Privacy Policy

Last updated: February 2026

1. What We Collect

Account data: When you create an account, we store your email address and display name via Firebase Authentication. Anonymous users can use the app without providing any personal information.

QR scan analytics: When someone scans a QR code you created, we collect:

• Approximate geographic location (country, city) derived from the scanner's IP address using MaxMind GeoLite2
• Device type (mobile/desktop), operating system, and browser name — derived from the HTTP User-Agent header
• A one-way SHA-256 hash of the IP address (the raw IP address is never stored)

Placement data: If you register a physical QR code placement, we store the GPS coordinates you provide and an optional label/description.

2. What We Do NOT Collect

• We do not store raw IP addresses — only irreversible hashes
• We do not store raw User-Agent strings
• We do not track HTTP referers
• We do not use advertising trackers or sell data to third parties
• We do not use cookies on the public QR redirect endpoint

3. How We Use Your Data

All collected data is used solely to provide you with QR code analytics (scan counts, geographic heatmaps, device breakdowns, time-of-day analysis). We do not share, sell, or rent your data to any third party.

4. Data Retention

Scan analytics data is retained for 12 months from the date of the scan. After that period, records are automatically deleted. Account data is retained until you delete your account.

5. Account Deletion

You can permanently delete your account and all associated data (QR codes, scan history, placements, campaigns) at any time from the app's Dashboard menu. Deletion is immediate and irreversible.

6. Third-Party Services

• Firebase Authentication (Google) — for account sign-in. See Firebase Privacy Policy.
• MaxMind GeoLite2 — for IP-to-location lookups (IP is hashed after lookup). See MaxMind Privacy Policy.
• Firebase Crashlytics — for crash reporting. See Firebase Privacy Policy.
• Google Analytics for Firebase — for anonymous app usage analytics. See Firebase Privacy Policy.

7. Security

All data is transmitted over HTTPS/TLS. The database is isolated within a private Kubernetes network. Access is restricted to authenticated backend services only.

8. Children's Privacy

Power QR is not directed at children under 13. We do not knowingly collect personal information from children.

9. Changes

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision.

10. Contact

If you have questions about this policy, contact us at privacy@gelotto.io.