Privacy Policy
Last updated: 2026-06-21
This Privacy Policy describes how QuillJet ("we", "us", "our") collects, uses, and protects your personal data when you use our Webflow Marketplace App ("Service").
1. Controller
2. What we collect
| Category | Examples | Lawful basis (GDPR) |
|---|---|---|
| Account data | Email, Webflow user ID | Contract performance |
| Site data | Webflow site IDs, site names | Contract performance |
| End-customer data (forwarded) | Names, email addresses, and order or form fields of your store's customers, contained in Webflow events and delivered to the email tools you connect | Processing on your behalf (you are the controller; see the DPA) |
| Usage data | Feature usage, event and delivery counts | Legitimate interest (analytics, abuse prevention) |
| Billing data | Stripe customer ID, payment method (handled by Stripe) | Contract performance |
| Support data | Email content, attachments you send us | Contract performance |
| Technical data | IP address, browser user-agent, session timestamps | Legitimate interest (security) |
3. How we use it
- To provide the Service (receive Webflow events, deliver them to the email tools you connect, render dashboards)
- To bill you and handle payments (via Stripe)
- To send transactional emails (welcome, billing notices, security alerts)
- To respond to support requests
- To improve the Service (aggregate, anonymized analytics)
- To comply with legal obligations
We do NOT sell your data. We do NOT use your data for advertising. We do NOT use your data to train AI models.
4. Sub-processors
We use the following third parties to operate the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | VPS hosting | EU (Germany or Finland) |
| Cloudflare, Inc. | DNS, email routing, edge cache | Global (data at rest in EU) |
| Resend, Inc. | Transactional email | EU region selected |
| Stripe Payments Europe Ltd. | Payment processing | EU (Ireland) |
| Webflow, Inc. | Source of data we process on your behalf | US (with EU adequacy mechanism) |
| Intuit Mailchimp | Email tool you may connect; receives the events you choose to sync | US (with EU adequacy mechanism) |
| Sendinblue SAS (Brevo) | Email tool you may connect; receives the events you choose to sync | EU (France) |
Email tools you connect (Mailchimp, Brevo, and any added later) receive only the events and fields your sync rules send them, under your own agreement with that provider. A current list with DPAs is available at https://quilljet.com/legal/dpa.
5. Data retention
- Account + site data: retained while your subscription is active. Deleted within 30 days of account deletion.
- Billing data: retained per Dutch tax law (7 years for invoices).
- Support data: retained 2 years for quality and audit purposes.
- Webhook event logs: retained 90 days for debugging and abuse prevention.
6. Your rights (GDPR)
- Access: request a copy of all data we hold about you (one-click export from the panel)
- Rectification: correct inaccurate data
- Erasure: delete your account and all associated data (one-click from Account dialog; processed within 30 days)
- Portability: receive your data in machine-readable JSON
- Objection: object to processing based on legitimate interest
- Restriction: limit how we process your data
- Complaint: file a complaint with your local data protection authority (e.g., Autoriteit Persoonsgegevens in the Netherlands)
To exercise any right, email dpa@quilljet.com. We respond within 30 days.
7. International transfers
Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions. See the DPA for specifics.
8. Security
We use AES-256-GCM encryption for stored OAuth tokens. All connections are HTTPS-only. Access to production systems is restricted to authorized personnel via SSH keys and multi-factor authentication.
Vulnerability reports: security@quilljet.com (RFC 9116 security.txt at https://quilljet.com/.well-known/security.txt)
9. Cookies and tracking
The marketing site (https://quilljet.com) uses Plausible Analytics, a privacy-focused analytics service that does not use cookies and does not track individuals. The app panel uses one essential cookie for session authentication.
10. Children
The Service is not directed at children under 16. We do not knowingly collect data from children.
11. Changes
Material changes to this policy will be communicated via email at least 30 days in advance.
12. Contact
General privacy questions: hello@quilljet.com GDPR data requests + DPA: dpa@quilljet.com