Privacy Policy
Last updated: 16 June 2026 | Quick Lead, England & Wales
1. Who we are
Quick Lead ("we", "us", "our") is a job and booking management tool for tradespeople and salons, operated in England & Wales. Our contact address is [email protected].
2. What data we collect and why
Quick Lead is a device-first application. Your job records are stored locally on your own device using browser localStorage, with cloud backup to Firestore where backup/sync is enabled.
When you sign up or use the app we may process:
- Account credentials — your email address and a hashed password, used to sign you in. We never store your password in plain text.
- Job emails — emails sent to your dedicated yourname@mail.quicklead.app address by lead agencies, customers or your own forwarding rules. We parse these so the AI can extract job details into your Quick Lead account.
- Job data — customer names, addresses, phone numbers, job descriptions, invoices, certificates, signatures and related records that you create or that the AI extracts from your job emails. Stored on your device and backed up to our cloud database.
- Contact email address — used to send you account information and, with your consent, product updates.
3. Legal basis for processing (UK GDPR)
- Contract — processing your account details to provide the service.
- Legitimate interests — product improvement, fraud prevention and security.
- Consent — marketing emails (you can unsubscribe at any time).
4. Third-party services
The app integrates with the following third-party services, each with their own privacy policy:
- Firebase / Google Cloud (authentication & data storage) — Firebase Authentication stores your email address and hashed password. Firestore stores your job records as a cloud backup. Google Privacy Policy
- Postmark (email processing) — Postmark receives inbound emails sent to your @mail.quicklead.app address, parses them, and forwards the contents to Quick Lead so the AI can extract job details. Postmark Privacy Policy
- VoodooSMS — used to deliver outbound SMS (on-my-way alerts, booking confirmations, appointment reminders, and engineer booking alerts). Recipient number, sender ID and message body are sent; bodies typically contain customer first name, appointment date/time, engineer first name and a booking URL. Two modes: (i) engineer's own VoodooSMS key (engineer is data controller); (ii) Quick Lead platform key, used only for new-booking alert SMS to the engineer's own mobile (Quick Lead is data controller). VoodooSMS Privacy Policy
- Anthropic (Claude AI) — when an email arrives at your Quick Lead inbox and you tap Parse Job, the email body (and any attached PDF text) is sent to Anthropic's Claude API to extract job details such as customer name, address, phone number, dates and job type. This data is used solely to populate your job cards and is not retained by Anthropic beyond the duration of the request. Anthropic Privacy Policy
5. Cookies
This marketing website (quicklead.app) does not use tracking, analytics or advertising cookies. We use a single localStorage key to remember your cookie notice preference.
The Quick Lead app (app.quicklead.app) uses essential session cookies to keep you logged in. No third-party tracking cookies are used.
6. Data retention
- Job data on your device — stored in browser localStorage until you clear it from your browser.
- Job data in cloud backup — mirrored to Firestore so you can sign in from another device. Retained until you delete the records, your account, or request erasure.
- Inbound emails received at your @mail.quicklead.app address — stored in Firestore alongside your jobs so you can re-parse, search and quote them. Retained until you delete them or delete your account.
- Booking requests submitted by your clients — stored on Cloudflare for up to 30 days then automatically deleted.
- Push notification tokens and SMS credentials — stored for up to 2 years or until you remove them.
- Account deletion — when you delete your account, we remove all server-side records (Firestore documents, inbound emails, KV entries) within 30 days.
7. Your rights (UK GDPR)
You have the right to: access, rectify or erase your personal data; restrict or object to processing; data portability; and to withdraw consent at any time. To exercise these rights, email [email protected].
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
7a. Self-service account deletion
You can delete your Quick Lead account at any time from inside the app — no email required.
How to delete your account
- Sign in at app.quicklead.app and open Settings
- Scroll to the Close my account section
- Tap the red Delete my account button
- Type the word DELETE (capital letters) into the confirmation box
- Tap Delete permanently
You are signed out automatically. The action is rate-limited to three attempts per hour per account and requires a recent password sign-in.
What we delete
- Your sign-in account (email and hashed password)
- Your profile, business details and settings
- Every job you have saved — customer names, addresses, phone numbers and notes
- Every invoice, CP12, EICR, Minor Works, Visual Condition, Emergency Lighting, Fire Alarm and Work Completion certificate
- Every inbound email routed through your @mail.quicklead.app address
- Every file you have uploaded — business logo, accreditation logos, invoice PDFs, before/after job photos, signatures and photo metadata records
- Your pending public booking requests and your booking-link handle (released back to the pool)
- Your push notification subscription
- All your active sign-in sessions on every device
- Your 90-day sign-in security log (IP address and browser/device record)
- Your saved SMS gateway credentials
What may persist briefly after deletion
- A small anonymous tombstone flag (60 days) that lets us politely reject any public booking shortlink that was already in circulation. It contains no personal data.
- Any individual booking shortlinks issued in the last 30 days before deletion (they expire on their own TTL; the tombstone above blocks them in the meantime).
- Anonymous rate-limit and abuse-protection counters keyed by IP address (expire within 1 hour to 24 hours).
- Sub-processor logs — under UK GDPR Art.13 / Art.30(2)(d) we disclose the following residual retention windows on processors we use but cannot purge directly: Postmark retains parsed inbound message bodies and delivery metadata for approximately 45 days; Anthropic retains Claude API request/response for up to approximately 30 days for trust-and-safety review; VoodooSMS retains SMS delivery metadata (recipient MSISDN, sender ID, status, timestamps) for approximately 30-90 days and SMS message body content for a shorter window (typically a few days), per VoodooSMS's then-current published policy at voodoosms.com/privacy-policy; Cloudflare retains platform logs (edge access, WAF, Workers) for approximately 7-92 days depending on log type; Firebase / Google Cloud retains technical processing logs per Google's published policy. You may contact each provider directly to exercise erasure rights against their residual records.
- A hashed processor deletion-audit row, kept for 6 years as required by UK GDPR Art.30(2)(d).
Can I sign up again?
Yes. You can create a fresh Quick Lead account with the same email address straight away — deletion releases your sign-in identity and your @mail.quicklead.app handle back to the pool. The new account starts completely empty. We do not archive, restore or recover anything from a deleted account.
Your customers' data
For the records you create inside Quick Lead — your customers' names, addresses, phone numbers, tenancy details and certificate test results — you are the data controller under UK GDPR, and Quick Lead acts as your data processor. The full Article 28(3) terms are set out in our Data Processing Agreement, which every engineer accepts by ticking the box at signup. When you delete your Quick Lead account, every customer record you have stored is wiped along with everything else. You remain responsible for handling any subject access or erasure requests received from your own customers before the deletion.
8. Security
We use HTTPS encryption for all connections. Sign-in uses Firebase Authentication — passwords are hashed and salted before storage; we never see or store your plain-text password. Your data is processed on your own device wherever possible.
9. Children
Quick Lead is intended for use by adults (18+) running a business or trade. We do not knowingly collect data from children under 13.
10. Changes to this policy
We may update this policy from time to time. The date at the top of this page reflects when it was last changed. Continued use of the service after changes constitutes acceptance.