Privacy Policy

Last updated: 16 June 2026 (self-service deletion disclosure added; sub-processor retention windows clarified)

    
    Quick Lead is designed with privacy first. Your day-to-day app data lives on your own device first, but several categories ARE stored on our servers to make the product work: your account profile, jobs you save (cloud-synced to Firestore), inbound emails routed via Postmark, certificates you save, public booking requests submitted by your clients, encrypted SMS gateway credentials (when you choose to add them), Web Push subscription endpoints, your last-signin IP for abuse detection (24h–90d retention), and short-lived attack-signal logs (CSP reports, honeypot triggers, CORS rejects — 24h retention). Each category is listed below with retention and legal basis. You can export everything via Settings → Export My Data, or request deletion any time.
  

Who we are

Quick Lead is a job management app for tradespeople, operated by Quick Lead. For privacy enquiries contact: support@quicklead.app

What data we collect and why

Your engineer details (name, company, phone, email, Gas Safe / NICEIC number)

Entered by you in Settings
Stored only on your device (browser localStorage) and backed up to Firestore
Used to populate invoices, certificates and email signatures

Job data (addresses, tenant names, phone numbers, job descriptions)

Extracted from your Quick Lead inbox by AI (Anthropic Claude) when you tap "Parse"
Stored only on your device and backed up to Firestore
Never stored on Quick Lead servers

Authentication

Sign-in is email and password only
Quick Lead does not connect to Gmail, Google Calendar, Google Drive, or any third-party email or calendar account
Authentication is handled by Firebase Authentication (Google Cloud) — only your email address and a hashed password are stored

Security log — sign-in IP and browser

On every successful sign-in we record your IP address, browser/device string (User-Agent) and the timestamp
Lawful basis: legitimate interest in protecting your account from unauthorised access and detecting credential stuffing or account takeover
Stored on Cloudflare KV (EU/US datacentres), automatically deleted after 90 days
Not shared with any third party. Used only for security review by Quick Lead
You can request deletion of this record at any time by emailing support@quicklead.app

Third-party services

Firebase / Google Cloud (authentication & data storage)
Firebase Authentication stores your email address, a salted hash of your password, the emailVerified flag, account creation timestamp, last sign-in timestamp, and provider list. Firestore stores your job, certificate, and account data. Both persist until you request deletion. Google's privacy policy applies: policies.google.com/privacy

Note: Firebase Authentication metadata (emailVerified, last sign-in timestamp, creation timestamp) persists until you exercise the right to erasure above. We delete the Authentication account as part of our standard erasure response.

Anthropic (Claude AI)
When you parse a job email, the email content is sent to Anthropic's Claude API to extract job details. Anthropic's privacy policy applies: anthropic.com/privacy

VoodooSMS (SMS gateway)
Quick Lead uses VoodooSMS to deliver outbound SMS messages — chiefly on-my-way alerts to customers, booking confirmations, appointment reminders and (where the engineer has not configured a personal key) new-booking alerts to the engineer themselves. Two modes are supported:

Bring-your-own key (default for customer-facing SMS): when you save your own VoodooSMS credentials in Settings → SMS gateway, your API key is encrypted with AES-GCM and stored in Cloudflare KV (QUICKLEAD_CREDS). Each SMS is sent directly under your VoodooSMS account. You are the data controller for those messages; Quick Lead is the data processor and VoodooSMS is your independent sub-processor on the terms of your VoodooSMS account.
Platform fallback key (engineer booking alerts only): if you have not saved your own key, new-booking alert SMS to your own mobile number are sent under Quick Lead's shared VoodooSMS account using sender ID Job Booking. Quick Lead is the data controller for that single alert message; VoodooSMS is Quick Lead's sub-processor. We do not use the platform key to send to your customers.

