Privacy Policy

Effective date: June 9, 2026

This Privacy Policy describes how qr-manager.ai ("we," "our," or "us") collects, uses, and protects information when you use the qr-manager.ai platform and related services (collectively, the "Service"). By using the Service, you agree to the practices described in this policy.

1. Information We Collect

We collect information in the following categories:

  • Account information. When you create an account, we collect your email address and a hashed representation of your password. If you sign in via Google OAuth, we receive your email address and display name from Google.
  • QR code and configuration data. We store the QR codes you create, including their destination URLs, custom slugs, titles, UTM parameters, color settings, expiry dates, and any retargeting pixel identifiers you configure.
  • Scan event data. Each time one of your QR codes is scanned, we record a scan event that includes an approximate timestamp, country, city (Pro/Enterprise tier), device type, operating system, browser family, and referrer header. We do not store the full IP address of scanners beyond what is necessary for rate limiting; IP addresses are not associated with individual scan records.
  • Conversion event data (when configured by a QR code owner). Paid-tier QR code owners may connect conversion tracking accounts from Meta, Google, or TikTok to their QR codes. When configured, qr-manager.ai's servers send a conversion event directly to the advertising platform's server-side API — no scripts are loaded on the scanner's device and no cookies are set. The data transmitted includes the scanner's IP address, user-agent, the redirect page URL, and a timestamp. See Section 3 for full details.
  • Usage data. We collect standard server logs, including request paths, HTTP status codes, and response times, for the purpose of debugging and service improvement. Logs are retained for 30 days.
  • Abuse report data. If you submit an abuse report through our Security page, we collect the information you provide (short link, abuse type, description, and optional contact email) solely to investigate and act on the report.

2. How We Use Information and Lawful Basis

We use the information we collect for the following purposes. Where the General Data Protection Regulation (GDPR) applies, we identify the lawful basis for each:

  • Authentication and account management — to create and maintain your account and authenticate your sessions. Lawful basis: performance of contract.
  • QR code generation and serving — to generate, store, and serve your QR codes and short links. Lawful basis: performance of contract.
  • Scan analytics — to provide analytics to you: scan counts, device breakdowns, geographic distribution, and trend data, visible only to you on your dashboard. Lawful basis: legitimate interests (providing analytics is a core service feature; scanner data is limited in scope and not shared beyond the QR code owner).
  • Transactional emails — to send email verification links, password resets, scan milestone alerts, and team invitations you have requested. Lawful basis: performance of contract; legitimate interests for milestone alerts.
  • Fraud and abuse prevention — to detect and prevent malicious or abusive use of the Service and investigate abuse reports. Lawful basis: legitimate interests.
  • Service improvement — to improve the Service through aggregated, anonymized analysis of usage patterns. Lawful basis: legitimate interests.

3. Server-Side Conversion Tracking

Paid-tier QR code owners may connect conversion tracking accounts from Meta (Facebook), Google, or TikTok to their QR codes through the dashboard. When conversion tracking is configured and a scanner scans the QR code, qr-manager.ai's servers send a conversion event directly to the advertising platform via its server-side API — no scripts are loaded in the scanner's browser and no advertising cookies are set on the scanner's device.

The data transmitted to each platform is limited to what our servers observe from the scan request:

  • Meta Conversions API — IP address, user-agent, redirect page URL, and event timestamp.
  • Google Measurement Protocol — redirect page URL, event timestamp, and a daily pseudo-identifier derived from a one-way hash of the IP address (the IP itself is not sent; the hash resets every calendar day and is never persisted).
  • TikTok Events API — IP address, user-agent, redirect page URL, and event timestamp.

Controller / processor roles. When conversion tracking is active, qr-manager.ai acts as a technical processor transmitting data on behalf of the QR code owner. The QR code owner is the data controller responsible for ensuring they have a lawful basis for this tracking under applicable data protection law. Each platform (Meta, Google, TikTok) processes the data it receives under its own privacy policy and terms of service.

Your choices as a scanner. Because conversion events are sent server-to-server, browser privacy extensions and cookie blockers do not prevent this transmission. To opt out of advertising targeting based on this data, use the opt-out controls provided by each advertising platform (Meta Ad Preferences, Google Ad Settings, TikTok Ad Settings).

Questions about a specific QR code. If you have questions about conversion tracking associated with a particular QR code, contact the QR code owner (the entity or person whose campaign the code belongs to). For general questions about how qr-manager.ai handles this processing, email legal@qr-manager.ai.

