Privacy Policy
Effective date: 15 June 2026
Last updated: 26 May 2026
This policy covers two different groups of people:
- Freelancers — people who sign up for a Firequote account to create proposals and invoices.
- Clients — people who receive a proposal or invoice through Firequote because a freelancer sent it to them. Clients do not have a Firequote account and have not signed up for anything.
Both groups have data that we handle. We explain how, separately, throughout this document.
Who we are
Firequote is a Dutch eenmanszaak (sole proprietorship) registered in the Netherlands.
- KvK number: 76877213
- Registered address: Salland 1, 1948 RE Beverwijk, Nederland
- Correspondence address: Postbus 79055, 1070 NC Amsterdam, Nederland
- Privacy contact: privacy@firequote.app
We are the data controller for your data when you use Firequote as a freelancer.
When a freelancer enters their client's information into Firequote, the freelancer is the data controller for that client information, and we act as the data processor on the freelancer's behalf. We explain this more below.
We have not appointed a Data Protection Officer.
What data we collect, why, and the legal basis for each purpose
Under GDPR we have to tell you not just what we collect, but exactly why and under what legal basis. Here is the full picture.
If you are a freelancer with a Firequote account
| Data | Why we have it | Legal basis (GDPR Art. 6) |
|---|---|---|
| Email address | Account login, sending you proposal status notifications | Contract performance |
| Business name, contact name, phone, website | We display this on your proposals and invoices | Contract performance |
| Logo image | Displayed on proposals and invoices, also used to extract your brand colour | Contract performance |
| Brand colour | Theming your proposals and invoices | Contract performance |
| Payment / bank details (optional) | Displayed on your invoices so your clients can pay you | Contract performance |
| Default payment terms | Pre-filled into new proposals | Contract performance |
| Subscription status | Determining your access to Pro features | Contract performance + legal obligation (tax records) |
| Country and locale | Showing prices in your currency, applying the correct VAT or sales tax, choosing the right language | Contract performance |
| Push notification token | Sending you push notifications about proposal activity | Consent |
| App usage events linked to your account ID | Understanding which features people use, fixing bugs, improving the product | Legitimate interest |
What is required and what is optional: Your email and business name are required — without them you cannot use Firequote. Phone, website, logo, payment details, and default payment terms are optional and only used if you provide them.
Content you create as a freelancer
| Data | Why we have it | Legal basis |
|---|---|---|
| Raw meeting notes you type or paste | Sent to our AI provider (Anthropic) so it can generate a proposal | Contract performance |
| Generated proposal text | Stored so you can edit, send and reuse it | Contract performance |
| Invoice line items, totals, dates | Stored so you can send and reuse them | Contract performance |
| PDF files we generate | Storage for download and email attachments | Contract performance |
| Signature image (Pro feature, when a client signs) | Embedded into the signed PDF and shown to you as proof of acceptance | Contract performance |
If you are a client receiving a proposal or invoice
This is the unusual part. You did not sign up for Firequote. Your data is in our system because a freelancer entered it to send you a document.
Under GDPR, the freelancer is the controller of your data, and we are the processor acting on their instructions. If you want your data removed, you can either contact the freelancer who sent you the proposal directly, or contact us at privacy@firequote.app and we will help.
| Data | Why we have it | Legal basis |
|---|---|---|
| Your name | Shown on the proposal, used in the acceptance form | Legitimate interest of the freelancer (sending you a business document) |
| Your email | Sending you the proposal, sending acceptance confirmation | Legitimate interest of the freelancer |
| Your company name | Shown on the proposal | Legitimate interest of the freelancer |
| IP address (only if you accept or sign a proposal) | Audit trail proving who accepted and when | Legitimate interest (evidence of contract formation) |
| Browser type / device type (only if you accept or sign) | Same audit trail | Legitimate interest |
| The name you type when signing | Shown on the signed PDF | Contract formation |
| When you viewed the proposal, for how long, and on what device type | Letting the freelancer know their proposal was opened | Legitimate interest of the freelancer |
Source of your data: the freelancer who sent you the proposal. They typed your details in directly, or our AI extracted them from notes the freelancer provided.
If you signed up for Firequote and receive our onboarding emails
When you create a Firequote account, we send you a short series of onboarding emails over your first weeks to help you use the app. Every one of these emails has an unsubscribe link. If you unsubscribe, you keep your account and all transactional emails (proposal sent, viewed, accepted, payment receipts) — only the onboarding sequence stops.
