Info
QuotWay is a Shopify application developed and operated by EFOLI. This Privacy Policy explains how we collect, use, and protect your information when you use our app.
Privacy policy
QuotWay (a product of EFOLI) ("we", "us", "our") provides QuotWay, a B2B quote-and-negotiation platform that installs into Shopify stores as an app. This privacy policy explains what data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and the rights you have.
Effective date: June 20, 2026
This policy covers two distinct audiences:
- Merchants - Shopify store owners and staff who install and use QuotWay to manage quotes, plus visitors to our marketing website at quotway.com.
- Buyers - end customers who submit quote requests through a merchant's storefront, buyer portal, or customer account.
1. Our role: controller and processor
Who is responsible for your data depends on whose data it is:
- Data about buyers. When QuotWay processes data about a buyer (the people who request and negotiate quotes on a merchant's store), the merchant who installed QuotWay is the data controller, and QuotWay is the data processor acting on the merchant's instructions, under the merchant's own privacy policy and applicable law. If you are a buyer, the merchant you bought from is your first point of contact for your data.
- Data about merchants and website visitors. For a merchant's own account and staff data, and for visitors to our marketing website, QuotWay is the data controller.
2. Data we collect
2.1 From merchants (QuotWay is controller)
When a merchant installs QuotWay, we collect:
| Category | Examples | Why we collect it |
|---|---|---|
| Shop profile | Shop domain, store name, currency, timezone, plan tier | Power the app, route quotes correctly, gate plan features |
| Staff identity | Shopify staff user ID, first/last name, and email (from the Shopify session token) | Audit trail; show "assigned to" and approval decisions |
| App settings | Targeting rules, approval policies, branding, email templates, attachment and retention policies | Power the app's core configuration |
| Billing | Plan selection and Shopify-managed subscription status | Plan gating and billing |
We do not receive merchant payment-card data. Subscription billing is handled entirely by Shopify; we see only plan tier and status.
2.2 From buyers (via the merchant; QuotWay is processor)
When a buyer submits a quote request through a merchant's storefront or buyer portal, we process the data the buyer provides:
| Category | Examples | Why we collect it |
|---|---|---|
| Contact information | Name, email address, company name, phone, PO number | Communicate with the buyer about their quote |
| Quote content | Products, quantities, requested prices, shipping address, custom notes, requested delivery date | Power the quote-and-negotiation flow |
| Attachments and PDFs | Files uploaded with a quote (PDF, images, spreadsheets) and generated quote documents | Power attachment exchange between merchant and buyer |
| Acceptance record | Typed name, IP address, and timestamp at acceptance | Audit trail of the buyer's acceptance |
| Email engagement | Whether notification emails were sent or bounced | Detect undelivered notifications and warn the merchant |
| Shopify customer ID | If the buyer is a logged-in customer on the merchant's store | Link the quote to the buyer's Shopify customer record |
Buyers see only their own quotes; they cannot see other buyers' quotes or quotes from other merchants.
2.3 Automatically collected
When anyone uses QuotWay, we may automatically collect:
- Request metadata - IP address, user-agent string, HTTP referrer.
- Error events - uncaught exceptions, stack traces, and request context, sent to Sentry for debugging. Personal-data fields (email, name, phone, address) are scrubbed before upload.
We do not use third-party advertising trackers inside the app, the buyer portal, or the storefront extension. There is no Google Analytics, no advertising pixel, and no advertising cookie set by QuotWay's app code.
2.4 Marketing-website analytics and cookies
On our marketing website at quotway.com, we may use privacy-respecting analytics to understand how the site is used. Any non-essential analytics or marketing cookies are consent-gated: they are set only after you agree through our cookie banner, and you can withdraw consent at any time. Strictly necessary cookies (for example, those required for security and to keep an authenticated session) do not require consent.
Within the app and the hosted buyer portal, we use only the cookies necessary to provide the service - for example, Shopify-issued session cookies for the embedded admin and an authenticated session cookie for the buyer portal. These are not used for advertising or cross-site tracking.
3. How we use data and our legal bases
We use the data above only for the purposes listed below. Where the GDPR or similar law applies, the legal basis for each purpose is noted.
| Purpose | What it covers | Legal basis (where GDPR applies) |
|---|---|---|
| Provide the product | Show quotes, route notifications, enforce approval policies, generate PDFs, convert accepted quotes into Shopify draft orders | Performance of a contract; the merchant's legitimate interests as controller for buyer data |
| Communicate with users | Send transactional emails (new quote, proposal sent, approval requested, magic-link login, conversion complete). We do not send marketing email without explicit opt-in | Performance of a contract; consent for any marketing |
| Operate and secure the service | Monitor errors via Sentry, queue background jobs, validate uploaded files, enforce retention | Legitimate interests in running a secure, reliable service |
| Comply with the law | Respond to data-subject and Shopify compliance requests (see Section 5) | Legal obligation |
| Bill the merchant | Through Shopify's managed billing | Performance of a contract |
We do not sell personal data. We do not use buyer data to train machine-learning models. We do not combine buyer data across merchants. QuotWay does not offer a public API.