4. Data Sharing and International Transfers

We do not sell your personal data. We do not share your personal data with advertising networks or data brokers for our own marketing purposes. We share data only in the following circumstances:

  • Service providers. We engage third-party vendors to operate our infrastructure (hosting, database, email delivery, and bot-protection). Each vendor processes data only as necessary to provide their service to us and is bound by a data processing agreement consistent with applicable privacy law.
  • Advertising platforms (on behalf of QR code owners). When a QR code owner has configured conversion tracking, qr-manager.ai's servers transmit scan event data to Meta Platforms, Inc., Google LLC, and/or ByteDance Ltd. (TikTok) via their server-side APIs, as described in Section 3. This transmission is initiated by the QR code owner's configuration, not by qr-manager.ai for our own purposes.
  • Legal obligations. We may disclose information to comply with applicable law, legal process, or a valid governmental request, or to protect the rights, property, or safety of qr-manager.ai, our users, or the public.
  • Business transfers. If qr-manager.ai is acquired or merges with another entity, your data may be transferred as part of that transaction. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

International data transfers. qr-manager.ai is operated from the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data is transferred to and processed in the United States. We rely on the following safeguards for such transfers:

  • For transfers to Meta Platforms, Inc. and Google LLC: these companies are certified under the EU-US Data Privacy Framework (DPF), the UK Extension to the DPF, and the Swiss-US DPF, which provide an adequacy-equivalent transfer mechanism.
  • For transfers to TikTok / ByteDance Ltd. and other US-based service providers not covered by DPF: we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

5. Data Retention

  • Account data is retained for as long as your account is active. When you delete your account, we delete or anonymize your personal data within 30 days, except where retention is required by law.
  • Scan events associated with your QR codes are retained for 24 months from the date of the scan. Scan events for deleted QR codes are deleted within 30 days of deletion.
  • Server logs are retained for 30 days and then automatically deleted.
  • Abuse reports are retained for up to 3 years to support ongoing investigations and legal proceedings.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate personal data.
  • Delete your personal data (subject to legal retention requirements).
  • Export your data in a machine-readable format (data portability).
  • Object to or restrict certain processing of your data.
  • Lodge a complaint with a supervisory authority. If you believe we have processed your personal data in breach of applicable data protection law, you have the right to lodge a complaint with your national Data Protection Authority (DPA). EEA residents can find their local DPA at edpb.europa.eu.

To exercise any of these rights, email legal@qr-manager.ai. We will respond within 30 days.

California residents (CCPA / CPRA).

California residents may have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell personal information for monetary consideration. If you are a California resident and wish to opt out of having your data shared with advertising networks through retargeting pixels, or to exercise any other CCPA/CPRA right, email legal@qr-manager.ai with "California Privacy Request" in the subject line.

7. Cookies and Tracking Technologies

We use only strictly necessary cookies — no advertising or analytics cookies are set by qr-manager.ai on any page:

  • Session cookie — maintains your authenticated account session. Required for the Service to function; not used for tracking or advertising.
  • CSRF token — prevents cross-site request forgery attacks on authenticated requests.
  • Cloudflare Turnstile — set on login and signup forms to distinguish humans from automated bots. Processed by Cloudflare under their privacy policy; not used to track you across third-party sites.

Conversion tracking for QR code owners is handled server-to-server via advertising platform APIs (see Section 3). No advertising cookies are set on the scanner's device during a scan redirect.

Do Not Track. We do not currently respond to browser Do Not Track (DNT) signals. For opt-out options available to you, see Section 6 (Your Rights).

8. Security

  • All data transmitted between your browser and our servers is encrypted via TLS 1.2 or higher.
  • Passwords are hashed with bcrypt (cost factor 12) before storage. We never store passwords in plaintext or reversible form.
  • API keys are hashed before storage and are never exposed after initial creation.
  • Our database is backed up automatically on a daily basis with encrypted, off-site storage.
  • We implement rate limiting and CAPTCHA protection on authentication endpoints to reduce the risk of credential-stuffing attacks.

Despite these measures, no system is completely secure. If you discover a security vulnerability, please disclose it responsibly by emailing legal@qr-manager.ai.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where reasonably practicable, provide advance notice via the email address associated with your account. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

10. Contact and Data Controller

The data controller responsible for your personal data is:

QR-MANAGER.AI LLC

c/o Registered Agents Inc., 306 W REDWOOD ST STE 200, Baltimore, MD 21201

United States

Questions about this policy or our privacy practices? Email us at legal@qr-manager.ai.