Privacy Policy
This privacy policy explains how we collect, process and use personal data within the quidly service. The legal basis is the EU General Data Protection Regulation (GDPR) in conjunction with the German Federal Data Protection Act (BDSG).
1. Controller
The data controller within the meaning of Art. 4 No. 7 GDPR is:
Ilana HoferWeidenkamp 6d
25436 Uetersen
Germany
Email for data-protection requests: datenschutz@quidly.de
We have not appointed a data protection officer; there is no statutory obligation to do so.
2. Terms
We use the terminology of the GDPR, in particular „personal data" (Art. 4 No. 1), „processing" (Art. 4 No. 2) and „processor" (Art. 4 No. 8). A detailed definition is available in Article 4 GDPR.
3. Hosting & infrastructure
quidly is hosted by Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA). The app's primary region is Frankfurt am Main. Database, authentication and file storage are provided by Supabase Inc. (970 Toa Payoh North #07-04, Singapore 318992), also with Frankfurt (EU) as the primary region. For DNS and email routing we use Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA).
We have entered into a data processing agreement under Art. 28 GDPR with all three providers. The legal basis is Art. 6 (1) (f) GDPR (legitimate interest in stable, secure operation).
Domain separation: quidly uses three separate domains: quidly.de for the public marketing site (landing page, imprint, privacy, contact, waitlist), app.quidly.de for the logged-in app area (dashboard, quotes, profile, all auth flows) and angebot.quidly.de for the response pages your end customers reach after a quote email. Authentication and session cookies are set exclusively on app.quidly.de; no account cookies are transmitted on angebot.quidly.de, so end customers opening a response link have no link to your account.
Strictly necessary cookies: We only set cookies that are required to operate the service and for which no consent is required under Section 25 (2) (2) TTDSG / Art. 5 (3) ePrivacy Directive:
- Authentication/session cookies (Supabase Auth): Keep you signed in after login. Scope: app.quidly.de. Lifetime: until logout or session expiry.
- Language cookie
NEXT_LOCALE: Stores your chosen display language (German or English) so the service greets you in your preferred language on the next visit. Scope: .quidly.de (all three subdomains). Lifetime: up to 12 months. - Bot-protection cookies (Cloudflare Turnstile): Short-lived cookies to defend against automated attacks on login, registration, contact, and waitlist forms. Details and legal basis in section 10 (Contact) and 6 (Registration).
We do not currently set any other cookies — in particular none for analytics, marketing, or tracking purposes. Should such cookies be introduced in the future (e.g. a privacy-friendly reach measurement), we will first obtain your consent through a cookie banner and update this privacy policy accordingly.
4. Visiting the website
Each time a page is requested, our hosts (Vercel, Cloudflare) automatically process technical information:
- IP address (truncated or kept short-term to defend against attacks)
- Date and time of access
- URL accessed, HTTP status code, amount of data transferred
- Referrer URL, browser type and version, operating system
This data is technically necessary in order to deliver the page and prevent abuse. Legal basis: Art. 6 (1) (f) GDPR. The data is automatically deleted or anonymised at Cloudflare/Vercel after a short time. It is not combined with other data.
5. Waitlist (pre-launch)
While quidly is in its pre-launch phase, you can register your email address on a waitlist. We use a double opt-in process: after signing up you receive a confirmation email; your entry only becomes active once you click the confirmation link.
Data processed: email address, time of signup, time of confirmation, source page.
Purpose: launch notification, capacity planning.
Legal basis: Art. 6 (1) (a) GDPR (consent, given by signup and confirmation).
Withdrawal: you can withdraw your consent at any time by emailing datenschutz@quidly.de. We will then delete your entry promptly.
Automatic deletion of unconfirmed entries: if you do not click the confirmation link within 14 days, we delete your entry automatically. Confirmed entries are retained until the launch notification and for at most 30 days thereafter.
6. Registration & user account
To use quidly you create an account. We process at least your email address and a password of your choice (stored hashed by Supabase Auth). You may optionally add your company name and display name.
Purpose: authentication, provision of the service, association of your data with your business (multi-tenant separation via row-level security).
