Privacy Policy — QRCode-Generator

QRCode-Generator ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, APIs, and services (collectively, the "Service"). Please read this policy carefully. If you do not agree with the terms of this policy, please do not access or use the Service.

1. Information We Collect

1.1 Information You Provide

Account Information: When you create an account, we collect your name, email address, and password. If you sign up via a third-party provider (e.g., Google, GitHub), we receive your name and email from that provider.
Profile Information: You may optionally provide additional information such as a profile photo, company name, and job title.
Payment Information: When you subscribe to a paid plan, we collect billing information including your payment card details. Payment processing is handled by Paddle (our Merchant of Record), and we do not store your full card number on our servers.
QR Code Content: We store the data you use to create QR codes, including URLs, text, contact information, and other content types you choose to encode.
Communications: When you contact us for support or provide feedback, we collect the content of those communications.

1.2 Information Collected Automatically

Scan Analytics: When someone scans a QR code created through our Service, we collect data about the scan event, including: IP address (anonymized for GDPR compliance), approximate geographic location (country, city), device type, operating system, browser, referrer URL, and timestamp.
Usage Data: We automatically collect information about how you interact with our Service, including pages visited, features used, actions taken, time spent, and error logs.
Device Information: We collect information about the device you use to access the Service, including device type, operating system, browser type and version, screen resolution, and language preferences.
Log Data: Our servers automatically record information including your IP address, access times, browser type, and referring URL.

1.3 Information from Third Parties

We may receive information about you from third-party services if you choose to connect them to your account, such as OAuth providers (Google, GitHub), analytics services, or integration partners.

2. How We Use Your Information

We use the information we collect for the following purposes:

Provide and Maintain the Service: To create and manage your account, generate and track QR codes, process payments, and deliver the features you request.
Analytics and Insights: To provide you with scan analytics, performance metrics, and insights about your QR code campaigns.
Improve the Service: To understand how users interact with our Service, identify issues, and develop new features and improvements.
Communication: To send you transactional notifications (e.g., scan milestones, billing receipts), security alerts, and, with your consent, marketing communications.
Security: To detect, prevent, and address technical issues, fraud, and security threats.
Legal Compliance: To comply with applicable laws, regulations, and legal processes.

3. Data Sharing and Disclosure

We do not sell your personal data. We may share your information only in the following circumstances:

Service Providers: We share data with trusted third-party service providers who assist us in operating the Service, including cloud hosting (Supabase/AWS), payment processing (Paddle), email delivery (Resend), and analytics. These providers are contractually obligated to protect your data and use it only for the purposes we specify.
Team and Organization Members: If you belong to an organization on our platform, certain account information and QR code data may be visible to other members of that organization, as governed by the organization's settings.
Legal Requirements: We may disclose your information if required to do so by law, or in response to valid legal process (e.g., a subpoena or court order).
Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of that transaction. We will notify you of any such change.
With Your Consent: We may share your information in other circumstances with your explicit consent.

4. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and track information about your activity on our Service. Cookies are small data files stored on your device. We use:

Essential Cookies: Required for the Service to function properly, including authentication and session management.
Analytics Cookies: Help us understand how users interact with the Service to improve our offerings.
Preference Cookies: Remember your settings and preferences, such as theme and language.

For more details, please see our Cookie Policy.

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Data: Retained for as long as your account is active. Upon account deletion, we will delete or anonymize your data within 30 days, except as needed for legal compliance.
Scan Analytics: Retained for the duration of your account plus 90 days after account deletion, after which they are permanently deleted.
Payment Records: Retained for 7 years as required by tax and financial regulations.
Server Logs: Automatically purged after 90 days.

6. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

Right of Access: You have the right to request a copy of the personal data we hold about you.
Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data.
Right to Erasure: You have the right to request that we delete your personal data, subject to certain legal exceptions.
Right to Restrict Processing: You have the right to request that we limit the processing of your personal data under certain circumstances.
Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
Right to Object: You have the right to object to the processing of your personal data for direct marketing purposes or on grounds relating to your particular situation.
Right to Withdraw Consent: Where we rely on your consent to process your data, you have the right to withdraw that consent at any time.

To exercise any of these rights, please contact us at privacy@qrcode-generator.com. We will respond to your request within 30 days. Our legal basis for processing your data includes performance of a contract (providing the Service), legitimate interests (improving and securing the Service), and consent (marketing communications).

7. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties with whom we share it.
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
Right to Opt-Out: You have the right to opt out of the sale of your personal information. We do not sell personal information.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your CCPA rights, please contact us at privacy@qrcode-generator.com or use the data export and account deletion features in your Settings page.

8. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 16, please contact us at privacy@qrcode-generator.com.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that are different from the laws of your country. We take appropriate safeguards to ensure that your personal data remains protected in accordance with this Privacy Policy, including Standard Contractual Clauses approved by the European Commission where applicable.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS) and at rest, regular security assessments, access controls, and employee training. However, no method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on this page and, for significant changes, sending you an email notification. We encourage you to review this Privacy Policy periodically.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@qrcode-generator.com
Data Protection Officer: dpo@qrcode-generator.com
Mailing Address: QRCode-Generator, Inc., 123 Innovation Drive, Suite 400, Wilmington, DE 19801, United States

If you are located in the EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.