Privacy Policy
Last updated: 11 June 2026 · Version 1.2 (pre-launch)
This policy explains how QuotaFlo ("we", "us", "our") collects, uses, shares and protects personal information through our pre-launch website and waitlist. QuotaFlo is a New Zealand–based business building a mobile quoting and invoicing app for tradespeople. We take a minimal-data approach: we collect only what we need to keep you informed about launch, we use trusted processors to handle it, we never sell it, and you can have it deleted at any time.
Because we accept waitlist sign-ups from several countries, this policy includes a region-specific rights section covering New Zealand, Australia, the United Kingdom, the European Union/EEA, the United States, Canada and South Africa. The general sections apply to everyone; your local section adds rights and the regulator you can complain to.
On this page
1. Who we are (the data controller)
QuotaFlo is the controller responsible for your personal information. You can reach us about anything in this policy — including to exercise your rights — at support@quotaflo.com.
We are based in New Zealand. We are not established in the EU/EEA or the UK. Our processing of personal data of people in those regions is limited to this low-volume, occasional waitlist and is unlikely to result in risk to your rights, so we rely on the exemption from appointing an EU/UK representative under Article 27(2) of the EU/UK GDPR. You can still exercise all of your rights by emailing us.
2. What information we collect
- Information you give us — your email address and your region/country, which you submit when you join the waitlist.
- Approximate location (country only) — your country is determined at our hosting provider's edge network (Cloudflare) from your IP address, to pre-select the right region in the form. This is country-level only; your IP is not sent to any separate third party and is not stored — we only use the country result.
- Technical & security data — standard request information (such as browser type and the time of access) that any web server and our hosting/CDN providers process to deliver the site securely. We do not use this to identify you.
- Anti-abuse data — to stop the sign-up form being abused, our waitlist service briefly keeps a one-way hash of your IP address (not the IP itself) for up to 24 hours, used only to rate-limit sign-ups, then deletes it.
We do not collect names, phone numbers, payment details, or any special-category/sensitive information through this site.
3. Why we use it & our legal basis
| Purpose | Information used | Legal basis (GDPR / UK GDPR) |
|---|---|---|
| Add you to the launch waitlist and email you about early access and founding-member pricing | Email, region | Consent (Art. 6(1)(a)) — given when you submit the form |
| Understand which regions are interested so we can prioritise rollout | Region (aggregated) | Legitimate interests (Art. 6(1)(f)) — running and planning our business |
| Pre-select your region in the form | Country from IP | Legitimate interests (Art. 6(1)(f)) — a smoother form; country-level only and not stored |
| Keep the site secure and available | Technical/security data | Legitimate interests (Art. 6(1)(f)) — security and fraud prevention |
Providing your email and region is voluntary — but if you don't, we can't add you to the waitlist or let you know when QuotaFlo launches. Where we rely on consent, you can withdraw it at any time (see Email & consent) without affecting processing done before withdrawal. Where required by your local law (for example New Zealand, Australia, Canada or South Africa), we collect and use your information on the basis of your consent and for the purposes described here.
4. Who we share it with
We do not sell your personal information and we do not share it for anyone else's marketing. We use a small number of service providers (processors) to run this site, who may only process your information on our instructions:
| Provider | What they do | Data involved | Their policy |
|---|---|---|---|
| Supabase | Stores your waitlist sign-up in our own database (under a Data Processing Agreement) | Email, region | Policy ↗ |
| Cloudflare | Hosts and serves the website, provides the country-level location used to pre-select your region, and provides cookieless, aggregated website analytics (page-view counts and referrers) | Technical/security data; IP (for country, not stored) | Policy ↗ |
| Google Fonts | Serves the fonts used on this site | Technical request data | Policy ↗ |
We may also disclose information if required by law, to protect our legal rights, or in connection with a business sale or restructure (in which case it remains subject to this policy).
5. International data transfers
We are in New Zealand. Your waitlist details (email and region) are stored in our own database hosted by Supabase in Singapore, and our other providers may process limited data in other countries, including the United States. This means your information may be transferred outside the country where you live.
When we transfer personal data from the EU/EEA or the UK to a country without an "adequacy" decision, we rely on appropriate safeguards — principally the European Commission / UK Standard Contractual Clauses, which are included in Supabase's Data Processing Agreement and our other providers' terms — or on your explicit consent. For New Zealand (IPP 12), Australia (APP 8) and South Africa (POPIA s.72), we take reasonable steps to ensure overseas recipients protect your information to a comparable standard, or we rely on your authorisation. You can ask us for more detail on these safeguards at support@quotaflo.com.
6. How long we keep it
We keep your waitlist email and region until launch and for up to 12 months afterwards, then delete them — sooner if you ask us to, or if you unsubscribe. Aggregated, non-identifying information (such as counts of interest by region) may be kept longer. Technical/security logs are kept only for as long as our hosting provider needs them for security.
