Privacy Policy

Last updated: March 2026

QuotArc (“we,” “our,” or “us”) is committed to protecting your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Law 25). This policy explains what we collect, why, and how we protect it — in plain language.

1. Who is responsible for your data

QuotArc is the organization responsible for personal information under our control. Our designated privacy officer can be reached at privacy@quotarc.com. For general inquiries: contact@quotarc.com.

2. What we collect and why

We collect only the information needed to operate QuotArc and provide support:

  • Account information — your name, company name, email address, and province when you sign up. Used to identify your account and apply correct regional defaults (e.g., tax rates).
  • Billing information — subscription and payment details handled by Stripe. We never see or store your full card number — Stripe processes and stores all payment data directly.
  • Business data you create — quotes, invoices, customer records, line items, and notes. This data belongs to you and is used solely to provide the service.
  • Your customers’ information — when you add a customer (name, email, phone, address), you are the data controller for that information. We process it only on your behalf. You are responsible for having a lawful basis to share your customers’ data with us.
  • Voice call data — if you use the AI receptionist, call recordings and transcripts are processed by VAPI. Transcripts are stored in your QuotArc account. Recording retention follows VAPI’s own policies.
  • Usage data — aggregate product analytics (features used, session activity) to improve QuotArc and provide support. This does not identify your end customers.

3. How we use your information

Your information is used only for the purposes it was collected:

  • To create and manage your QuotArc account
  • To deliver, maintain, and improve the QuotArc service
  • To send transactional emails — quote confirmations, invoice notifications, payment receipts, and account alerts
  • To send automated follow-up emails to your customers based on rules you configure
  • To process your subscription payments via Stripe
  • To generate AI-assisted quotes and call summaries using your business data
  • To respond to your support requests
  • To comply with applicable legal obligations

We do not sell your personal information. We do not use your data for advertising.

4. Consent

By creating a QuotArc account, you consent to the collection, use, and disclosure of your personal information as described in this policy. You may withdraw consent at any time by closing your account (see “Your rights” below). Withdrawing consent may limit our ability to provide the service.

5. Third-party service providers and cross-border transfers

We share personal information with service providers only as needed to operate QuotArc. Each provider is contractually required to protect your information and may only use it for the specific purpose disclosed here.

ProviderPurposeLocation
SupabaseDatabase and authenticationUSA (AWS)
StripeSubscription billing and payment processingUSA
ResendTransactional and automated email deliveryUSA
OpenRouter / AnthropicAI quote assistance and suggestionsUSA
VAPIAI voice receptionist and call processingUSA

All providers listed above are located in the United States. By using QuotArc, you acknowledge that your personal information will be transferred to and processed in the United States, where privacy laws may differ from those in your province or territory.

6. Data retention

  • Active account data is retained while your subscription is active.
  • After account cancellation, your data is retained for 30 days then permanently deleted.
  • Billing records may be retained longer where required by law (e.g., 7 years for tax records).
  • Call recordings are subject to VAPI’s own retention schedule — contact VAPI directly for details.
  • You may request immediate deletion at any time — see “Your rights” below.

7. Security

We use reasonable technical and organizational safeguards to protect your personal information: encrypted data transmission (HTTPS/TLS), access controls limited to authorized personnel, and established cloud providers with SOC 2 compliance (Supabase, Stripe). No internet transmission is 100% secure. If you believe your account has been compromised, contact us immediately at privacy@quotarc.com.

8. Breach notification

If we become aware of a security breach that poses a real risk of significant harm to you, we will notify you and the applicable privacy regulator as required under PIPEDA and, where applicable, Quebec Law 25. Notification will describe the nature of the breach, the information involved, and the steps we are taking to address it.

9. Your rights

You have the following rights regarding your personal information:

  • Access — request a copy of the personal information we hold about you.
  • Correction — request correction of inaccurate or incomplete information.
  • Deletion — request deletion of your account and personal data. Some data (e.g., billing records required by law) may need to be retained.
  • Portability (Quebec) — request your personal information in a structured, machine-readable format, or ask us to transmit it to another organization where technically feasible, as required under Quebec Law 25.
  • De-indexation (Quebec) — if information you provided has been made publicly available, you may request that access be restricted or that it be de-indexed from search engines, as provided under Quebec Law 25.
  • Withdraw consent — you may withdraw consent to certain processing. Withdrawal may limit our ability to provide the service.
  • Complaints — you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca, or for Quebec residents, with the Commission d’accès à l’information (CAI) at cai.quebec.ca.

To exercise any of these rights, email our privacy officer at privacy@quotarc.com. We will respond within 30 days.

10. Automated decision-making

QuotArc uses AI to generate quote suggestions and call summaries. These are provided as assistance only and do not constitute automated decisions with legal or similarly significant effects on you. You remain in full control of all quotes, invoices, and communications sent from your account. Quebec residents with questions about automated processing may contact our privacy officer.

11. Cookies

QuotArc uses session cookies required for authentication and to keep you logged in. We do not use third-party advertising or tracking cookies. We may use privacy-respecting analytics (aggregate page views only) to understand product usage.

12. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or in-app notice at least 15 days before they take effect. Continued use of QuotArc after the effective date constitutes acceptance of the updated policy.