Privacy Policy

Last updated: February 14, 2026

1. Introduction

Welcome to Honest QR ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our QR code generation and management platform.

2. Information We Collect

We collect information that you provide directly to us when you:

  • Create an account (email address, password)
  • Complete your profile (full name, company name, phone number)
  • Sign in with Google OAuth (email, name, profile picture)
  • Provide your email on the landing page to receive a QR code via email
  • Create and manage QR codes (destination URLs, custom slugs, titles)
  • Submit our contact form (name, email, message)
  • Upgrade to Pro or Business (payment information via Stripe)

Note on free static QR codes: When you use our free static QR code generator on the landing page without providing your email, we do not collect any personal data. Static QR codes are generated entirely in your browser — no data is sent to our servers.

We automatically collect certain information when you use our services, including:

  • QR code scan counts (anonymous analytics)
  • Browser type and operating system
  • IP address and general location
  • Referrer URL and user agent for QR scan events
  • Session cookies for authentication
  • Essential cookieless operational metrics (aggregated pageview counts by path/date/country)
  • Optional analytics cookies and local storage (only if you accept analytics)

If you accept optional analytics and sign in, product analytics events may be associated with your account identifier (such as user ID, email, and plan tier) to support authenticated product insights.

Our essential operational metrics are first-party, aggregated, and do not use persistent client identifiers.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain our QR code platform
  • Authenticate your account and manage your session
  • Process your Lifetime Pro upgrade payments via Stripe
  • Track QR code scan analytics for your dashboard
  • Measure core site reliability and usage with aggregated cookieless operational metrics
  • Respond to your contact form submissions and support requests
  • Send important service notifications (account changes, payment confirmations)
  • Improve our services and develop new features
  • Detect, prevent, and address technical issues or fraudulent activity

4. Third-Party Services

We use the following third-party service providers:

Supabase (Database & Authentication)

Stores your account information, QR code data, and manages authentication. Supabase is SOC 2 Type II certified and GDPR compliant. Data is encrypted at rest and in transit.

Stripe (Payment Processing)

Handles Lifetime Pro payments. We do not store your full credit card information. Stripe is PCI DSS Level 1 certified.

Google OAuth (Authentication)

Provides single sign-on functionality. We only receive your name, email, and profile picture when you choose to sign in with Google.

Resend (Email Notifications)

Sends email notifications for contact form submissions and QR code delivery emails from the landing page. We only share the information necessary to deliver these emails.

PostHog (Product Analytics)

With your consent, we use PostHog to understand product usage (for example, pageviews, feature interactions, and session behavior analytics) so we can improve the service. If you reject analytics, we do not enable PostHog tracking for your browser.

Vercel Analytics & Speed Insights (Performance Analytics)

With your consent, we use Vercel Analytics and Speed Insights to measure site performance and usage trends. If you reject analytics, these optional analytics scripts are not enabled for your browser.

5. Data Security

We implement industry-standard security measures to protect your personal information, including:

  • HTTPS encryption for all data transmission
  • HTTP-only secure cookies for session management
  • Row Level Security (RLS) policies in our database to isolate user data
  • Password hashing using bcrypt
  • Regular security audits and updates

However, no method of transmission over the internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Cookies and Tracking

We use HTTP-only session cookies to authenticate your account and maintain your logged-in state. These cookies are essential for the platform to function and are automatically deleted when you log out or after the session expires (typically 7 days).

We also process first-party aggregated operational metrics without cookies or persistent client identifiers. This limited telemetry helps us monitor service health and page-level usage.

Optional analytics cookies and local storage (PostHog, Vercel Analytics, and Speed Insights) are used to understand traffic sources, feature usage, and performance trends.

In regions that require opt-in consent (such as EU/EEA, UK, and Switzerland), optional analytics stay off until you accept. In other regions, optional analytics may be enabled by default where permitted and can be turned off at any time.

If you reject analytics, we store your choice and do not enable optional analytics tracking for your browser. You can change your choice at any time using the "Cookie settings" button available on the site.

7. Your Privacy Rights

Depending on your location, you may have the following rights under GDPR, CCPA, and similar privacy laws:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Update or correct inaccurate information in your profile
  • Deletion: Request deletion of your account and associated data
  • Data Portability: Receive your data in a structured, machine-readable format
  • Opt-out: Unsubscribe from non-essential communications

To exercise these rights, please contact us using the information in Section 10 below.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. If you request account deletion, we delete account data within 30 days, except where retention is required for legal, tax, security, or fraud prevention obligations.

Contact form submissions and queued email records are retained for operational support and communication history.

QR scan event data (including IP address, location metadata, referrer, and user agent) is retained to provide your analytics dashboard features.

Aggregated operational metrics are retained for trend analysis and service monitoring.

9. Children's Privacy

Our services are not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately, and we will delete it.

10. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on this page with a new "Last updated" date. Your continued use of our services after such changes constitutes acceptance of the updated policy.