Privacy Policy

Last updated: April 28, 2026

1. Who we are

[TODO: Entity name] ("qrbake", "we", "us") operates qrbake.com and the QR code tools available there. You can reach us at [TODO: privacy contact email].

2. What we collect

Browsing without an account

If you generate a QR code without signing in, the content of that code (the URL, Wi-Fi credentials, vCard, etc.) is processed entirely in your browser by the qr-code-styling JavaScript library. We do not transmit, log, or store the content of these QR codes.

Our server still receives standard request data with each page load:

• The page URL you requested
• Your IP address (which we hash with a salted one-way function before storing — we keep the hash for fraud and abuse detection, not the raw IP)
• Your user agent string (browser, OS)
• The referring page, if any
• Timestamp of the request

If you create an account

To save QR codes to your account, we collect:

• Your email address
• A hashed copy of your password (we never see or store your raw password)
• The QR codes you save, including the encoded content and the visual style settings
• A session cookie so you stay signed in

If you join the waitlist or contact us

If you submit your email to the waitlist or send us a message, we keep that email so we can reply or notify you when a feature ships.

3. What we don't collect

• We don't run third-party advertising or marketing trackers (no Google Analytics, no Meta Pixel, no Hotjar, etc.).
• We don't sell or rent your data to anyone.
• We don't read or analyze the content of QR codes you generate without an account.

4. Cookies

We use a single first-party session cookie to keep you signed in. We don't use cookies for advertising or cross-site tracking. If you don't sign in, no cookies are set by qrbake.

5. Third parties we rely on

To run the site we use a small number of infrastructure providers. Each receives only the minimum data needed to do its job:

• Render — hosts the web service. Receives request metadata for routing.
• Neon — hosts our Postgres database. Stores your account and saved QR codes.
• Google Fonts — serves the Geist webfont. Your IP is briefly visible to Google when fetching the font file. If this concerns you, your browser typically caches the font after the first visit.
• unpkg.com — serves the qr-code-styling JavaScript library. Your IP is briefly visible to the unpkg CDN when fetching the script.

6. How long we keep things

• Server access logs: 30 days, then deleted.
• Hashed IPs: 90 days for abuse detection, then deleted.
• Account data and saved QR codes: kept until you delete your account.
• Waitlist emails: kept until the feature ships or you ask us to remove you.

7. Your rights

You can:

• Access the data we hold about you — sign in to see your saved codes, or email us for a copy of everything else.
• Delete your account — this removes your email, password hash, and saved codes immediately.
• Correct inaccurate data — change your email in your account settings or email us.
• Object to specific processing — email us and we'll address it.

If you're in the EU/UK, California, or another jurisdiction with specific privacy rights (GDPR, CCPA, etc.), those rights apply on top of the above. Contact us at [TODO: privacy contact email].

8. Security

We use HTTPS for all connections, hash passwords with a strong key-derivation function, and store hashed (not raw) IPs. No system is perfectly secure — if you ever suspect an issue with your account, contact us immediately.

9. Children

qrbake is not directed at children under 13 (or 16 in the EU/UK). We don't knowingly collect personal data from children. If you believe a child has given us data, contact us and we'll delete it.

10. Changes to this policy

If we change this policy in a meaningful way, we'll update the "Last updated" date at the top and, for material changes, notify account holders by email. Continued use of qrbake after a change means you accept the updated policy.

11. Contact

Questions about this policy or about the data we hold on you: [TODO: privacy contact email].