Privacy Policy

Last updated: 12/5/2025

Privacy Promise: We hash IP addresses before storage. Analytics is opt-in per QR code. We never sell your data.

Introduction

FlexiQR ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our dynamic QR code management service.

Information We Collect

Account Information

When you create an account, we collect your email address and authentication credentials through our authentication provider, Clerk. We may also collect optional profile information you choose to provide.

QR Code Data

We store information about the QR codes you create, including destination URLs, custom slugs, labels, Open Graph metadata (titles, descriptions), UTM tracking parameters, and version history of all destinations.

Uploaded Images

When you upload images for social sharing previews (Open Graph images), they are stored securely in AWS S3 via UploadThing. We store references to these images and any crop settings you apply. Images are subject to UploadThing's privacy policy.

Analytics Data (Opt-In)

When you enable analytics for a specific QR code, we collect privacy-conscious data including: hashed IP addresses (with daily rotating salts), timestamp, referrer URL, user agent, UTM parameters, approximate geographic location (city/country via Vercel headers), device type, browser information, and operating system. We never store raw IP addresses. Analytics collection is opt-in per QR code and can be disabled at any time.

Payment Information

When you subscribe to a paid plan, payment processing is handled securely by Paddle. We do not store credit card information. We receive and store subscription status, billing cycle information, transaction history, and Paddle customer IDs to manage your subscription.

Security Logs

For security and fraud prevention, we may log rate limit violations, blocked domain attempts, and other security events with associated IP addresses (stored as hashes), user agents, and timestamps.

How We Use Your Information

•Provide and maintain our QR code management and redirect service

•Generate privacy-conscious analytics insights for QR codes where analytics are enabled

•Process payments and manage subscriptions

•Store and deliver your uploaded images via AWS S3

•Enforce rate limits and prevent abuse

•Improve and optimize our platform performance and features

•Communicate with you about service updates, billing, and support

•Detect and prevent fraud, spam, and malicious activity

•Comply with legal obligations and enforce our Terms of Service

Third-Party Service Providers

We work with trusted third-party service providers to deliver our service. These providers have access to certain data only as necessary to perform their functions:

Clerk

Authentication and user management. See their privacy policy at clerk.com/legal/privacy

Convex

Database and backend infrastructure. See their privacy policy at convex.dev/legal/privacy/v2024-03-21

UploadThing

Image upload and AWS S3 storage. See their privacy policy at uploadthing.com/info/privacy-policy

Paddle

Payment processing and subscription management. See their privacy policy at paddle.com/legal/privacy

Vercel

Application hosting and edge network. See their privacy policy at vercel.com/legal/privacy-policy

Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties.

We may share your information only in the following limited circumstances:

•With service providers listed above who assist in operating our platform

•When required by law, court order, or government request

•To protect our rights, property, or safety, or that of our users or the public

•In connection with a merger, acquisition, or sale of assets (you will be notified)

•With your explicit consent or at your direction

Data Security

We implement industry-standard security measures to protect your data:

•All connections use HTTPS/TLS encryption

•IP addresses are cryptographically hashed with daily rotating salts before storage

•Rate limiting to prevent abuse and automated attacks

•Domain blocklist to prevent malicious destinations

•Input validation and SSRF protection on all URLs

•Security audit logging for administrative actions

•Regular security updates and monitoring

No method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

Data Retention

We retain your data for as long as your account is active or as needed to provide services. Analytics data is retained indefinitely in hashed form for historical reporting. When you delete a QR code, associated data (destinations, events, rate limits) is permanently deleted. If you close your account, we will delete your personal data within 90 days, except where retention is required for legal compliance, dispute resolution, or fraud prevention.

Cookies and Tracking

We use essential cookies for authentication (managed by Clerk) and session management. We do not use advertising or third-party tracking cookies. Analytics tracking only occurs when you explicitly enable it for specific QR codes, and does not track individual users across the web.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

•Access: Request a copy of your personal data

•Correction: Update inaccurate or incomplete data

•Deletion: Request deletion of your personal data

•Portability: Receive your data in a portable format

•Opt-out: Disable analytics on any QR code at any time

•Object: Object to processing of your data

You can manage most settings through your dashboard. For additional assistance, please contact us using the information below.

International Data Transfers

Your data may be transferred to and processed in countries other than your own. Our service providers (Clerk, Convex, UploadThing, Paddle, Vercel) may store data in various regions. We ensure that all data transfers comply with applicable data protection laws and that appropriate safeguards are in place.

Children's Privacy

FlexiQR is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically. Your continued use of FlexiQR after changes constitutes acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email Support:

support [at] flexiqr [dot] link

We will respond to all legitimate requests within 30 days.