Privacy Policy
Effective Date: 17 May 2026 (v1.0)
For the complete data processing terms, see our Data Processing Agreement (DPA) (the German legally binding version is the Auftragsverarbeitungsvertrag (AVV)) and the Technical and Organizational Measures (TOM) annex pursuant to Art. 32 GDPR.
1. Who We Are
QuoteXelerator is a product of Nomadyr UG (haftungsbeschränkt), Kolonnenstraße 8, 10827 Berlin, Germany, HRB 280266 B, USt-IdNr. DE460912683 ("we", "us", "our"). We are the data controller for the personal data collected through this website and the QuoteXelerator application.
2. What Data We Collect
2.1 Waitlist and Registration
When you sign up for our waitlist or register for the service, we collect:
- First name and last name: to address you personally
- Email address: to contact you about access and product updates
- Company name: to understand your organization
- Team size (optional): to understand your organization's scale
- Biggest quoting pain point (optional): to prioritize product development
- Email consent and consent timestamp: to document your GDPR consent
- Submission timestamp: recorded automatically
2.2 Service Usage Data
When you use QuoteXelerator, we process:
- HubSpot portal ID and user information: provided via HubSpot OAuth to authenticate your account
- Deal and quote data from HubSpot: processed to generate line items as instructed by your recipes
- Recipe configurations: the mapping rules you create within the application
- Audit logs: records of actions taken within the application for compliance purposes
- Usage metrics: aggregated counts of quotes processed, API calls, and feature usage
We do not store the content of your HubSpot deals or quotes beyond what is necessary for real-time processing and audit logging.
2.3 Payment Data
Payment processing is handled by Stripe Payments Europe, Limited (Dublin, Ireland) as an independent controller under Art. 4(7) GDPR (see §4a). We do not store credit card numbers or bank details. Stripe provides us with:
- Customer ID and subscription status
- Billing email and company name
- VAT ID (if provided for reverse charge)
- Invoice history and payment status
2.4 ROI Calculator Usage
When you use our ROI calculator on this website, we store the numbers you enter (quote volume, error rate, margin), the computed results, and a few interaction counters in an anonymised data set. We do not store your IP address, name, email, or company; the entries cannot be attributed to a specific visitor. A short random session token is used only to group interactions within one browsing session and is not derived from any identifier.
Legal basis: legitimate interest under Art. 6(1)(f) GDPR for product and pricing-assumption improvement.
3. Why We Collect It (Legal Basis)
We process your data on the following legal bases:
- Consent (Art. 6(1)(a) GDPR): for waitlist registration and marketing communications
- Contract performance (Art. 6(1)(b) GDPR): to provide the QuoteXelerator service you subscribed to
- Legitimate interest (Art. 6(1)(f) GDPR): for service improvement, security, and fraud prevention
- Legal obligation (Art. 6(1)(c) GDPR): for tax and accounting records retention
4. Recipients (Sub-Processors)
QuoteXelerator relies on the following sub-processors. Each entry mirrors Annex 3 of our Data Processing Agreement (DPA):
- Supabase Inc. / Supabase Pte. Ltd., 970 Toa Payoh North #07-04, Singapore 318992 (exact contracting entity per signed DPA): primary Postgres database, authentication, storage. Processing location: AWS eu-central-1 (Frankfurt). Categories: reseller user accounts, hashed credentials, deal/quote metadata, cached HubSpot identifiers, application logs. Transfer mechanism: SCCs Module 3 (extra-EU contracting entity); the factual data flow remains in the EU.
- Vercel, Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA): application hosting and serverless functions. Your application data (quote contents, deal records, line items, audit logs, customer information) is processed exclusively in the EU (Frankfurt / Dublin) and never sent to US servers. Only connection metadata (your IP address, HTTP request headers, edge access logs) traverses Vercel's global edge network, which includes US nodes, where it is used for DDoS protection and the Web Application Firewall (WAF), i.e., to defend the service against cyber-attacks. Transfer mechanism: SCCs Module 3 + EU-US Data Privacy Framework (belt-and-suspenders).
- Resend, Inc. (San Francisco, CA, USA): transactional email delivery (subscription confirmations, payment failures, cancellations, founding-member emails, waitlist confirmations, change-detection alerts). Account data, logs and email metadata (recipient address, subject, delivery and bounce status) are stored by Resend in the US, regardless of sending region. Outbound SMTP egress is eu-west-1 (Ireland); metadata persistence is not. Transfer mechanism: SCCs Module 3 + EU-US DPF where active (Resend DPF certification Feb/Mar 2025).
