Privacy & Data Handling
How Fast Estimate Maker protects your privacy and your customers' data
Our Core Privacy Promise
We collect only what we need, we tell you exactly who sees it, and we delete it on a schedule.
Fast Estimate Maker is an AI-powered estimating, invoicing, CRM, and canvassing platform for contractors. Below we explain every category of personal data we collect, the purpose for each, every third-party service that touches your data (listed by name), your rights under GDPR, CCPA, and other privacy laws, and the automatic retention schedules that delete data you no longer need.
What Happens When You Forward an Email
1. You forward a customer email
The email arrives at your unique Fast Estimate Maker forwarding address.
2. Real-time AI extraction (< 3 seconds)
Our AI extracts only the necessary information: client name, contact details, and line items for your estimate.
3. Immediate deletion
The original email is deleted within milliseconds. It never touches a database or long-term storage.
4. Estimate generation
We use only the extracted data (stored temporarily in memory) to generate your branded estimate.
5. You review and send
The estimate appears in your dashboard. You review, edit if needed, and click send.
6. Delivery (via Mailgun)
Only the final estimate PDF and message are sent to our delivery partner. Never the original customer email.
What We DO Store
Your Business Info
Business name, logo, contact details, and branding preferences. You control this in Settings.
Your Phone Number
We collect and verify your phone number during registration to prevent fraud and abuse. Your phone number is stored securely and is never shared with third parties for marketing purposes.
Customer Contact Information
Client names, email addresses, phone numbers, and addresses extracted from estimates are stored securely for the lifetime of your account to support your follow-up workflow, lead tracking, and CRM records. When you delete your account, all customer contact information is permanently deleted after the 72-hour grace period.
Generated Documents
Generated estimate documents may be stored temporarily (up to 48 hours) to enable sharing via QR code or link. These files are automatically deleted after expiration.
Delivery Metadata
Timestamps, recipient emails, and delivery status. Auto-deleted after 30 days.
What We DON'T Store
Original Email Content
The full text, attachments, or conversation threads from your customer emails are never stored.
Email Body/HTML
We don't cache or store the content of emails, only the extracted structured data you approve.
Email Attachments
Files, images, or documents attached to customer emails are not stored by us.
Tracking Pixels/Links on Estimate Emails
We disable email open and click tracking on estimate and invoice delivery emails sent to your customers. Your customers' behavior is not monitored through those communications.
What We DO Track (Service Emails Only)
Service Email Engagement Tracking
For service-related emails sent to you (the account holder) - such as follow-up reminders and onboarding tips - we may track opens and clicks to measure engagement and improve our communications. You can opt out of these emails via your notification settings.
Third-Party Services
We use the following third-party services to operate Fast Estimate Maker. Each service receives only the minimum data necessary for its function. We list every service by name so you know exactly who handles your data.
Stripe (Payment Processing)
We use Stripe to process subscription payments and, optionally, to enable you to accept payments from your clients via Stripe Connect. Stripe receives your name, email address, and payment method details. We never store or have access to your full credit card number - all payment data is handled by Stripe's PCI DSS Level 1 certified infrastructure.
- Data shared: Name, email, payment method, IP address (via Stripe Checkout)
- Purpose: Subscription billing and optional client payment processing
- Compliance: PCI DSS Level 1, SOC 2, GDPR compliant
- Privacy policy: stripe.com/privacy
Square (Alternative Payment Processing)
If you choose to connect Square as your payment processor, payment data flows through Square's platform. OAuth tokens are encrypted at rest using AES-256 encryption.
- Data shared: Name, email, payment information from your clients
- Purpose: Alternative payment processing for your business
- Compliance: PCI DSS compliant
- Privacy policy: squareup.com/legal/privacy
QuickBooks Online - Intuit (Accounting Sync)
If you connect QuickBooks Online, we sync your client contact information and invoice data to your QuickBooks company file. You authorize this transfer through Intuit's OAuth flow. You may disconnect at any time, which immediately revokes our access. Data already synced to QuickBooks is governed by Intuit's privacy policy.
- Data shared: Client name, email, phone, address, invoice line items, amounts, and tax details
- Purpose: Sync estimates and invoices to your accounting software
- Token security: OAuth tokens are encrypted at rest using AES-256 (Fernet) encryption
- Compliance: SOC 2, GDPR compliant
- Privacy policy: intuit.com/privacy
Wave Accounting (Accounting Sync)
If you connect Wave, we sync similar client contact and invoice data via Wave's API. You authorize this transfer through Wave's OAuth flow. You may disconnect at any time.
