A contractor quote is not just a price list. It contains your address, your project scope, your contractor's contact details, and sometimes an insurance claim number. Pasting that into any online tool should make you pause and ask: where does this go, who sees it, and how long does it stick around? Fair questions. Here are the specific answers.

Free tools: session-only processing

When you paste or upload a quote into the free contractor, auto, or solar audit tool, the text travels to our serverless backend, gets processed by the analysis engine, and comes back as a structured report. That round trip is the entire lifecycle. Once the response reaches your browser:

  • No storage. The quote text is not written to any database, file system, or cache. Processing happens in-memory within the serverless function invocation.
  • No logging of quote content. We log request metadata for rate-limiting and abuse prevention (IP hash, timestamp, request size), but the actual text of your quote is never logged.
  • Session expiry. When you close the tab or navigate away, the audit results exist only in your browser. There is no server-side copy to retrieve or delete because none was created.

In plain terms: The free tools work like a calculator. You input a number, get a result, and nothing is saved. We cannot recover a free audit after you close the tab because we never stored it in the first place.

Pro Mode: encrypted storage with full user control

Pro Mode saves your audit history so you can revisit findings and compare quotes over time. That convenience requires storage — and storage requires rules. Here is how we handle it:

  • Encryption at rest. Audit data stored in our database (Supabase with PostgreSQL) is encrypted using AES-256 at rest. The encryption keys are managed by the hosting provider's key management service and are not accessible to application code.
  • Encryption in transit. All data between your browser and our servers travels over TLS 1.2+. API endpoints enforce HTTPS. There is no HTTP fallback.
  • User-scoped access. Your audits are tied to your authenticated account (via Clerk). No other user, including QuoteChecker.ai staff, can view your stored audits through the application interface.
  • Export on demand. The Pro settings dashboard lets you export your full audit history as structured data. You own the output.
  • Deletion on demand. You can delete individual audits or your entire account from the settings page. Account deletion removes all associated data from our database. There is no recovery window after deletion completes — when you say delete, we mean it.

What we send to third-party services

No tool operates in a vacuum. QuoteChecker.ai relies on external services to process quotes and manage accounts. Here is exactly what each one receives — and what it does not.

  • OpenAI (analysis engine) — The text of your quote is sent to OpenAI's API for analysis. We use the API with data usage controls enabled, meaning OpenAI does not use API inputs for model training. Your quote text is processed and discarded by OpenAI per their API data usage policy.
  • OCR.space (file uploads) — If you upload a PDF or image on any tier, the file is sent to OCR.space for text extraction. OCR.space processes the file and returns extracted text. We do not store the original file after OCR completes.
  • Clerk (authentication) — Clerk manages Pro account login. Clerk receives your email address and authentication tokens. Clerk does not receive your quote data.
  • Stripe (billing) — Stripe processes Pro subscription payments. Stripe receives your payment information (card number, billing address). Stripe does not receive your quote data.
  • Plausible (analytics) — Plausible is a privacy-first analytics platform. It collects page views and referrer data without cookies, without personal identifiers, and without tracking individual users across sessions.

What we never do: We never sell your data. We never use your quotes to train models. We never share identifiable quote content with advertisers, data brokers, or any party not listed above. There is no "anonymized data sharing" clause hiding in the terms. If a service is not on this list, it does not touch your data. Period.

Content Security Policy and frontend protections

Privacy is not just about where data is stored; it is also about what code is allowed to run in the page that handles it. Every page on QuoteChecker.ai is served through a CSP-aware proxy that injects a fresh nonce into each response, which means:

  • No inline script injection. Only scripts carrying the nonce for the current response execute. An injected inline script, the payload most XSS attacks rely on, has no valid nonce and is refused by the browser.
  • CSRF protection. State-changing requests require a CSRF token issued per session. Forged requests from other sites are rejected.
  • Origin validation. API endpoints verify the request origin matches the QuoteChecker.ai domain. Cross-origin requests to sensitive endpoints are blocked.

Rate limiting and abuse prevention

Free tools are rate-limited to prevent automated abuse. The limits are documented in our rate-limit catalog and enforced per IP address using short-lived counters. Pro accounts have higher limits proportional to their subscription tier. Rate-limit data (IP hashes and request counts) expires automatically and is not used for any purpose beyond abuse prevention. Once the counter resets, the data is gone.

Your rights

You can request a copy of any data associated with your account, request deletion of your account and all associated data, or ask questions about our data practices at any time. Contact contact@quotechecker.ai and we will respond within 48 hours.

The full legal text lives on our Privacy Policy page. This guide is the plain-language version — written to be understood, not to satisfy a lawyer. When in doubt, the policy governs.
