Effective Date: November 14, 2025
Last Updated: November 14, 2025
QR Spark ("we," "us," or "our") operates the website https://qrspark.app (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using QR Spark, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
1. Information We Collect
1.1 Information You Provide to Us
When you create an account or use our Service, we collect the following information:
- Account Information: Email address, password (encrypted), and optionally your name and profile picture if you sign up via Google OAuth.
- QR Code Content: All data you input when creating QR codes, including URLs, Wi-Fi credentials, contact information (vCards), text, event details, payment information, social media links, PDF files, and any other content types supported by our 22+ QR code types.
- Customization Data: QR code design preferences such as colors, logos, eye styles, and custom text.
- Payment Information: When you subscribe to a paid plan, our payment processor handles your payment details. We do not directly store your full credit card information.
1.2 Information Collected Automatically
When someone scans a QR code created with our Service, we automatically collect analytics data to provide you with insights:
- Scan Logs: Each scan generates a log entry with the following data:
  - Timestamp: The date and time when the QR code was scanned.
  - Hashed IP Address: We collect and store a SHA-256 hashed (anonymized) version of the scanner's IP address. This protects user privacy while allowing us to detect abuse and provide geographic analytics.
  - User-Agent String: The scanner's device type, browser, and operating system (e.g., "iPhone; Safari" or "Android; Chrome").
  - Short Link ID: The unique identifier of the scanned QR code.
- Usage Data: Information about how you interact with our Service, such as pages visited, features used, and time spent on the platform.
1.3 Cookies and Tracking Technologies
We use cookies and similar tracking technologies to maintain your session, remember your preferences (such as theme selection), and analyze how our Service is used. You can control cookies through your browser settings, but disabling cookies may limit your ability to use certain features of our Service.
2. How We Use Your Information
We use the information we collect for the following purposes:
- To Provide and Maintain the Service: Create, customize, and manage your QR codes; display analytics dashboards with scan statistics, charts, and time-series data.
- To Improve Our Service: Analyze usage patterns, monitor performance metrics (via Vercel Analytics and Speed Insights), and optimize the user experience.
- To Communicate with You: Send transactional emails (account verification, password resets, service updates) via our email provider, Resend.
- To Prevent Abuse and Ensure Security: Implement rate limiting (using Upstash Redis) based on IP addresses to prevent spam, DDoS attacks, and Terms of Service violations; enforce content moderation policies.
- To Process Payments: Handle subscription payments through our payment processor (details provided at checkout).
- To Comply with Legal Obligations: Respond to legal requests, enforce our Terms of Service, and protect the rights, property, and safety of QR Spark, our users, and the public.
3. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following circumstances:
- Service Providers: We use trusted third-party service providers to operate our Service:
  - Supabase: Database hosting, user authentication (including Google OAuth), and backend infrastructure.
  - Vercel: Web hosting, CDN, and performance monitoring (Analytics and Speed Insights).
  - Upstash Redis: Rate limiting and caching to prevent abuse.
  - Resend: Transactional email delivery (account verification, password resets).
  - Payment Processor: Secure payment processing (the specific provider will be disclosed at checkout).
  These providers only have access to the information necessary to perform their functions and are obligated to protect your data.
- Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas).
- Business Transfers: If QR Spark is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service before your information is transferred and becomes subject to a different Privacy Policy.
4. Data Retention
We retain your personal information only as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy:
- Account Data: Retained until you delete your account.
- QR Code Data: Retained until you delete the QR code or your account.
- Scan Logs (Analytics):
  - Free Plan: Automatically deleted after 30 days.
  - Pro Plan: Automatically deleted after 1 year.
- Backups: Data may persist in backups for up to 90 days after deletion.
5. Data Security
We implement industry-standard security measures to protect your information:
- Encryption: All data transmitted to and from our Service is encrypted using HTTPS/TLS. Passwords are hashed using bcrypt before storage.
- IP Address Privacy: Scanner IP addresses are hashed using SHA-256 before storage, making them irreversible and protecting user anonymity.
- Access Controls: We use Row-Level Security (RLS) in our database to ensure users can only access their own data.
- Rate Limiting: Multi-tier rate limiting prevents abuse and brute-force attacks (5 requests per 30 seconds for auth, 20 per 30 seconds for API calls, 50 per 10 seconds for scans).
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
6. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Update or correct inaccurate information via your account settings.
- Deletion: Delete your account and all associated data at any time via Settings → Account → Delete Account. This action is permanent and cannot be undone.
- Export: Export your scan logs as a CSV file from the Analytics page.
- Opt-Out: Unsubscribe from marketing emails (if any) by clicking the unsubscribe link in the email.
To exercise these rights, please contact us at privacy@qrspark.app or use the self-service tools available in your account settings.
7. GDPR Compliance (European Users)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- Legal Basis for Processing: We process your data based on:
  - Contract Performance: To provide the Service you signed up for.
  - Legitimate Interest: To improve our Service, prevent abuse, and ensure security.
  - Consent: Where you have given explicit consent (e.g., for marketing communications).
- Data Portability: You have the right to receive your data in a structured, machine-readable format (CSV export).
- Right to Object: You may object to processing based on legitimate interest by contacting us.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority.
8. CCPA Compliance (California Users)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected.
- Right to Delete: Request deletion of your personal information (subject to certain exceptions).
- Right to Opt-Out: We do not sell your personal information. If this changes, we will provide an opt-out mechanism.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at privacy@qrspark.app.
9. Children's Privacy
Our Service is not intended for children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@qrspark.app, and we will delete that information from our systems.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country. We ensure that such transfers are conducted in accordance with applicable data protection laws and that appropriate safeguards are in place (e.g., Standard Contractual Clauses).
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last Updated" date at the top of this page. If we make material changes, we will notify you via email (if you have provided one) or by displaying a prominent notice on our Service. Your continued use of the Service after such changes constitutes your acceptance of the updated Privacy Policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
This Privacy Policy was last updated on November 14, 2025. We are committed to protecting your privacy and ensuring the security of your personal information.