Privacy Policy

1. Who we are

tracqr ("we," "us," or "our") is a QR code generation and scan analytics service operated at tracqr.io. This policy explains what data we collect, how we use it, and your rights regarding it. Questions? Email support@tracqr.io.

2. Data we collect

Account data

When you create an account we collect your email address and an optional display name. If you set a password we store a bcrypt hash — we never store your password in plain text.

QR code data

When you create a QR code we store the destination URL and optional label you provide, plus the timestamp of creation and a randomly generated short ID.

Scan data

Every time a tracqr QR code is scanned we log:

• Timestamp of the scan
• IP address, which we immediately resolve to a country and city via ipapi.co — the raw IP address is not stored
• User agent string, which we resolve to a device type (mobile, tablet, or desktop) — the raw user agent is not stored

Scan data is collected on behalf of the QR code owner. The person scanning a QR code does not need a tracqr account and is not individually identified — we store derived metadata only, not personally identifiable scan data.

Payment data

Payments are processed by Stripe. We store your Stripe customer ID and subscription status. We do not store your card number, CVV, or billing address — those are held by Stripe under their own privacy policy.

3. How we use your data

• To operate the service: store and serve your QR codes and redirect URLs
• To provide analytics: show you scan counts, geographic breakdowns, and device statistics for your own codes
• To send transactional emails: magic link logins, payment receipts, and milestone notifications (via Resend)
• To manage your subscription: billing, upgrades, and cancellations via Stripe

We do not sell your data to third parties. We do not use your data for advertising.

4. Third-party services

• Stripe — payment processing (privacy policy)
• Resend — transactional email delivery (privacy policy)
• ipapi.co — IP-to-location lookup used at scan time; scan IPs are sent to ipapi.co to determine country and city, then discarded (privacy policy)
• Amazon Web Services (EC2, RDS) — infrastructure hosting

5. Data retention

• Account data is retained until you delete your account
• Pro subscribers: QR codes and scan logs are retained indefinitely for the life of the subscription. If a Pro account downgrades to Free, data transitions to the Free retention window from the cancellation date
• Free accounts: QR codes and their scan logs are retained for 1 year from the date of account creation or the last recorded scan (whichever is later). After 1 year of inactivity the code and its logs are purged and redirects will cease to function. We will email you 30 days before any purge
• Upon account deletion, all your data is permanently removed within 30 days

6. Your rights

You can delete individual QR codes and their scan logs from your dashboard at any time. To delete your account and all associated data, email support@tracqr.io from your registered address. We will process the request within 30 days.

If you are in the EU or UK you may also have rights to access, correct, or port your data under GDPR. Contact us at the email above to exercise these rights.

7. Security

All data is transmitted over HTTPS. Passwords are stored as bcrypt hashes. Database access is restricted to our application servers. We apply industry-standard security practices but cannot guarantee absolute security of data transmitted over the internet.

8. Changes to this policy

We may update this policy from time to time. When we do, we will update the effective date above. For material changes, we will notify you by email. Continued use of tracqr after changes constitutes acceptance of the updated policy.