Oldman Quotes
Legal

Privacy Policy

Last updated: June 12, 2026 · Effective immediately

📋 The short version

  • We collect what's needed to run the Service — your email, what you upload, what you generate, and basic usage metadata.
  • We do not sell your data. Ever.
  • Uploaded documents are sent to OpenAI and Anthropic for AI analysis. Neither provider trains its models on API inputs.
  • We keep your quotes and documents for as long as your account is active. Download anything you want to keep for your own records.
  • You can request a copy, correction, or deletion of your personal data at oldmanaisolutions@gmail.com.

The full policy below controls in case of any discrepancy with this summary.

1. Who we are

This Privacy Policy describes how Oldman AI Solutions ("we," "us," the "Company"), operating the service known as Oldman Quotes (the "Service"), collects, uses, discloses, and protects personal information you provide in connection with the Service. It applies to the web application at https://quotes.oldmanaisolutions.com, any successor domain, and any related mobile or API access.

The Company is based in Alberta, Canada and is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Alberta Personal Information Protection Act (PIPA).

2. What this policy covers

This policy covers personal information processed by the Service. It does not cover:

  • data you choose to input about third parties(your customers, subcontractors, suppliers) — you are the "controller" of that data and are responsible for having an appropriate legal basis to share it with us as a processor;
  • third-party websites the Service may link to, which have their own privacy practices;
  • information collected offline or through any other means.

3. Information we collect

3.1 Information you provide directly

  • Account information: email address, chosen password hash (if using email-password auth), display name, company name, subscription tier.
  • Authentication data: when you sign in with a third-party provider (e.g. Google), we receive your email, name, profile image URL, and a unique provider identifier. We do not receive or store your provider password.
  • Payment information: we do not receive or store full credit-card numbers. Stripe (our payment processor) handles card data directly. We store Stripe-issued customer and subscription identifiers, the last four digits of your card, and billing metadata.
  • Project inputs: text descriptions you type, documents you upload (PDFs, images, spreadsheets, etc.), quote-template data, company pricing sheets, and any scope or assumption notes you add.
  • Generated outputs: quotes, takeoffs, PDF documents, Excel workbooks, and associated metadata produced during your use of the Service.
  • Support correspondence: emails, chat messages, and other communications you send us.

3.2 Information collected automatically

  • Usage data: pages visited, features used, quotes generated, AI-quote allowance consumed, approximate timestamps.
  • Device and connection data: IP address, browser type and version, operating system, screen resolution, language preference, referring URL.
  • Cookies and local storage: authentication session tokens, theme preference, feature-flag state. We do not use third-party advertising cookies.
  • Error and diagnostic data: stack traces, request identifiers, and runtime metrics captured to diagnose malfunctions and improve reliability.

3.3 Information we do not collect

  • Social-security numbers, SIN / SSN, or national identity numbers.
  • Government-issued ID documents.
  • Biometric data, health information, precise GPS location, or content from your device camera, microphone, or contacts.
  • Browsing behavior outside of the Service.

4. How we use your information

We process personal information for the following purposes:

  • Service delivery: authenticating you, generating AI-powered estimates, storing your quotes and documents, processing payments, sending transactional email (magic links, quote-completion notifications, quote-accepted receipts).
  • Service improvement: analyzing aggregated usage patterns to decide which features to prioritize, diagnosing bugs, measuring performance. We do not read individual quote content for product-improvement purposes.
  • Security & fraud prevention: detecting unauthorized access, rate-limiting abuse, investigating security incidents.
  • Legal compliance: responding to lawful requests from governmental authorities, complying with tax and corporate record-keeping obligations, enforcing our Terms.
  • Communication: notifying you of Service changes, policy updates, and — only with your consent, and never as a primary purpose — occasional product update emails. You may unsubscribe at any time.

Legal bases (for users in PIPEDA / GDPR jurisdictions): we rely on (a) performance of a contract with you, (b) our legitimate interests in operating and securing the Service, (c) your consent (for optional communications), and (d) compliance with legal obligations.

5. AI processing & third-party model providers

This is the most important paragraph in this policy. The Service's core functionality requires sending your inputs to third-party AI model providers for analysis:

  • OpenAI, L.L.C.— we send text extracted from uploaded documents, text descriptions you provide, and related project metadata to OpenAI's API for analysis. OpenAI returns structured takeoff data, generated scope language, and pricing inferences. Per OpenAI's API data-usage policy (in effect since March 2023), data submitted via the API is not used to train OpenAI's models. OpenAI retains API data for up to thirty (30) days for abuse monitoring, then deletes it. See OpenAI's Privacy Policy.
  • Anthropic, PBC— we send the same categories of input (text extracted from uploaded documents, your text descriptions, and related project metadata) to Anthropic's Claude API for analysis, which returns structured takeoff data, generated scope language, and document-extraction results. Under Anthropic's commercial API terms, inputs and outputs are not used to train Anthropic's models, and the data is processed in the United States. See Anthropic's Privacy Policy.

We select AI providers that publish clear data-handling policies and offer appropriate processor agreements. We do not authorize any AI provider to use your inputs for training general-purpose models.

Do not submit sensitive data. Because your inputs transit external AI systems, you must not upload or type information subject to special protections (health information, identifying data of third parties collected without consent, confidential legal records, classified information, etc.) into the Service.

6. Other sub-processors & service providers

We rely on the following additional third-party providers. Each is contractually bound to protect your data and use it only for the purposes we direct:

  • Supabase, Inc. — authentication, database hosting, and file storage, hosted in a Canadian region where available. Data is stored in encrypted Postgres databases with row-level-security policies.
  • Vercel, Inc. — application hosting and edge serving. Handles HTTP requests and rendered pages.
  • Stripe, Inc. — payment processing and subscription management. PCI-DSS Level 1 certified. We receive subscription and customer identifiers; Stripe receives your card data directly.
  • Resend, Inc. — transactional email delivery (magic-link sign-in, quote notifications, account receipts).

