Privacy Policy

QRDyno ("we," "us," "our") provides QR code generation, hosted landing pages, and scan analytics. This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and the rights you have over it.

• What we collect: account information (email, name), subscription metadata from Polar, files you upload, content you publish to hosted QR landing pages, and analytics about people who scan your QR codes (hashed IP, country, city, device, timestamp).
• Why: to operate the service, bill you, prevent abuse, and improve the product.
• Who we share with: the infrastructure providers we use to run QRDyno (Clerk, Polar, Neon, Vercel, Cloudflare R2, Resend, Brevo). We do not sell or share personal data for cross-context advertising.
• How long: account data while your account exists; scan analytics for up to 13 months; billing records as required by tax law.
• Your rights: access, deletion, correction, portability, objection. Contact privacy@qrdyno.com to exercise any right.

QRDyno is operated as a sole proprietorship pending the formation of a U.S. legal entity. The Service is offered primarily to users in the United States but is accessible globally.

For all privacy matters, contact us at privacy@qrdyno.com. We are the data controller for the personal data described in this policy. We do not currently have a designated representative in the European Union or United Kingdom; EU and UK users may direct all data-protection requests to privacy@qrdyno.com.

We collect the categories of personal data described below. Where relevant, we map each category to the statutory categories used by the California Consumer Privacy Act (CCPA/CPRA).

3.1 Account data

Email address, first and last name, profile picture URL, and authentication metadata (OAuth provider identifiers if you sign in via a social provider). Authentication credentials (passwords, MFA secrets, OAuth tokens) are handled by our authentication provider, Clerk, and are never stored on QRDyno servers. CCPA categories: identifiers, customer records.

3.2 Subscription and billing data

When you purchase a Premium subscription, our payment processor, Polar (which acts as Merchant of Record), collects your payment method, billing address, and tax-relevant information directly. QRDyno receives only the subscription metadata required to activate Premium features: Polar customer ID, subscription ID, plan, billing cycle, status, and the email associated with the purchase. We do not see or store full payment-card numbers. CCPA categories: identifiers, commercial information.

3.3 Content you submit

Content you create or upload to operate the Service: QR code names and slugs, redirect URLs, files uploaded to be served on QRDyno-hosted landing pages (PDFs, images, audio), and the configuration of those landing pages. Some QR types let you embed personal data of third parties (for example, an event contact phone number or wedding-page guest information). You are responsible for the lawfulness of including such third-party data. CCPA categories: customer records, commercial information, sometimes sensitive personal information if the third-party data you embed is sensitive.

3.4 Scan analytics

When someone scans a QR code you created and lands on a QRDyno-hosted URL, we collect, for the QR creator's analytics dashboard and our own anti-abuse purposes: a one-way hashed IP address (SHA-256 truncated), the country and city derived from the IP at the edge by our hosting provider, the browser user-agent string, the operating system, device class, and the timestamp. The raw IP address is hashed at write time and is not stored. CCPA categories: internet or other network activity, geolocation data (city-level, not precise).

3.5 Support and contact form data

If you submit a contact form or email us, we retain your name, email, the content of your message, a hashed form of your IP (used only for rate-limit and abuse prevention), and any attachments you provide. CCPA categories: identifiers.

3.6 Logs and security telemetry

We retain technical logs generated by our infrastructure providers (request paths, HTTP status, latency, error fingerprints) for security, debugging, and abuse prevention. These logs may include IP addresses and user-agent strings on transient timescales. CCPA categories: internet or other network activity.

3.7 Team data

If you are part of a team, we store team membership, invitation tokens, invitee email addresses, and per-member roles. Team-owned QR codes, content, and analytics are visible to other authorized team members.

We process your personal data only for the purposes and on the legal bases described below. The legal-basis labels refer to the EU/UK GDPR; equivalent "business purpose" categories apply under CCPA/CPRA.

We do not use your personal data for direct marketing, cross-context behavioral advertising, or sale to third parties. We do not engage in automated decisions that produce legal or similarly significant effects on you within the meaning of GDPR Art. 22.

We share personal data only with infrastructure providers ("subprocessors") that act on our instructions to operate the Service, and with independent third parties where required by law or in narrow circumstances described below.

We may also disclose personal data to: (a) law-enforcement agencies and courts in response to valid legal process or where we believe in good faith that disclosure is necessary to prevent imminent harm; (b) rights-holders submitting verified copyright or trademark notices, to the limited extent required to act on the notice; (c) a successor entity in the event of a merger, acquisition, sale of assets, or reorganization, subject to advance notice and the privacy commitments in this policy.