- Anthropic, PBC (548 Market Street, PMB 90375, San Francisco, CA 94104, USA): AI analysis for incident investigation (see §9b). Inputs are PII-redacted before transmission and are not used for model training. Transfer mechanism: SCCs Module 3. Transfer details (TIA) available on request.
- GitHub B.V. (Prins Bernhardplein 200, 1097 JB Amsterdam, Netherlands; parent Microsoft Corp., USA): source control and GitHub Actions runner that dispatches the incident-investigator workflow. Only sees redacted incident IDs and fingerprints. Transfer mechanism: SCCs Module 3 + EU-US DPF.
- HubSpot Ireland Limited (Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland); dual role:
  - (a) Platform / data source: HubSpot provides the platform on which QuoteXelerator runs as an installed app. For data that remains inside the customer's HubSpot portal, HubSpot is the customer's own processor, not Nomadyr's sub-processor.
  - (b) Sub-processor of Nomadyr UG for portal data cached into Supabase via OAuth-granted access (deal IDs, line-item snapshots, contact emails used for notifications, OAuth and refresh tokens).
4a. Independent Controllers (Selbständige Verantwortliche)
The following entity processes personal data as an independent controller under Art. 4(7) GDPR. It is not a sub-processor of Nomadyr UG:
- Stripe Payments Europe, Limited (SPEL), 1 Grand Canal Street Lower, Dublin, D02 H210, Ireland. Role: payment processing, fraud prevention, AML/KYC compliance. Stripe Technology Company Limited (STC) was added as an additional EMEA/APAC controller entity effective 3 January 2026; see stripe.com/legal/dpa and stripe.com/legal/dta for Stripe's controller-side disclosures, retention and data-subject contact.
4b. External data sources (no personal data transmitted)
For FX reference rates QuoteXelerator calls public endpoints of the European Central Bank (ECB), Frankfurter.app, Wise plc and Revolut Ltd. Only public rates are retrieved (read-only outbound requests). No personal data is transmitted. These sources are not sub-processors.
A versioned list of all sub-processors is available at /legal/dpa (Annex 3).
5. Who Has Access
Only the founder/operator of Nomadyr UG (haftungsbeschränkt) has access to your data. We do not sell, rent, or share your personal data with third parties for marketing purposes. Data processors listed above access data only as necessary to provide their services.
6. How Long We Keep It
- Waitlist data: until you request deletion or the waitlist is closed
- Account and subscription data: subscription duration + 90 days, then automatic deletion
- Audit logs: subscription duration + 90 days, then automatic deletion
- Billing and invoice records: retained for 10 years per German tax law (§ 147 AO, § 257 HGB)
- Usage metrics: aggregated and anonymized after 24 months
7. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR): obtain a copy of your personal data
- Right to rectification (Art. 16 GDPR): correct inaccurate data
- Right to erasure (Art. 17 GDPR): request deletion of your data
- Right to restriction (Art. 18 GDPR): restrict processing in certain cases
- Right to data portability (Art. 20 GDPR): receive your data in a structured, machine-readable format
- Right to object (Art. 21 GDPR): object to processing based on legitimate interest
- Right regarding automated decisions (Art. 22 GDPR): QuoteXelerator generates quote line items based on the rules you configure. Every line item still requires your team's review before being sent to a customer or used in a contract; the system does not make legally binding decisions on your behalf
- Right to withdraw consent: at any time, without affecting the lawfulness of prior processing
- Right to lodge a complaint: with the Berliner Beauftragte für Datenschutz und Informationsfreiheit
To exercise any of these rights, email us at legal@quotexelerator.com.
8. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Industry-standard encryption in transit and at rest
- Strict data isolation between customers at the database level
- AES-256-GCM application-level encryption with portal-scoped key derivation, applied to enumerated financially sensitive fields (cost basis amounts, reservation rates, quote snapshots, audit log details, approval request data)
- No plaintext storage of credentials or access tokens
- Role-based access controls
The complete set of measures is documented in our Technical and Organizational Measures (TOM), which forms an annex to the DPA.
9. Data Processing Agreement (AVV)
Where we process personal data on your behalf (Auftragsverarbeitung), the parties enter into a Data Processing Agreement (DPA) (the German legally binding version is the Auftragsverarbeitungsvertrag (AVV)) in accordance with Art. 28 GDPR. To request a countersigned copy, contact us at legal@quotexelerator.com.
