PageQR (“we”, “us”, or “our”) operates the pageqr.io website and related services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
1. Information We Collect
Account Information
When you create an account via magic link or Google OAuth, we collect your email address and display name. Authentication is handled by Supabase Auth — we do not store passwords.
Page Content
Content you add to instruction pages — including text, links, uploaded PDFs, and video URLs — is stored in our database and associated file storage. Uploaded media (images, PDFs) are stored in Cloudflare R2 object storage.
QR Scan Analytics
When someone scans a QR code linked to your page, we record the scan timestamp, approximate geographic location, device type, and a one-way hash of the scanner’s IP address. We do not store raw IP addresses — we use irreversible hashing to count unique visitors while preserving privacy.
Payment Information
Billing is processed by Stripe. We do not store credit card numbers or full payment details on our servers. We retain your Stripe customer ID and subscription status to manage your account.
2. How We Use Your Information
- Provide, maintain, and improve the PageQR service
- Authenticate your identity and secure your account
- Process payments and manage subscriptions
- Generate scan analytics for your QR codes
- Send transactional emails (e.g., magic link sign-ins)
- Respond to support requests
We do not sell your personal data. We do not use your data for advertising or marketing profiling.
3. Third-Party Services
We use the following third-party services to operate PageQR:
- Supabase — authentication and database hosting
- Stripe — payment processing
- Vercel — application hosting and edge network
- Cloudflare R2 — file and media storage
- Resend — transactional email delivery
- Sentry — error tracking and performance monitoring
Each of these providers has its own privacy policy governing how it handles data. We share only the minimum data required for each service to function.
Additionally, page creators may optionally configure third-party tracking pixels (Facebook Pixel, Google Analytics, Google Tag Manager) on their public instruction pages. When present, these tracking services are subject to their own privacy policies and a cookie consent banner is displayed to visitors in jurisdictions that require it.
4. Cookies
PageQR uses the following categories of cookies:
Essential Cookies
Required for the service to function. These include:
- Authentication session cookies (Supabase Auth)
- Page access gate cookies (for password-protected pages)
- Lead capture gate cookies (for email-gated pages)
- Cookie consent preference cookie
Cookieless Analytics
We use Vercel Analytics and Speed Insights for performance monitoring. These tools do not use cookies or collect personal data.
Third-Party Tracking (Public Pages Only)
Page creators may add Facebook Pixel, Google Analytics (GA4), or Google Tag Manager to their instruction pages. These services set their own cookies. For visitors in the EU/EEA, UK, Canada, and Brazil, a cookie consent banner is displayed, and these cookies are only loaded after explicit consent.
5. Data Retention
- Account data (email, display name, company name): Retained while your account is active. Deleted within 30 days of account deletion.
- Page content (text, links, settings): Retained while your account is active. Deleted on account deletion via cascading delete.
- Uploaded media (images, PDFs): Stored in Cloudflare R2. Deleted when the associated page is deleted or account is closed.
- Scan analytics: Retained per plan tier — Free: 7 days, Starter: 30 days, Pro: 90 days, Business: 365 days.
- Payment records: Retained for 7 years as required by tax and financial regulations. Managed by Stripe.
- Anonymized aggregate data: May be retained indefinitely for service improvement and statistical analysis.
6. Data Security
We implement industry-standard security measures including encrypted connections (TLS), secure authentication flows (PKCE), row-level security policies at the database level, and hashed IP addresses for scan tracking. However, no method of transmission over the Internet is 100% secure.
7. Your Rights
Depending on your location, you may have the following rights:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your personal data
- Portability — request an export of your data in a machine-readable format
- Objection — object to certain processing of your data
- Restriction of processing — request restriction in certain circumstances
GDPR (EU/EEA): If you are in the EU or EEA, you have rights under the General Data Protection Regulation. Our legal basis for processing your data is contractual necessity (providing the service you signed up for) and legitimate interest (improving our service).
CCPA (California): California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information.
PIPEDA (Canada): Canadian residents have rights under the Personal Information Protection and Electronic Documents Act. You may request access to, correction of, or deletion of your personal information. To withdraw consent or exercise your rights, contact privacy@pageqr.io. You may file a complaint with the Office of the Privacy Commissioner of Canada.
UK GDPR: UK residents have equivalent rights to those under the EU GDPR, including access, correction, deletion, portability, and objection. Our legal basis for processing is contractual necessity and legitimate interest. You may lodge a complaint with the Information Commissioner’s Office (ICO).
Right to Restrict Processing: Under GDPR Article 18, you may request restriction of processing in certain circumstances, such as when you contest the accuracy of your data or when processing is unlawful but you oppose deletion.
To exercise any of these rights, contact us at privacy@pageqr.io.
8. Data Breach Notification
In the event of a personal data breach:
- GDPR jurisdictions: We will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay when the breach poses a high risk
- PIPEDA jurisdictions: We will notify the Privacy Commissioner of Canada and affected individuals as required
- All users: We will provide notification via email and a notice on our service
Notification will include the nature of the breach, data affected, measures taken, and recommended user actions.
9. Children’s Privacy
PageQR is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last updated” date. Your continued use of PageQR after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy, contact us at privacy@pageqr.io.