Privacy policy.
Last updated: 5 June 2026
ForemanQuote is a quoting and invoicing service for trade businesses, currently in early access. This page describes, in plain English, what personal data we collect — on this site, inside the app, and through our outreach — why we collect it, the legal basis for each use, who else sees it, how long we keep it, and how to exercise your GDPR rights. It is written to satisfy Articles 13 and 14 of the EU General Data Protection Regulation (GDPR).
1. Data controller — and when we act as a processor
The data controller for personal data collected on this site and in the ForemanQuote app is ForemanQuote, reachable at team@getforemanquote.com. ForemanQuote operates from the European Union. No Data Protection Officer (DPO) has been appointed because the criteria of GDPR Article 37 do not apply at this scale; the controller handles privacy requests directly. The controller's full legal identity is available on request at the email address above.
One important distinction. When a contractor uses ForemanQuote to store and send quotes or invoices, the personal data of their customers (names, emails, signatures, approvals) is controlled by that contractor, not by us: we process it on the contractor's instructions, as a processor under GDPR Article 28. If you received a quote or invoice through ForemanQuote, address privacy requests to the business that sent it — we support that business in fulfilling every request.
2. What personal data we collect
If you only browse this site: aggregate analytics events, but only after you click Accept in the cookie banner. No analytics cookies or device fingerprints are set before consent. Two first-party attribution cookies are described in Section 10.
If you submit the email form: your email address and the timestamp of submission.
If you pay the €1 reservation hold: your name, email, billing country, and partial card details (last four digits only). Full card numbers are processed by Stripe and never reach our servers.
If you create a contractor account: the business and contact details you enter at onboarding (business name, email, phone, address, VAT and licence numbers, logo), the quotes, invoices and templates you create, your trial and subscription status, your billing history held at Stripe, your Stripe payout-connection status, where you first heard of us, and — only with your cookie consent — product analytics events.
If a contractor sends you a quote or invoice (processed on the contractor's behalf): your name, email, phone and address as entered by the contractor; the name, date and IP address recorded when you approve; your hand-drawn signature plus a tamper-evidence fingerprint of it; and the time, IP address and browser type recorded when the quote page is first opened, so the contractor knows it arrived.
If we contact your business (data not obtained from you — GDPR Art. 14): publicly listed business details — business name, trade, city, website and public email address — collected from public directories and Google's business listings (Google Places). We log whether our message was delivered, clicked, or led to a signup, and we keep a permanent do-not-contact list of addresses that opted out.
Email replies and support requests: the contents of any message you send us at team@getforemanquote.com or via a reply-to address on our emails.
3. Why we collect it (purposes)
We do not sell personal data, we do not share it with advertisers, and we run no third-party ad tracking.
- To provide the service: create, send and track quotes and invoices, and collect deposits, on contractors' instructions.
- To run trials, subscriptions, billing and payment-failure handling.
- To send transactional and lifecycle email (welcome, trial ending, billing problems, cancellation confirmations).
- To send you exactly one launch notification when general access opens, if you opted in.
- To process and, on request, refund the €1 reservation hold.
- To introduce ForemanQuote to trade businesses by email, with a permanent opt-out.
- To respond to your messages.
- To understand traffic patterns and improve the product (only with your cookie consent).
4. Legal basis for processing (GDPR Article 6)
| Operating your account, quotes, invoices and subscription | Performance of a contract (Art. 6(1)(b)) |
| Processing the €1 reservation and any refund | Performance of a contract (Art. 6(1)(b)) |
| Sending the launch notification you opted in to | Consent (Art. 6(1)(a)) |
| Tax, accounting, and anti-fraud records on payments | Legal obligation (Art. 6(1)(c)) |
| Quote-view receipts and the signature audit trail | Contractor's legitimate interest in proof of delivery and approval (Art. 6(1)(f), as processor) |
| Business-to-business introduction emails to published addresses | Legitimate interest in direct marketing (Art. 6(1)(f), Recital 47), with a permanent opt-out |
| Replying to your support messages | Legitimate interest in providing customer service (Art. 6(1)(f)) |
| Aggregate site and product analytics | Consent given through the cookie banner (Art. 6(1)(a)) |
5. Who else sees your data (processors)
We use a small set of GDPR-compliant providers to run the service. Each is a data processor under GDPR Article 28; each has its own privacy policy linked below. We do not sell your data. We do not share it with advertisers. We do not run tracking pixels or third-party ad cookies.
