held in a customer's workspace may need to contact that business first. You may also complain to the UK Information Commissioner's Office at ico.org.uk.

Changes to this policy

This policy may be updated when the service, providers or legal requirements change. The effective date at the top of the page will be updated when material changes are published.

Questions about this policy?

Contact QuoteStep and include enough detail for us to understand your request.

contact@quotestep.co.uk