Privacy Policy
Effective: April 25, 2026
1. Who We Are
QR Forge is a product of StanHattie LLC, an Iowa LLC at 731 SE Alices Rd PMB 1035, Waukee, IA 50263. Contact: support@tryqrforge.com.
2. What We Collect
Anonymous use of the generator: nothing. QR codes are generated entirely in your browser; the data never touches our servers.
Authenticated use:
- Email address (used as your primary identity)
- Optional display name
- QR codes you create (type, payload, label, color customization)
- Folder organization
- Subscription / billing metadata (Stripe customer ID, plan tier, subscription status). Stripe holds the payment instrument; we never see your card number.
- Passkey credentials (public key only; the private key never leaves your device)
- Session metadata (creation time, last-active timestamp, salted IP hash, expiry)
Scan data on dynamic QR codes: when someone scans one of your dynamic QR codes, we record:
- Salted SHA-256 hash of the scanner's IP (we do not retain raw IPs)
- Country and city derived from IP geolocation
- User-agent string
- Referer header (if any)
- Timestamp
3. How We Use It
- To run the Service (create, store, and redirect your QR codes)
- To bill you via Stripe (paid plans only)
- To send transactional email (sign-in links, account notices, billing receipts)
- To provide scan analytics in your dashboard
- To detect and prevent abuse (rate limits, anomaly detection)
We do not sell your data. We do not share it with advertisers. We do not build user profiles for marketing.
4. Cookies and Analytics
We use a small set of essential cookies (HttpOnly session cookie for sign-in state, a flag cookie for "session exists" so the navigation can render correctly, a CSRF token for state-changing requests).
If you opt in via the cookie banner, we additionally load Google Analytics 4 and Microsoft Clarity. Without your consent, neither loads. You can change your choice anytime by clearing your browser's local storage for tryqrforge.com.
5. Subprocessors
We use the following service providers to deliver QR Forge:
- Railway (railway.com) — application hosting and PostgreSQL database
- Cloudflare (cloudflare.com) — DNS, CDN, and frontend hosting (Workers + Static Assets)
- Stripe (stripe.com) — payment processing for paid plans
- Resend (resend.com) — transactional email delivery
- Migadu (migadu.com) — inbound email hosting for our support addresses
- Backblaze B2 (backblaze.com) — backup storage
- Google Analytics 4 (google.com) — analytics, opt-in only
- Microsoft Clarity (microsoft.com) — session replay and heatmaps, opt-in only
This list is current as of the effective date above; we will update it before adding new processors that handle personal data.
6. International Transfers
Data is stored in the United States. If you are in the EEA, UK, or Switzerland, your use of the Service involves transferring personal data to the US. By using QR Forge you consent to that transfer. We rely on standard contractual clauses where required.
7. Data Retention
- Active accounts: data retained while the account is active
- Inactive accounts: archived at 12 months, deleted at 18 months
- Deleted accounts: anonymized within 30 days, fully deleted within 90 days
- Transaction data: 7 years (US tax recordkeeping requirement)
- Audit logs: 2 years minimum
8. Your Rights
Regardless of where you live, you can:
- Request a copy of all data tied to your account
- Correct inaccurate data
- Delete your account and associated data
- Object to processing or restrict it
- Withdraw analytics consent at any time
EU and UK residents: you also have the right to lodge a complaint with your local supervisory authority. California residents: under the CCPA, you have the right to know what we collect, to delete it, to opt out of sale (we don't sell), and not to face discrimination for exercising these rights.
To exercise any of these rights, email support@tryqrforge.com from the address tied to your account or use the in-dashboard delete-account flow.
9. Security
Sessions are HMAC-signed and stored as HttpOnly Secure cookies. Passkey private keys never leave your device. Magic-link tokens are stored only as SHA-256 hashes and expire in 15 minutes. Passwords don't exist. We use TLS for all connections, security headers (HSTS, CSP, X-Frame-Options) on every response, and rate limiting on auth endpoints.
If we discover a breach affecting your data, we will notify you within 72 hours of confirmation.
10. Children
QR Forge is not directed to children under 13. We do not knowingly collect data from children under 13. If you believe a child has created an account, contact us and we will delete it.
11. Changes
We will update this policy as the Service evolves. Material changes will be announced by email to active users at least 30 days before taking effect.
12. Contact
Privacy questions, data requests, complaints: support@tryqrforge.com
Mailing address: StanHattie LLC, 731 SE Alices Rd PMB 1035, Waukee, IA 50263