DashQuote App
Privacy Policy
Last updated: 11 June 2026
1. Who We Are
DashQuote (“we”, “our”, “us”) provides an AI-powered quoting and invoicing tool for UK tradespeople. We are the data controller for personal data collected through this application.
Contact us at: support@dashquote.co.uk
2. Scope
This policy covers all personal data processed through the DashQuote application — including the dashboard, quote and invoice creation, customer-facing quote pages, and all related services. It applies to subscribers (tradespeople) and to the personal data of their customers that subscribers enter into the app.
3. Information We Collect
3.1 Account and profile data
When you register and set up your profile, we collect:
- Email address (used to sign in and receive service notifications)
- Business name, trade type, and phone number
- Business address and logo
- Hourly or daily rate, parts markup percentage, and VAT status
- Bank account details and payment terms (stored for inclusion on invoice PDFs — we do not process payments directly)
- Quote and invoice reference prefixes
3.2 Quote and invoice data
When you create quotes and invoices, we store:
- Job descriptions you type or dictate by voice
- Photos you upload from site
- Voice note recordings and their transcripts
- AI-generated line items, customer summaries, and internal notes
- Quote and invoice totals, status, and response history
3.3 Your customers' data
When you create a quote or invoice, you enter your customers' personal data: name, address, email address, and phone number. See Section 8 for how we handle this data and your responsibilities.
3.4 Payment data
We use Stripe to manage subscriptions. We do not store your card details — Stripe handles all payment processing. We retain a Stripe customer reference to manage your account.
3.5 Technical data
Our authentication provider (Supabase) sets session cookies to keep you signed in. We do not use analytics services, advertising trackers, or third-party tracking scripts of any kind.
4. Lawful Basis for Processing
We process your personal data under the following lawful bases (UK GDPR Article 6):
- Contract (Article 6(1)(b)): providing the DashQuote service, AI quote generation, sending quote and invoice emails to your customers, and managing your subscription.
- Legitimate interests (Article 6(1)(f)): preventing fraud, securing the platform, and improving service reliability. We have assessed that these interests are not overridden by your rights.
- Legal obligation (Article 6(1)(c)): retaining billing records as required by financial regulations.
5. How We Use Your Data
Providing the service
Your profile data personalises your quotes and invoices (business name, logo, payment details). Your job descriptions, photos, and voice recordings are processed to generate itemised quotes.
AI quote generation
When you use “Generate with AI”, your job description, uploaded photos, and voice note transcript are sent to Anthropic's Claude API and OpenAI's Whisper API to generate line items and a customer-facing summary. This is disclosed in the app at the point of generation. See Section 6 for details on these providers.
Sending quotes and invoices
When you send a quote or invoice, your customer's name and email address are shared with Resend (our email delivery provider) to deliver the message on your behalf.
Billing
Your email address and a billing reference are shared with Stripe to manage your subscription and process payments.
6. Third-Party Processors
We use the following sub-processors. Each is bound by a data processing agreement (DPA) and provides sufficient guarantees for personal data protection.
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database, file storage, authentication | All profile, quote, and customer data | EU / US |
| Stripe | Subscription billing | Email, billing reference | US |
| Anthropic (Claude) | AI quote generation | Job descriptions, photos, voice transcripts | US |
| OpenAI (Whisper) | Voice transcription | Voice recordings | US |
| Resend | Email delivery | Customer name, email, quote details | US |
| Vercel | Application hosting | IP addresses, request logs | US |
Note on AI providers: Anthropic and OpenAI do not use API inputs to train their models by default. Data sent via the API (job descriptions, photos, voice recordings) is used only to generate your quote and is not retained by these providers beyond the duration of the request.
7. International Data Transfers
All third-party processors listed in Section 6 are based in, or transfer data to, the United States. These transfers are made under appropriate safeguards:
- Anthropic, OpenAI, Stripe, Resend, and Vercel rely on Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA).
- Supabase stores primary data in the EU (Frankfurt) and uses SCCs for any transfers to the US.
8. Your Customers' Data
When you enter your customers' personal data into DashQuote (names, addresses, email addresses, phone numbers), you are the data controller for that data. DashQuote acts as your data processor — we process it only to provide the quoting service to you.
Your responsibilities
- You are responsible for having a lawful basis (such as a contract or legitimate interests) to collect and use your customers' personal data.
- You should have a privacy notice for your own business explaining how you handle customer data.
- If a customer asks you to correct or delete their data held in DashQuote, contact us at support@dashquote.co.uk and we will assist.
Our commitments as your processor (Article 28 UK GDPR)
- We process customer data only on your instructions, to provide DashQuote.
- We do not use your customers' data for our own marketing or analytics.
- We apply the same security measures to customer data as to your own account data.
- We will notify you without undue delay if we become aware of a breach affecting customer data.
- We will assist you in responding to data subject rights requests from your customers.
- Customer data is deleted when you delete your account or an individual quote.
9. Data Retention
- Account and profile data — retained until you delete your account.
- Quotes and invoices — retained until account deletion. We recommend exporting and keeping records for at least 6 years for UK tax purposes (HMRC requirement for self-employed individuals).
- Voice recordings — retained until you delete the associated quote or your account.
- Session cookies — expire when you sign out or the session times out.
- Billing records — retained for 7 years to meet financial record-keeping requirements.
- Deleted account data — permanently purged within 30 days of deletion.
10. Your Rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — delete your account and all associated data at any time from Settings → Delete account.
- Portability — download your data in machine-readable format from Settings → Data export. The export includes a structured JSON file alongside PDFs.
- Restriction — ask us to pause processing while a dispute is resolved.
- Objection — object to processing based on legitimate interests.
To exercise any of these rights, contact support@dashquote.co.uk. We will respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113.
11. Cookies
DashQuote uses only strictly necessary cookies to maintain your login session. These are set by Supabase (our authentication provider) and are required for the service to function — they cannot be disabled without preventing sign-in. We do not use analytics, advertising, or tracking cookies.
12. Security
We take the following measures to protect your personal data:
- All data is transmitted over HTTPS (TLS encryption in transit).
- Data at rest is encrypted by Supabase's infrastructure (AES-256).
- Database access is enforced by row-level security (RLS) — each user can only access their own data.
- Authentication uses passwordless magic links — no passwords are stored.
- API keys and credentials are stored as server-side environment variables and are never exposed to the browser.
13. Data Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform you without undue delay if the breach is likely to result in a high risk to you personally.
To report a suspected breach, contact support@dashquote.co.uk.
14. Age Restriction
DashQuote is intended for use by UK tradespeople and business owners. You must be at least 18 years old to create an account.
15. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you by email. The date at the top of this page always reflects the latest revision.
16. Contact
For any privacy questions, data subject rights requests, or concerns:
DashQuote
support@dashquote.co.uk