Legal basis: legitimate interest in helping new users get set up, with clear opt-out as required by CAN-SPAM (US) and GDPR (EU).
We do not run a separate marketing email list. We do not send promotional broadcasts. We do not sell or share your email with anyone for marketing.
A note about AI
This is important because freelancers often type things into Firequote that include client details or business information.
When you create a proposal, the raw notes you type are sent to Anthropic's Claude API to generate the proposal text. This means:
- Your notes leave our servers and are processed by Anthropic in the United States.
- According to Anthropic's API terms, they do not train their models on data sent through the API.
- The generated proposal is sent back to us and stored in your account.
- The raw notes are also stored alongside the proposal so you can regenerate or edit later. They stay there until you delete the proposal or delete your account.
We do not use AI to make decisions about you (for example, scoring you, denying you service, or profiling you). The AI only generates text content that you then edit and send. You always review the output before anything is sent to a client.
A note about subscriptions
Pro subscription payments are processed by Apple (App Store on iOS) or Google (Google Play on Android), depending on the platform you subscribe from. Apple and Google act as the Merchant of Record — they handle the payment, calculate and remit any applicable VAT or sales tax, issue your receipt, and handle refunds and chargebacks.
We never see or store your card details, billing address, or payment information. That data lives with Apple or Google.
We use RevenueCat as a subscription middleware to receive purchase events from Apple and Google and grant you Pro access. When you subscribe:
- We pass your Firequote user identifier to RevenueCat so they can link the purchase to your account.
- Apple or Google sends RevenueCat anonymized purchase events (subscription started, renewed, cancelled, refunded, etc.) using their own server-to-server notification systems.
- RevenueCat forwards the entitlement status (Pro / not Pro, current period end, plan) back to us so we can unlock Pro features.
Apple and Google are their own data controllers for the data you give them at the store. Their privacy policies apply to that data: Apple Privacy and Google Privacy. RevenueCat is a processor acting on our behalf; their privacy policy is at revenuecat.com/privacy.
A note about Stripe (invoice payments)
Separately from your Pro subscription, Firequote lets freelancers connect their own Stripe account so their clients can pay invoices online. This is optional — if you never connect Stripe, none of your data goes there.
If you do connect Stripe:
- You complete Stripe's onboarding directly with Stripe. Stripe collects whatever they need to verify your business (name, address, tax ID, bank details). We never see or store this information — we only store a Stripe account ID so we know your invoices are linked.
- When a client pays an invoice, the client enters their card details on a Stripe-hosted checkout page. We never see or store the client's card details.
- Stripe sends us back a payment status (paid / failed) and a payment reference, which we store on the invoice.
Stripe is the data controller for the data you and your clients give them. Their privacy policy is at stripe.com/privacy.
A note about signing in with Google or Apple
You can sign in to Firequote with your Google account or your Apple ID instead of using a password. This is optional — email/password sign-in is also available.
If you choose Google or Apple sign-in:
- We hand you off to Google or Apple to authenticate.
- They confirm your identity and return your name and email address to us.
- We use that to create or recognise your Firequote account.
- Google and Apple are separate data controllers for the data they hold about you. Their own privacy policies apply.
Who else processes your data
We use a small number of third-party services to run Firequote. We rely on the data processing terms each provider publishes as part of their standard service.
| Service | What they do | Where their servers are |
|---|---|---|
| Supabase | Our database and file storage | United States |
| Anthropic (Claude API) | Generating proposal text from your notes | United States |
| Apple (App Store In-App Purchase) | Processing Pro subscription payments on iOS, calculating and remitting VAT/sales tax, issuing receipts (acts as Merchant of Record) | Global / United States |
| Google (Google Play Billing) | Processing Pro subscription payments on Android, calculating and remitting VAT/sales tax, issuing receipts (acts as Merchant of Record) | Global / United States and Ireland |
| RevenueCat | Subscription state middleware: receives purchase events from Apple/Google linked to your user identifier so we can grant Pro access (does not see card or billing data) | United States |
| Stripe (Stripe Connect) | Optional — when a freelancer connects Stripe to collect payment from their clients on invoices, Stripe processes that payment | United States / European Union |
| Resend | Sending emails (proposals, notifications, onboarding) | United States |
| PostHog | Product analytics (which features get used, where bugs happen) | United States |
| Vercel | Hosting our landing page and proposal/invoice web pages | Global edge network |
| Pexels | Stock image search for cover images — we send your search query to retrieve matching photos | United States |
| Google (Sign in with Google) | Optional — used only if you choose to sign in with your Google account | United States |
| Apple (Sign in with Apple) | Optional — used only if you choose to sign in with your Apple ID | United States |
| Expo (push token routing) + Apple APNs (iOS) / Google Firebase Cloud Messaging (Android) | Push notification delivery to your device | United States |
We do not sell your data. We do not share your data with advertisers. We do not let any of these processors use your data for their own marketing.
