Privacy Policy
Last updated: December 29, 2025
This Privacy Policy explains how Live Oak Workshop LLC ("Live Oak Workshop", "we", "us", or "our") collects, uses, and protects information in connection with the NanoQuote application and related services (collectively, the "Service"). This policy complies with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We know terms pages can be intimidating, so we have tried to keep this one plain and reasonable while covering all necessary legal requirements.
Who we are
NanoQuote is built and operated by Live Oak Workshop LLC, a small fabrication shop based in San Antonio, Texas. We use NanoQuote internally to run our own fiber laser quoting and offer it to other shops as a hosted service.
Data Controller
Live Oak Workshop LLC
San Antonio, Texas, USA
Email: support@nanoquote.app
For GDPR matters: privacy@nanoquote.app
Information we collect
We collect and process information in the following categories:
Personal Information (CCPA Categories A, B, F)
- Account information: Name, email address, organization name, profile information, and authentication credentials (managed by our authentication provider WorkOS).
- Contact details: Business email, phone number, and address for billing and communication purposes.
Commercial Information (CCPA Category D)
- Quote and customer data: Customer names, contact information, quote details, pricing, material specifications, and project files (DXF files).
- Transaction records: Subscription status, billing information, and usage metrics for metered billing.
Technical Information (CCPA Category F)
- Usage data: IP address, browser type, device information, pages viewed, features used, and timestamps of actions taken in the application.
- Log data: Error logs, performance metrics, and activity logs for security, debugging, and service improvement.
Cookies and Tracking
We use essential cookies only - authentication session cookies required for the Service to function. We do not use advertising or cross-site tracking cookies.
Privacy-first analytics: We collect anonymous usage analytics to improve the Service. Our analytics are configured in "cookieless" mode - we do not store persistent identifiers on your device, do not track you across sites, and do not record your session. We analyze aggregate patterns (e.g., which features are used, conversion funnels) without identifying individual users. No cookie banner is required because we don't use tracking cookies.
Legal basis for processing (GDPR)
We process your personal data under the following legal bases:
- Contract performance: Processing necessary to provide the Service you've subscribed to, including quote generation, customer management, and account administration.
- Legitimate interests: Security monitoring, fraud prevention, service improvement, and internal analytics, balanced against your privacy rights.
- Legal obligation: Compliance with tax laws, accounting requirements, and data retention regulations.
- Consent: Where explicitly requested (e.g., optional marketing communications), which you can withdraw at any time.
How we use information
We use the information we collect to:
- Provide, maintain, and improve the NanoQuote Service and its features.
- Generate quotes, manage customers, and facilitate your business operations.
- Authenticate users and secure accounts from unauthorized access.
- Process payments and manage subscriptions through our billing provider.
- Respond to your requests, questions, and support tickets.
- Monitor usage patterns to optimize performance and identify areas for improvement.
- Detect, prevent, and respond to security incidents or fraudulent activity.
- Comply with legal obligations and enforce our Terms of Service.
- Communicate essential service updates, security alerts, and billing notifications. Optional marketing communications are sent only with your consent and you can opt out at any time.
How we share information (Data processors)
We do not sell your personal information to third parties. We share data only with trusted service providers (data processors) who help operate NanoQuote:
| Processor | Purpose | Data Location | Safeguards |
|---|---|---|---|
| Convex | Database hosting and backend infrastructure | US (AWS) | DPA, SOC 2, encryption at rest and in transit |
| WorkOS | Authentication and user management | US | DPA, SOC 2, GDPR compliant |
| Polar | Subscription billing and payment processing | EU/US | DPA, PCI DSS compliant |
| Resend | Transactional email delivery | US | DPA, GDPR compliant |
| PostHog | Privacy-first product analytics (cookieless mode, no session recording) | US | DPA, SOC 2, GDPR compliant, no personal identifiers stored |
All processors are contractually bound through Data Processing Agreements (DPAs) to protect your data and use it only for the specific purposes we authorize. International transfers are protected through Standard Contractual Clauses (SCCs) approved by the European Commission.
We may also disclose information in limited situations:
- Legal requirements: To comply with applicable laws, regulations, legal processes, or governmental requests (e.g., court orders, subpoenas).
- Rights protection: To protect the rights, property, or safety of Live Oak Workshop, our users, or the public, including fraud prevention and security incidents.
- Business transfers: If we undergo a merger, acquisition, bankruptcy, or sale of assets, your data may be transferred as part of that transaction, subject to the protections in this Policy and applicable law.
Data retention
We retain different types of data for specific periods based on business and legal requirements:
| Data Type | Retention Period | Reason |
|---|---|---|
| Active account data | Duration of subscription | Service provision |
| Draft, sent, or rejected quotes | Configurable by organization (default: 3 years from status change) | Organization compliance requirements |
| Accepted/completed quotes | Configurable by organization (default: 7 years from acceptance) | Organization tax and accounting requirements |
| Activity logs and audit trails | 2 years | Security, fraud prevention, support |
| Data export files | 30 days after generation | Download availability |
| Cancelled subscriptions | 90 days after cancellation | Reactivation period, dispute resolution |
| Inactive free accounts | 12 months of no login activity | Resource management; warnings sent at 6 months, 9 months, 14 days, 7 days, and 1 day before deletion |
| Deletion requests | 14-day grace period | Allow cancellation of accidental deletions |
Organization-Controlled Retention
Your organization controls quote retention policies. Organization administrators can configure how long quotes are retained before automatic deletion in Settings → Organization Config → Data Retention Policies. These settings help you meet your specific compliance requirements (tax laws, accounting standards, etc.).
