Skip to content

Privacy Policy

Last updated: April 2026

What We Collect

Account data: When you sign in with Google or GitHub, we store your name, email address, and profile image to identify your account.

Scan analytics: When someone scans or clicks one of your QR code links, we record the timestamp, country (derived from Cloudflare headers), device type (from the user-agent header), HTTP referrer, and IP address. This data powers the analytics dashboard visible to the link owner.

Uploaded logo images: If you upload a center logo for a QR code on a paid plan, we store the image as a base64-encoded data URL in a dedicated logo record linked to that QR code. Images are compressed in your browser before upload to roughly 15–30 KB (capped at 64 KB); SVG uploads are rasterized before storage. We never access the logo files in any other context, and they are only used to render your QR code.

Subscription data: If you purchase a paid plan, we store your plan type, subscription status, and billing period. Your payment card details, billing address, and payment method are processed and stored by our payment processor, LemonSqueezy – not by us.

Why We Collect It

  • Account data is used solely for authentication and displaying your profile.
  • Scan analytics let you understand who is using your QR codes, from where, and on what devices.
  • Uploaded logo images are used solely to render the customized QR codes you create.

How Data Is Stored

All data is stored in Cloudflare D1 (database) and Cloudflare KV (caching and sessions). Data is processed at the Cloudflare edge location nearest to each request. Sessions expire after 7 days.

Deleting Your Data

  • Deleting a link removes all associated scan analytics data and any uploaded logo image immediately and permanently.
  • Deleting your account removes all your links, scan data, sessions, and profile information. This action is permanent and cannot be undone.
  • You can delete individual links or your entire account from the dashboard.

Third-Party Services

  • Google OAuth: Used for sign-in. Google provides your name, email, and profile image. See Google's privacy policy.
  • GitHub OAuth: Used for sign-in. GitHub provides your name, email address, and profile image according to your GitHub account settings. See GitHub's privacy statement.
  • Cloudflare: Hosts the application, database, and edge network. See Cloudflare's privacy policy.
  • LemonSqueezy: Our payment processor and merchant of record. When you purchase a paid plan, LemonSqueezy processes your name, email address, billing address, and payment method. We do not have access to your full card number. See LemonSqueezy's privacy policy.

Cookies

We use a single session cookie for authentication and a CSRF cookie for security. We do not use tracking cookies, advertising cookies, or third-party analytics scripts. When you proceed to checkout for a paid plan, LemonSqueezy's payment overlay may set its own cookies for payment processing. For full details, see our Cookie Policy.

Non-User Data (QR Code Scanners)

When someone scans a QR code created through EternalQR, we record their IP address, country, user agent, referrer, and the timestamp – even if they do not have an account. This data is collected under our legitimate interest in providing scan analytics to the link owner. Raw scan details are retained for up to 365 days, or less if the associated link or account is deleted earlier.

Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or the United Kingdom, we process your data under the following legal bases:

  • Consent: When you sign in with Google or GitHub and create an account, you consent to the collection and processing of your account data.
  • Legitimate interest: Scan analytics data is processed to provide link owners with insights into how their QR codes are used. Security measures (rate limiting, CSRF protection) protect the integrity of the Service.
  • Contractual necessity: Processing required to deliver the Service you signed up for (storing your links, redirecting scans, maintaining your session, and processing payments for paid subscriptions).

Your Rights (GDPR)

If you are in the EEA or the UK, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data (you can update your display name from your account settings).
  • Erase your data by deleting your account, which permanently removes all your links, scan data, sessions, and profile information.
  • Restrict or object to processing in certain circumstances.
  • Data portability – receive your data in a structured, machine-readable format.
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at legal@eternalqr.app.

California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used.
  • Delete your personal information (via account deletion).
  • Opt out of the sale of personal information. We do not sell your personal information to third parties.
  • Non-discrimination for exercising your privacy rights.

Data Retention

  • Account data is retained until you delete your account.
  • Raw scan analytics details are retained for up to 365 days, or until the associated link or account is deleted. Aggregate counts may be retained longer to preserve lifetime scan totals.
  • Sessions expire automatically after 7 days.
  • Rate-limiting data is ephemeral and expires within minutes.
  • Subscription records are retained while your account exists. Payment transaction history is retained by LemonSqueezy in accordance with their data retention policies.

International Data Transfers

EternalQR runs on Cloudflare Workers, which processes requests at the edge location nearest to each visitor. This means your data may be processed in any of Cloudflare's 300+ data centres worldwide. Cloudflare maintains appropriate safeguards for international data transfers, including Standard Contractual Clauses for transfers from the EEA. See Cloudflare's privacy policy for details.

Data Controller

The data controller for the Service is:

Vempus Technologies Private Limited
Koraput, Odisha, India
legal@eternalqr.app

Contact

If you have questions about this policy or your data, contact us at legal@eternalqr.app.