Legal basis: Art. 6 (1) (b) GDPR (performance of contract).
Bot protection (Cloudflare Turnstile): we also use Cloudflare Turnstile on the sign-in and sign-up pages to defend against abuse and automated attacks. Processing and legal basis are analogous to the contact form (section 11).
Sign-in via Google (single sign-on)
As an alternative to email/password sign-in we offer sign-in via your Google account. If you choose this option you are redirected to Google's sign-in page. After successful authentication with Google we receive your email address, your name, your Google account ID and — if available — your profile picture.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for EU users); parent company Google LLC, USA.
Purpose: authentication without a separate password, faster registration, creating or linking the quidly account.
Legal basis: Art. 6 (1) (b) GDPR (performance of contract) for creating and managing your account, plus Art. 6 (1) (a) GDPR (consent) for the initial access you grant via the Google sign-in dialog. You can revoke the link at any time — in your Google account under Security → Apps and services with account access.
Google's role: for this sign-in flow Google acts as an independent controller (no processing on our behalf). Google uses its own data according to its own privacy policy (policies.google.com/privacy); we use the contact data transmitted to us solely to create and manage your quidly account.
International transfers: Google may, for technical reasons, also process data in the USA. The transfer is safeguarded by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.
Storage period: as for email registration (see section 14).
Inviting team members
Administrators of a business can invite further people by email address to join the business as editor or viewer. We process the email address of the invited person and a random, non-personal invitation token to validate the link.
Purpose: sending the invitation email, assigning the person to the business upon acceptance, protecting against unauthorised use of the invitation link.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest of the inviting business in building its team). If you do not accept the invitation as the invited person, your email address is automatically marked as an expired invitation after at most 14 days and fully deleted after a further 90 days.
Storage period: open invitations max. 14 days; accepted, expired and revoked invitations are automatically deleted after 90 days. You may request earlier deletion by emailing datenschutz@quidly.de.
Roles and rights: the business admin can change roles or remove members at any time. When a member is removed, their account is deleted; quotes assigned to them remain with the business and are anonymised (Art. 4 No. 5 GDPR).
7. Processing within the app
Within the app we process the data you enter or upload yourself to systematically follow up on your quotes:
- Customer data (name, company, email, phone, address — as recorded by you)
- Quote data (title, amount, line items, status, follow-up dates, notes)
- Uploaded quote PDFs
- Templates and message drafts
This data is visible only to you (or to people you grant access to your business in the future). Multi-tenant separation is enforced technically through row-level security at the database level.
Legal basis: Art. 6 (1) (b) GDPR (performance of contract) or Art. 6 (1) (f) GDPR (legitimate interest in following up on your own quotes), in conjunction with Art. 28 GDPR for third-party data you, as the controller, enter into the app. For your customers' data you are the controller yourself; quidly acts as a processor in this respect. We provide a data processing agreement between you and quidly on request.
8. AI processing (Google Vertex AI)
For certain convenience features (e.g. extracting quote data from uploaded PDFs, suggesting message drafts) we use Gemini models via Google Cloud / Vertex AI. Processing takes place exclusively in the region europe-west3 (Frankfurt). Your inputs are not used by Google for model training.
Data transmitted: the relevant content you deliberately submit for AI processing. For PDF extraction this is the content of the uploaded document; for the message draft it is exclusively structured quote data (title, customer name, amount, quote and follow-up date, status, follow-up stage) and an optional free-text hint that you enter yourself. Internal notes, colleague comments or the actual content of previous follow-up messages are deliberately not transmitted to the AI.
Legal basis: Art. 6 (1) (b) GDPR (performance of contract) for the actively used feature; additionally Art. 6 (1) (f) GDPR.
We have entered into a data processing agreement with Google. Standard Contractual Clauses (SCCs) form part of it.
Deletion of raw AI responses: the raw data returned by the AI for an upload is automatically removed from our database 90 days after the upload. The upload record itself (file name, file size, association with a quote) remains until you delete it.
