Privacy Policy
Last updated: July 7, 2026
This Privacy Policy explains how Crafty QR ("we", "us", "our") collects, uses, and protects your information when you use our website and QR code services. We act as the data controller for the personal data described below. By using Crafty QR, you agree to the practices described here.
Information we collect
Account information
We use Firebase Authentication to manage sign-in. When you create an account with email and password we collect your email address. If you sign in with Google (OAuth), we also receive your name and profile photo from Google. We do not store your password; it is handled by Firebase Authentication.
Profile information
If you build a hosted link page or landing page, we store the profile details you add to it, such as a display name, bio, links, and any avatar or images you upload for that page.
Billing information
Subscription payments are processed by LemonSqueezy, which acts as the merchant of record for your purchase. Your payment and card details are handled entirely on LemonSqueezy's systems, and we do not collect or store your full card details. We retain only limited billing references, such as a customer ID and subscription ID, that we need to manage your plan.
QR code content and labels
We store the content you put into your QR codes, such as URLs, text, contact details, WiFi credentials, or payment strings, along with the labels you give them and the styling you choose.
Uploaded files
We store files you upload using Firebase Storage. This can include logo images for your QR codes, PDF documents, images and avatars for your link pages and landing pages, and image attachments you add to support tickets. You are responsible for having the right to use any file you upload.
Scan analytics
For dynamic QR codes, each scan passes through a short link we host, which lets us record limited analytics about the scan:
- Hashed IP address.We hash the visitor's IP address with SHA-256 and store only the hash. We never store raw IP addresses.
- Approximate location. Country and city, derived from the network request. We do not use precise GPS location.
- Device, browser, and operating system. Device type (mobile, tablet, or desktop), browser, and operating system.
- Timestamp. The date and time of the scan.
Scan analytics are collected only for dynamic QR codes. Static QR codes encode their content directly and are not tracked.
Support tickets
When you open a support ticket, we store the subject, the messages exchanged, any image attachments, and the ticket status, so that we can help you and keep a record of the conversation.
Contact form
When you message us through our contact form, your message and the email address you provide are delivered to us by email using Resend. We do not store contact form submissions in our database.
Bot protection
To reduce spam and abuse, our sign-up and contact forms are protected by Cloudflare Turnstile, which may process limited technical data to verify that you are not a bot.
Cookies and authentication tokens
We use essential and functional cookies together with authentication tokens stored in your browser to keep you signed in and to operate the site securely. These are necessary for the service to function. We do not use advertising or non-essential tracking cookies, and we do not sell your data.
How we use your information
- To provide, maintain, and improve the QR code service.
- To show you analytics for your dynamic QR codes.
- To process subscriptions and manage your account and plan.
- To respond to your support and contact requests.
- To keep the service secure and to prevent fraud and abuse.
- To comply with our legal obligations.
Legal bases for processing
Where data protection law such as the Turkish Personal Data Protection Law (KVKK) or the GDPR applies, we rely on the following legal bases: performance of our contract with you to provide the service; our legitimate interests in securing, operating, and improving the service, including scan analytics for your own QR codes; your consent where we ask for it; and compliance with legal obligations.
Third-party services
We rely on trusted providers to operate Crafty QR. Each processes data on our behalf or as an independent controller under its own privacy terms:
- Firebase and Google. Authentication, database (Firestore), and file storage.
- Vercel. Website and application hosting.
- LemonSqueezy. Payment processing and subscription management as merchant of record.
- Cloudflare. DNS and bot protection (Turnstile) on our sign-up and contact forms.
- Resend. Delivery of contact form and notification emails.
- OpenStreetMap. Map tiles and place search for the location QR code picker.
Data retention
We keep your account data and saved QR codes for as long as your account is active. Scan analytics are retained based on your plan:
- Free: 7 days of analytics history.
- Pro: 120 days of analytics history.
- Pro+: 365 days of analytics history.
Older analytics data is automatically deleted once it passes your plan's retention window. Contact form messages are not stored in our database. You can delete your QR codes at any time, and you can delete your account as described below.
Your rights
You may request access to, correction of, or deletion of your personal information, and depending on where you live you may also have rights to portability, restriction, and objection. You can delete your account at any time from your account settings, which removes your account and its data, or you can email us to make a request. If you are in the European Economic Area, the United Kingdom, or Turkey, you also have the right to lodge a complaint with your local data protection supervisory authority.
United States privacy rights
Crafty QR is available to users in the United States. If you are a resident of California or another US state with a consumer privacy law, you may have the right to know what personal information we collect, to access, correct, or delete it, and to opt out of the sale or sharing of personal information. We do not sell or share your personal information as those terms are defined under US state privacy laws, and we do not use it for cross context behavioral advertising. We will not discriminate against you for exercising these rights. To make a request, contact us at support@craftyqr.com.
International data transfers
Crafty QR is available internationally, including in the United States, and your information may be processed in countries other than your own. Several of our third-party providers listed above are based in the United States, so your information may be transferred to and processed there and in other countries. Where such transfers happen, we rely on appropriate safeguards required by applicable law.
Security
We take reasonable technical and organizational measures to protect your information, including hashing scanner IP addresses and restricting access to personal data. No method of transmission or storage is completely secure, however, so we cannot guarantee absolute security.
Children's privacy
Crafty QR is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us with personal data, please contact us and we will delete it.
Changes to this policy
We may update this policy from time to time. When we do, we will revise the "Last updated" date above.
Contact
Questions about this policy, or requests about your data, can be sent to support@craftyqr.com.