Legal
Last updated: June 3, 2026
QRflo ("we", "our", "the Service") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding that data.
Account information. When you create an account, we collect your email address and a securely hashed version of your password. We never store passwords in plain text.
QR code data. We store the destination URLs, labels, vanity slugs, and generated QR code images associated with your account.
Scan analytics. When someone scans one of your QR codes, we record the scan to power your analytics dashboard. For each scan we store the device type (mobile, tablet, or desktop) and browser family derived from the User-Agent, the referring website's domain (when sent by the browser), and a one-way SHA-256 hash of the IP address used solely to estimate unique visitors. We do not store the raw IP address of the person scanning, their precise location, or their name or contact details, and we do not attempt to identify individual scanners.
Usage data. We may collect basic server logs (IP address, request timestamps, user agent) for security monitoring and abuse prevention. These logs are retained for no more than 90 days.
We use your data exclusively to operate the Service: authenticating your account, serving QR code redirects, displaying scan analytics, and sending transactional emails (password resets, account notifications). We do not use your data for advertising. We do not build user profiles for marketing purposes.
We do not sell, rent, or share your personal data with third parties, except in the following limited circumstances:
Service providers. We use third-party services for email delivery (Resend) and hosting infrastructure. These providers process data on our behalf and are contractually obligated to protect it.
Legal requirements. We may disclose data if required by law, subpoena, or court order, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
Passwords are hashed using Argon2id, a modern memory-hard algorithm resistant to brute-force attacks. All connections to the Service are encrypted via TLS. Session cookies are set with Secure, HttpOnly, and SameSite attributes. We implement rate limiting on authentication endpoints to prevent credential-stuffing attacks.
Account data and QR codes are retained for as long as your account is active. You can permanently delete your account at any time from your dashboard; doing so immediately removes your account, your QR codes, their redirects, and their scan history. Records of payments are retained in anonymized form (unlinked from your account) as required for financial and tax purposes.
Depending on your jurisdiction, you may have the right to access, correct, or delete the personal data we hold about you. You may also have the right to data portability and to object to or restrict certain processing. To exercise any of these rights, contact us at privacy@qrflo.co.
We use a session cookie to keep you logged in. This is a first-party, essential cookie — we do not use tracking cookies, analytics cookies, or any third-party advertising cookies.
The Service is not directed to children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it.
We may update this policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service. Continued use after changes take effect constitutes acceptance of the revised policy.
Questions about this policy? Contact us at privacy@qrflo.co or through our contact page.