Last updated: January 1, 2026

Privacy Policy

This Privacy Policy describes how Quazlow (“Quazlow,” “we,” “us,” or “our”) collects, uses, and shares information about you when you use our iOS application, our web portal at quazlow.com, and related services (collectively, the “Service”). It applies to all users worldwide.

1. Who we are

Quazlow is a sole-proprietorship operating from the United States. For questions about this policy, our data practices, or to exercise any rights described below, email privacy@quazlow.com.

2. Information we collect

We collect three categories of information directly from you, plus limited usage information collected automatically.

2.1 Account information

• Email address
• Full name
• Company name and trade
• Business address, phone number, license number, and brand colors / logo (used on proposals you send)
• Password (stored as a one-way hash; we never see your plaintext password)

2.2 Job content you create

• Audio recordings of your job-site narration
• Transcripts produced by speech-to-text on your recordings
• Photos you upload from your camera or photo library
• Customer contact details you enter (name, address, email, phone number)
• Pricebook items you create or import
• Generated proposals, including AI-drafted cover letters, scopes of work, terms, and the rendered PDFs
• Records of when proposals were sent, viewed, accepted, or declined

2.3 Usage data

• App and web analytics: page views, feature usage, errors, performance metrics
• Device type, iOS version, app version, and a stable hashed identifier (we do not store your device’s advertising ID or the raw device token visible to APNs)
• IP address and User-Agent header (logged on each API request for abuse prevention and rate limiting; retained for 30 days)
• Payment metadata (subscription plan, status, current period end). We do not see or store your card number — card data is collected and held by Stripe directly.

3. How we use information

We use the information we collect to:

• Provide and operate the Service (transcribe your recordings, extract scope, match items against your pricebook, generate and deliver proposals);
• Process subscription payments through Stripe and, where applicable, Apple In-App Purchase via RevenueCat;
• Send transactional emails (account verification, proposal delivery, billing receipts);
• Send SMS messages when you explicitly send a proposal by SMS;
• Maintain account security, prevent abuse, and enforce our terms;
• Improve the Service by analyzing aggregated usage patterns;
• Comply with legal obligations (e.g., responding to lawful subpoenas).

4. Third parties we share data with

We use the following service providers. We only share what each one needs to perform its function. None of these providers are permitted to use your data for any other purpose.

• OpenAI — voice transcription via Whisper and vector embeddings via text-embedding-3-small. Per OpenAI’s API terms, content sent through their API is not used to train their models.
• Anthropic — scope extraction and proposal narrative generation via Claude. Per Anthropic’s API terms, content sent through their API is not used to train their models.
• Cloudflare R2 — encrypted object storage for audio recordings, photos, and PDF proposals.
• Neon — managed PostgreSQL database hosting (US East region). Data is encrypted at rest and in transit.
• Fly.io — application hosting for our API. Data in transit is TLS-encrypted.
• Vercel — application hosting for our marketing site and public proposal viewer.
• Resend — transactional email delivery.
• Twilio — SMS delivery of proposal links when you explicitly choose to send by SMS.
• Stripe — subscription payment processing.
• RevenueCat — subscription orchestration for Apple In-App Purchase (when enabled).
• Sentry — error tracking. We scrub email, phone, and access tokens from Sentry payloads before transmission.
• PostHog — product analytics. We identify users only by a hashed identifier, never email.

5. Customer data you collect

When you create a proposal, you enter information about your end customer (name, address, email, phone). For that data, you are the data controller and Quazlow acts as your data processor. By using the Service, you represent that:

• You have a lawful basis (typically the legitimate business interest of fulfilling a service request) to collect and process your customer’s contact information;
• Your customers have agreed to receive communications from you by email or SMS, where applicable;
• You will respond to any requests from your customers regarding their information (access, correction, deletion).

If a customer asks Quazlow directly to delete data about them, we will refer them to you as the controller of that data.

6. Data retention

• Account data is retained for as long as your account is active.
• Audio recordings and AI extractions are retained for the life of the associated job unless you delete them.
• Generated proposals are retained for 7 years from the date of creation, in line with common US tax and business-record retention requirements.
• Public proposal links expire automatically 90 days after the proposal is sent or upon decline, whichever is sooner.
• If you delete your account, we remove your data within 30 days, except where retention is required by law (e.g., financial records tied to subscription invoices).
• Webhook event logs are retained for 90 days for debugging.

7. Security

We use industry-standard technical and organizational measures, including TLS in transit, encrypted storage at rest, role-based access controls, and a least-privilege model for internal access. Customer card numbers never reach our infrastructure — they are tokenized by Stripe at the point of collection. We log all authentication events. No system is perfectly secure, and we cannot guarantee absolute security.

8. Your rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Correct inaccurate information
• Delete your account and associated data
• Export your data in a portable format
• Object to or restrict certain processing
• Withdraw consent where processing is based on consent

To exercise any of these rights, email privacy@quazlow.com. You can delete your account directly inside the iOS app at any time (Settings → Delete my account).

9. California residents (CCPA / CPRA)

If you are a California resident, you have the rights described in Section 8 above, plus the right to know what categories of personal information we collect (described in Section 2 above) and the right to opt out of any “sale” or “sharing” of your personal information. We do not sell or share your personal information for cross-context behavioral advertising and have no plans to do so.

10. European Economic Area, UK, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, our lawful bases for processing your personal data are:

• Contract: processing necessary to deliver the Service to you;
• Legitimate interests: security, abuse prevention, product improvement;
• Consent: where required (e.g., marketing emails beyond transactional ones);
• Legal obligation: compliance with tax, accounting, and lawful information requests.

You may lodge a complaint with your local data-protection authority. We will respond to data-subject requests within 30 days.

11. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, email privacy@quazlow.com and we will delete it promptly.

12. International data transfers

Quazlow’s infrastructure is hosted in the United States. If you access the Service from outside the United States, you understand that your data will be transferred to and processed in the United States. Our service providers maintain appropriate safeguards for international transfers (e.g., Standard Contractual Clauses).

13. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top. For material changes, we will notify you by email and require acceptance before continued use.

14. Contact

Questions, requests, or complaints? privacy@quazlow.com.

Attorney review status: This policy was drafted to reflect Quazlow’s actual data practices. It has not been reviewed by an attorney admitted to practice in your jurisdiction and is not legal advice. Have qualified counsel review before relying on it for production use.