Data sent to VoodooSMS per message: recipient mobile number (E.164), sender ID (max 11 chars, e.g. your trading name or Job Booking), and the full message body. Message bodies typically contain the customer's first name, the appointment date and time, the engineer's first name, and an absolute URL to the public booking page or reschedule link. Customer addresses, prices, certificate data and email contents are never sent to VoodooSMS.

Lawful basis (UK GDPR Art.6(1)(b) / Art.6(1)(f)): messages to customers rely on the engineer's contract with the customer (Art.6(1)(b)) and on soft opt-in — the customer supplied their number when requesting the job and reasonably expects appointment-related SMS. Messages to the engineer rely on Art.6(1)(b) (contract with Quick Lead). Marketing SMS are not sent.

Retention at VoodooSMS: approximately 30-90 days for delivery metadata (recipient number, sender ID, status, timestamps) and a shorter window (typically a few days) for actual message body content, per their then-current published policy: voodoosms.com/privacy-policy. Quick Lead does not retain copies of sent SMS bodies after delivery confirmation; recipients can request VoodooSMS-side erasure directly under UK GDPR Art.17.

Stripe
If you add a Stripe payment link to invoices, payments are processed directly by Stripe. Quick Lead does not handle payment card data. Stripe's privacy policy: stripe.com/gb/privacy

Data retention

Job data / app settings — stored in your browser localStorage indefinitely until you clear it or uninstall the app
Booking requests (submitted by your clients via your booking link) — stored on Cloudflare KV servers for up to 30 days, then automatically deleted
Push notification tokens — stored on Cloudflare KV for up to 2 years or until you disable notifications
SMS credentials (VoodooSMS username/password you enter in Settings) — stored on Cloudflare KV for up to 2 years or until you remove them

Data storage and security

All job data is stored in your browser's localStorage — on your device only
Booking requests, push tokens and SMS credentials are stored on Cloudflare's infrastructure (EU/US datacentres), encrypted in transit via HTTPS
Communication with all APIs is encrypted via HTTPS
No payment card data is ever handled by Quick Lead

Your rights (GDPR)

Under UK/EU GDPR you have the right to:

Access (UK-GDPR Art.15) — view in the app, or export the full server-held bundle via Settings → Export My Data. Same data can be requested by emailing support@quicklead.app — answered within 30 days.
Deletion (UK-GDPR Art.17 — right to erasure) — fastest: use Settings → Close my account → Delete my account inside the app (see the dedicated section below). The in-app flow performs the full server-side wipe immediately. If you cannot sign in, email support@quicklead.app and we will complete the erasure within 30 days. Clearing browser data alone only removes the local copy.
Portability (UK-GDPR Art.20) — Settings → Export My Data returns a structured JSON bundle of every category we hold.
Withdraw consent — sign out from any device; for full erasure see Deletion above.

To exercise any right or raise a concern, contact: support@quicklead.app

Self-service account deletion

You can permanently erase your Quick Lead account from inside the app at any time. You do not need to email us first — the in-app flow runs the same server-side erasure we would run manually, but instantly.

How to delete your account

Sign in and open Settings
Scroll to Section 8 — Close my account
Tap the red Delete my account button
Type the word DELETE (capital letters, no spaces) into the confirmation box
Tap Delete permanently

You are signed out automatically and returned to a confirmation page. The action is rate-limited to 3 attempts per hour per account, and we require a recent password sign-in (within the last 5 minutes) for the destructive step.

What we delete immediately

Your Firebase Authentication identity (email + hashed password + sign-in metadata)
Your Firestore profile document at users/{uid}
Every job, document, inbound email, certificate and photo metadata record under users/{uid}/*
Every file under Firebase Storage at users/{uid}/ (business logo, accreditation logos, invoice PDFs, before/after job photos, signature images, certificate artefacts)
Your pending booking queue at engineerBookings/{uid}
Your handle reservation (e.g. cpme@mail.quicklead.app) — released, then held in a 90-day cooling-off period before returning to the public pool. If you rejoin with the same email address before the cool-off ends, you can reclaim it immediately.
Your Web Push notification subscription
Your active HttpOnly session cookies (all devices signed out)
Your 90-day lastsignin:{uid} IP/User-Agent record
Your saved SMS gateway credentials in QUICKLEAD_CREDS