9. WhatsApp as an alternative follow-up channel
In addition to the existing email path, you as a user can optionally send the AI-prepared follow-up text as a WhatsApp message. Technically this is done via a so-called „click-to-chat" link (https://wa.me/…) that we prepare in the browser with the customer's phone number and the prepared text. On click, WhatsApp (app or web) opens with the draft; the actual message is sent from your own WhatsApp account.
Important: at no point does quidly transmit data to WhatsApp or Meta Platforms Ireland Ltd. The phone number and message text remain in your browser only until the click. Only when you actively send the message in your WhatsApp does Meta become a recipient of your data; from that moment the WhatsApp privacy terms apply.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest of the user in efficient follow-up communication within an existing pre-contractual relationship). The channel is intended exclusively for follow-up on specifically requested quotes — not for marketing broadcasts.
No new international transfer by quidly: as the link only goes to Meta on click in your browser (not via our servers), no processor relationship arises between quidly and Meta. The logic is identical to the familiar „open mail" path (no DPA between quidly and Gmail/Outlook/Apple Mail).
10. Email delivery
Transactional emails (waitlist double-opt-in confirmation, launch notification, later also system messages to users) are sent via Resend (Plus Five Five, Inc., 2261 Market Street #4667, San Francisco, CA 94114, USA). The send region is the EU (Ireland).
Data processed: email address, email content, delivery status.
Legal basis: Art. 6 (1) (a) GDPR (consent, for double opt-in) or Art. 6 (1) (b) GDPR (performance of contract, for system mails).
10a. Direct email delivery to your customers
When you, as a quidly user, send quote or follow-up mails directly from the app to your end customers, we transmit the name, email address and the content of your quote to Resend (see above). Resend is also our processor for this (DPA signed on 17 April 2026) and sends the mails on our behalf from EU data centres (Ireland).
Each of these mails contains three response buttons („Accept", „Not interested", „Ask a question") that lead to a signed response page on angebot.quidly.de. Your customers' reply is expressly non-binding and serves only to coordinate with you — a contract is formed only by a separate agreement between you and your customer.
What is stored on click: timestamp, chosen action and an optional free text from the customer. We store no IP address, no user-agent and no device fingerprint of the end customer.
Storage period: send metadata and reply remain attached to the corresponding quote in your account as long as you do not delete the quote yourself or close your account. PDF/image attachments of sent mails are automatically removed from storage one year after the response link's expiry; raw webhook payloads from Resend (delivery events) after 30 days.
Signed response links are valid for 30 days by default (configurable per business in your profile between 7 and 180 days). After expiry the response page shows a hint to contact you directly.
Legal basis: Art. 6 (1) (b) GDPR (pre-contractual relationship between you and your customer). You are the controller for the content of the sent mails within the meaning of the GDPR; quidly acts as a processor.
11. Contact form
On the page /en/kontakt we offer a contact form. Messages are delivered to us by email; the form inputs are not stored in a database.
Data processed: name, email address, subject, message text; technically the IP address for bot protection (only at the moment of the check, no permanent storage on our side).
Purpose: answering your enquiry.
Legal basis: Art. 6 (1) (b) GDPR (initiation / performance of a contract) or Art. 6 (1) (f) GDPR (legitimate interest in communication with prospects). Confirming the consent checkbox documents your acknowledgement of this policy.
Bot protection (Cloudflare Turnstile): to prevent automated spam submissions we use the captcha system Cloudflare Turnstile by Cloudflare, Inc. In doing so Cloudflare processes technical signals from your browser (including IP address, user-agent, short-lived cookies used solely for the challenge) and decides whether you are a human. Cloudflare deploys Turnstile in a deliberately data-minimising manner and does not use the data for advertising. More at cloudflare.com/privacypolicy. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in protecting our form against abuse).
Storage period: messages submitted via the contact form remain in our email inbox until the matter is settled and no statutory retention obligations apply (typically up to 3 years). On request we delete your enquiry earlier.
