QwotaSign in

Privacy Policy

Last updated 2026-05-10

1. Who we are

Qwota is operated by Arsalan Mohammad Arref (“we”, “us”), a sole trader based in the United Kingdom. You can contact us at [email protected].

2. What data we collect

  • Account data: email address (used for magic-link sign-in), license key if you've purchased a paid plan.
  • Business data you enter: business name, logo, customer details, quote and invoice content. This is your data — we process it on your behalf to provide the service.
  • Session data: a session cookie (qwota_session) to keep you signed in. No third-party analytics or tracking cookies.
  • Server logs: standard request logs (IP, user-agent, timestamp) for security and debugging, retained for 30 days.

3. Lawful basis

  • Contract — to provide the service you've signed up for.
  • Legitimate interest — to keep the service secure and operational.
  • Consent — where applicable (e.g. optional marketing emails, if any).

4. Third parties (sub-processors)

  • Cloudflare — hosting, DNS, edge compute. Data may be processed in any of their global regions.
  • Resend — transactional email (magic links).
  • Microsoft 365 — human-facing email infrastructure for support correspondence.
  • Stripe — payment processing and subscription management for paid plans.

Each processes data only as needed to provide their part of the service. See each provider's privacy policy for their own practices.

5. How long we keep data

Account and business data: while your account is active, plus 30 days after deletion (recovery window). Server logs: 30 days. You can request immediate deletion at any time — see Section 7.

6. International transfers

Some sub-processors are based outside the UK/EEA (notably US-based providers like Cloudflare, Stripe, and Resend). Where personal data is transferred internationally, we rely on the safeguards each provider has in place — typically the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an equivalent mechanism. We only use providers whose published terms commit to one of these safeguards.

7. Your rights

Under UK GDPR you have the right to:

  • Access the data we hold about you (subject access request).
  • Correct inaccurate data.
  • Erase your data (right to be forgotten).
  • Restrict or object to processing.
  • Receive a copy of your data in a portable format.
  • Lodge a complaint with the Information Commissioner's Office (ico.org.uk).

To exercise any of these rights, email [email protected].

8. Security

Data is encrypted in transit (TLS 1.2+) and at rest (Cloudflare D1 and KV use provider-managed encryption). Authentication uses passwordless magic links — we never store user passwords. Webhook payloads from third parties (e.g. Stripe) are signature-verified before being processed.

In the event of a personal data breach that's likely to affect you, we will notify you and (where required by law) the Information Commissioner's Office within 72 hours of becoming aware, in line with UK GDPR Articles 33 and 34.

9. Changes to this policy

We may update this policy. For material changes that affect how your data is handled, we'll notify you in advance — typically through an in-app notice the next time you sign in, or by email where the change requires it. The “Last updated” date at the top reflects the most recent revision.

10. Contact

Questions, complaints, or rights requests: [email protected].