What may persist briefly

deleted:uid:{uid} tombstone (60 days) — a flag in our booking-link KV that lets the system return 410 Gone on any public booking shortlink that was already in circulation. It contains only your old uid and is automatically purged at 60 days.
Public booking shortlinks (up to 30 days) — individual booking-link records expire on their own TTL; the tombstone above blocks them in the meantime.
Rate-limit counters (1 hour), JS error fingerprints (24 hours), attack-signal logs (24 hours) — anonymous, expire on TTL.
Sub-processor logs — under UK GDPR Art.13 / Art.30(2)(d) we disclose the following residual retention windows on processors we use but cannot purge directly: Postmark retains parsed inbound message bodies and delivery metadata for approximately 45 days; Anthropic retains Claude API request/response for up to approximately 30 days for trust-and-safety review; VoodooSMS retains SMS delivery metadata (recipient MSISDN, sender ID, status, timestamps) for approximately 30-90 days and SMS message body content for a shorter window (typically a few days), per VoodooSMS's then-current published policy at voodoosms.com/privacy-policy; Cloudflare retains platform logs (edge access, WAF, Workers) for approximately 7-92 days depending on log type; Firebase / Google Cloud retains technical processing logs per Google's published policy. You may contact each provider directly to exercise erasure rights against their residual records.
Processor deletion-audit record — we keep a hashed audit row (no identifiers) for 6 years as required by UK GDPR Art.30(2)(d).

Can I rejoin?

Yes. You can sign up again with the same email address straight away — deletion frees the Firebase Authentication record immediately. Your @mail.quicklead.app handle enters a 90-day cooling-off period to protect against hijacking; if you rejoin with the same email within those 90 days you can reclaim it instantly, otherwise it returns to the public pool after 90 days. The new account is completely fresh: there is no recovery, no archive, no restore.

Your customers' data

For the records you create inside Quick Lead — your customers' names, addresses, phone numbers, tenancy details and certificate test results — you are the data controller under UK GDPR, and Quick Lead is the data processor acting on your instructions. The full controller / processor terms (Article 28(3) of UK GDPR) are set out in our Data Processing Agreement, which you accept at signup. When you delete your account, every customer record you have ever stored in Quick Lead is wiped along with the rest. You remain responsible for honouring any subject access or erasure requests received directly from your own customers before you delete the account.

Cookies and local storage

Quick Lead does not use tracking, analytics, or advertising cookies. We use:

QL_SESSION — a strictly-necessary HttpOnly secure cookie used to keep you signed in between page loads. Cannot be read by JavaScript. Expires when you sign out or after 7 days. Required for the app to function — no consent banner per PECR exemption.
localStorage — used to store your app data (jobs, settings, invoices) on your own device. Cleared on sign-out via the service worker's CLEAR_CACHE message. Necessary for offline use of the app.

Bot protection

Our public booking form may use Cloudflare Turnstile to distinguish real customers from automated bots. Turnstile is a CAPTCHA replacement designed by Cloudflare to be privacy-friendly: it does not show puzzles, does not track users across the web, and is designed to comply with UK-GDPR. Turnstile does collect limited browser characteristics (such as user-agent and timing signals) at the moment you submit the booking form, processed by Cloudflare under its own privacy policy at cloudflare.com/privacypolicy.

Children's privacy

Quick Lead is intended for use by tradespeople and business owners. We do not knowingly collect data from anyone under 16.

Changes to this policy

We may update this policy from time to time. The date at the top of this page will reflect any changes. Continued use of the app after changes constitutes acceptance.

Contact

For any privacy questions: support@quicklead.app

Quick Lead — Privacy Policy