If you want the most recent list of subprocessors, email us.
Sending data outside the EU
Most of our processors above are based in the United States or the United Kingdom. To make these transfers legal under GDPR, we rely on:
- Standard Contractual Clauses (SCCs) that each processor includes in their standard terms, where applicable
- The EU–US Data Privacy Framework for processors that are certified under it
- The EU's adequacy decision for the United Kingdom, which allows transfers to the UK without additional safeguards
- For Anthropic specifically: they process data per their API terms which include appropriate safeguards
If you want copies of the safeguards we rely on for any specific transfer, email us and we will share what we have.
How long we keep your data
We keep data only as long as we need it. Specifics:
- Your account data — until you delete your account.
- Draft proposals and invoices — until you delete them, or until you delete your account.
- Proposals manually marked as accepted by you (no client action) — you can delete these at any time. Otherwise they stay until you delete your account.
- Proposals accepted by a client (whether through a simple accept click or a signature) — cannot be deleted while your account is active. Both you and your client have a legitimate interest in keeping the record of what was agreed. The only way to remove a client-accepted proposal is to delete your entire account (see Account deletion below).
- Raw meeting notes — kept with the proposal. Deleted when the proposal is deleted, or when the account is deleted (in the case of client-accepted proposals, the notes are stripped out and only the accepted PDF + acceptance record remain).
- View tracking data on proposal pages — kept with the proposal, deleted when the proposal or account is deleted.
- Onboarding email records — kept for as long as you have an account.
- Analytics data in PostHog — retained for the period defined by our current PostHog plan (currently 30 days), then automatically deleted.
- Payment records — Detailed payment data (card details, billing address, transaction logs, receipts) lives with Apple or Google as Merchant of Record, under their own retention policies. We only store a subscription summary linked to your account (status, plan, current period end, store transaction reference, RevenueCat user identifier). We retain this summary for 7 years because Dutch tax law requires retention of records used for income recognition, even when the merchant of record is a third party.
Account deletion
You can delete your Firequote account from inside the app at any time. Apple and Google both require this, and we agree it should be a basic right.
When you delete your account:
- Before you delete: download a PDF copy of any proposal, invoice, or signed agreement you want to keep. Your own bookkeeping or tax retention obligations may require this. Each document has a "Download PDF" option in the editor and on the shareable link.
- All your account data, draft proposals, proposals you manually marked as accepted, view tracking, push tokens, and uploaded files are deleted within 30 days.
- Your subscription is cancelled.
- Proposals that were accepted by a client (simple accept or signature) are stripped down to just the accepted PDF and the acceptance audit trail (IP, browser, timestamp, accepted/signed name). These are kept for 5 years from the date the proposal was accepted, then automatically deleted. We keep this because both you and your client have a legitimate interest in being able to refer back to a contract you both agreed to.
- Invoices that were paid (or that you manually marked as paid) are stripped down to the final PDF and a record of when and how payment was confirmed. These are kept for 5 years from the date the invoice was paid, then automatically deleted. We keep this because both you and your client have a legitimate interest in being able to refer back to the transaction record.
- Your billing data held by Apple or Google (transaction records, receipts, payment method details) remains with them under their own retention policies. We have no power to delete that data — request deletion or correction directly through your Apple ID account or Google account.
- We send a deletion request to PostHog for your analytics data via their API.
