Your Data, Your Rights

1. Information We Collect

Account Information

When you create an account, we collect:

• Email Address: Required for account creation, login, and service communications
• Password: Securely hashed and stored for account authentication
• Name: Optional first and last name for personalization
• Profile Information: Optional additional details you choose to provide

QR Code Data

For registered users, we store:

• QR Code Content: The data you encode in your QR codes (URLs, text, contact info, etc.)
• QR Code Metadata: Creation date, type, customization settings
• Usage Analytics: Scan counts and basic analytics (when available)
• Custom Logos: Images you upload for QR code customization

Subscription and Billing Data

For paid subscriptions, we collect:

• Subscription Information: Plan type, billing cycle, status
• Payment Data: Processed and stored by Stripe (not directly by us)
• Billing History: Transaction records and invoice data
• Usage Metrics: QR code generation counts for plan limit enforcement

Technical and Usage Data

We automatically collect:

• IP Address: For security, abuse prevention, and analytics
• Browser Information: User agent, browser type and version
• Device Information: Operating system, screen resolution (for optimization)
• Session Data: Login times, session duration, feature usage
• API Usage: API calls, endpoints used, rate limiting data
• Performance Data: Page load times, error logs for service improvement

Anonymous User Data

For users without accounts, we collect minimal data:

• Session Limits: Temporary session data to enforce anonymous usage limits
• Basic Analytics: Aggregated usage statistics (no personal identification)
• Security Data: IP addresses for abuse prevention (automatically deleted after 7 days)

2. How We Use Your Information

Service Provision

• Account Management: Creating and maintaining your account
• QR Code Generation: Creating, storing, and managing your QR codes
• Dashboard Services: Providing usage analytics and account information
• Subscription Management: Processing payments and managing plan features
• API Services: Providing programmatic access to QR generation

Communication

• Service Updates: Important platform updates and maintenance notices
• Billing Notifications: Payment confirmations, invoice delivery, billing issues
• Support Communications: Responding to your questions and support requests
• Security Alerts: Notifications about account security or suspicious activity

Platform Improvement

• Usage Analytics: Understanding how features are used to improve the platform
• Performance Optimization: Identifying and fixing performance issues
• Feature Development: Developing new features based on usage patterns
• Security Enhancement: Detecting and preventing abuse or security threats

Legal and Compliance

• Legal Compliance: Meeting regulatory requirements and legal obligations
• Fraud Prevention: Detecting and preventing fraudulent activity
• Policy Enforcement: Ensuring compliance with our Terms of Service

3. Cookies and Tracking Technologies

Essential Cookies

We use essential cookies and similar technologies for:

• Session Management: Keeping you logged in and maintaining your session
• Security: CSRF protection and security feature implementation
• Preferences: Remembering your language and display preferences
• Functionality: Enabling core platform features to work properly

Analytics Cookies

We use privacy-focused analytics to understand platform usage. These cookies help us improve the service but do not identify you personally. You can opt out of analytics tracking in your account settings.

Third-Party Services

We integrate with these third-party services:

• Stripe: Payment processing (subject to Stripe's privacy policy)
• CDN Services: Fast content delivery (minimal data collection)
• Email Service: Transactional email delivery

4. Data Sharing and Disclosure

We Do Not Sell Your Data

Limited Sharing Scenarios

We may share your information only in these specific circumstances:

• Service Providers: Trusted partners who help operate our platform (hosting, payment processing, email delivery)
• Legal Requirements: When required by law, court order, or legal process
• Business Transfer: In the event of a merger, acquisition, or sale of assets (with notice to users)
• Security and Safety: To protect the rights, property, or safety of QRStarter, our users, or the public
• With Your Consent: When you explicitly authorize us to share specific information

Data Processing Locations

Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international data transfers, including compliance with GDPR adequacy decisions and standard contractual clauses.

5. Data Security

Security Measures

We implement comprehensive security measures to protect your data:

• Encryption: All data transmitted using HTTPS/TLS encryption
• Password Security: Passwords hashed using industry-standard algorithms
• Access Controls: Strict access controls and employee background checks
• Infrastructure Security: Secure hosting with regular security updates
• Monitoring: 24/7 security monitoring and intrusion detection
• Backups: Regular encrypted backups with tested recovery procedures

Data Breach Response

In the unlikely event of a data breach, we will notify affected users within 72 hours and take immediate steps to secure the platform. We maintain a comprehensive incident response plan and work with cybersecurity experts to minimize any potential impact.

6. Data Retention

Retention Periods

We retain your data for the following periods:

• Account Data: Until you delete your account, plus 30 days for account recovery
• QR Code Data: Until you delete specific QR codes or your account
• Billing Data: 7 years for tax and legal compliance requirements
• Usage Analytics: 2 years in aggregated, anonymized form
• Security Logs: 1 year for security monitoring and incident response
• Support Communications: 3 years for service improvement and legal compliance

Data Deletion

When data retention periods expire or when you request deletion, we permanently delete your data from our active systems and backups, except where required by law to retain certain information.

7. Your Privacy Rights

Universal Rights

Regardless of your location, you have these rights:

• Access: Request access to your personal data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your personal data
• Data Portability: Export your data in a machine-readable format
• Objection: Object to certain types of data processing

GDPR Rights (EU Residents)

If you're in the EU, you have additional rights under GDPR:

• Restriction: Restrict processing of your personal data
• Withdrawal of Consent: Withdraw consent for data processing
• Supervisory Authority: Lodge complaints with your local data protection authority
• Legal Basis Transparency: Understanding the legal basis for data processing

CCPA Rights (California Residents)

California residents have these additional rights:

• Right to Know: Detailed information about data collection and sharing
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt out of the sale of personal information (not applicable as we don't sell data)
• Non-Discrimination: Equal service regardless of privacy choices

Exercising Your Rights

To exercise your privacy rights, contact us at privacy@qrstarter.com or use the data controls in your account dashboard. We will respond to verified requests within 30 days (or as required by local law).

8. Children's Privacy

QRStarter is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete such information immediately.

9. International Data Transfers

QRStarter operates globally and may transfer your data to countries with different privacy laws. We ensure appropriate safeguards through:

• Adequacy Decisions: Using countries deemed adequate by the European Commission
• Standard Contractual Clauses: Implementing EU-approved data transfer agreements
• Data Processing Agreements: Requiring all service providers to meet privacy standards

10. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Significant changes will be communicated via email and prominent notice in the platform. We encourage you to review this policy periodically.

11. Contact Us

Questions about this Privacy Policy or our privacy practices? Contact us:

• Privacy Email: privacy@qrstarter.com
• Data Protection Officer: dpo@qrstarter.com
• General Support: qrstarter.com/contact
• Mailing Address: [Your Business Address]