Privacy policy
Last updated: 29 June 2026. Applies to all use of
QS Takeoff ("the Service") at
qstakeoff.com
during the public beta.
1. Who we are
The data controller is [YOUR NAME OR COMPANY], of [YOUR ADDRESS], contactable at . We're the people who decide how and why your personal data is processed when you use QS Takeoff.
If we ever need to register with the UK Information Commissioner's Office (ICO), our registration number will be listed here. Sole-trader operators usually only need to register if they process personal data for purposes beyond core service delivery.
2. What data we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, display name (optional), hashed password (bcrypt — we never see your password in clear) | You, when you register |
| Project data | The take-off content you save: calibration values, markup geometry, subjects, trade tags, custom column values, project names | You, when you click "Save to cloud" |
| Authentication data | Session identifier (random string), CSRF tokens, password reset tokens | Generated by the Service when you log in or initiate a password reset |
| Technical data | IP address, browser type and version, pages visited, time of visit (server access logs) | Automatically by our hosting provider |
We do not collect:
- Your PDF drawings — they're processed entirely in your browser and never leave your device.
- Analytics data — we don't use Google Analytics or any equivalent.
- Advertising or tracking identifiers.
- Payment data — the beta is free; we don't take card details.
3. Why we use your data and on what legal basis
| Purpose | Legal basis (UK/EU GDPR Article 6) |
|---|---|
| Creating and maintaining your account | Contract (Art. 6(1)(b)) — necessary to provide the service you've signed up to |
| Storing your saved projects against your account | Contract (Art. 6(1)(b)) |
| Sending password-reset emails | Contract (Art. 6(1)(b)) |
| Keeping the service secure (rate limits, CSRF, logging suspicious activity) | Legitimate interests (Art. 6(1)(f)) — our interest in operating a secure service |
| Server access logs for diagnostics | Legitimate interests (Art. 6(1)(f)) |
| Improving the beta based on feedback | Legitimate interests (Art. 6(1)(f)) — only with data you voluntarily share with us |
4. Cookies and similar technologies
QS Takeoff uses only strictly necessary cookies. We do not use tracking cookies, analytics cookies, advertising cookies, or third-party social media cookies. We do not need to display a consent banner because the only cookie we set is essential to the service you've explicitly requested.
| Name | Purpose | When set | Lifetime |
|---|---|---|---|
takeoff_sid |
Maintains your logged-in session and protects login/registration forms against CSRF attacks | Only on authentication pages (login, register, forgot, reset) and any logged-in page | Up to 30 days, or until you log out (whichever is sooner) |
Visiting the public landing page, the user guide, this privacy policy or the terms of service does not set any cookies. This cookie is treated as strictly necessary under regulation 6(4)(b) of the UK Privacy and Electronic Communications Regulations (PECR) and the equivalent provision of the EU ePrivacy Directive, so it is exempt from the consent requirement.
5. Who we share your data with
We share data only with the sub-processors required to run the service:
| Sub-processor | What for | Where |
|---|---|---|
| Our hosting provider | Stores the application files, the MySQL database (account + project data), processes server logs, relays outbound email for password resets | UK / EU data centres |
| jsDelivr (CDN) | Delivers the PDF.js JavaScript library to your browser. They see your IP address and User-Agent for the request, nothing else. They do not set cookies. | Global CDN |
We do not sell or rent your data. We will only disclose it to third parties if required by law (e.g. a valid court order or regulator request).
6. International transfers
Account and project data is stored in our hosting provider's UK or EU data centres. The jsDelivr CDN serves files from the location closest to you. No personal data is transferred to jurisdictions without an adequate level of data protection.
7. How long we keep your data
| Data | Retention |
|---|---|
| Account data | For the life of your account. Deleted when you close your account or after 24 months of inactivity (we'll email you first). |
| Saved projects | Until you delete them, or when your account is closed. |
| Password reset tokens | 1 hour after issue, or immediately on use. |
| Rate-limit records (IP + action) | 24 hours. |
| Server access logs | Held by our hosting provider per their retention policy (typically 30 days). |
8. Your rights
Under the UK GDPR and EU GDPR you have the right to:
- Access a copy of the personal data we hold about you (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — ask us to delete your account and associated data (Art. 17)
- Restriction of processing in certain circumstances (Art. 18)
- Data portability — receive your project data in a structured, machine-readable format (CSV/JSON export inside the app already provides this) (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time, where we rely on consent (we don't, currently)
To exercise any of these rights, email . We aim to respond within 30 days.
You also have the right to complain to a supervisory authority. In the UK that's the Information Commissioner's Office (ICO). In the EU, your national data protection authority.
9. Security
Passwords are stored using bcrypt hashing — we cannot read them, even if we wanted to. Sessions use HttpOnly, SameSite=Lax cookies over HTTPS. State-changing requests are protected by CSRF tokens. Account-creation, login and password-reset endpoints are rate-limited per IP. That said, no service is 100% secure; if you suspect a breach of your account, contact us immediately at .
10. Children
QS Takeoff is a professional tool for quantity surveyors and is not directed at children under 16. We do not knowingly collect data from anyone under that age. If you believe a child has signed up, please contact us so we can remove their account.
11. Changes to this policy
Because we're in beta, we may update this policy as the service evolves. Material changes will be communicated by email to registered users at least 14 days before they take effect. The "last updated" date at the top of this page shows the version you're reading.