- Supabase Hosts our database, login system and file storage (quotes, invoices, signatures, logos) in the EU. Privacy policy →
- Stripe Processes subscriptions, the €1 reservation, and the deposits contractors collect from their customers. Handles full card data. Privacy policy →
- Resend Sends quotes, invoices, and our transactional and lifecycle email. Privacy policy →
- Vercel Hosts the site and, after your cookie consent, runs aggregate analytics. Privacy policy →
- PostHog Product analytics on EU servers, only after your cookie consent. Privacy policy →
- Google Google Places, the public business directory we source outreach contacts from. Privacy policy →
- Smartlead Delivers our outreach email and reports bounces, replies and opt-outs. Privacy policy →
- Anthropic Automatically sorts replies to our outreach (interested / not interested / unsubscribe). Reply text is not stored after sorting. Privacy policy →
- Zoho Runs the team@getforemanquote.com support mailbox. Privacy policy →
6. International data transfers
Several providers (Stripe, Resend, Vercel, Smartlead, Anthropic, Google) are headquartered in the United States; Supabase and PostHog store our data in EU regions. Where personal data is transferred outside the European Economic Area, the transfer relies on the European Commission Standard Contractual Clauses (Decision 2021/914) signed with each provider, or on the EU-US Data Privacy Framework where applicable. You may request a copy of the relevant transfer safeguard by writing to team@getforemanquote.com.
7. How long we keep it (retention)
| Email submitted via the signup form, without a paid reservation | Until launch + 90 days, then deleted |
| Reservation and customer record after a €1 payment | Until you convert to a paid account, cancel, or 12 months pass with no activity, whichever is earliest |
| Contractor account, quotes, invoices, signatures | While your account exists; deleted within 90 days of account deletion, except invoice records tax law requires us to keep (up to 10 years) |
| Quote-view receipts (time, IP, browser type) | Kept with the quote they belong to, same lifetime |
| Outreach data on businesses that never responded | Deleted no later than 12 months after our last message |
| Do-not-contact list | Kept indefinitely — that is its purpose |
| Stripe payment records | Held by Stripe under its own retention rules (typically 10 years for tax) |
| Support email correspondence | 24 months from the last reply, then deleted |
| Aggregate analytics events | Per provider policy (Vercel typically 90 days; PostHog under its own policy) |
8. Your rights (GDPR Articles 15 to 22)
At any time you can ask us to do any of the following, free of charge:
- Tell you what personal data we hold about you (right of access, Art. 15).
- Correct anything inaccurate (right of rectification, Art. 16).
- Delete it (right to erasure, Art. 17).
- Restrict processing (Art. 18).
- Export it in a portable machine-readable format (right to portability, Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal (Art. 7(3)).
9. How to exercise your rights and complain
Email team@getforemanquote.com from the address you used with us. We acknowledge within 72 hours and complete the action within 30 days at the latest (usually within 7 business days).
If we emailed your business and you would rather we did not: one reply saying “unsubscribe”, or one click on the opt-out link, puts your address on the do-not-contact list permanently (Art. 21(2)). You will never hear from us again.
If you believe we mishandle your data, you also have the right to lodge a complaint with your national supervisory authority. For Italian residents the authority is the Garante per la protezione dei dati personali (gpdp.it). For Spain, the Agencia Española de Protección de Datos (aepd.es). For France, the CNIL (cnil.fr). For Germany, the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (bfdi.bund.de), or the data protection authority of your federal state.
10. Cookies and on-device storage
We use one piece of localStorage to remember your cookie-banner choice. No analytics cookies are set before you click Accept; until then, analytics run without storing anything on your device. Strictly necessary cookies are set only when needed: login session cookies when you sign in, and Stripe's functional cookies during checkout, which cannot be disabled without breaking the payment flow.
We set two first-party attribution cookies, each lasting 30 days: fq_attr remembers which page or source first brought you here, and fq_ref is set only if you arrive from a link in one of our emails, so we know the message was useful. Both are readable only by us and are never shared with third parties. If you click Reject in the cookie banner, both are deleted immediately and never set again; you can also ask us to delete the associated record at any time.
If you install the app or use it offline, it keeps a copy of your own quotes in your browser's local database (IndexedDB) so it works on site without signal. That copy stays on your device and is removed when you log out or clear site data.
11. Automated decision-making
We do not make decisions about you using solely automated means that produce legal or similarly significant effects. Software — including an AI text classifier — sorts replies to our outreach email into categories such as “interested” or “unsubscribe” so they are routed correctly; a person reads anything substantive, and the reply text is not stored after sorting. Stripe runs its own fraud-prevention checks on payments; you can read about those at stripe.com/privacy.
12. Changes to this policy
If anything material changes, the Last updated date at the top of this page changes with it. Material changes that affect existing reservers or subscribers are also sent by email. Continued use of the service after a change indicates acceptance of the updated policy.