Privacy Policy
Last updated: May 2026
At QRSync, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our QR code generator service at qrsync.io ("Service"). This policy also describes your rights regarding your personal information under applicable laws including the GDPR (EU/EEA) and CCPA/CPRA (California).
Information We Collect
Information You Provide
When you create an account or use our services, we may collect:
- Account Information: Email address, display name, and profile picture (if signing in with Google)
- QR Code Content: The URLs, text, WiFi credentials, contact details, or other data you encode in QR codes
- Payment Information: When you subscribe to a paid plan, payment details are collected directly by Stripe (our payment processor) and are never stored on our servers. See "Payment Processing" below.
- Contact Information: Information you provide when contacting support via our contact form
Information Collected Automatically
When you use our Service, we automatically collect information in one of two modes depending on your cookie consent (see "Cookies and Similar Technologies" and "Google Consent Mode" below):
- Before / without analytics consent (default): Google Analytics operates in cookieless mode and receives aggregated, anonymous pings only — no cookies are set on your device, no client identifier is generated, and no events are tied to you. Pings include coarse signals such as page URL, referrer, device type, browser, and approximate country. This data is used by Google to model traffic patterns in aggregate.
- After you accept analytics cookies: Google Analytics sets _ga/_gid cookies, generates a pseudonymous client ID, and records pages visited, features used, and time spent on the Service tied to that ID.
- Device and connection information (browser type, operating system, device type) is collected in both modes.
QR Code Scan Tracking
When someone scans a dynamic QR code created on QRSync, we collect: timestamp, user agent string, and approximate operating system. This data is associated with the QR code owner's account for analytics purposes, not with the person scanning.
We do not collect the scanner's IP address, geographic location, or any personally identifiable information of the person scanning.
How We Use Your Information
We use the collected information to:
- Provide and maintain our QR code generation service
- Enable dynamic QR code features and scan analytics
- Process subscription payments and manage billing
- Send transactional emails about your account, billing, and service status
- Respond to your inquiries and provide customer support
- Analyze usage patterns to improve our service (only with cookie consent)
- Detect and prevent fraud or abuse
Payment Processing (Stripe)
We use Stripe, Inc. as our payment processor for subscription billing. When you make a purchase, your payment information (credit card number, billing address) is sent directly to Stripe and is never stored on our servers.
Stripe may collect information about you including via cookies and similar technologies. Their use of your personal information is governed by the Stripe Privacy Policy.
We receive and store from Stripe: your Stripe customer ID, subscription status, plan tier, billing period, and next billing date. We do not receive or store credit card numbers.
Data Storage and Security
Your data is stored securely using industry-standard encryption. We use Firebase (Google Cloud) for authentication and data storage, which provides enterprise-grade security including encryption at rest and in transit.
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
Data Sharing
We do not sell, rent, or share your personal information for cross-context behavioral advertising. We may share your information only in the following circumstances:
- Service Providers: With trusted third parties who assist in operating our service (listed under "Third-Party Services" below)
- Legal Requirements: When required by law, court order, or to protect our rights, safety, or property
- Business Transfers: In connection with a merger, acquisition, or sale of assets (you will be notified via email or prominent notice)
Your Rights Under GDPR (European Economic Area)
If you are located in the EU/EEA, you have the following rights under the General Data Protection Regulation:
Lawful Basis for Processing
- Account data (email, name): Contract performance (Art. 6(1)(b))
- Payment processing: Contract performance (Art. 6(1)(b))
- Analytics cookies: Consent (Art. 6(1)(a)) — you can accept or decline via our cookie consent banner
- QR scan tracking (timestamps, OS, user agent): Legitimate interest in service delivery (Art. 6(1)(f))
- Transactional emails: Contract performance (Art. 6(1)(b))
Your Rights
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Request restriction of processing
- Data Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw cookie consent at any time via the "Manage Cookies" link in our footer — withdrawing is as easy as giving consent
You also have the right to lodge a complaint with your local data protection supervisory authority.