- Data shared: Client name, email, phone, address, invoice line items, amounts, and tax details
- Purpose: Sync estimates and invoices to your accounting software
- Token security: OAuth tokens are encrypted at rest using AES-256 (Fernet) encryption
- Privacy policy: waveapps.com/legal/privacy
Google Calendar (Appointment & Task Sync)
If you connect Google Calendar, we create and manage calendar events for your scheduled jobs and tasks. You authorize this through Google's OAuth flow and may disconnect at any time, which immediately revokes our access.
- Scopes requested: https://www.googleapis.com/auth/calendar.events (allows creating, updating, and deleting events on your calendar)
- Data we write to Google Calendar: Event title (task or job description), date/time, client name, address, and a link back to your Fast Estimate Maker dashboard
- Data we read from Google Calendar: We do not read or access your existing calendar events. We only interact with events that Fast Estimate Maker created.
- Purpose: Sync your scheduled appointments and tasks to Google Calendar so you can manage your work schedule in one place
- Token storage: Your Google OAuth refresh token is encrypted at rest using AES-256 (Fernet) encryption. It is used only to maintain your calendar connection.
- Data retention: When you disconnect Google Calendar from your account, your OAuth token is immediately and permanently deleted from our systems. Calendar events previously created in your Google Calendar remain in your Google account (you can delete them from Google Calendar directly).
- No advertising use: Data obtained through Google APIs is never used for advertising, retargeting, or any purpose other than providing the calendar sync feature you requested
- Privacy policy: policies.google.com/privacy
Mapbox (Maps & Geocoding)
We use Mapbox to display maps in your lead management dashboard and to convert client addresses into geographic coordinates for route planning.
- Data shared: Client addresses (for geocoding lookups)
- Purpose: Map rendering and address-to-coordinate conversion
- Privacy policy: mapbox.com/legal/privacy
NOAA Weather API (Weather Data)
Our canvass feature uses the National Oceanic and Atmospheric Administration (NOAA) Weather API to display current weather conditions for your canvassing area. This helps you plan outdoor work around weather conditions.
- Data shared: Geographic coordinates (latitude/longitude) derived from the map area you are viewing
- Purpose: Display current weather conditions in your canvassing map view
- No personal data: NOAA receives only geographic coordinates, not your name, email, or any account information
- NOAA privacy policy: weather.gov/privacy
Microsoft Entra External ID (Social Login)
If you sign up or log in using Google, Facebook, or Apple, your authentication is handled by Microsoft's identity platform (Entra External ID). We receive your name and email from the social provider. We do not receive or store your social media password.
- Data shared: Name and email (received from your social login provider)
- Purpose: Account creation and authentication
- Privacy policy: Microsoft Privacy Statement
Cloudflare Turnstile (Bot Protection)
We use Cloudflare Turnstile to protect forms against bots and automated abuse. It works invisibly and does not require CAPTCHAs.
- Data shared: Browser signals (no personal data is transmitted)
- Purpose: Bot detection and abuse prevention
- Privacy policy: cloudflare.com/privacypolicy
Mailgun - Sinch (Email Delivery)
We use Mailgun to deliver transactional emails (estimate deliveries, invoice deliveries, follow-up reminders, and account notifications) and to process inbound emails you receive from your customers.
- Data shared: Recipient email address, sender email address, subject line, message body, and PDF attachments necessary for delivery
- Inbound processing: Customer reply emails are routed through Mailgun and processed in real-time to extract job details - the email content is not stored by us after processing
- What Mailgun does NOT see: Your payment information, account credentials, or accounting data
- Data retention: Mailgun delivery logs are auto-deleted after 30 days
- Compliance: Mailgun is SOC 2 Type II and GDPR compliant
- Privacy policy: Mailgun Privacy Policy
Azure OpenAI (AI Processing)
We use Azure OpenAI to extract information from forwarded emails. According to Microsoft's data handling:
- Data retention: Prompts and completions are NOT stored by Azure OpenAI
- Training: Your data is NOT used to train or improve models
- Encryption: All API calls are encrypted in transit (TLS 1.2+)
- Compliance: Azure OpenAI is GDPR, HIPAA, and SOC 2 compliant
Twilio (SMS Verification & Messaging)
We use Twilio to send SMS verification codes during account registration, to deliver estimate/invoice links, and to send you business notification texts about activity on your account. Here's how your phone number is handled:
- Purpose: Phone verification is used to prevent fraud and abuse of our free trial system. Transactional SMS delivers estimate and invoice links you initiate. Business notification texts alert you when a customer accepts an estimate, books a job, pays an invoice, or submits a new work request.
