Privacy

What we collect, why, and what you can do about it.

Last updated · 9 May 2026

The short version. We collect what's needed to run the product — your account, your QR codes, anonymized scan data on those codes, and what you tell us when you contact support. We don't sell your data. We don't share it with advertisers. The people who scan your codes are not identified to you or to us.

What we collect

Account

Your name, email, and password hash. Authentication is handled by Clerk; we receive only what we need to identify your session and send transactional email.

Billing

For paid plans, your payment method, billing address, and invoice history. Payment is handled by Stripe. We never see your full card number.

QR codes you create

The destination URL or payload, the style options, the type, and any metadata you set. Stored as long as the code is in your account.

Scan data on your codes

For each scan of one of your dynamic codes we record: timestamp, coarse device type (mobile, tablet, desktop), operating system, browser, country and city when geolocation is available, and the referring URL when present. Geolocation uses MaxMind GeoIP and fails closed — when the lookup is uncertain, the city and country are stored as null. We do not show the scanner's IP address in your dashboard, and we do not set cookies on the scanner's device.

Site usage

Privacy-preserving analytics on qrmy.app — page, referrer, country. No persistent identifier. No cross-site profile. No Google Analytics, no Meta Pixel, no Hotjar.

Support

If you email hello@qrmy.app, we keep your message and reply-to address so we can respond and follow up.

How we use it

To run the product, charge for paid plans, answer your support emails, and investigate abuse. That's it. We don't profile you. We don't build advertising audiences. We don't enrich your data from third-party brokers.

Who we share it with

A short list of subprocessors, each handling one specific piece of running QR My. They receive only the data needed for their function and are not permitted to use it for any other purpose.

  • Clerk: Account authentication and session management.
  • Stripe: Payment processing and subscription billing.
  • Resend: Inbound email — messages sent to hello@qrmy.app are received and routed through Resend to the owner's inbox.
  • MaxMind: IP-to-location lookup for scan analytics. The lookup is performed server-side; the scanner's IP is not stored in your dashboard.
  • Hosting provider: Server, database, and CDN. Data is stored in the host's infrastructure.

Cookies

qrmy.app sets a single first-party cookie for session continuity if you sign in through this site. We do not use marketing or advertising cookies, and we do not embed third-party trackers on the marketing site. The QR redirect itself does not set any cookie on the scanner's device.

Your rights

You can ask for a copy of your data, ask us to correct anything that's wrong, or ask us to delete your account. Email hello@qrmy.app. We respond within one business day and complete most requests within 30 days. If you're in the EU or UK, you can also complain to your local data protection authority.

How long we keep it

  • Accounts and codes — until you delete them. After deletion, soft-deleted records are purged from production within 30 days; backups roll off within 90.
  • Scan logs — kept while the parent code is active. Deleted with the code.
  • Billing records — kept as long as required by tax and accounting law (typically 7 years).
  • Support email — 2 years from the last reply.

Children

QR My is not intended for use by anyone under 13. We don't knowingly collect data from children. If you believe a child has signed up, email hello@qrmy.app and we'll remove the account.

International transfers

Our subprocessors operate in the United States and the European Union. Where data leaves the EU or UK, transfers are covered by the Standard Contractual Clauses or an equivalent safeguard.

Changes

If we make a material change to this policy, we'll email registered accounts and post a notice on the dashboard at least 14 days before it takes effect. Minor edits (clarifying language, fixing a typo) are made in place; the date at the top of the page reflects the most recent change.

Contact

For any privacy question, including data access or deletion: hello@qrmy.app.