FASTQUOTE
Privacy Policy
Version 2026-06-29
About this notice
FastQuote is operated by Harry Doyle (sole trader, trading as "FastQuote"), based in the United Kingdom. This policy explains what personal data we hold, why, and what your rights are. UK GDPR and the Data Protection Act 2018 apply.
Two groups of people
FastQuote handles personal data about two distinct groups:
- You, the tradesperson — you signed up, you have an account, you are our customer. We are the controller of your personal data.
- Your end clients — the homeowners or businesses whose property you are quoting for. Their names, site addresses, and photos enter the system because you upload them. You are the controller of their data. FastQuote is your processor. See our Data Processing Agreement for the detail.
What we collect
About you (the tradesperson):
- Name and email address (from Google when you sign in).
- Business details you enter into your profile: company name, phone, trading address, VAT number, day rate.
- Session cookies so you stay signed in.
- Anonymous pageviews of the marketing site (path + session id, no personal identifier). See "Analytics" below.
About your end clients (uploaded by you):
- Client name, site address, contact details you choose to enter on a quote.
- Job photographs or video walkthroughs of their property.
- Quote content, measurements, and generated documents.
Why we hold it — lawful basis
- Your account data — contract (Article 6(1)(b)): we need it to provide the service you signed up for.
- End-client data you upload — on your behalf, under your lawful basis (typically your contract with that client). FastQuote does not independently determine why this data is processed.
- Learning data (anonymous diffs of AI suggestions vs your confirmed values) — legitimate interests (Article 6(1)(f)): improving the service. Anonymised before storage; no personal data leaks into the learning loop.
- Anonymous pageviews — legitimate interests: understanding which landing pages convert. No identifier, no cross-site tracking, honours
navigator.doNotTrack.
Processors we use
To run the service we send data to these third parties:
- Anthropic, PBC (United States) — job photographs + transcripts are sent to the Claude API for analysis. Per Anthropic's API terms, inputs are not used to train their models and are not retained beyond the API request. Transfer to the US is covered by the UK Addendum to the EU Standard Contractual Clauses.
- OpenAI, LLC (United States) — audio from voice dictation and video walkthroughs is sent to Whisper for transcription. Audio is in-memory only; never persisted. Same transfer safeguards as Anthropic.
- Railway Corp. — hosting + managed Postgres. Production data is currently in Railway's US West region; we are migrating to Railway's EU region (see "Data storage" below).
- Cloudflare R2 — off-platform encrypted backups of the database. Bucket is access-token-scoped; AES256 server-side encryption at rest.
- Auth0 by Okta (Okta, Inc.) — authentication and identity management. We use Auth0 (Okta Inc.) to handle sign-in. Auth0 receives your email and login event records when you authenticate. UK & EU data residency available. Transfer covered by the UK Addendum to the EU Standard Contractual Clauses.
- Google LLC — sign-in only, via Auth0's Google social connection. We receive your name and email. No other Google services used.
- Stripe, Inc. (once billing is live) — payment processing for the £19.99/month subscription. Stripe is the controller for payment data; we never see your full card number.
Data storage and international transfers
Your account database is hosted in Railway's EU West region (Amsterdam, Netherlands), and the Cloudflare R2 backup bucket is also in the EU jurisdiction. No personal data is routinely held outside the EU/UK. Cross-border transfers to the United States are limited to the sub-processors named above (Anthropic, OpenAI, Google sign-in, Stripe) and are covered by the relevant Standard Contractual Clauses and UK Addendum.
Retention
- Account data — for as long as your account is active. On account deletion, account data is removed within 30 days from the live database.
- Quote data — same lifecycle. Anonymous learning data (diffs only, no PII) is retained indefinitely.
- Backups — 7 daily + 4 weekly snapshots. Deleting your account does not surgically edit existing backups; data ages out of backups within ~5 weeks of deletion.
- Pageviews — 30 days rolling.
Your rights
You have the right to access, correct, port, restrict, or delete your personal data, and to object to processing. To exercise any of these, email [email protected]. We respond within 30 days. If you are unhappy with our handling, you can complain to the UK Information Commissioner's Office (ico.org.uk).
What we don't do
- We do not sell or share your data with advertisers.
- We do not use any third-party tracking or analytics SDK on the app (no Google Analytics, no Mixpanel, no Sentry).
- We do not profile end clients for any purpose.
Security
HTTPS-only. Session secrets and database passwords are stored as Railway environment variables, never in code. Database backups are encrypted at rest. We run secret-scanning on every commit. See our Terms of Service for limits on liability.
Contact
Controller: Harry Doyle (sole trader t/a FastQuote), United Kingdom.
Email: [email protected]