- What they see: Only your phone number and the verification code, document link, or notification we send
- Message frequency: You'll receive one SMS during registration containing a verification code. Additional messages are sent when you choose to text an estimate or invoice to a client, or when account activity triggers a business notification. Message frequency varies with your account activity.
- No marketing: We will never send promotional messages or share your number with marketers
- Data retention: Message logs are retained by Twilio for 30 days for delivery confirmation
- Compliance: Twilio is SOC 2 Type II, ISO 27001, and GDPR compliant
Cookies & Analytics
When you visit our website, we use cookies and similar technologies to understand how you found us and improve your experience. Here's exactly what we use:
Google Analytics (GA4)
We use Google Analytics to understand:
- How visitors find our website (search, ads, direct)
- Which pages are most helpful
- Where visitors drop off in our signup process
- General geographic region (country/city level, not precise location)
What Google Analytics does NOT collect: Your name, email, or any personally identifiable information from your browsing.
Google Ads Conversion Tracking
If you arrived via a Google ad, we track whether you signed up so we can:
- Measure which ads are effective
- Stop showing you ads after you've signed up
- Improve our ad targeting to reach similar businesses
Meta (Facebook) Pixel
Similar to Google Ads, we use the Meta Pixel to:
- Measure ad effectiveness on Facebook and Instagram
- Build audiences of similar businesses who might benefit from our service
Microsoft Clarity
We use Microsoft Clarity to understand how visitors interact with our website through:
- Heatmaps showing where users click and scroll
- Session replays that record mouse movements, clicks, and page navigation
- Behavioral analytics to identify usability issues
What Clarity does NOT collect: Clarity masks sensitive input fields (passwords, payment information) by default. It does not collect keystrokes in form fields. Clarity respects Google Consent Mode v2 - if you decline analytics cookies, Clarity will not activate. See Microsoft's Privacy Statement.
Your Cookie Choices
When you first visit our site, you'll see a cookie consent banner. Your choices:
Note for US visitors: If you are located in the United States (outside California), analytics and advertising cookies are enabled by default before the consent banner appears, consistent with US norms. You may decline or customize these cookies at any time using the banner or the "Manage Cookie Preferences" footer link, and your choice will be applied immediately.
Accept
Enables all analytics and advertising cookies. Helps us improve our service and show you relevant ads.
Decline
Disables analytics and advertising cookies. You can still use the full service - we just won't track your visit.
Essential Cookies
Some cookies are necessary for the site to function and cannot be disabled:
- Authentication: Keeps you logged in to your account
- Security: Protects against cross-site request forgery
- Preferences: Remembers your cookie consent choice
Data Deletion & Retention
You have full control over your data. We also automatically clean up data we no longer need:
Your Account
Cancel anytime. After a 72-hour grace period (during which you can cancel the deletion request), all your data is permanently and irreversibly deleted.
Customer Contact Info
Your customers' personally identifiable information—names, emails, phone numbers, addresses, and estimate descriptions—is retained securely for the lifetime of your account. When you delete your account, all customer data is permanently deleted after the 72-hour grace period.
Estimate PDFs (48 Hours)
Generated PDF documents are automatically deleted 48 hours after creation. Download any PDFs you need before they expire.
Delivery Logs (30 Days)
Email delivery metadata (timestamps, status) is auto-deleted after 30 days.
Legal & Compliance
Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Contractual necessity - Processing your business information, client data, and estimate/invoice data is necessary to provide the services you signed up for (account management, estimate generation, email delivery, payment processing).
- Legitimate interest - We track estimate views, delivery status, and CRM activity to help you manage your business. We also use analytics to improve our service. You can object to processing based on legitimate interest (see Your Rights below).
- Consent - Marketing emails, cookie-based tracking (Google Analytics, Google Ads, Meta Pixel), and SMS communications require your explicit consent, which you can withdraw at any time.
Your Rights
Depending on your location, you have the following rights regarding your personal data:
- Right to Access: You can view all data we hold about you. Use the "Export My Data" button in Settings to download a machine-readable (JSON) copy of your data at any time.
- Right to Correction: You can update your business information and customer records directly in the app.
- Right to Deletion: You can request account deletion through Settings. After a 72-hour grace period, all your data—including customer contact information—is permanently deleted.
- Right to Data Portability: You can export your data in JSON format via Settings, suitable for transfer to another service.
