Privacy Policy

This Privacy Policy describes how QRCraft ("we," "our," or "us") collects, uses, processes, and protects your personal information when you use our QR code generation service, including our web application, Chrome extension, Android mobile application, and both our free and paid subscription tiers. We are committed to protecting your privacy and ensuring transparency about our data practices.

By using QRCraft (including our web application and Chrome extension), you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with any part of this policy, please do not use our service.

This policy complies with applicable privacy laws including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant privacy regulations.

Interpretation and Definitions

Interpretation

The words with an initial capital letter have meanings defined under the following conditions. These definitions shall have the same meaning whether they appear in singular or plural.

Definitions

For the purposes of this Privacy Policy:

• Account: A unique account created for you to access our Service or certain parts of our Service.
• Chrome Extension: The QRCraft browser extension available through the Chrome Web Store that enables QR code generation directly from your browser.
• Company: (referred to as "QRCraft", "we", "us", or "our") is the provider of this Service.
• Cookies: Small files placed on your device that save details of your browsing history on our Website.
• Data Controller: QRCraft, as the entity that determines the purposes and means of processing personal data.
• Data Processor: Third-party services that process data on our behalf (e.g., Clerk for authentication, Stripe for payment processing, Neon for database services).
• Device: Any device that can access the Service such as a computer, cellphone, or digital tablet.
• Free Tier: Our basic service tier that allows limited QR code generation without payment (8 QR types, unlimited static generation, preview only).
• GDPR: General Data Protection Regulation, the privacy law applicable to EU residents.
• Mobile Application: The QRCraft Android mobile application available on Google Play Store that provides QR code generation and scanning capabilities.
• Personal Data: Any information that relates to an identified or identifiable individual.
• Processing: Any operation performed on personal data, including collection, storage, use, and deletion.
• Service: Refers to the QRCraft website, Chrome extension, and all online services provided by QRCraft.
• Subscription: Our paid service tiers (Basic at $3.99/month and Pro at $7.99/month) that provide additional features and capabilities.
• Usage Data: Data collected automatically, either generated by the use of the Service or from the Service infrastructure itself.
• Website: QRCraft, accessible from https://qrcraft.online.
• You: The individual accessing or using the Service, or the company, or other legal entity on whose behalf such individual is accessing or using the Service.

Information We Collect

Personal Information You Provide

We collect the following personal information when you:

• Create an account: Email address, name, and authentication credentials (managed securely by Clerk)
• Subscribe to paid services: Billing information and payment details (processed securely by Stripe - we never store your payment card information)
• Contact us: Name, email address, and message content submitted through our contact form
• Generate QR codes: Content you input for QR code generation (text, URLs, contact information, WiFi credentials, social media handles, etc.)
• Use the Chrome Extension: URLs or text you choose to encode when using the extension (only when you explicitly trigger QR generation)

Automatically Collected Information

We automatically collect certain information when you use our Service:

• Usage Data: Pages visited, features used, time spent on the service, QR codes generated (count and types), templates and logos used
• Device Information: IP address, browser type and version, operating system, device type
• Performance Data: Page load times, error reports, service availability metrics
• Authentication Data: Login timestamps, session information, security logs (managed by Clerk)
• Chrome Extension Data: Extension version, theme preference (dark/light mode stored locally in your browser only)

Chrome Extension Specific Data

The QRCraft Chrome Extension collects minimal data:

• Current Tab URL: Only when you explicitly click "Generate QR Code for Current Page" - we access the URL of the active tab (e.g., "https://example.com/page") and nothing else from the page
• Selected Content: Only URLs or text you explicitly select and choose to generate QR codes from via right-click menu
• Theme Preference: Your dark/light mode choice, stored locally in chrome.storage.local (never transmitted to our servers)
• Temporary QR Content: When you use the context menu, content is briefly stored in local browser storage to pass to the popup, then immediately cleared after use

What the Chrome Extension Does NOT Collect:

• ❌ Browsing history or websites you visit
• ❌ Page content, DOM elements, or form data
• ❌ Cookies from other websites
• ❌ Location data or GPS coordinates
• ❌ Search queries or keyboard activity
• ❌ Any automatic tracking or analytics within the extension

Subscription and Payment Information

For paid subscribers, we collect:

• Subscription tier (Basic at $3.99/month or Pro at $7.99/month) and status (active, cancelled, expired)
• Payment history and transaction records (stored by Stripe, we only retain transaction IDs and dates)
• Billing preferences and invoicing information
• Usage limits and quota tracking for different subscription tiers (e.g., dynamic QR count, batch generation count)

QR Code Content and Generated Codes

Free Tier Users: We process the content you input for QR code generation in real-time. Static QR codes are generated and delivered to you instantly - we do not permanently store the content or the generated QR code images. Preview-only access means codes are shown in your browser but not saved to our servers.

