Privacy Policy

Account data: email, name, hashed password, referral code if any, plan code, Stripe customer ID. Stored in our PostgreSQL database on Railway.

API usage: we log every API call (timestamp, endpoint, response status, plan, key prefix) for billing and abuse detection. Raw API keys are never stored — only their SHA-256 hashes.

Dynamic QR scans: when someone scans your dynamic QR, we log the scan IP, user-agent, country (via Cloudflare or Vercel edge headers), city + lat/lon when available, referer, and the A/B variant served. We do not identify the scanner — these are aggregate analytics.

Payment data: we never store card details. Stripe handles payment and we keep only the customer ID and subscription status.

• Provide the Service: render QR codes, redirect dynamic scans, enforce quotas
• Bill paid subscriptions and process upgrades/downgrades
• Send transactional email (invoices, password resets, security alerts) via Resend
• Detect and block abuse (spam, malicious destinations, quota circumvention)
• Aggregate, anonymized analytics on Service usage to improve the product

We do not sell your data. We do not use it to train AI models. We do not run advertising on your scan analytics.

We share data only with these processors, all under DPA:

• Railway (US/EU) — hosting and Postgres
• Vercel (US/global edge) — frontend hosting and edge logs
• Cloudflare (global) — DNS, custom domains for Agency tier, edge IP geo
• Stripe (US/EU) — payment processing
• Resend (US) — transactional email delivery
• Sentry (US/EU) — error monitoring (no scan data, only crash traces)

We may share data if legally required (subpoena, court order). We will notify you unless legally prohibited.

• Account data: kept until you delete your account, then 30 days for backup recovery, then purged
• API call logs: 90 days (free), 12 months (paid)
• Dynamic QR scan logs: 12 months (free), 36 months (paid)
• Stripe records: 7 years for tax compliance

You can request earlier deletion at hello@qrstudio.agency.

Under GDPR, CCPA, and Quebec Law 25, you have the right to:

• Access a copy of your data
• Rectify inaccurate data
• Delete your account and data ("right to be forgotten")
• Export your data in a portable format (JSON)
• Object to processing or restrict it
• Withdraw consent at any time
• Lodge a complaint with your local data protection authority

Email hello@qrstudio.agency and we'll process the request within 30 days. We do not charge for reasonable requests.

We use a single first-party session cookie to keep you logged in to the dashboard. No third-party tracking cookies. No advertising pixels. No FLoC. We may add privacy-respecting analytics (Plausible or PostHog with anonymized IPs) and will update this policy if we do.

Data may be stored or processed in the US, EU, and Canada by our processors. We rely on Standard Contractual Clauses (EU) and the Canada-EU adequacy decision for legal transfers.

Material changes will be announced by email at least 14 days before taking effect. Minor wording fixes update the "Last updated" date above without notice.