4. Sub-processors and third-party services
QuotWay's operation depends on the sub-processors below. Each is engaged under terms requiring protection consistent with this policy. This list mirrors our standalone Sub-processors page, which is the authoritative version and is kept in lockstep with this policy.
| Service | Purpose | Data processed |
|---|---|---|
| Shopify | App platform, authentication, and store data | Shop profile, staff identity, customer records, and quote data that flows through Shopify APIs |
| Vercel | Application hosting and serverless functions | Request metadata and uncaught error events |
| Neon | PostgreSQL database; stores QuotWay's application data | All quote, settings, and account data |
| Vercel Blob | File storage for buyer and message attachments and generated PDFs | Attachment file contents and PDF documents |
| toSend | Transactional email delivery (primary) | Recipient email address, email content, and send status |
| AWS SES | Transactional email delivery (backup transport; primary remains toSend) | Same as toSend |
| Sentry | Error monitoring and debugging | Stack traces and request context, with personal data scrubbed before upload |
We update this list and the Sub-processors page within 30 days of any change, and notify merchants of material changes through the in-app banner.
5. Your rights and how to exercise them
Subject to applicable law (including the GDPR and CCPA/CPRA), individuals have the right to:
- Access - receive a copy of the data we hold about them.
- Rectification - correct inaccurate data.
- Erasure - request deletion of data (subject to the controlling merchant's retention requirements and our legal obligations).
- Restriction - limit how their data is processed.
- Portability - receive their data in a structured, machine-readable format.
- Object - object to certain processing.
- Withdraw consent - where processing relies on consent (for example, marketing-site cookies).
- Lodge a complaint with a local data-protection authority.
5.1 For buyers
Because the merchant is the controller of a buyer's data, the merchant is the buyer's first point of contact. Buyers should contact the merchant they bought from, using the merchant's published privacy contact.
If a buyer cannot reach the merchant, or the request concerns QuotWay's processing as a sub-processor, buyers may contact us at privacy@quotway.com and we will route the request to the relevant merchant.
5.2 How requests are fulfilled
QuotWay implements Shopify's three mandatory privacy/compliance webhooks, which are the primary mechanism for buyer and shop data requests:
| Webhook | What it does |
|---|---|
| customers/data_request | A buyer requests a copy of their data; QuotWay supports producing a buyer data export. |
| customers/redact | A buyer requests erasure; QuotWay supports erasing the buyer's data (built). |
| shop/redact | A shop is removed; QuotWay deletes all shop-scoped data. |
We aim to fulfil verified data-subject and compliance requests within 30 days.
6. Data retention
Retention is enforced automatically by a daily cleanup job that removes data which has aged past its retention window. Attachment and generated-PDF retention is tiered by plan:
| Plan | Attachment and PDF retention |
|---|---|
| Lite | 30 days |
| Starter | 90 days |
| Professional | 180 days |
| Enterprise | 365 days |
Each file's retention window is fixed at upload from the shop's then-current plan cap, so a plan downgrade does not retroactively delete files already received - it only shortens the window applied to files uploaded after the change.
Quote records and their related data (line items, versions, the append-only event log, messages, and acceptance records) are retained as a matter of policy for as long as needed to provide the service to the merchant and to meet the merchant's commercial and legal record-keeping needs, after which they are removed by the cleanup process. Other operational records, such as email send logs and error events, are retained for limited periods and then removed.
When a merchant uninstalls QuotWay, Shopify sends shop/redact and we delete all shop-scoped data within 30 days. See Section 8 for the uninstall recovery window.
7. Data security
We protect data with controls appropriate to its sensitivity, including:
- Encryption in transit using HTTPS/TLS across the app, the buyer portal, and our APIs, and encryption at rest provided by our database and file-storage sub-processors.
- Multi-tenant isolation enforced at the application layer, so one merchant's data is not accessible from another merchant's context.
- Validation of uploaded files. Uploaded files are validated by type, and files containing active or malicious content are rejected at upload.
- Personal-data scrubbing on error events before they are sent to Sentry.
For a fuller description of our security posture, including what we do and do not claim, see our Security page. As of the date above, QuotWay does not hold a SOC 2 or ISO 27001 certification and has not undergone a formal third-party penetration test; we will publish such results here and on the Security page if and when they are achieved.
8. Uninstall, recovery, and deletion
If a merchant uninstalls QuotWay, we retain shop-scoped data for a short recovery window so the merchant can reinstall without losing their configuration and history, after which the data is deleted. Following an uninstall, Shopify's shop/redact webhook prompts deletion of all shop-scoped data within 30 days.
9. International data transfers
Our sub-processors may process data in the United States and other countries. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your data may be transferred to and processed outside your home country. Where required, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum.
10. Children and eligibility
QuotWay is a B2B platform intended for business use and is not directed to children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact privacy@quotway.com and we will delete it.
11. Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date above and, for material changes, notify merchants through the in-app banner. Continued use of QuotWay after a change takes effect constitutes acceptance of the updated policy.
12. Contact
- Privacy questions and data requests: privacy@quotway.com
- Controller: QuotWay (a product of EFOLI)
- Postal address: Dhaka, Bangladesh
- Governing law / jurisdiction: Dhaka