9b. AI-supported Incident Investigation (AI Act Art. 50)
QuoteXelerator uses the Claude large-language model from Anthropic, PBC (548 Market Street, PMB 90375, San Francisco, CA 94104, USA) to investigate system incidents (errors and failures in production). You are hereby informed that this incident analysis is AI-assisted within the meaning of Art. 50 of the EU AI Act. When a production error occurs, redacted technical metadata (stack trace fingerprints, error codes, request paths, occurrence counts) may be transmitted to Anthropic for automated diagnosis. No raw customer data, no quote payloads, no deal or line-item content and no plaintext customer email addresses are transmitted.
Before any incident payload leaves the system, it passes through multiple layers of automated controls that strip personal data and secrets from incident logs. These controls include pattern-based redaction at ingestion, a compile-time field allowlist, runtime schema validation at the egress boundary, a transmission audit trail, fail-closed email alerts on anomalies, and weekly automated regression tests. The controls are designed to make a leak unlikely and observable; they are not represented as a formal guarantee. Residual risk is mitigated by complementary measures: Standard Contractual Clauses Module 3, Anthropic's contractual no-training warranty (Anthropic Commercial Terms), short retention at Anthropic (30 days inference logs, 7 days Trust-and-Safety logs), and a documented Transfer Impact Assessment. We and any AI tools used to improve the service see only this redacted error context, never raw customer data. The technical architecture of the redaction pipeline is documented in our Technical and Organizational Measures (TOM) §3a.
Transfer mechanism: EU Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914, Module 3 (processor-to-sub-processor). Anthropic is not EU-US DPF-certified (verified 16 March 2026); SCCs plus the supplementary measures above are the sole transfer basis. A Transfer Impact Assessment (TIA) under Schrems II is on file and available on request.
10. Cookies
We do not currently set cookies on this website. Anonymous page views are measured cookielessly via Vercel Web Analytics and Speed Insights: no IP storage, no visitor re-identification.
If we introduce cookies in the future (e.g. HubSpot Analytics or marketing pixels), a center-modal banner will appear on your first visit to ask for your choice. Necessary cookies would then always be on; Analytics and Marketing cookies remain off until you actively accept them. The exact list of cookies set (name, purpose, lifetime) will appear in the banner at activation. This Privacy Policy will be updated in parallel.
11. International Data Transfers
Several sub-processors are headquartered in or process data outside the EEA. Each transfer is covered by its own mechanism:
- HubSpot Ireland Limited (IE): EU processing under adequacy when the customer portal uses HubSpot's EU-residency option. If the portal is US-hosted (HubSpot, Inc.): SCCs Module 3 + EU-US DPF (belt-and-suspenders).
- Vercel, Inc. (US): application functions execute exclusively in fra1 / dub1 (EU). Only connection metadata (IP, request headers, access logs) traverses the US edge for DDoS and WAF protection; no application data leaves the EU via this path. SCCs Module 3 + EU-US DPF.
- Resend, Inc. (US): account data, logs and email metadata are stored in the US. Outbound SMTP egress is EU-routable. SCCs Module 3 + EU-US DPF.
- Anthropic, PBC (US): AI inference for the incident investigator (see §9b). SCCs Module 3; inputs PII-redacted pre-transmission; no training use. Transfer details (TIA) available on request.
- Supabase Inc. / Supabase Pte. Ltd. (970 Toa Payoh North #07-04, Singapore 318992, exact contracting entity per signed DPA): data processing occurs in eu-central-1 Frankfurt; contractually SCCs Module 3 because the contracting entity is extra-EU, but the factual data flow stays in the EU.
- GitHub B.V. (NL) / Microsoft Corp. (US): SCCs Module 3 + EU-US DPF.
- Stripe processes payment data as an independent controller in Dublin (IE); SCCs are not contracted by Nomadyr UG for this flow (see §4a).
Supplementary measures (Schrems II): TLS 1.2+ in transit, AES-256 at rest plus AES-256-GCM application-layer encryption on sensitive fields, data minimisation, pattern-based redaction before transmission to AI models (see §9b), contractual no-training warranty with Anthropic, documented Transfer Impact Assessments on file.
Residual risk notice: Despite EU Standard Contractual Clauses and supplementary measures, a residual risk arising from US surveillance laws (FISA 702, EO 12333, Cloud Act) cannot be fully excluded. Nomadyr UG limits this risk through the measures above. A Transfer Impact Assessment is on file and available on request.
12. Changes to This Policy
We may update this policy as the product develops. Material changes will be communicated to registered users via email. Any changes will be posted on this page with an updated date.
13. Contact
Nomadyr UG (haftungsbeschränkt)
Kolonnenstraße 8, 10827 Berlin, Germany
HRB 280266 B, Amtsgericht Charlottenburg
USt-IdNr. DE460912683
Email: legal@quotexelerator.com