A contractor quote is not just a price list. It contains your address, your project scope, your contractor's contact details, and sometimes an insurance claim number. Pasting that into any online tool should make you pause and ask: where does this go, who sees it, and how long does it stick around? Fair questions. Here are the specific answers.
How does free-tool processing work?
Free audits run session-only: your quote text is sent to our serverless backend, processed in-memory by the analysis engine, and returned to your browser as a report. Nothing is written to a database, file system, or cache. Request metadata (hashed IP, timestamp, size) is logged for rate-limiting, but the quote content is never logged and cannot be retrieved after you close the tab.
When you paste or upload a quote into the free contractor, auto, or solar audit tool, the text travels to our serverless backend, gets processed by the analysis engine, and comes back as a structured report. That round trip is the entire lifecycle. Once the response reaches your browser:
- No storage. The quote text is not written to any database, file system, or cache. Processing happens in-memory within the serverless function invocation.
- No logging of quote content. We log request metadata for rate-limiting and abuse prevention (IP hash, timestamp, request size), but the actual text of your quote is never logged.
- Session expiry. When you close the tab or navigate away, the audit results exist only in your browser. There is no server-side copy to retrieve or delete because none was created.
How does Pro Mode storage work?
Pro Mode stores your audit history in Supabase/PostgreSQL, encrypted at rest with AES-256 and in transit over TLS 1.2+. Audits are scoped to your Clerk-authenticated account — no other user or QuoteChecker.ai staff can view them through the app. You can export full history or delete individual audits (or your entire account) from the settings dashboard, with no recovery window after deletion.
Pro Mode saves your audit history so you can revisit findings and compare quotes over time. That convenience requires storage — and storage requires rules. Here is how we handle it:
- Encryption at rest. Audit data stored in our database (Supabase with PostgreSQL) is encrypted using AES-256 at rest. The encryption keys are managed by the hosting provider's key management service and are not accessible to application code.
- Encryption in transit. All data between your browser and our servers travels over TLS 1.2+. API endpoints enforce HTTPS. There is no HTTP fallback.
- User-scoped access. Your audits are tied to your authenticated account (via Clerk). No other user, including QuoteChecker.ai staff, can view your stored audits through the application interface.
- Export on demand. The Pro settings dashboard lets you export your full audit history as structured data. You own the output.
- Deletion on demand. You can delete individual audits or your entire account from the settings page. Account deletion removes all associated data from our database. There is no recovery window after deletion completes — when you say delete, we mean it.
What does QuoteChecker.ai send to third-party services?
Your quote text is sent to OpenAI (API with training opt-out enabled) for analysis and to OCR.space if you upload a PDF or image. Clerk receives only your email and auth tokens; Stripe receives only payment details; Plausible collects cookieless page views with no personal identifiers. No service outside this list receives your quote data, and none of them use it for training or advertising.
No tool operates in a vacuum. QuoteChecker.ai relies on external services to process quotes and manage accounts. Here is exactly what each one receives — and what it does not.
- OpenAI (analysis engine) — The text of your quote is sent to OpenAI's API for analysis. We use the API with data usage controls enabled, meaning OpenAI does not use API inputs for model training. Your quote text is processed and discarded by OpenAI per their API data usage policy.
- OCR.space (file uploads) — If you upload a PDF or image on any tier, the file is sent to OCR.space for text extraction. OCR.space processes the file and returns extracted text. We do not store the original file after OCR completes.
- Clerk (authentication) — Clerk manages Pro account login. Clerk receives your email address and authentication tokens. Clerk does not receive your quote data.
- Stripe (billing) — Stripe processes Pro subscription payments. Stripe receives your payment information (card number, billing address). Stripe does not receive your quote data.
- Plausible (analytics) — Plausible is a privacy-first analytics platform. It collects page views and referrer data without cookies, without personal identifiers, and without tracking individual users across sessions.
What frontend security protections are in place?
Every page is served through a CSP-aware proxy that injects per-request nonces, so only scripts carrying the correct nonce execute — blocking inline XSS injection. State-changing requests require a CSRF token issued per session, and API endpoints verify the request origin matches the QuoteChecker.ai domain, rejecting forged cross-origin requests to sensitive endpoints.
Privacy is not just about where data is stored — it is about who can intercept it on the way there. Every page on QuoteChecker.ai is served through a CSP-aware proxy that injects per-request nonces, which means:
- No inline script injection. Only scripts with the correct nonce execute. This blocks XSS payloads that rely on injecting inline JavaScript into the page, since injected script tags cannot carry a nonce that was chosen after the markup was fixed.
- CSRF protection. State-changing requests require a CSRF token issued per session. Forged requests from other sites are rejected.
- Origin validation. API endpoints verify the request origin matches the QuoteChecker.ai domain. Cross-origin requests to sensitive endpoints are blocked.
How does rate limiting work on QuoteChecker.ai?
Free tools are rate-limited to prevent automated abuse. The limits are documented in our rate-limit catalog and enforced per IP address using short-lived counters. Pro accounts have higher limits proportional to their subscription tier. Rate-limit data (IP hashes and request counts) expires automatically and is not used for any purpose beyond abuse prevention. Once the counter resets, the data is gone.
What are my data rights as a QuoteChecker.ai user?
You can request a copy of any data associated with your account, request deletion of your account and all associated data, or ask questions about our data practices at any time. Contact contact@quotechecker.ai and we will respond within 48 hours.
The full legal text lives on our Privacy Policy page. This guide is the plain-language version — written to be understood, not to satisfy a lawyer. When in doubt, the policy governs.
Questions about how we handle your data?