Privacy Policy

Account Information

When you create an account via magic link or Google OAuth, we collect your email address and display name. Authentication is handled by Supabase Auth — we do not store passwords.

Page Content

Content you add to instruction pages — including text, links, uploaded PDFs, and video URLs — is stored in our database and associated file storage. Uploaded media (images, PDFs) are stored in Cloudflare R2 object storage.

QR Scan Analytics

When someone scans a QR code linked to your page, we record the scan timestamp, approximate geographic location, device type, and a one-way hash of the scanner’s IP address. We do not store raw IP addresses — we use irreversible hashing to count unique visitors while preserving privacy.

Payment Information

Billing is processed by Stripe. We do not store credit card numbers or full payment details on our servers. We retain your Stripe customer ID and subscription status to manage your account.

• Provide, maintain, and improve the PageQR service
• Authenticate your identity and secure your account
• Process payments and manage subscriptions
• Generate scan analytics for your QR codes
• Send transactional emails (e.g., magic link sign-ins)
• Respond to support requests

We do not sell your personal data. We do not use your data for advertising or marketing profiling.

We use the following third-party services to operate PageQR:

• Supabase — authentication and database hosting
• Stripe — payment processing
• Vercel — application hosting and edge network
• Cloudflare R2 — file and media storage

Each of these providers has their own privacy policy governing how they handle data. We only share the minimum data required for each service to function.

PageQR uses only essential cookies required for authentication (Supabase session cookies). We do not use marketing, analytics, or tracking cookies. No cookie consent banner is needed because we only use strictly necessary cookies.

We retain your account data and page content for as long as your account is active. If you delete your account, we will remove your personal data and page content within 30 days. Anonymized scan analytics may be retained for aggregate reporting.

We implement industry-standard security measures including encrypted connections (TLS), secure authentication flows (PKCE), row-level security policies at the database level, and hashed IP addresses for scan tracking. However, no method of transmission over the Internet is 100% secure.

Depending on your location, you may have the following rights:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate data
• Deletion — request deletion of your personal data
• Portability — request an export of your data in a machine-readable format
• Objection — object to certain processing of your data

GDPR (EU/EEA): If you are in the EU or EEA, you have rights under the General Data Protection Regulation. Our legal basis for processing your data is contractual necessity (providing the service you signed up for) and legitimate interest (improving our service).

CCPA (California): California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information.

To exercise any of these rights, contact us at privacy@pageqr.io.

PageQR is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last updated” date. Your continued use of PageQR after changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy, contact us at privacy@pageqr.io.