Basic and Pro Tier Users: When you download or save a QR code, we may temporarily cache the generated QR code image to improve service performance and enable features like download history. QR code content is not stored separately from the QR code record.

Dynamic QR Codes: For dynamic QR codes (which can be edited after creation), we store the destination URL and QR code settings so you can update them later. This data remains in your account until you delete the dynamic QR code or close your account.

Important: We process but do not analyze, read, or use the content you encode in QR codes for any purpose other than generating the QR code itself and providing the service features you've requested.

Tracking Technologies and Cookies

We use Cookies and similar tracking technologies to track activity on our Service and hold certain information. The technologies we use may include:

• Cookies or Browser Cookies: These are small files placed on your device. You can instruct your browser to refuse all cookies, but some parts of our Service may not function properly.
• Web Beacons: Sections of our Service or emails may include small electronic files that help count users and record statistics.

Cookies can either be "Persistent" or "Session" Cookies. Session Cookies exist only during an active session and are deleted when you close your browser, while Persistent Cookies remain until they are manually cleared.

We use Cookies for various purposes, including:

• Necessary / Essential Cookies: These cookies are essential to provide you services and include session cookies and other temporary cookies.
• Preference Cookies: Cookies that enable us to remember user preferences.
• Analytics Cookies: Cookies used to collect information on how our Service is used, aiding us to improve functionality.

How We Use Your Information

We use your personal information for the following purposes, based on legitimate business interests and, where required, your consent:

• Service Provision: To provide, maintain, and improve our QR code generation service
• Account Management: To create and manage your account, including authentication and access control
• Subscription Management: To process payments, manage subscriptions, handle upgrades/downgrades, and send billing-related communications
• Feature Access: To enforce subscription tier limitations and provide appropriate service features
• Customer Support: To respond to your inquiries, provide technical support, and resolve issues
• Service Analytics: To analyze usage patterns, improve service performance, and develop new features
• Security: To protect against fraud, unauthorized access, and security threats
• Legal Compliance: To comply with applicable laws, regulations, and legal processes
• Marketing (with consent): To send promotional emails about new features, updates, and relevant offers (you may opt out at any time)

Legal Bases for Processing (GDPR)

For EU residents, we process your personal data based on:

• Contractual necessity: To provide the service you've requested
• Legitimate interest: For service improvement, security, and business operations
• Consent: For marketing communications and non-essential features
• Legal obligation: To comply with applicable laws

Data Sharing and Third-Party Services

We share your personal information only in the following circumstances:

Service Providers

• Clerk (clerk.com): Authentication and user management services - handles login, signup, session management, and account security. Clerk is SOC 2 Type II certified and GDPR compliant. We share email, name, and authentication credentials with Clerk.
• Stripe (stripe.com): Payment processing and subscription management - PCI DSS Level 1 certified. Stripe handles all payment card information; we never store or have access to your full card details. We receive transaction IDs and payment status from Stripe.
• Neon (neon.tech): PostgreSQL database hosting - stores your account data, QR code records, usage statistics, and subscription information. Neon provides encryption at rest and in transit.
• Vercel (vercel.com): Web hosting and content delivery network (CDN) - hosts our web application and handles HTTPS traffic. Vercel may collect standard web server logs (IP addresses, request URLs, timestamps).
• Vercel Analytics: Privacy-friendly web analytics - tracks page views and basic usage patterns without collecting personal identifiers. Does not use cookies or track across websites.

Legal Requirements

We may disclose your information when required by law, such as:

• In response to valid legal requests or court orders
• To protect our rights, property, or safety, or that of our users
• To prevent fraud or security threats
• To comply with applicable laws and regulations

Business Transfers

In the event of a merger, acquisition, or sale of our business, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

No Sale of Personal Data

We do not sell, rent, or lease your personal information to third parties for their marketing purposes.

Your Privacy Rights

General Rights

You have the following rights regarding your personal information:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal data (subject to legal obligations)
• Portability: Request a copy of your data in a machine-readable format
• Objection: Object to processing based on legitimate interests
• Restriction: Request limitation of processing in certain circumstances

GDPR Rights (EU Residents)

If you are in the European Union, you have additional rights under GDPR:

• Right to withdraw consent at any time
• Right to lodge a complaint with your local supervisory authority
• Right to data portability for data provided based on consent or contract

CCPA Rights (California Residents)

If you are a California resident, you have rights under the CCPA:

• Right to know what personal information we collect and how it's used
• Right to delete personal information (subject to exceptions)
• Right to opt-out of the sale of personal information (we don't sell data)
• Right to non-discrimination for exercising your privacy rights

How to Exercise Your Rights

To exercise any of these rights, please contact us at support@qrcraft.online or through your account settings. We will respond to your request within the timeframes required by applicable law (typically 30 days).