Data Controller: QRSync. Contact: privacy@qrsync.io
Your Rights Under CCPA/CPRA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know: Request what personal information we collect, use, and disclose
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale: We do not sell or share your personal information for cross-context behavioral advertising, so this right is not applicable
- Non-Discrimination: We will not discriminate against you for exercising any of these rights
To exercise your rights, email privacy@qrsync.io. We will respond within 45 days.
International Data Transfers
Your data is processed in the United States via Google Cloud (Firebase) and Stripe.
For users in the European Economic Area (EEA) and United Kingdom, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the EU-U.S. Data Privacy Framework for the lawful transfer of personal data outside the EEA. See Firebase Data Processing and Security Terms and Firebase Standard Contractual Clauses.
Data Retention
- Account data: Retained until you delete your account
- QR code data: Retained until you delete your account or delete individual QR codes
- Scan analytics: Retained per your plan's analytics retention period (30 days for Free/Essential, 90 days for Pro, 365 days for Business, unlimited for Enterprise)
- Billing and payment records: 3 years after subscription ends, or 1 year after account termination, whichever is longer (required by California Automatic Renewal Law)
- Consent records (ToS acceptance, auto-renewal consent, cookie consent): 3 years from date of consent, or 1 year after contract termination, whichever is longer
- Contact form submissions: 2 years
Cookies and Similar Technologies
We use cookies and browser storage to provide and improve the Service. Analytics cookies (_ga, _gid, _ga_<container>) are only set on your device after you click "Accept" on our cookie banner. Strictly necessary and functional storage items listed below are not subject to consent.
Google Consent Mode v2
QRSync uses Google's Consent Mode v2 in advanced configuration. This means our Google Analytics tag loads on every page in a default "denied" state. The effects:
- Before you make a choice, or if you decline: Google Analytics sets no cookies and generates no identifier for you. It sends Google "cookieless pings" containing only aggregated, non-identifying signals (page URL, referrer, device class, browser, approximate country). Google uses these in aggregate to model overall site traffic; the pings cannot be linked back to you.
- After you accept: Google Analytics sets the cookies described below, generates a pseudonymous client ID, and records user-level analytics events tied to that ID. You can revoke this at any time via the "Manage Cookies" link in our footer; doing so deletes the cookies and returns the tag to cookieless mode for future page loads.
This approach lets us understand aggregate site performance while ensuring that no personal data or identifiers are stored on your device without your prior consent, in compliance with the ePrivacy Directive Article 5(3) and the GDPR.
| Cookie / Storage | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| _ga | Google Analytics | Distinguishes unique users | 2 years | Analytics (requires consent) |
| _gid | Google Analytics | Distinguishes unique users | 24 hours | Analytics (requires consent) |
| _ga_<container> | Google Analytics | Persists session state | 2 years | Analytics (requires consent) |
| Firebase Auth tokens | Firebase | Authentication session | Session | Strictly necessary |
| qrsync-auth (localStorage) | QRSync | Auth state sync for static pages | Persistent | Strictly necessary |
| theme-mode (localStorage) | QRSync | Dark/light mode preference | Persistent | Functional |
| qrsync-cookie-consent (localStorage) | QRSync | Cookie consent preference | Persistent | Strictly necessary |
You can manage your cookie preferences using the "Manage Cookies" link in our footer. Strictly necessary cookies cannot be disabled as they are essential for the Service to function.
Third-Party Services
Our service integrates with the following third parties, each with their own privacy policies:
- Firebase (Google Cloud): Authentication, Firestore database, Cloud Functions, Hosting — data processed in the US. Firebase Privacy
- Google Analytics: Usage analytics — data processed in the US — requires cookie consent. Google Privacy Policy
- Stripe: Payment processing — data processed in the US. Stripe Privacy Policy
- Google reCAPTCHA v3: Fraud prevention — active in production only. Google Privacy Policy
Children's Privacy
QRSync is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page, updating the "Last updated" date, and (for registered users) sending a notification email. Your continued use of the Service after changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact us at:
- Email: privacy@qrsync.io
- Contact form: qrsync.io/contact