Privacy Policy

Last updated: May 17, 2026

1. Overview

This Privacy Policy describes what data F29.us QR Code System collects, how it is used, and how it is protected. We aim to collect only what is necessary to operate the Service.

2. Data We Collect

Account data

  • Email address — used for login and account identification
  • Password — stored as a bcrypt hash; your raw password is never stored or logged
  • Account status, role, and timestamps (created, last login)
  • Optional profile fields you choose to provide: first name, last name, display name, company name, phone number, and timezone
  • Persistent-login (Remember Me) tokens — when you check “Remember me for 30 days” at login, we store a random selector, a hashed copy of the secret token, an expiration time, the browser’s user-agent string, and an HMAC-hashed IP. The raw token is never stored; only the cookie sent to your browser contains it. See section 5 for details.

QR code and short-link data

  • QR code names you assign
  • Short-link slugs (including custom slugs you choose)
  • Destination URLs you set and their history
  • QR styling settings: custom foreground and background colors, error correction level
  • Uploaded QR logo files used for branded QR codes (stored server-side, associated with the QR style)

Scan analytics

When a visitor scans one of your QR codes, we log:

  • Timestamp of the scan
  • IP address — stored as an HMAC-SHA256 hash, not in plain text (see section 4)
  • User agent string (browser/device identifier, truncated to 1000 characters)
  • Referer URL (truncated to 2000 characters)
  • Inferred device type (mobile, tablet, desktop, or unknown)
  • Bot flag (whether the scan appears to be automated traffic)
  • Geographic fields (country, region, city) — currently stored as empty; geolocation is not yet implemented

Contact form submissions

If you contact us through the Contact page, we store the name, email address, category, subject, and message you submit. If you are logged in at the time, we also store the associated account ID. For abuse-prevention and rate-limiting we record your browser’s user-agent string and an HMAC-hashed IP — the plain IP is not stored. Submissions are visible only to administrators reviewing the support queue. Admins may attach an internal note that is not shown publicly and not emailed to you.

Abuse reports

If you submit an abuse report through the Report Abuse page, we store the name and email address you provide, the reported URL, the destination URL if provided, the abuse type, and your description / evidence. If you are logged in, we may associate the report with your account. We also store your browser’s user-agent string and an HMAC-hashed IP for abuse prevention and rate limiting; the plain IP is not stored. Abuse reports are visible only to administrators reviewing the moderation queue, and admins may add internal review notes that are not shown publicly and not emailed to you.

Subscription and administrative data

  • Plan assignments and billing cycle records
  • Subscription change requests and their status
  • Admin audit log entries (records of significant actions within the admin area)
  • Login attempt records (used for throttling; retained for 90 days)

3. How We Use Your Data

  • Account operation — authentication, session management, plan enforcement
  • Redirect service — resolving short links to destination URLs
  • Analytics — providing you with scan statistics on your own QR codes
  • Abuse prevention — detecting and blocking misuse via login throttling, moderation, and domain blocklists
  • Transactional email — sending verification, password reset, account security, subscription, and moderation notices
  • Operational troubleshooting — diagnosing errors via server-side logs

4. IP Address Handling

IP addresses recorded during QR code scans are hashed using HMAC-SHA256 with a server-side secret key before storage. The plain IP address is not stored. The hash cannot be reversed to recover the original IP without the secret key. This approach allows abuse detection (identifying repeated scans from the same source) without storing identifiable IP addresses in plain text.

Login attempt records also use HMAC-hashed IPs for the same purpose.

5. Cookies and Sessions

We use cookies to keep you signed in and to protect your account. We do not use tracking cookies or third-party advertising cookies, and we do not share cookie data with advertisers.

Session cookie

The session cookie is named f29_sess. It is HTTP-only, uses SameSite=Lax, is marked Secure when the site is served over HTTPS, and is set to expire when you close your browser (session lifetime). It is required for the site to recognize that you are logged in during an active browser session.

“Remember me for 30 days” cookie

If you check “Remember me for 30 days” during login, we also set a separate persistent authentication cookie named f29_remember. This cookie can keep you signed in for up to 30 days even after your browser session ends.

  • The cookie value is a random selector and secret token generated on the server. It does not contain your email address or password.
  • The cookie is HTTP-only, uses SameSite=Lax, and is marked Secure when the site is served over HTTPS. It is not readable by JavaScript.
  • We store only a SHA-256 hash of the secret token in our database, alongside metadata such as the expiration time, the browser’s user-agent string, and an HMAC-hashed IP. The raw secret is never stored.
  • When the cookie is used to restore your session, the token is rotated (a new secret is issued); the previous value is briefly accepted for a short concurrency grace window before being discarded.
  • You can clear this cookie at any time by logging out — that deletes the stored token for that browser — or by clearing your browser cookies. Expired tokens are also removed automatically by a scheduled cleanup job.
  • Choosing “Remember me” only restores authentication. It does not skip email verification, password-change, or any other security check.

No persistent cookies are set for unauthenticated visitors viewing public pages or following QR code redirects.

6. Third Parties

We do not sell, rent, or share your personal data with third-party advertisers or data brokers. We do not currently use third-party analytics, tracking pixels, or advertising networks.

Application data is stored on infrastructure we control or administer. Transactional email (verification, password reset, account security, subscription, and moderation notices) may be processed through a configured mail server or email service provider.

7. Data Retention

Account data is retained while your account is active. Scan analytics are retained indefinitely but visibility within the app is limited by your plan's analytics retention window. Login attempt records are pruned after 90 days via a scheduled cleanup job.

Uploaded QR logo files are retained while associated with a QR style. When a logo is replaced, removed, or the style is reset, the old logo file is deleted where practical.

Self-service account deletion is not currently implemented. Contact us if you wish to request deletion of your account and associated data.

8. Children's Privacy

The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will take steps to remove that information.

9. Your Rights and Contact

If you have questions about data we hold on you, or wish to request corrections or deletion, please contact us.

10. Changes to This Policy

We may update this policy from time to time. We will update the date at the top of this page when changes are made.