Data Retention and Security

Retention Periods

We retain your personal data for the following periods:

• Account Data: Until you delete your account or request deletion, plus 30 days for backup purposes
• Subscription and Payment Data: For 7 years after subscription ends (required for tax compliance and financial auditing)
• Usage Logs and Analytics: Up to 2 years for security monitoring and service improvement
• QR Code Records (Free Tier): Not stored permanently - generated and delivered in real-time only
• QR Code Records (Paid Tiers): Stored until you delete them or close your account
• Dynamic QR Codes: Stored until you delete them or close your account (as they need to remain functional)
• Chrome Extension Local Storage: Theme preference stored indefinitely in your browser until you clear browser data; temporary QR content cleared immediately after use
• Contact Form Messages: Up to 3 years for customer support records

Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

• Encryption: Data in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Strict access controls and authentication for our systems
• Regular Security Reviews: Ongoing security assessments and updates
• Incident Response: Procedures for detecting and responding to security incidents
• Third-Party Security: We ensure our service providers maintain appropriate security standards

While we strive to protect your personal data, no internet-based service can guarantee 100% security. We encourage you to use strong passwords and enable two-factor authentication where available.

International Data Transfers

Your personal data may be processed in countries other than your country of residence. These countries may have different data protection laws than your country.

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Certification schemes and codes of conduct

Chrome Extension Privacy Practices

The QRCraft Chrome Extension is designed with privacy as a priority. This section explains the extension's specific privacy practices.

Permissions and Why We Need Them

The extension requests the following permissions:

• activeTab: Allows the extension to read the URL of the current tab ONLY when you explicitly click "Generate QR Code for Current Page" from the context menu. The extension cannot read page content, form data, or any information other than the URL. This permission is never used automatically - only when you trigger it.
• contextMenus: Adds three right-click menu options: "Generate QR Code for this Link" (on links), "Generate QR Code from Selected Text" (on selected text), and "Generate QR Code for Current Page" (anywhere on page). This permission does not access any data - it only adds menu items to your browser.
• storage: Saves your theme preference (dark or light mode) in chrome.storage.local. This data stays on your device and is never transmitted to our servers. Also used to temporarily store QR content when you use the context menu (cleared immediately after the QR code is generated).

Host Permissions

The extension can communicate with:

• https://qrcraft.online/*: Our primary API for QR code generation, user authentication, fetching templates/logos, and syncing with your account. This is a first-party service we control.
• https://*.clerk.accounts.dev/*: Clerk's authentication service for secure login and session management. Clerk is our third-party authentication provider (SOC 2 certified, GDPR compliant).

Data Flow in the Extension

Here's exactly what happens with your data when using the Chrome Extension:

1. When you right-click and select "Generate QR Code": The URL or selected text is stored temporarily in chrome.storage.local and passed to the extension popup. After the QR code is generated or you close the popup, this data is immediately cleared.
2. When you click "Generate QR Code" button: The content (URL, text, etc.) is sent via HTTPS to our API at qrcraft.online. The API generates the QR code and returns the image. The content is processed but not stored (unless you're creating a dynamic QR code on a paid plan).
3. Authentication: When you sign in, Clerk handles the authentication flow. Your session token is stored securely and used to communicate with our API for account-specific features (checking your plan, QR count, etc.).
4. Theme preference: Your dark/light mode choice is saved in chrome.storage.local and never leaves your device.

What the Extension Never Does

• ❌ Track your browsing history or websites you visit
• ❌ Read the content of web pages (only URLs when you explicitly request it)
• ❌ Access your form data, passwords, or any sensitive information
• ❌ Use analytics or tracking scripts within the extension
• ❌ Share your data with third parties (except Clerk for authentication and our own API for QR generation)
• ❌ Run any code automatically or in the background without your action
• ❌ Access your location, camera, microphone, or other device features

Extension Updates and Changes

When we update the Chrome Extension, Chrome Web Store will notify you before auto-updating. If we request additional permissions in a future update, Chrome will ask for your explicit approval before the update is installed. We commit to only requesting permissions that are necessary for the extension's functionality.

Mobile Application Privacy Statement

This section describes the specific privacy practices for the QRCraft Android mobile application. The mobile app is designed to provide QR code generation and scanning capabilities with privacy as a top priority.

Permissions and Why We Need Them

The QRCraft Android app requests the following permissions:

You can deny optional permissions and still use the app's core features. The app will request permissions only when needed for specific features.