We do not sell or share personal data for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We have not sold or shared personal data in the preceding 12 months and have no plans to do so.

Most QRDyno infrastructure is located in the United States. If you access the Service from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with cross- border-transfer restrictions, your personal data will be transferred to the United States.

Where required, we rely on the European Commission's Standard Contractual Clauses (SCCs) as incorporated into our agreements with subprocessors, supplemented by the UK Information Commissioner's International Data Transfer Addendum and the Swiss Federal Data Protection Commissioner's supplementary clauses where applicable. You may request a copy of the relevant transfer mechanism by emailing privacy@qrdyno.com.

We retain personal data only as long as we need to.

QRDyno uses only strictly-necessary cookies. We do not currently use analytics, marketing, or advertising cookies, and we do not load tracking pixels from third parties.

If we ever introduce non-essential cookies (analytics or marketing), we will present a consent banner to EU/UK/Swiss users in compliance with the ePrivacy Directive and honor Global Privacy Control signals for California consumers.

This section is for people who scan a QR code generated through QRDyno and land on a qrdyno.com URL, even if you have never created an account.

When you scan such a QR code, we collect: a one-way hashed version of your IP address (SHA-256 truncated, the raw IP is never stored), the country and city derived from your IP by our hosting provider, your browser user-agent string, the operating system, device class, and the timestamp. We use this data to (i) provide aggregate analytics to the QR creator (who scanned the code, when, and from where at the country/city level), and (ii) enforce free-plan scan limits and detect abuse. We do not attempt to identify individual scanners from this data.

Legal basis: our legitimate interest in operating the analytics product and preventing abuse (GDPR Art. 6(1)(f)). If you do not want to be counted, do not scan QRDyno-generated QR codes; you may also request deletion of scan rows associated with your IP by emailing privacy@qrdyno.com (we will ask for information sufficient to match your scans).

Note to QR creators: if you deploy QRDyno-generated QR codes in jurisdictions that require notice to scanners (for example, in the EU/UK or in California for sensitive contexts), you are responsible for providing any required notice at or near the QR code.

Files you upload to be served on QRDyno-hosted landing pages (PDFs, images, audio) are stored on Cloudflare R2 and served via a qrdyno.com URL. When you upload content that contains personal data about other people (for example, contact information for event attendees or wedding guests), you represent that you have a lawful basis to do so and have provided any required notice to those third parties.

If a third party believes content you uploaded violates their rights or applicable law, they may submit a report to abuse@qrdyno.com or via our abuse report page. Verified reports may result in removal of the content and suspension or termination of the account.

Regardless of where you live, you can ask us to access, correct, update, or delete the personal data we hold about you, and to stop processing it for certain purposes. The specific list of rights below depends on your jurisdiction; we will honor the most generous set that applies to you.

11.1 EU/UK GDPR rights

• Access the personal data we hold about you (Art. 15)
• Rectification of inaccurate data (Art. 16)
• Erasure(the "right to be forgotten") where conditions in Art. 17 apply
• Restriction of processing (Art. 18)
• Portability of your data in a structured, machine-readable format (Art. 20)
• Objection to processing based on legitimate interests (Art. 21)
• Withdraw consent at any time, where consent is the legal basis (Art. 7(3))
• Lodge a complaint with a supervisory authority. You may complain to the data-protection authority in your country of residence; the UK regulator is the Information Commissioner's Office (ico.org.uk).

11.2 California (CCPA/CPRA) rights

California residents have the additional rights set forth in Section 15 below.

11.3 Other jurisdictions

If you reside in Brazil, see Section 16 (LGPD). Other jurisdictions (Canada PIPEDA, Australia APPs, Switzerland revFADP) generally provide analogous rights; we will honor requests on the same terms as our EU/UK process.

Email privacy@qrdyno.com from the address on your account, or from another address with enough detail for us to verify your identity. We may ask for additional information to confirm who you are before acting on a request — this is to protect you against impersonation.

We will respond within 30 days for GDPR/UK GDPR requests and within 45 days for CCPA/CPRA requests (each extendable as permitted by law if the request is complex; we will let you know if we need an extension). There is no charge for honoring a request unless it is manifestly unfounded or excessive.

You may use an authorized agent. We will require the agent to provide proof of authorization and we will independently verify your identity before acting.

