QRBloomQRBloom

Privacy Policy

Last updated: March 3, 2026

This Privacy Policy describes how QRBloom ("we," "us," or "our") collects, uses, stores, and shares information when you use our website at qrbloom.com and our QR code generation platform (collectively, "the Service"). By using the Service, you consent to the practices described in this policy.

1. Information We Collect

1.1 Account Information

When you register for an account, we collect your name, email address, and a password (which is stored only in hashed form using bcrypt). If you sign in via Google OAuth, we receive your name, email address, and profile image from Google. We do not receive or store your Google password.

1.2 QR Code Data

We store the content you encode in QR codes, which may include URLs, plain text, contact information (vCard fields), WiFi credentials, email addresses, phone numbers, and social media links. This data is stored on our servers to provide the Service and is associated with your account.

1.3 Scan Analytics

When someone scans a dynamic QR code created through the Service, we collect the following information about the scan event:

  • Hashed IP address — we apply a one-way hash to the scanner's IP address before storage; we do not retain the raw IP address
  • Approximate location — country and city derived from the IP address at the time of the scan
  • Device and browser information — device type, operating system, and browser name parsed from the User-Agent header
  • Timestamp — the date and time of the scan

We do not collect personally identifiable information from individuals who scan QR codes.

1.4 Payment Information

Payments are processed by our third-party payment processor, Stripe, Inc. We do not receive, process, or store your full credit card number, CVV, or bank account details. Stripe provides us with a limited set of information, including your Stripe customer ID, subscription status, and the last four digits of your payment method, which we use solely to manage your subscription.

1.5 API Keys

If you generate an API key through the Service, we store a hashed version of the key. The full key is displayed to you only once at the time of creation.

1.6 Usage and Analytics Data

We use Google Analytics (Google Tag, measurement ID G-P90GH7GDWV), a web analytics service provided by Google LLC, to understand how visitors interact with our website. Google Analytics collects information such as:

  • Pages visited and time spent on each page
  • Referring website or source
  • Browser type, operating system, and screen resolution
  • Approximate geographic location (country/region level)
  • Device type (desktop, mobile, tablet)

This data is processed by Google in accordance with Google's Privacy Policy. Google Analytics uses cookies and similar technologies to collect this information. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

1.7 Log Data

Our servers automatically record information when you access the Service, including your IP address, request URL, HTTP method, response status code, referring URL, and timestamp. This data is used for security monitoring, debugging, and abuse prevention and is retained for a limited period.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and manage your account and sessions
  • Process payments and manage subscriptions via Stripe
  • Provide QR code scan analytics to account holders on eligible plans
  • Analyze website usage to improve the Service (via Google Analytics)
  • Communicate with you about your account, billing, and service-related matters
  • Detect, prevent, and address fraud, abuse, security incidents, and technical issues
  • Comply with legal obligations

We do not use your data for automated decision-making or profiling. We do not send marketing emails unless you have explicitly opted in.

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

  • Stripe, Inc. — to process payments and manage subscriptions
  • Google LLC — via Google OAuth (if you choose to sign in with Google) and Google Analytics (website usage data)
  • Infrastructure providers — our hosting and database providers process data on our behalf under appropriate security controls
  • Law enforcement or legal process — we may disclose information if required to do so by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others

4. Cookies and Tracking Technologies

We use the following types of cookies:

  • Essential cookies — required for authentication, session management, and security. These cannot be disabled without breaking core functionality.
  • Analytics cookies — set by Google Analytics to collect anonymous usage data (e.g., _ga, _ga_* cookies). You can opt out using the Google Analytics Opt-out Add-on or by configuring your browser to block third-party cookies.

We do not use advertising cookies or retargeting pixels.

5. Data Security

We implement industry-standard technical and organizational measures to protect your data, including:

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • Passwords hashed with bcrypt before storage
  • IP addresses hashed before storage in scan analytics
  • API keys stored in hashed form
  • Automated SSL certificate renewal via Let's Encrypt
  • Access controls and least-privilege principles on server infrastructure

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

  • Account data is retained for as long as your account is active. If you delete your account, we will delete your personal data and QR codes within 30 days, except where retention is required by law.
  • Scan analytics are retained for the lifetime of the associated QR code and account.
  • Server logs are retained for up to 90 days for security and debugging purposes.
  • Payment records may be retained as required by tax and financial reporting laws.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate or incomplete data
  • Deletion — request deletion of your account and associated personal data
  • Data portability — request an export of your QR code data in a machine-readable format
  • Objection — object to certain processing of your data
  • Withdraw consent — where processing is based on consent, withdraw that consent at any time

To exercise any of these rights, contact us at privacy@qrbloom.com. We will respond within 30 days.

8. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to such transfer and processing.

9. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@qrbloom.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

11. Contact

For privacy-related questions, concerns, or to exercise your data rights, contact us at privacy@qrbloom.com.