Privacy Policy
Last updated: January 31, 2026
1. Introduction
CleanQuote.io ("we," "our," or "us") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services. By using the Service, you consent to the practices described in this policy.
2. Information We Collect
Account and Profile Information
When you create an account, we collect your email address and password (hashed). We support magic link (passwordless) sign-in via email. You may optionally provide your name or other profile details. Account data is stored by Supabase for authentication.
Organization and Team Data
When you create organizations or subaccounts, we store organization names, slugs, and member associations. When you invite team members by email, we send invite emails via Supabase Auth and/or Resend and store invitation records. Pending invitations include email addresses and role assignments until accepted or expired.
Product and Configuration Data
We store your quote tool configurations, including: pricing tables and structures (including Excel imports); custom survey questions and field mappings; widget and form settings; service area polygons (KML data); HighLevel integration settings (API token, location ID, pipeline/stage mappings, calendar IDs, custom field mappings); tracking codes; and Google Maps API key (when you provide it). This data is stored in Supabase (PostgreSQL) and Vercel KV (Redis) for caching and configuration.
Quote and Lead Data
When your customers submit quote forms, we collect and store: contact information (name, email, phone, address); home details (square footage, bedrooms, baths, pets, condition, frequency); and calculated quote results. This data is stored in Supabase and may be synced to your HighLevel account when you have configured that integration. You are the data controller for this end-user data; we process it on your behalf.
Payment and Billing Information
Payment processing is handled by Stripe. We do not store full credit card numbers. Stripe collects and processes payment details in accordance with their privacy policy. We store Stripe customer IDs and subscription status to manage access.
Email and Communications
We use Resend for transactional emails (magic links, password resets, invite emails, checkout confirmations). If you use a support email address that receives inbound mail via Resend, those emails may be processed, stored, and displayed in our support inbox. Email metadata and content may be temporarily cached.
Technical and Log Data
We collect IP addresses, browser type, device information, referrer URLs, and general usage logs to operate, secure, and improve the Service. When the quote widget is embedded with UTM parameters, we may pass those parameters through for your tracking purposes. Our hosting provider (Vercel) may collect similar technical data.
3. How We Use Your Information
We use the information we collect to: provide and maintain the Service; authenticate users and manage sessions; process payments and manage subscriptions; send transactional emails (magic links, invite emails, password resets, checkout confirmations); store and display quotes and leads; sync data to HighLevel when you configure that integration; perform service area checks using geocoding when enabled; support organization and team management; improve the Service; comply with legal obligations; and communicate with you about the Service. We do not sell your personal information.
4. Third-Party Services and Data Processors
We use the following third-party services to operate the Service. Each processes data as described and has its own privacy policy:
- Supabase — Authentication (email, password hashes, session tokens), user management, PostgreSQL database (accounts, organizations, members, invitations, tools, quotes). Data may be stored in the US or other regions per Supabase.
- Stripe — Payment processing, subscription management, customer billing records. Stripe collects payment details directly; we do not store full card numbers.
- Vercel — Hosting, serverless functions, edge network. Request logs and deployment data may be processed.
- Vercel KV (Upstash Redis) — Caching, configuration storage (pricing, survey, widget settings, HighLevel config, service area polygons). Data may be stored in the US or EU per Upstash.
- Resend — Transactional email delivery (magic links, invite emails, checkout confirmations). Resend may process inbound email if you use a receiving address. Email content passes through their systems.
- HighLevel — When you configure HighLevel integration, we transmit contact and opportunity data to HighLevel on your behalf. HighLevel processes this data per their privacy policy. You are responsible for your HighLevel account.
- Google Maps / Places API — When you provide your own Google Maps API key, address autocomplete and geocoding requests are sent to Google. We do not use a shared Google key; you control this integration and are subject to Google's privacy policy for that usage.
We do not control these third parties. Their practices are governed by their own policies. We select providers that implement appropriate security measures.
5. Data Sharing and Disclosure
We share data only as necessary to provide the Service: with the processors listed above; with HighLevel when you configure that integration (we transmit lead/quote data you instruct us to sync); as required by law or to protect our rights; or with your consent. We do not sell, rent, or trade your personal information. In the event of a merger or acquisition, your data may be transferred as part of that transaction.
6. Cookies and Similar Technologies
We use cookies and similar technologies (e.g., local storage) to: maintain your authentication session (Supabase auth cookies); remember your selected organization (selected_org_id); and support the Service. Essential cookies are required for the Service to function. You can manage cookie preferences in your browser settings; disabling cookies may limit functionality.
7. Data Retention
We retain your account, organization, and product data for as long as your account is active. Quote and lead data is retained for the life of your account. After account termination, we may retain data for a reasonable period for backup, legal, regulatory, or operational purposes. You may request deletion of your data by contacting us; we will process requests in accordance with applicable law.
8. Data Security
We implement reasonable technical and organizational measures to protect your data, including encryption in transit (TLS/HTTPS) and at rest where supported by our processors. Access to production data is restricted. Passwords are hashed; we do not store plaintext passwords. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.
9. Your Rights
Depending on your location, you may have the right to: access your data; correct inaccurate data; request deletion; restrict or object to processing; request data portability; withdraw consent; and opt out of certain sales or sharing (we do not sell personal information). California residents: see the CCPA section below. EU/EEA residents: you may have additional rights under GDPR, including the right to lodge a complaint with a supervisory authority. To exercise these rights, contact us at support@cleanquote.io.
10. California Privacy Rights (CCPA)
If you are a California resident, you may have the right to: know what personal information we collect and how it is used; request deletion of your personal information; opt out of the "sale" or "sharing" of your information (we do not sell personal information); and not be discriminated against for exercising your rights. To make a request, contact us at support@cleanquote.io. We will verify your identity before processing.
11. Data Transfers
Your data may be transferred to and processed in countries other than your own, including the United States. Our processors (Supabase, Stripe, Vercel, Upstash, Resend) may store data in various regions. We apply appropriate safeguards, including contractual commitments where applicable, to ensure your data receives an adequate level of protection. By using the Service, you consent to such transfers.
12. End-User Data (Quote Form Submissions)
When your customers submit quote forms, you are the data controller for that end-user data. We process it on your behalf as a data processor to generate quotes, store submissions, and sync to HighLevel when configured. You are responsible for obtaining consent, providing privacy notices, and complying with applicable laws (e.g., CCPA, GDPR) for data collected through your forms. We recommend you have a privacy policy that covers your collection of customer data via our quote widget.
13. Children
The Service is not directed at individuals under 16. We do not knowingly collect personal information from children under 16. If you become aware that we have collected such data, please contact us and we will take steps to delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance. For significant changes, we may provide additional notice (e.g., email).
15. Contact Us
For privacy-related questions, to exercise your rights, or to request data deletion, contact us at support@cleanquote.io.