This list may change as we add or replace providers. Material changes will be reflected in an updated version of this Policy.

7. Disclosure of personal information

We do not sell, rent, or trade your personal information. We disclose it only in these circumstances:

  • To sub-processors named in sections 5 and 6, as necessary to operate the Service;
  • With your consent, where you explicitly direct us to (e.g. generating a client-facing share link containing your quote);
  • For legal reasons — to comply with a lawful subpoena, court order, or government request; to enforce our Terms; to protect our rights, property, or safety or that of our users or the public; to investigate fraud or security incidents;
  • In a corporate transaction — if we are acquired, merged, or sell substantially all of our assets, personal information may be transferred as part of that transaction. We will notify you and, where required by law, seek your consent.

8. International data transfers

The Service is operated from Canada. Our database provider (Supabase) stores data in a Canadian region where available; our hosting provider (Vercel) processes data primarily in the United States. Our AI providers (OpenAI and Anthropic) and our payment processor (Stripe) are US-based. By using the Service, you understand and consent to your information being processed in the United States and other jurisdictions.

For users in the European Economic Area, the United Kingdom, or Switzerland, transfers of personal data outside those regions rely on standard contractual clauses approved by the European Commission or equivalent mechanisms our sub-processors have implemented.

9. Security

We implement reasonable technical and organizational measures to protect personal information, including:

  • TLS encryption for data in transit;
  • Encryption at rest for database storage and file storage;
  • Row-level security policies limiting each user's access to only their own records;
  • Principle of least privilege for internal service credentials;
  • Hashed authentication secrets (passwords are never stored in plaintext; service tokens are rotated periodically);
  • Regular review of sub-processor security posture.

No system is perfectly secure. You are responsible for keeping your own credentials confidential. If you suspect unauthorized account access, notify us at oldmanaisolutions@gmail.com immediately. We will notify affected users of a confirmed data breach within the timelines required by applicable law.

10. Retention

Our retention periods align with the Service's data-lifecycle commitments in our Terms:

  • Quotes, generated documents, and uploaded source documents: retained for as long as your account remains active. We recommend downloading copies of anything you want to keep for your own records.
  • Account records (email, subscription metadata): retained for the life of the account plus approximately seven (7) years for tax and regulatory compliance, then deleted or anonymized.
  • Payment records: retained as required by applicable financial regulations (generally about 7 years).
  • Error logs and diagnostic data: retained for up to ninety (90) days.
  • Audit / security logs: retained for up to one (1) year.

You can request early deletion of your account and associated data — see section 11.

11. Your rights

11.1 Universal rights (available to all users)

  • Access: request a copy of the personal information we hold about you.
  • Correction: request correction of inaccurate information.
  • Deletion: request deletion of your account and associated personal data. (Retention of payment and audit records required by law will continue for the applicable statutory period.)
  • Withdraw consent: withdraw consent for optional processing (e.g. product update emails). Withdrawing consent to essential processing will require closing your account.
  • Export: receive a copy of your data in a structured, commonly-used format.

To exercise any of these rights, email oldmanaisolutions@gmail.com from the address associated with your account. We will respond within thirty (30) days or the period required by applicable law, whichever is shorter.

11.2 Additional rights for EU / UK / Swiss residents (GDPR)

If you are located in the EEA, the UK, or Switzerland, you have additional rights to: (a) restrict processing, (b) object to processing based on legitimate interests, (c) not be subject to solely automated decision-making that produces legal or similarly significant effects (note: AI-generated quotes are advisory; they are not binding legal decisions), (d) lodge a complaint with your local supervisory authority.

11.3 Additional rights for California residents (CCPA / CPRA)

If you are a California resident, you have the right to know what categories of personal information we collect, the purposes for which we use it, and to whom we disclose it (see sections 3–7 above). You have the right to request deletion (section 11.1) and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information within the meaning of California law, so no opt-out is required. You have the right to non-discrimination for exercising your CCPA rights.

12. Cookies and tracking technologies

We use a small set of strictly necessary cookies and local-storage entries:

  • Authentication cookies — required to keep you signed in.
  • Theme preference (light / dark / system).
  • Feature-flag state (which experimental features you have seen).

We do not use third-party advertising cookies. We do not use cross-site behavioural tracking. Disabling strictly-necessary cookies will prevent the Service from functioning.

13. Children's privacy

The Service is intended for professional contractors and is not directed to anyone under the age of eighteen (18). We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, contact us and we will delete it promptly.

14. Do Not Track signals

Browsers may send a Do Not Track (DNT) signal. Because there is no industry consensus on how to interpret DNT, we currently do not respond to DNT signals. We do not engage in cross-site behavioural tracking regardless of DNT.

15. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date at the top of this page and, where practicable, by in-app or email notice. Continued use of the Service after an update takes effect constitutes acceptance of the revised Policy.

16. How to contact us

If you have any questions, concerns, or complaints about this Privacy Policy or our handling of your personal information, please contact:

Oldman AI Solutions
Attn: Privacy Officer
Alberta, Canada
Email: oldmanaisolutions@gmail.com

If you are a Canadian resident and we have not resolved your concern to your satisfaction, you have the right to contact the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, if you reside in Alberta, the Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca).

By using Oldman Quotes you acknowledge that you have read and understood this Privacy Policy. This Policy is incorporated by reference into our Terms of Service.