We will not discriminate against you for exercising any of these rights. We will not deny service, charge a different price, or provide a different level of service because you exercised a privacy right.

QRDyno is not directed to children under 16, and we do not knowingly collect personal data from children under 13 in the United States (in compliance with COPPA) or under the age of digital consent in your jurisdiction. If you are a parent or guardian and believe your child has provided personal data to QRDyno, contact privacy@qrdyno.com and we will promptly delete the data and terminate the account.

We use industry-standard administrative, technical, and physical safeguards to protect personal data:

• TLS encryption for all data in transit
• Encryption at rest for the application database, file storage, and backups (managed by Neon and Cloudflare)
• Authentication and credential management delegated to Clerk; passwords and MFA secrets are not stored on QRDyno servers
• IP addresses in the scan-analytics table are stored as SHA-256-truncated hashes
• Role-based access controls; access to production data is limited to authorized personnel on the principle of least privilege
• Audit logging of administrative actions

No system is impenetrable. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware as required by GDPR Art. 33, and we will notify affected users without undue delay where required by GDPR Art. 34, CCPA, or applicable US state law.

This section provides the additional disclosures required for California residents under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

15.1 Categories of personal information

In the preceding 12 months we have collected the following statutory categories of personal information: identifiers, customer records, commercial information, internet or other network activity, geolocation data (city-level only). We may collect sensitive personal information only to the extent it is contained in content you upload yourself. We do not collect biometric information, precise geolocation, racial or ethnic origin, religious beliefs, health, or sexual-orientation data.

15.2 Sources, purposes, and recipients

Sources, purposes, and recipients are described in Sections 3-5 of this policy.

15.3 Sale and sharing of personal information

QRDyno does not sell and does not sharepersonal information as those terms are defined by the CCPA/CPRA. "Sharing" under the CPRA refers specifically to cross-context behavioral advertising, which we do not engage in. We have not sold or shared personal information in the preceding 12 months and have no plans to do so.

15.4 Your California rights

• Right to know what personal information we have collected, sources, purposes, third parties we disclose to, and specific pieces collected
• Right to delete personal information subject to limited exceptions
• Right to correct inaccurate personal information
• Right to opt out of sale or sharing (we do not sell or share)
• Right to limit use of sensitive personal information (we do not use sensitive PI beyond what is necessary to provide the Service)
• Right to non-discrimination for exercising privacy rights
• Authorized agent requests are accepted

15.5 Shine the Light (Civ. Code § 1798.83)

California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. QRDyno does not disclose personal information to third parties for their direct marketing purposes.

15.6 How to exercise California rights

Email privacy@qrdyno.com with the subject line "California Privacy Request". We will respond within 45 days as required by Cal. Civ. Code § 1798.130(a)(2).

Brazilian residents have the rights set forth in Articles 17–22 of the Lei Geral de Proteção de Dados (LGPD), including confirmation of processing, access, correction, anonymization, portability, deletion, information about with whom we share data, the right to revoke consent, and the right to lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

Our data-protection contact (Encarregado de Proteção de Dados) is reachable at privacy@qrdyno.com. We will respond to LGPD requests within 15 days as required by ANPD guidance.

We do not make decisions about you that are based solely on automated processing and that produce legal or similarly significant effects (GDPR Art. 22).

We do operate some automated processes you should be aware of: (i) free-plan scan limits use hashed IP addresses to count unique scans per month and may block a scan if the monthly limit has been reached; (ii) the link-type smart-rules feature lets QR creators redirect scanners to different destinations based on the country derived from the scanner's IP; (iii) automated abuse-detection systems may flag QR codes, content, or accounts for human review. None of these processes make decisions of legal or similarly significant effect within the meaning of GDPR Art. 22; if our systems suspend an account or disable a QR code, you may appeal the decision by emailing abuse@qrdyno.com.

We may update this Privacy Policy from time to time. When we make a material change, we will update the "Effective" date at the top, notify you via email or an in-product notice before the change takes effect, and post the prior version for reference. Non-material changes (typos, clarifications) may be made without notice.

For privacy questions, data-subject requests, or to exercise any right described in this policy:

• Privacy & data requests: privacy@qrdyno.com
• Report abuse / misuse: abuse@qrdyno.com or qrdyno.com/abuse
• DMCA / copyright: dmca@qrdyno.com
• General contact: contact@qrdyno.com or qrdyno.com/contact