12. Recipients / data processors
We use carefully selected service providers as processors under Art. 28 GDPR:
| Provider | Purpose | Region |
|---|---|---|
| Supabase Inc. | Database, auth, file storage | EU (Frankfurt) |
| Vercel Inc. | Hosting, edge infrastructure | EU (Frankfurt), global edge |
| Cloudflare, Inc. | DNS, email routing | global |
| Plus Five Five, Inc. (Resend) | Transactional email delivery | EU (Ireland) |
| Google Ireland Ltd. / Google LLC | AI processing (Vertex AI / Gemini) | EU (Frankfurt) |
| Upstash, Inc. | Sign-in rate limit for the platform admin login (short-term IP counters only, 15-minute window) | EU (Frankfurt) |
A current list of sub-processors of each provider can be found in their own subprocessor lists (see the respective provider websites).
13. International data transfers
To the extent that the providers listed above are headquartered in the USA (Vercel, Cloudflare, Resend, Google LLC), personal data transfers to the USA may occur in the context of support, global routing or central account management. As safeguards, Standard Contractual Clauses (SCCs) of the European Commission have been concluded; several providers are additionally certified under the EU-US Data Privacy Framework (DPF).
14. Storage period
- Waitlist: until withdrawal or 30 days after launch, then deletion.
- User account and app data: until you delete the account, or automatically after 180 days without sign-in (see next paragraph).
- Technical server logs (Vercel, Cloudflare): a few days to a few weeks, depending on the provider.
- Email-delivery metadata (Resend): according to the provider's retention configuration, typically 30 days.
Automatic deletion on inactivity
To implement the principle of storage limitation (Art. 5 (1) (e) GDPR), we delete user accounts that have not been used for an extended period. The decisive point is the last sign-in time — regardless of which authentication method (email/password, in future possibly Google/Apple) was used.
- After 30 days without sign-in you will receive an email warning with the planned deletion date.
- After 90 days a reminder follows.
- After 180 days your account, your business record, all stored quotes, uploaded PDFs and associated activity entries are permanently deleted.
A single sign-in resets these deadlines completely — no separate reactivation is required. The process runs automatically once a day and is documented in an internal audit log (retained for 90 days).
15. Your rights
You have the following rights with respect to the personal data that concerns you:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing (Art. 21 GDPR)
- Right to withdraw consent given, with effect for the future (Art. 7 (3) GDPR)
To exercise your rights, please contact datenschutz@quidly.de.
Self-service deletion via the app (Art. 17 GDPR): Logged-in users can delete their account at any time under „My profile" → „Danger zone". Login access is removed and your name in already-created quotes and activity entries is anonymised to „Deleted user" (pseudonymisation under Art. 4 No. 5 GDPR); the business content of the company itself remains. Admins can additionally delete the entire business — this irreversibly removes all quotes, uploads (including files in storage), invitations, settings and the accounts of all members. Affected members receive an info mail. The last administrator of a business can only delete their account alone if another person was previously promoted to admin — otherwise only the „delete entire business" option remains.
Right to lodge a complaint with the supervisory authority: you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority is the Independent State Centre for Data Protection Schleswig-Holstein (ULD), Holstenstraße 98, 24103 Kiel, Germany.
16. Platform administration by the provider
For the operation and support of the service the provider („platform administration") accesses, to a limited extent, metadata of accounts — such as business name, admin email address, number of members, quote and upload counts, last sign-in timestamp, inactivity status and entries of an internal audit log (account and business deletions, inactivity sweeps).
Through its admin dashboard the platform administration has no access to quote contents, third-party customer data, notes, activity histories or raw AI responses of individual tenants. The code that feeds the dashboard is deliberately aggregating only; there is no UI path to such contents.
Legal basis: Art. 6 (1) (b) GDPR (performance of contract — provision of a functioning platform) in conjunction with Art. 6 (1) (f) GDPR (legitimate interest in secure, abuse-free platform operation).
Technical safeguards: access exclusively via a separate sign-in path with two-factor authentication (TOTP) and a sign-in rate limit (5 attempts per IP in 15 minutes). The rate-limit counters are kept by a service provider in the EU region Frankfurt (see section 12) and automatically deleted after 15 minutes. Access is restricted to people listed in an internal whitelist table.
17. Changes to this policy
We update this privacy policy when processing changes — for example with new features, new providers or changes in the legal landscape. The version applicable at the time of your use is the binding one. The current version is shown by the date at the top of this page.