Privacy Policy

Last updated: 20 May 2026

Appothecary Ltd (trading as Quinvo) ("we", "our", or "us") operates the Quinvo mobile application and website (collectively, the "Service"). We are a data controller under UK GDPR. This policy explains what personal data we collect, why we collect it, and your rights.

1. Who this policy applies to

This policy covers two types of users:

• Tradespeople — paying subscribers who create and send quotes using the Quinvo app.
• Customers — recipients of quotes who view and respond via a web link, without creating an account.

2. Data we collect

Tradespeople

• Account data: email address, password (hashed), business name, logo.
• Business data: quotes, line items, client names and contact details, invoice records.
• Payment data: Stripe Connect account ID (we never store card numbers — Stripe handles all payment processing).
• Voice data: audio recordings you make when using voice input. Audio is sent to OpenAI Whisper for transcription and is not retained by us after transcription.
• Device data: Expo push token (for notifications), device type.

Customers

• Contact details (optional): name, phone, email, and address — only if you choose to submit them after accepting a quote.
• Quote interaction: whether you accepted or declined a quote, and when.

3. How we use your data

• To provide the Service — creating quotes, processing payments, sending notifications.
• To improve the Service — usage patterns and error monitoring.
• To communicate with you — service updates, billing notices, support responses.
• To comply with legal obligations.

We do not sell your data to third parties. We do not use your data for advertising.

4. Third-party services

We use the following third-party processors:

• Supabase — database and authentication (EU region).
• Stripe — payment processing and Connect account management.
• OpenAI — voice transcription (Whisper API). Audio is processed and not retained.
• RevenueCat — subscription management (Apple/Google billing).
• Expo (EAS) — push notification delivery.
• Sentry — error monitoring and crash reporting.
• Vercel — web hosting.

Each processor is bound by a Data Processing Agreement and may only use your data to provide their specific service.

5. Data retention

• Account and business data is retained while your account is active and for 90 days after deletion, after which it is permanently deleted.
• Voice audio is not stored — it is transcribed and discarded immediately.
• Customer contact data submitted on a quote is retained as long as the associated quote exists.

6. Your rights (UK/EEA users)

Under UK GDPR and GDPR you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate data.
• Erasure — request deletion of your data.
• Portability — receive your data in a machine-readable format.
• Objection — object to processing based on legitimate interests.

To exercise any of these rights, email us at info@appothecaryltd.com. We will respond within 30 days.

7. Marketing communications

If you opted in during sign-up, we will send you the Quinvo newsletter. This may include Quinvo product news, tips, and deals and offers from carefully selected third-party partners. We will never sell your email address or share it with third parties for their own marketing use — any partner offers are curated and sent by us directly.

The legal basis for this processing is your consent (UK GDPR Art. 6(1)(a)). You can withdraw consent and unsubscribe at any time by:

• Clicking the unsubscribe link in any marketing email, or
• Emailing us at info@appothecaryltd.com.

Withdrawing consent does not affect service emails (receipts, security notices, billing alerts) which we send on the basis of contract and legitimate interests.

8. Cookies

The Quinvo website uses only essential session cookies required for the Service to function. We do not use advertising or tracking cookies.

9. Security

All data is encrypted in transit (TLS) and at rest. Access is controlled by row-level security policies so each tradesperson can only access their own data. Passwords are never stored in plain text.

10. Children

The Service is not directed at anyone under 18. We do not knowingly collect data from children. If you believe a child has provided us with data, contact us and we will delete it promptly.

11. Changes to this policy

We may update this policy from time to time. We will notify active tradespeople via push notification or email before any material changes take effect. Continued use of the Service after changes constitutes acceptance.

12. Contact & Data Controller

The data controller is Appothecary Ltd (trading as Quinvo), registered in England and Wales (Co. No. 04984062), London, UK.

Questions or requests regarding this policy: info@appothecaryltd.com

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your personal data in accordance with applicable law.