Privacy Policy

Last updated: April 2026

What We Collect

Account data: When you sign in with Google, we store your name, email address, and profile image to identify your account.

Scan analytics: When someone scans or clicks one of your QR code links, we record the timestamp, country (derived from Cloudflare headers), device type (from the user-agent header), HTTP referrer, and IP address. This data powers the analytics dashboard visible to the link owner.

Subscription data: If you purchase a paid plan, we store your plan type, subscription status, and billing period. Your payment card details, billing address, and payment method are processed and stored by our payment processor, LemonSqueezy — not by us.

Why We Collect It

  • Account data is used solely for authentication and displaying your profile.
  • Scan analytics let you understand who is using your QR codes, from where, and on what devices.

How Data Is Stored

All data is stored in Cloudflare D1 (database) and Cloudflare KV (caching and sessions). Data is processed at the Cloudflare edge location nearest to each request. Sessions expire after 7 days.

Deleting Your Data

  • Deleting a link removes all associated scan analytics data immediately.
  • Deleting your account removes all your links, scan data, sessions, and profile information. This action is permanent and cannot be undone.
  • You can delete individual links or your entire account from the dashboard.

Third-Party Services

  • Google OAuth: Used for sign-in. Google provides your name, email, and profile image. See Google's privacy policy.
  • Cloudflare: Hosts the application, database, and edge network. See Cloudflare's privacy policy.
  • LemonSqueezy: Our payment processor and merchant of record. When you purchase a paid plan, LemonSqueezy processes your name, email address, billing address, and payment method. We do not have access to your full card number. See LemonSqueezy's privacy policy.

Cookies

We use a single session cookie for authentication and a CSRF cookie for security. We do not use tracking cookies, advertising cookies, or third-party analytics scripts. When you proceed to checkout for a paid plan, LemonSqueezy's payment overlay may set its own cookies for payment processing. For full details, see our Cookie Policy.

Non-User Data (QR Code Scanners)

When someone scans a QR code created through Eternal QR, we record their IP address, country, user agent, referrer, and the timestamp — even if they do not have an account. This data is collected under our legitimate interest in providing scan analytics to the link owner. It is stored only as long as the associated link exists.

Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or the United Kingdom, we process your data under the following legal bases:

  • Consent: When you sign in with Google and create an account, you consent to the collection and processing of your account data.
  • Legitimate interest: Scan analytics data is processed to provide link owners with insights into how their QR codes are used. Security measures (rate limiting, CSRF protection) protect the integrity of the Service.
  • Contractual necessity: Processing required to deliver the Service you signed up for (storing your links, redirecting scans, maintaining your session, and processing payments for paid subscriptions).

Your Rights (GDPR)

If you are in the EEA or the UK, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data (you can update your display name from your account settings).
  • Erase your data by deleting your account, which permanently removes all your links, scan data, sessions, and profile information.
  • Restrict or object to processing in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at legal@eternalqr.app.

California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used.
  • Delete your personal information (via account deletion).
  • Opt out of the sale of personal information. We do not sell your personal information to third parties.
  • Non-discrimination for exercising your privacy rights.

Data Retention

  • Account data is retained until you delete your account.
  • Scan analytics data is retained until the associated link is deleted or your account is deleted.
  • Sessions expire automatically after 7 days.
  • Rate-limiting data is ephemeral and expires within minutes.
  • Subscription records are retained while your account exists. Payment transaction history is retained by LemonSqueezy in accordance with their data retention policies.

International Data Transfers

Eternal QR runs on Cloudflare Workers, which processes requests at the edge location nearest to each visitor. This means your data may be processed in any of Cloudflare's 300+ data centres worldwide. Cloudflare maintains appropriate safeguards for international data transfers, including Standard Contractual Clauses for transfers from the EEA. See Cloudflare's privacy policy for details.

Data Controller

The data controller for the Service is:

Vempus Technologies Private Limited
Koraput, Odisha, India
legal@eternalqr.app

Contact

If you have questions about this policy or your data, contact us at legal@eternalqr.app.