Privacy Policy

qr.vu (“qr.vu”, “we”, “us”, or “our service”) provides QR code generation, customization, dynamic redirect hosting, and scan analytics. This Privacy Policy explains what personal data we collect from you and from people who scan your QR codes, and what we do with it.

When you create or use a qr.vu account we collect:

• Account profile: your email address, full name (optional), hashed password, profile photo URL (optional).
• Authentication metadata: last login timestamp, login PIN configuration, trusted-device tokens, refresh tokens.
• Billing data: subscription tier, credit balance, transaction history, and the last 4 digits of the card or the wallet identifier returned by Stripe. We do not store full card numbers.
• Communications: support tickets, in-product feedback, and email notifications we have sent you.
• Operational metadata: IP address of recent sessions, browser/OS reported by your client, and API keys you have provisioned.

When someone scans a dynamic QR code that you own, we collect anonymized scan data so we can show you analytics:

• Timestamp of the scan.
• Approximate geographic region derived from the visitor’s IP address (country / region / city). We do not store the raw IP in scan logs by default.
• Browser family, operating system, and device type derived from the User-Agent header.
• The QR code’s short code and the destination URL the visitor was redirected to at that moment.

We do not store cookies on the scanner’s device. We do not build cross-site profiles of scanners. We do not sell scan data to anyone.

We collect the data above to operate the service you asked for (contractual necessity), to keep it secure and prevent abuse (legitimate interest), and to comply with tax, accounting, and law-enforcement obligations (legal obligation).

We use your data to:

• create and authenticate your account;
• generate, customize, and host QR codes you have asked for;
• process payments, manage credit balances, and issue refunds;
• show you scan analytics for the QR codes you own;
• detect fraud, account takeover, and abusive behavior (the “TrustGuard” and moderation systems);
• send you transactional emails (verification, payment receipts, security alerts) and, with your consent, marketing emails you can unsubscribe from at any time;
• improve the product through aggregate, anonymized usage analytics.

We share data only with the following categories of recipients, and only as much as needed to deliver the service:

• Stripe — to process payments and issue refunds.
• Email and SMS providers — to deliver verification, transactional, and (with consent) marketing messages.
• Cloud and storage providers — to host the application, the database, and uploaded files.
• IP geolocation databases — to translate IP addresses into approximate location for analytics.
• Law enforcement or other government authorities — only when legally compelled and only the minimum data required.

We do not sell personal data to advertisers or data brokers.

Our infrastructure may be located in different regions. When we move data across regions we rely on standard contractual clauses or equivalent safeguards required by applicable data-protection law.

Retention by data type:

• Account and billing data: kept while your account is active, and for up to 7 years after closure to comply with tax / accounting obligations.
• QR codes and analytics: kept while your account is active. When you delete a QR code its analytics are deleted within 30 days.
• Scan logs that include the raw IP address: kept for at most 30 days for fraud detection, then aggregated and anonymized.
• Action and security logs: kept for up to 12 months.
• Support tickets: kept for 24 months after the last interaction.

Depending on where you live, you may have the right to access, correct, delete, or export your personal data, and to object to or restrict certain processing. To exercise these rights, log into your account and use the Profile / Settings page, or contact us via the in-dashboard Support inbox. We will respond within the time frame required by your local law (typically 30 days).

You can also: download a copy of your data, close your account permanently (which deletes your QR codes and analytics on the schedule above), and disable marketing emails from the Notification Settings page.

We hash passwords with bcrypt, encrypt traffic in transit with TLS, encrypt secrets at rest, rotate API keys you can manage from the dashboard, and rate-limit login attempts. We log security events and alert ourselves to suspicious activity through the TrustGuard system. No system is ever 100% secure; if a breach affects you, we will notify you in line with applicable law.

qr.vu is not directed at children under 13. We do not knowingly collect personal data from anyone under 13.

We may update this policy when our product or our legal obligations change. When we do, we will update the “Last updated” date below and notify registered users by email if the changes are material.

Questions about this policy or about your data? Contact us via the in-dashboard Support inbox. If you live in the EU/UK/EEA you can also contact your local data-protection authority.