Privacy Policy

Account data: email, name, hashed password, referral code if any, plan code, Stripe customer ID. Stored in our PostgreSQL database on Railway.

API usage: we log every API call (timestamp, endpoint, response status, plan, key prefix) for billing and abuse detection. Raw API keys are never stored - only their SHA-256 hashes.

Dynamic QR scans: when someone scans your dynamic QR, we log the timestamp, user-agent class (mobile/desktop/bot), country (via Cloudflare or Vercel edge headers), and the referer. We do not identify the scanner - these are aggregate analytics.

Payment data: we never store card details. Stripe handles payment and we keep only the customer ID and subscription status.

• Provide the Service: render QR codes, redirect dynamic scans, enforce quotas
• Bill paid subscriptions and process upgrades/downgrades
• Send transactional email (invoices, password resets, security alerts)
• Detect and block abuse (spam, malicious destinations, quota circumvention)
• Aggregate, anonymized analytics on Service usage to improve the product

We do not sell your data. We do not use it to train AI models. We do not run advertising on your scan analytics.

We share data only with these processors, all under DPA:

• Railway (US/EU) - hosting and Postgres
• Vercel (US/global edge) - frontend hosting and edge logs
• Cloudflare (global) - DNS and edge IP geolocation
• Stripe (US/EU) - payment processing

We may add additional processors in the future (transactional email delivery, error monitoring, privacy-respecting analytics). When we do, we'll update this list and notify users by email at least 14 days before the change takes effect.

We may share data if legally required (subpoena, court order). We will notify you unless legally prohibited.

• Account data: kept until you delete your account, then 30 days for backup recovery, then purged
• API call logs: 90 days (free), 12 months (paid)
• Dynamic QR scan logs: 12 months (free), 36 months (paid)
• Stripe records: 7 years for tax compliance

You can request earlier deletion at privacy@qrstudio.agency.

Under GDPR, CCPA, and Quebec Law 25, you have the right to:

• Access a copy of your data
• Rectify inaccurate data
• Delete your account and data ("right to be forgotten"). Self-service from /app/account (Danger zone → Delete my account). Your data is deactivated immediately and permanently purged after a 30-day grace window.
• Export your data in a portable format (JSON)
• Object to processing or restrict it
• Withdraw consent at any time
• Lodge a complaint with your local data protection authority

For requests other than self-service deletion, email privacy@qrstudio.agency and we'll process the request within 30 days. We do not charge for reasonable requests.

We use a single first-party session cookie to keep you logged in to the dashboard. No third-party tracking cookies. No advertising pixels. No FLoC. We may add privacy-respecting analytics (Plausible or PostHog with anonymized IPs) and will update this policy if we do.

Data may be stored or processed in the US, EU, and Canada by our processors. We rely on Standard Contractual Clauses (EU) and the Canada-EU adequacy decision for legal transfers.

Material changes will be announced by email at least 14 days before taking effect. Minor wording fixes update the "Last updated" date above without notice.