- Right to Object: You can object to processing based on legitimate interest by contacting us. We will cease processing unless we have compelling legitimate grounds.
- Right to Restrict Processing: You can request that we limit how we process your data while a dispute or objection is being resolved.
- Right to Withdraw Consent: Where processing is based on consent (marketing emails, cookies, SMS), you can withdraw consent at any time via your Settings page or by contacting us. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence. For example, in the UK you may contact the Information Commissioner's Office (ICO); in France, the CNIL; or in Germany, your state data protection authority. A full directory of EU/EEA supervisory authorities is available at edpb.europa.eu.
- Right to Appeal: If we deny a data rights request (access, deletion, correction, or opt-out), you may appeal by emailing [email protected] with the subject line "Privacy Appeal." We will review your appeal and respond within 45 days. If we deny your appeal, we will explain the reason and inform you of your right to lodge a complaint with the relevant supervisory authority.
To exercise any of these rights, use the in-app controls in Settings or contact us at [email protected]. We will respond within 30 days (or 45 days for complex requests, with notice).
CCPA - California Residents
- Right to Know: You have the right to know what personal information we collect, use, and disclose. This policy describes all categories of personal information we process.
- Right to Delete: You can request deletion of your personal information. Use the "Export My Data" button in Settings to first download your data, then request account deletion. After a 72-hour grace period, all data is permanently deleted.
- Right to Opt Out of Sale/Sharing: We do not sell your personal information. If our use of advertising cookies (Google Ads, Meta Pixel) constitutes a "sale" or "sharing" under CCPA, you can opt out by clicking the "Do Not Sell or Share My Personal Information" link in the site footer, or by declining cookies via the consent banner.
- Non-Discrimination: We will not discriminate against you for exercising any CCPA rights.
This policy is reviewed and updated at least annually as required by CCPA. See the "Last updated" date below.
Global Privacy Control (GPC)
We honor the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we treat it as a valid opt-out request under CCPA/CPRA, VCDPA, CPA, and similar state privacy laws. When GPC is detected, we automatically suppress all non-essential cookies — including analytics, advertising, and personalization tracking — without requiring further action from you.
International Data Transfers
Your data is stored and processed in the United States. If you are located outside the U.S. (including the EU/EEA or UK), your data is transferred to the U.S. for processing. We rely on the following safeguards for international data transfers:
- Our third-party processors (Stripe, Mailgun, Microsoft/Azure, Google, Mapbox) maintain Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms approved by the European Commission.
- Microsoft Azure (our primary infrastructure provider) complies with the EU-U.S. Data Privacy Framework.
Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users by email within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Describe the nature of the breach, the data affected, and the steps we are taking to address it
- Provide guidance on steps you can take to protect yourself
- Report the breach to relevant supervisory authorities where required by law
Data Processing Agreements
We maintain Data Processing Agreements (DPAs) with our subprocessors as required by GDPR Article 28. A DPA is available upon request for enterprise customers. Contact [email protected].
Security
- All connections use HTTPS with modern TLS encryption
- Passwords are hashed with bcrypt
- OAuth tokens for third-party integrations (QuickBooks, Wave, Square, Google Calendar) are encrypted at rest using AES-256 (Fernet) encryption
- Personally identifiable information is masked in application logs
- Webhook signatures are verified for Stripe and Mailgun to prevent spoofing
Children's Privacy
Fast Estimate Maker is a business tool and is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we discover that we have collected data from a child under 13, we will delete it promptly. If you believe a child has provided us with personal information, contact us at [email protected].
We Don't Store Your Email Threads
Your customer emails are processed in real-time and immediately deleted. We extract only the information needed for your estimate: client details and line items. The original email content is never stored in our systems or sent to third parties.
Real-Time Processing
Emails are processed instantly and deleted within milliseconds.
Zero Third-Party Access
Your customer emails never reach our delivery partner.
Minimal Metadata Only
We only retain delivery logs for 30 days. Tracking is disabled on client-facing emails.
Privacy Contact
For any questions about this privacy policy, to exercise your data rights, or to submit a privacy inquiry:
Email: [email protected]
We aim to respond to all privacy-related requests within 30 days.
Changes to This Policy
We may update this privacy policy from time to time. For material changes - such as new third-party processors, changes to data retention periods, or changes to your rights - we will notify you by email at least 14 days before the changes take effect. For non-material changes, we will update the "Last updated" date below. We review this policy at least annually.
Last updated: June 11, 2026