Camera Access

• Camera permission is required to scan QR codes and barcodes
• Camera images are processed locally on your device in real-time
• Photos and videos are NOT uploaded to any server
• No camera data is stored without your explicit consent
• Camera access is only active when you use the QR scanner feature

Storage Access

• Storage permission is requested only when you save a QR code to your device gallery
• The app only writes QR code images you explicitly choose to save
• The app does NOT access, read, or upload any other files from your device
• You can use all QR generation features without granting storage permission

Location Access (Optional)

• Location permission is requested ONLY when you create a Location QR code
• Location data is embedded in the QR code locally on your device
• Location information is NOT sent to our servers
• You can deny location permission and still use all other features
• Location is never tracked in the background

Data Stored Locally on Your Device

The following data is stored locally on your Android device and NOT transmitted to our servers:

• QR code generation history
• QR code scan history
• App settings and preferences (theme, default QR type, etc.)
• Saved QR code templates
• Premium purchase status (verified through Google Play Store)

Data NOT Collected by Mobile App

We want to be clear about what we DO NOT collect:

• ❌ Personally identifiable information (unless you sign in with your QRCraft account)
• ❌ Location tracking or GPS coordinates (except when you explicitly create a Location QR code)
• ❌ Contacts, messages, or call logs
• ❌ Photos or media from your device (we only save QR codes you generate)
• ❌ Browsing history or app usage patterns outside QRCraft
• ❌ Device identifiers for tracking purposes (except as required by Google Play and AdMob)

Third-Party Services in Mobile App

The QRCraft mobile app integrates the following third-party services:

Google Play Services

• Purpose: In-app purchases for premium upgrade
• Data Shared: Google Account information, purchase transaction details
• Privacy Policy: https://policies.google.com/privacy

Google AdMob (Advertising)

• Purpose: Display advertisements in the free version
• When Active: Only in free version; premium users see NO ads
• Data Collected: AdMob may collect device identifiers (Advertising ID), IP address, device model, OS version, and app usage data for ad personalization
• User Control: You can opt-out of personalized ads in your device settings (Settings → Google → Ads → Opt out of Ads Personalization)
• AdMob Privacy Policy: https://policies.google.com/technologies/ads

Premium Upgrade (In-App Purchase)

The mobile app offers a one-time premium upgrade:

• What You Get: Remove all ads, unlock advanced QR types, batch generation, and premium features
• Payment Processing: Handled securely by Google Play Store
• Purchase Verification: Your premium status is verified with Google Play Billing API
• Data Stored: Only your purchase status (premium/free) is stored locally
• Refunds: Subject to Google Play's refund policy

Data Retention (Mobile App)

• All QR code generation and scan history is stored locally on your device
• You can clear your history at any time from Settings → Clear History
• Uninstalling the app removes all locally stored data
• We do NOT maintain copies of your QR codes or scan history on our servers
• Premium purchase records are maintained by Google Play Store according to their policies

Children's Privacy (Mobile App)

The QRCraft mobile app does not knowingly collect personal information from children under 13 years of age. The app is rated for all ages (PEGI 3 / ESRB Everyone) but requires parental guidance for in-app purchases. If you are a parent or guardian and believe your child has provided personal information through the app, please contact us at support@qrcraft.online.

Your Rights (Mobile App Users)

As a mobile app user, you have the right to:

• Access your locally stored data (available in-app under History section)
• Delete your data (Settings → Clear History or uninstall the app)
• Opt-out of personalized ads (Device Settings → Google → Ads → Opt out)
• Revoke permissions at any time (Device Settings → Apps → QRCraft → Permissions)
• Request premium purchase refund (within Google Play's refund policy timeframe)

App Updates and Privacy Changes

When we update the mobile app, Google Play Store will notify you before updating. If we make significant changes to data collection practices or request new permissions, we will:

• Display an in-app notification explaining the changes
• Update this Privacy Policy with the "Last Updated" date
• Require your consent before collecting any new types of data

Continued use of the app after updates constitutes acceptance of the updated privacy policy.

Children's Privacy

Our Service does not target anyone under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at support@qrcraft.online. If we discover that we have collected personal data from a child under 13, we will take steps to delete that information immediately.

Links to Other Websites

Our Service may include links to other websites not operated by QRCraft. Additionally, when you generate QR codes containing URLs, those URLs lead to third-party websites. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We advise you to review the privacy policies of those sites.

When you scan a QR code generated by our service, you will be directed to the destination encoded in the QR code (which may be a third-party website). We are not responsible for the privacy practices of those destinations.

Changes to this Privacy Policy

We may update our Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

• Updating the "Last updated" date at the top of this Privacy Policy
• Posting a prominent notice on our Website homepage
• Sending an email notification to registered users (for significant changes)
• Displaying a notification in the Chrome Extension (for extension-related changes)
• Displaying an in-app notification in the Mobile Application (for mobile-related changes)

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.

If you do not agree with any changes, you should discontinue use of the Service and may delete your account at any time.