- Default retention: 3 years for draft/sent/rejected quotes, 7 years for accepted quotes
- Configurable range: 1 day to 10 years per quote type
- Automated enforcement: Quotes are automatically deleted after their retention period expires
- Important: When you delete your organization, ALL quotes are deleted immediately, regardless of retention settings
After retention periods expire, we permanently delete or anonymize data. Aggregated, anonymized statistics (e.g., dashboard metrics) may be retained indefinitely as they cannot identify individuals. Some data may be retained longer where required by law (e.g., tax records) or to defend legal claims.
Security
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256).
- Authentication: Industry-standard authentication via WorkOS with support for SSO, MFA, and secure session management.
- Access controls: Role-based access control (RBAC) following the least-privilege principle, with multi-tenant data isolation.
- Infrastructure: SOC 2 compliant hosting providers with regular security audits and compliance certifications.
- Monitoring: Continuous security monitoring, activity logging, and automated anomaly detection.
- Incident response: Documented procedures for detecting, responding to, and recovering from security incidents.
While we implement strong security measures, no system is completely secure. We encourage you to use strong passwords, enable multi-factor authentication where available, and report any security concerns promptly.
Data breach notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms:
- Authority notification (GDPR): We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
- User notification: If the breach is likely to result in a high risk to your rights, we will notify you without undue delay via email to your registered address.
- Transparency: Our notification will describe the nature of the breach, the likely consequences, and the measures we've taken or propose to take to mitigate it.
- Remediation: We will take immediate steps to contain the breach, assess the damage, and prevent future incidents.
To report a suspected security issue: security@nanoquote.app
Your privacy rights
Depending on your location, you have specific rights regarding your personal information. We respect these rights and provide tools to exercise them.
GDPR Rights (EU/EEA/UK Residents)
- Right of access (Article 15): Request a copy of the personal data we hold about you. Use our data export feature in your account settings.
- Right to rectification (Article 16): Correct inaccurate or incomplete personal information. Update directly in your account or contact support.
- Right to erasure (Article 17): Request deletion of your personal data ("right to be forgotten"). Use the account deletion feature with a 14-day grace period.
- Right to restriction (Article 18): Request that we limit processing of your data in certain circumstances.
- Right to data portability (Article 20): Receive your data in a structured, machine-readable format (JSON). Use our data export feature.
- Right to object (Article 21): Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent (Article 7): Withdraw consent for optional processing at any time.
- Right to lodge a complaint (Article 77): File a complaint with your local data protection authority if you believe we've violated GDPR.
CCPA Rights (California Residents)
- Right to know: Request details about the categories and specific pieces of personal information we've collected, used, disclosed, or sold in the past 12 months.
- Right to deletion: Request deletion of your personal information, subject to certain exceptions (legal obligations, fraud prevention, internal uses).
- Right to opt-out of sale: We do not sell personal information, so there is nothing to opt out of.
- Right to non-discrimination: You will not receive discriminatory treatment for exercising your CCPA rights.
How to exercise your rights
- Data export: Log in to your account → Settings → Privacy & Data → Request Export
- Account deletion: Log in to your account → Settings → Privacy & Data → Request Account Deletion (14-day grace period)
- Other requests: Email privacy@nanoquote.app
We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA). We may request additional information to verify your identity before processing requests.
International data transfers
NanoQuote is hosted primarily in the United States. If you're accessing the Service from the EU/EEA, UK, or other regions with data protection laws, your personal information may be transferred to and processed in the United States.
We protect international transfers through:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs with all processors handling EU personal data.
- Adequacy decisions: Relying on adequacy decisions where available.
- Additional safeguards: Technical measures (encryption, access controls) and organizational measures (data minimization, retention limits) that supplement SCCs.
Children's privacy
NanoQuote is a business-to-business (B2B) service designed for commercial fabrication shops. The Service is not directed at children under 16 (under 13 in the US), and we do not knowingly collect personal information from children.
If you believe a child has provided us with personal information, please contact us at privacy@nanoquote.app and we will take appropriate steps to delete it promptly.
Changes to this policy
We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or other factors. Material changes will be communicated as follows:
- The "Last updated" date at the top of this policy will be revised.
- For significant changes, we'll notify you via email or a prominent notice in the application at least 30 days before the changes take effect.
- For minor administrative changes, we'll update the policy and the effective date without additional notice.
Your continued use of NanoQuote after changes take effect constitutes acceptance of the updated Policy. If you don't agree with changes, you may exercise your right to deletion before they take effect.
Contact us & complaints
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:
General inquiries and support:
Email: support@nanoquote.app
Privacy and data protection matters:
Email: privacy@nanoquote.app
Security issues:
Email: security@nanoquote.app
Data Controller:
Live Oak Workshop LLC
San Antonio, Texas, USA
Filing a complaint (GDPR)
If you're not satisfied with our response to a privacy concern, you have the right to lodge a complaint with a supervisory authority in your jurisdiction:
- EU residents: Find your data protection authority
- UK residents: Information Commissioner's Office (ICO)
Document Information
Privacy Policy version 2.1
Last updated: December 29, 2025
Effective date: December 29, 2025
This policy complies with GDPR (EU Regulation 2016/679) and CCPA (California Civil Code §§ 1798.100–1798.199).