Your rights
If you live in the United States, US state privacy laws (including the California Consumer Privacy Act and similar laws in Virginia, Colorado, Connecticut, Texas, and other states) give you these rights:
- Know what categories of personal information we collect, use, and share
- Request deletion of your personal information
- Correct inaccurate personal information
- Opt out of the sale or sharing of your personal information (we do not sell or share, but the right exists)
- Not be discriminated against for exercising any of these rights
If you live in the EU/EEA or UK, you have these rights under GDPR:
- Access — get a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — ask us to delete your data ("right to be forgotten")
- Restriction — ask us to stop processing your data while a question is being resolved
- Portability — get your data in a machine-readable format you can take elsewhere
- Objection — object to processing based on legitimate interest
- Withdraw consent — for anything we process based on consent, you can withdraw at any time
- Not be subject to automated decision-making — we do not make automated decisions about you, but you have this right anyway
- Lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or with the data protection authority in your own country
To exercise any of these rights, contact us by:
- Email: privacy@firequote.app
- Post: Postbus 79055, 1070 NC Amsterdam, Nederland
We respond within 30 days for GDPR requests and 45 days for US state law requests. We will not charge you for handling your request unless it is clearly excessive or repetitive.
How we keep your data secure
- All data is encrypted in transit using TLS.
- All data at rest in our database and file storage is encrypted by Supabase.
- Passwords are never stored in plain text — we use Supabase's authentication system which hashes them.
- Access to production systems is limited to people who genuinely need it, and protected by strong authentication.
- We do not allow third parties to access your data except through the processors listed above.
- We follow the principle of data minimisation: we collect only what we need.
No system is 100% secure, but we take security seriously and continuously work to improve it.
What happens if there is a data breach
If we become aware of a data breach that affects your personal data, we will:
- Notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware, where required by GDPR
- Notify affected users without undue delay if the breach is likely to result in a high risk to your rights
- Provide clear information about what happened, what data was affected, and what we are doing about it
Cookies and tracking
The Firequote app (iOS and Android) does not use cookies. It is a native app.
The proposal and invoice web pages that your clients visit do not set tracking cookies on the client's device, do not include any third-party trackers, and do no cross-site tracking. View statistics are collected server-side only — we record that the page was loaded, and that information is shared with the freelancer who sent the document. The only cookie we set in this area is a first-party cookie on the freelancer's own browser when they preview their own document, so we can recognise their visits and exclude them from view counts. Clients who receive a link never have this cookie set.
The Firequote landing page and signed-in dashboard (firequote.app) use PostHog for product analytics and session replay. PostHog stores a first-party identifier in your browser (a ph_* cookie and a matching entry in localStorage) so we can recognise return visits and stitch together a session. We do not share this identifier with third parties, do not use it for advertising, and do no cross-site tracking. Input fields are masked in session replays, and replays are turned off entirely on pages that may contain client data (/p, /i, /portal, /stripe). We rely on legitimate interest (GDPR Art. 6(1)(f)) for this analytics processing — it is strictly necessary to understand and improve the product. You can opt out by using a tracker-blocking browser extension (such as uBlock Origin) or by emailing privacy@firequote.app to request that we remove your analytics record.
Children
Firequote is a business tool for freelancers. It is not intended for, marketed to, or designed for anyone under 18. We do not knowingly collect data from anyone under 13 (the threshold under the US Children's Online Privacy Protection Act / COPPA) or under 16 (the threshold under GDPR). If you believe a child has signed up, email us and we will delete the account.
Automated decision-making
We do not make decisions about you using automated systems alone. The only "automation" in Firequote is the AI that generates proposal text from your notes — but that is generating content for you to use, not making a decision about you. You always review and edit before sending anything to a client.
E-signatures
When a client accepts or signs a proposal in Firequote, we record a timestamp, IP address, and browser information as evidence of acceptance. See our Terms of Service for what this acceptance record does and does not legally guarantee.
Changes to this policy
If we change this policy in any meaningful way (new data being collected, new processor added, change to retention, new product feature), we will:
- Update the "Last updated" date at the top
- Notify active users by email and/or in the app at least 14 days before the change takes effect
- Keep a record of previous versions on request
Small fixes (typos, wording improvements, broken links) do not require notice.
Governing law
This policy and any disputes about it are governed by the laws of the Netherlands. Any disputes will be heard by the competent court in Amsterdam.
This does not take away any rights you have under your local consumer protection laws.
Contact us
For anything privacy-related — questions, requests, complaints, or just to understand something better:
- Email: privacy@firequote.app
- Post: Postbus 79055, 1070 NC Amsterdam, Nederland