Privacy Policy

QRBliss is a QR code generator and short-link service operated from the United States. Our marketing site lives at qrbliss.com; scans of dynamic QR codes resolve through the same domain.

We collect only the data needed to operate the service. In plain terms:

• Account data if you sign up: email address, optional display name, and password hash. Authentication is handled by Supabase Auth.
• Your QR codes: the destination URL, the visual configuration (colors, logo, frame), and the short-code we mint for dynamic QRs. You can export or delete these at any time.
• Uploaded assets: logos and images you choose to save to your asset library, stored in Supabase Storage under your account.
• Scan analytics for dynamic QRs: derived signals only — device class (mobile / desktop / tablet), OS family parsed from User-Agent, and country plus city resolved from Vercel’s geo headers. We never store the raw scanner IP address.
• Billing data if you subscribe: handled by Stripe. We receive the subscription status and tier, not your card number.

• No raw scanner IPs— they’re salted-and- hashed at the edge, used for abuse-prevention rate limits, and discarded.
• No tracking cookies on a fresh visit — no ad pixels, no third-party trackers, no fingerprinting. The only cookie set without consent is your Supabase auth cookie, and that only appears if you sign in.
• No advertising data brokers— we don’t share data with any advertising network, data broker, or analytics vendor outside the providers listed below in section 5.

• To operate the QR generator and serve your codes.
• To resolve dynamic QR redirects and aggregate the derived scan signals shown in your dashboard.
• To verify destinations against Google Safe Browsing before they go live, and re-scan them periodically so flagged URLs are caught.
• To send transactional emails (auth, receipts, account notifications) and product update emails you can opt out of from your settings.
• To enforce the terms of service and prevent fraud and abuse.

We share data only with the providers strictly needed to run the service. Each handles a narrow slice and is bound by their own data-processing terms.

• Supabase — authentication, application database, and asset storage.
• Vercel — hosting, edge functions, and the geographic headers used to derive scanner country and city.
• Stripe — payment processing for Pro and Business subscriptions.
• Resend — transactional email delivery.
• Google Safe Browsing— destination-URL safety checks. We send the destination URL; we don’t share visitor or scanner data.

We do not sell, rent, or trade your data with anyone. The no-sale commitment is in your subscription contract for paid plans, and it applies to free-tier users the same way.

• Access & export: from your settings, you can export every QR you’ve created and every uploaded asset.
• Correction: update your account email or display name from settings.
• Deletion: a one-click account-delete removes your account, your QR codes, and your assets. We keep the minimum legally required billing records after that, nothing more.
• GDPR / CCPA: residents of the EU, UK, and California have explicit access, deletion, and opt-out rights under their local laws. Email privacy@qrbliss.com to exercise them.

Account data and QR codes are kept while your account is active. After account deletion, we remove your data within 30 days, except billing records we’re required to retain (US tax law: seven years). Aggregated scan-analytics rows for your dynamic QRs are deleted alongside the codes they belong to.

Data is encrypted in transit (TLS 1.2+) and at rest. Account access uses Supabase Auth. Internal access to production data is restricted to a small number of operators on a break-glass basis. We’ll notify affected users within 72 hours of confirming a breach involving their data.

QRBliss is not directed to children under 13 and we do not knowingly collect personal data from them. If we learn we’ve received data from a child under 13, we’ll delete it.

When we make material changes to this policy we’ll email account holders and update the “Last updated” date at the top. Continued use of QRBliss after an update means you accept the revised policy. The previous version stays available on request.

Privacy questions or requests: privacy@qrbliss.com. General support: hi@qrbliss.com.