Privacy Policy
Last updated: April 20, 2026
1. Who we are
CreateYourQR (“we,” “us”) operates a web application for creating and managing dynamic QR codes. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Service at our public website and related endpoints.
2. Information we collect
2.1 You provide directly
- Account data: email address, name (if provided), and password hash when you register with email and password.
- OAuth profile data: if you sign in with Google or another provider, we receive identifiers and profile fields that provider shares with us (for example name, email, and profile image URL) according to that provider’s consent screen.
- QR configuration: destination URLs you enter, optional visual style settings (such as colors and optional logo images encoded for preview), and metadata needed to operate codes (for example slugs and plan tier). The Terms of Service define numeric limits for the Free and Pro plans (activation window, scan caps, and related behavior).
- Billing identifiers: when you subscribe through PayPal, we process subscription identifiers and status returned by PayPal; we do not store full payment card numbers on our servers.
2.2 Automatically collected
- Scan and redirect telemetry: when someone scans a dynamic QR, we may log timestamps and technical data such as IP-derived information (for example a hashed or truncated IP for abuse prevention), coarse location signals if supplied by our hosting environment (for example country), user agent, and referer URL, to show aggregate analytics and protect the Service.
- Logs and diagnostics: server logs, error reports, and security signals as needed to operate and secure the platform.
- Cookies and similar technologies: see our Cookie Policy.
3. How we use information
We use personal data to:
- Create and authenticate accounts and sessions;
- Provide, maintain, and improve the Service (including dashboards and QR resolution);
- Process subscriptions and communicate about billing where applicable;
- Send transactional emails (for example welcome or security messages) through our email provider;
- Detect, prevent, and respond to fraud, abuse, and security incidents;
- Comply with legal obligations and enforce our terms.
We do not sell your personal information as “sale” is commonly defined in U.S. state privacy laws. We may use aggregated or de-identified data that cannot reasonably identify you.
4. Legal bases (EEA, UK, Switzerland)
Where the GDPR or similar frameworks apply, we rely on appropriate bases such as contract (providing the Service you request), legitimate interests (security, analytics, product improvement—balanced against your rights), consent where required (for example certain cookies or marketing, if offered), and legal obligation.
5. Sharing and subprocessors
We share data with service providers who assist us, including for example:
- Hosting and infrastructure (for example Vercel or similar) to run the application and store data;
- Database providers where your account and QR records are stored;
- Authentication (for example Google OAuth and NextAuth-compatible flows);
- Payments (PayPal) for subscription checkout and webhooks;
- Email delivery (for example Resend) for transactional messages.
These providers process data under contractual terms and only as needed to perform services for us. We may also disclose information if required by law, legal process, or to protect rights, safety, and security.
6. Retention
We retain account and QR data while your account is active and as needed to provide the Service, comply with law, resolve disputes, and enforce agreements. Scan logs may be retained for a shorter operational window or aggregated over time. When data is no longer needed, we delete or de-identify it subject to backup and technical constraints.
7. Security
We implement technical and organizational measures appropriate to the risk, including encryption in transit (HTTPS), access controls, and hashed passwords. No method of transmission or storage is 100% secure; you use the Service at your own risk within reasonable industry standards.
8. International transfers
If you access the Service from outside the country where our servers or providers are located, your information may be transferred across borders. Where required, we use appropriate safeguards (such as standard contractual clauses) or rely on derogations permitted by law.
9. Your rights and choices
Depending on your location, you may have rights to access, correct, delete, or export certain personal data, to object to or restrict certain processing, to withdraw consent where processing is consent-based, and to lodge a complaint with a supervisory authority. You can exercise many choices through your account settings or by contacting us. You may opt out of non-essential cookies as described in our Cookie Policy.
10. Children
The Service is not directed to children under 13 (or the age required in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have, contact us and we will take appropriate steps to delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version and update the “Last updated” date. Where changes are material, we will provide additional notice as required by law.
12. Contact
For privacy requests or questions, contact us through the support channel published on the website or via the email associated with your account. Before launch, replace this paragraph with a dedicated privacy inbox if you operate one.