1. Who we are
PartQuote (Dutch Chamber of Commerce [PENDING_KVK], VAT [PENDING_VAT]) brokers between customers with CNC manufacturing needs and CNC suppliers. PartQuote is the data controller (GDPR art. 4(7)) for the processing described here. For privacy questions and GDPR requests reach us at privacy@partquote.eu; we respond within 30 days.
2. What data we process
On signup: name, email address, company details (Chamber of Commerce number, VAT id, billing and shipping address) and optionally a phone number that we use solely to contact you about your order. Authentication is handled by Clerk; we receive only the email and user id from Clerk.
On quote request: the STEP file you upload, machining specifications (material, quantity, tolerance, surface finish, lead time) and your notes.
During order processing: status updates, shipping address and correspondence via the in-platform chat.
For invoicing and payment: payment details (IBAN for SEPA bank transfers; card payments are handled by our payment processor Stripe) and invoice history. Stripe processes card and fraud data partly as an independent controller.
For platform operation and security: IP addresses and login timestamps, request and error logs, and an audit log of administrative actions and file downloads.
3. Purpose and lawful basis
We process your data to (a) manage your account, (b) compute a price via our parser, (c) match your quote request to a suitable supplier, (d) coordinate production and delivery, (e) issue invoices, (f) secure the platform and prevent abuse and (g) comply with legal obligations.
Lawful bases (GDPR art. 6): performance of the contract (point (b)) for account, quoting, orders and communication; legal obligation (point (c)) for accounting (7 years) and sanctions/export-control screening; legitimate interest (point (f)) for security, fraud prevention and audit logging — the balancing test is available on request; and consent (point (a)) for an optional newsletter, withdrawable at any time.
4. Sharing with suppliers
After you accept the quote and payment is confirmed, we publish the job in our secured supplier environment. Vetted, activated suppliers — all bound to confidentiality (NDA) and a data-processing annex (GDPR art. 28) before activation — can view the STEP file and specification there to decide whether to apply. File names are shown anonymised and every download is recorded in an audit log.
The order is then assigned to one supplier; only that supplier receives the shipping address where needed. We never share your identity (name, contact details, company details) with suppliers in any phase.
5. Subprocessors (technical service providers)
We use the following subprocessors, each under a data-processing agreement (GDPR art. 28): Clerk, Inc. (US) — authentication; Supabase Pte. Ltd — database and file storage, with data stored in the EU (AWS eu-west-1, Ireland); Vercel Inc. (US) — web hosting; Stripe Payments Europe, Ltd (Ireland) — payment processing; Plus Five Five, Inc. / Resend (US) — transactional email; Functional Software, Inc. dba Sentry (EU region Frankfurt) — error monitoring, with personal data scrubbed from error reports before transmission; and an internally managed parser server (EU) for price computation.
We do not sell personal data and share nothing with advertising networks. The current subprocessor list is available via privacy@partquote.eu.
6. Transfers outside the EEA
Some subprocessors are established outside the European Economic Area (US, Singapore). For those transfers we rely on the safeguards of GDPR Chapter V: the EU-US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses (SCCs), supported per provider by a Transfer Impact Assessment. Where possible we select EU regions (Supabase eu-west-1, Sentry Frankfurt).
A copy of the applicable safeguards is available on request via privacy@partquote.eu.
7. Retention
Account data: while your account is active, plus 30 days after deletion (anonymised thereafter).
Quote requests and STEP files: 12 months after creation (so you can re-request a previous quote). Earlier deletion on request.
RFQ/order metadata, chat messages and support correspondence: 24 months.
Invoices, orders, accounting records: 7 years (legal retention). Acceptance snapshots (which version of the terms you accepted): 7 years.
Audit logs (admin actions, downloads): 24 months. Login, session and error logs: 90 days.
8. Your GDPR rights
You have the right to access, rectify, erase, restrict processing, port your data and object. Where processing is based on consent, you can withdraw it at any time. Email privacy@partquote.eu; we respond within 30 days (extendable with reasons for complex requests).
Via your account page you can export your data and delete your account; both are also available on request by email. Exercising your GDPR rights is free of charge.
You may also file a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl) or your national equivalent.
9. Automated pricing (parser)
Our parser automatically computes a price and manufacturability indication from your STEP file. It is a rule-based system without profiling. The outcome is a quote that you always accept manually yourself — so there is no automated decision-making with legal effect within the meaning of GDPR art. 22. If in doubt, you can request a manual review by a PartQuote engineer.
10. Security
Files are stored encrypted (TLS in transit, AES-256 at rest) in Supabase Storage with access gated by short-lived signed URLs (max 5 minutes). The parser runs on a private server. Authentication uses Clerk. Access is role-based — customers see only their own data, suppliers only jobs they are eligible for — and administrative actions and downloads are logged. Suspect a data breach or security issue? Report it immediately via security@partquote.eu.
11. Cookies
We use only functional cookies (Clerk session, language preference, cookie consent). No tracking or advertising cookies. As these are strictly functional, no separate cookie statement is required — this section describes every cookie we set.
12. Changes and contact
We may update this policy, for example due to changed legislation or new functionality. Material changes are announced at least 30 days in advance by email or in-app notification.
Contact: privacy@partquote.eu (privacy and GDPR requests) · security@partquote.eu (data breach reports) · support@partquote.eu (general questions).