7. How we protect it
The site is served over HTTPS, and we keep the personal information we hold to a minimum. Our providers are required to maintain appropriate technical and organisational security measures. No method of transmission or storage is completely secure, but we take reasonable steps to protect your information and will notify you and the relevant regulator of a personal data/privacy breach where the law requires (for example, the NZ Privacy Act's notifiable breach scheme, the Australian Notifiable Data Breaches scheme, and the GDPR's 72-hour rule).
8. Cookies & tracking
This site uses no advertising or tracking cookies, no cross-site trackers, and no analytics that identify you. We don't display a cookie banner because we don't set non-essential cookies. For basic, privacy-first measurement we use Cloudflare Web Analytics, which is cookieless: it counts aggregated page views and referrers without cookies, without local storage, without fingerprinting and without cross-site tracking, and it does not build a profile of you or identify you. The only network calls are to load the page, the fonts, the country lookup described above, the Cloudflare Web Analytics beacon, and (when you submit) the waitlist form.
9. Email & your consent
When you join the waitlist you are asking us to email you about QuotaFlo. We will only send you messages about QuotaFlo's launch, early access, and founding-member pricing — no unrelated marketing, and we won't pass your address to others.
- Every email identifies us as the sender and includes a one-click unsubscribe link that removes you from the list straight away (and we support one-click unsubscribe in email apps like Gmail and Apple Mail). You can also unsubscribe or withdraw consent any time by emailing support@quotaflo.com.
- We rely on your express, opt-in consent — consistent with Canada's Anti-Spam Legislation (CASL), the US CAN-SPAM Act, the GDPR/UK GDPR and the NZ Unsolicited Electronic Messages Act.
10. Your rights (everyone)
Wherever you live, you can ask us to:
- Access the personal information we hold about you;
- Correct information that is wrong or out of date;
- Delete your information / remove you from the waitlist;
- Withdraw consent and stop receiving emails.
To exercise any of these, email support@quotaflo.com. We'll verify your request (usually by confirming you control the email address) and respond within the timeframe your local law requires — and within 30 days at the latest. These rights are free to exercise. Your region below may give you additional rights.
11. Region-specific rights
🇳🇿 New Zealand
We handle your information under the Privacy Act 2020 and its Information Privacy Principles. You have the right to access and correct your information (IPPs 6 & 7). We only disclose information overseas in line with IPP 12. If you're not satisfied with how we've handled your privacy, you can complain to the Office of the Privacy Commissioner — privacy.org.nz.
🇦🇺 Australia
We handle your information consistent with the Privacy Act 1988 and the Australian Privacy Principles (APPs), including notice on collection (APP 5), access and correction (APPs 12 & 13), and accountability for overseas disclosure (APP 8). You can complain to the Office of the Australian Information Commissioner — oaic.gov.au.
🇬🇧 United Kingdom
Under the UK GDPR and Data Protection Act 2018 you have the rights of access, rectification, erasure, restriction, objection, and data portability, plus the right to withdraw consent. You can lodge a complaint with the Information Commissioner's Office (ICO) — ico.org.uk — though we'd appreciate the chance to help first.
🇪🇺 European Union / EEA (incl. Ireland)
Under the GDPR you have the rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, objection, and data portability, and to withdraw consent at any time. Where we rely on legitimate interests, you can object. You can complain to your local supervisory authority; for Ireland that is the Data Protection Commission — dataprotection.ie. We do not carry out automated decision-making or profiling that produces legal effects.
🇺🇸 United States (incl. California)
The only categories of personal information we collect are identifiers (your email address) and coarse geolocation (your country). We use them only for the waitlist purposes described above. We do not sell or "share" your personal information (as those terms are defined under the California Consumer Privacy Act / CPRA), and we have not done so in the past 12 months. If you are a California resident you have the right to know, delete, and correct your personal information, and not to be discriminated against for exercising these rights. To exercise them, email support@quotaflo.com. Our emails comply with the CAN-SPAM Act and always include an unsubscribe link.
🇨🇦 Canada
We handle your information under PIPEDA on the basis of your consent, and our waitlist emails comply with Canada's Anti-Spam Legislation (CASL) — you provide express consent when you sign up, every message identifies us and includes an unsubscribe mechanism, and you can withdraw consent at any time. You may access or correct your information, or complain to the Office of the Privacy Commissioner of Canada — priv.gc.ca.
🇿🇦 South Africa
We process your information under the Protection of Personal Information Act (POPIA) on the basis of your consent and for the purposes described here. You have the right to access, correct, delete, and object to the processing of your information. You can complain to the Information Regulator (South Africa) — inforegulator.org.za.
12. Children
This site and the waitlist are intended for tradespeople and businesspeople and are not directed at children. We do not knowingly collect information from anyone under 16. If you believe a child has given us their information, email us and we'll delete it.
13. Changes & how to contact us
QuotaFlo is pre-launch. We'll publish an updated privacy policy covering the app, accounts and any new processing when we launch, and we'll update the date at the top when we make changes. For any privacy question or request, contact support@quotaflo.com.