Privacy Policy

Last updated: March 2026

iloveqr.tech ("we", "us", "our") respects your privacy. This policy explains what data we collect, how we use it, and your rights under GDPR, CCPA, and applicable data protection laws.

1. Data We Collect

Free Tool (No Account): When you use the free QR code generator, we do not collect or store any personal data. QR codes are generated on request and are not saved on our servers. No cookies are set until you consent.

Registered Accounts: When you create an account, we collect:

• Email address (for account authentication)
• Hashed password (bcrypt — we never store plain text)
• TOTP secret (if 2FA is enabled, stored encrypted)

QR Code Scan Events (Dynamic QR Codes): When someone scans a dynamic QR code, we log:

• IP address (anonymised after 30 days)
• Approximate country and city (resolved from IP via MaxMind GeoLite2)
• Device type, operating system, and browser (parsed from user agent)
• Timestamp of the scan
• Referrer URL (if available)

2. How We Use Your Data

• Account authentication and security (JWT tokens, 2FA)
• Scan analytics displayed on your dashboard
• Abuse prevention (rate limiting, Safe Browsing checks)
• Service improvement and debugging

We do not sell, rent, or share your personal data with third parties.

3. Google AdSense & Cookies

We use Google AdSense to display advertisements. AdSense may use cookies and web beacons to serve ads based on your prior visits to iloveqr.tech or other websites. Google's use of advertising cookies enables it to serve ads based on your visit to our site and/or other sites on the Internet.

You can opt out of personalised advertising by visiting Google's Ads Settings.

We do not set any non-essential cookies until you consent via our cookie consent banner.

4. Data Retention

• IP addresses in scan events: deleted after 30 days
• Aggregate scan data (country, device, counts): retained as long as your account exists
• Account data: retained until you delete your account

5. Your Rights (GDPR)

If you are an EU/EEA resident, you have the right to:

• Access: Request a copy of all data we hold about you.
• Rectify: Correct inaccurate data.
• Delete: Request complete deletion of your account and all associated data via our DELETE /auth/account endpoint or by contacting us.
• Port: Export your scan data as CSV from the analytics dashboard.
• Object: Object to data processing.

6. Data Security

We implement industry-standard security measures:

• Passwords hashed with bcrypt
• API keys stored as bcrypt hashes (never logged)
• All traffic encrypted via HTTPS/TLS
• CORS restricted to our domain in production
• Security headers (HSTS, X-Frame-Options, CSP)

7. Third-Party Services

• Google Safe Browsing API: URLs are sent to Google for safety verification. See Google's privacy policy.
• Google AdSense: See Google's privacy policy.
• MaxMind GeoLite2: IP-to-location resolution. No data shared with MaxMind.

8. Contact

For privacy inquiries or data deletion requests, contact us at privacy@iloveqr.tech.