QRCodeKey Privacy Policy

Introduction

QRCodeKey ("we," "us," "our," or the "Company") is operated by Jal Technology LLC, located at 2501 Chatham Rd Suite N, Springfield, IL 62704, USA. Jal Technology LLC is the data controller responsible for your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Information We Collect

How We Use Your Information

We collect and process your information for the following purposes:

• ✓ QR Code Tracking: To create, manage, and track QR codes and their scans
• ✓ Attendance Management: To record attendance and generate attendance reports
• ✓ Notifications: To send you push notifications, emails, and SMS about QR activities
• ✓ AI Chatbot (AG): To power our AI virtual assistant that helps you manage QR codes, groups, plans, and account actions
• ✓ Account Management: To maintain your account and provide customer support
• ✓ Analytics: To understand usage patterns and improve our service
• ✓ Payments: To process payments through Stripe
• ✓ Legal Compliance: To comply with laws and regulations

Third-Party Service Providers

We share your information with trusted third-party services. A complete and current list of all sub-processors, including the data they process and their location, is available on our Sub-Processors page. The most commonly used providers are listed here:

AI Chatbot (AG) — Data Processing

Billing Information

When you purchase a subscription, we store billing metadata including your billing address, payment method type (e.g., Visa, Mastercard), last four digits of your card, transaction amounts, and transaction history. We do NOT store your full credit card number, CVV, or full payment credentials — these are handled exclusively by Stripe's PCI-compliant payment infrastructure.

Data Retention

We retain your personal data as long as your account is active. When you delete your account, we will permanently delete all associated data within 30 days, including:

• • Your profile information
• • All QR codes you created
• • All scan logs and attendance records
• • Team and organization data
• • Payment history

Your Privacy Rights

You have the following rights regarding your data:

Data Security

We implement industry-standard security measures to protect your data:

• • Data encryption in transit (TLS/SSL)
• • Data encryption at rest in MongoDB Atlas
• • Password hashing with bcrypt (12-round salting)
• • JWT token authentication
• • Rate limiting to prevent unauthorized access
• • Regular security audits

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting the new policy on our website with an updated "Last Updated" date.

Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information.

To exercise any of these rights, use the self-service form at qrcodekey.com/privacy/delete-my-data (no QRCodeKey account required), email info@qrcodekey.com, or call (708) 690-0550. We will respond to your request within 45 calendar days. If we need additional time due to the complexity of the request, we may extend this period by up to 45 additional calendar days (90 calendar days total), and will notify you of the extension.

Additional State Privacy Rights

In addition to California rights described above, residents of certain other states have privacy rights under their respective laws:

To exercise any of these rights, please contact us at info@qrcodekey.com. If your request is denied, you have the right to appeal by contacting us at the same address.

Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, QRCodeKey does not currently respond to DNT browser signals or headers. However, you can manage your privacy preferences through your account settings and the cookie management options described below. We will update this policy if a uniform DNT standard is adopted.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and track information about your use of our service. Cookies are small data files placed on your device.

Managing Cookies: You can control and manage cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or be notified before a cookie is set. Please note that disabling cookies may affect the functionality of our service.

For more details, please see our Cookie Policy.

SMS Communications and TCPA Compliance

QRCodeKey may send SMS text message notifications related to QR code activity, OTP verification, attendance alerts, and account updates via our third-party messaging provider, Telnyx.

• • Consent: By providing your phone number and enabling SMS notifications, you expressly consent to receive automated text messages from QRCodeKey. Consent is not a condition of purchase or use of our service.
• • Message Frequency: Message frequency varies based on your account activity and notification settings. You may receive messages related to QR code scans, attendance events, and account alerts.
• • Message and Data Rates: Message and data rates may apply depending on your mobile carrier and plan. QRCodeKey is not responsible for any charges from your mobile carrier.
• • Opt-Out: You can opt out of SMS notifications at any time by replying STOP to any message you receive from us, or by disabling SMS notifications in your account settings. After opting out, you will receive a final confirmation message.
• • Help: Reply HELP to any message for assistance, or contact us at info@qrcodekey.com.

QRCodeKey complies with the Telephone Consumer Protection Act (TCPA) and all applicable federal and state regulations governing automated text messaging. We will not send SMS messages to any number that has not opted in to receive communications from us.

CAN-SPAM Compliance

QRCodeKey complies with the CAN-SPAM Act for all commercial email communications. In accordance with CAN-SPAM, we agree to the following:

• • We will not use false or misleading subjects or email addresses.
• • We will identify the message as an advertisement when applicable.
• • We will include our physical mailing address in every email: 2501 Chatham Rd Suite N, Springfield, IL 62704, USA.
• • We will honor opt-out and unsubscribe requests promptly, within 10 business days.
• • We will provide a clear unsubscribe mechanism in every commercial email.

To unsubscribe from our emails, click the "Unsubscribe" link at the bottom of any email, or contact us at info@qrcodekey.com.

Data Breach Notification

In the event of a data breach that compromises your personal information, QRCodeKey will:

• • Investigate and contain the breach as quickly as possible.
• • Notify affected users via email and/or SMS without unreasonable delay.
• • Notify the appropriate regulatory bodies as required by applicable laws.
• • Provide a description of the breach, the types of information involved, steps we have taken in response, and recommendations for affected users to protect themselves.
• • Offer identity theft protection services if sensitive personal information is compromised.

Jurisdiction-Specific Timelines:

• • EU/EEA (GDPR): Notify supervisory authority within 72 hours of becoming aware (Article 33); notify affected individuals without undue delay where there is a high risk (Article 34).
• • United Kingdom: Notify the ICO within 72 hours; notify affected individuals without undue delay where high risk exists.
• • United States (Illinois): Within 30 days under the Illinois Personal Information Protection Act; other states as required by their respective breach notification laws.
• • Canada (PIPEDA): Notify affected individuals and the Privacy Commissioner of Canada as soon as feasible.
• • Australia: Notify the OAIC and affected individuals as soon as practicable under the Notifiable Data Breaches scheme (Privacy Act 1988, Part IIIC).
• • Brazil (LGPD): Notify the ANPD and affected individuals within a reasonable timeframe as defined by the ANPD.
• • India (DPDP): Notify the Data Protection Board of India without delay.
• • South Africa (POPIA): Notify the Information Regulator and affected individuals as soon as reasonably possible.
• • All other jurisdictions: In accordance with the breach notification requirements of your local data protection law.

International Data Transfers

QRCodeKey is operated from the United States, and your personal data is stored and processed on servers located in the United States. If you access our service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence. By using QRCodeKey, you consent to the transfer of your information to the United States and the processing of your data in accordance with this Privacy Policy and applicable US laws.

Third-Party Links

Our service may contain links to third-party websites, services, or applications that are not operated by QRCodeKey. If you click on a third-party link, you will be directed to that third party's website. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. QRCodeKey is not liable for any damages or losses arising from your use of third-party websites or services.

European Economic Area (EEA) Privacy Rights — GDPR

If you are located in the European Economic Area (EEA), you are protected by the General Data Protection Regulation (GDPR). QRCodeKey processes your personal data based on the following legal bases:

To exercise any of these rights, use the self-service form at qrcodekey.com/privacy/delete-my-data or email info@qrcodekey.com. We will respond to your request without undue delay and in any event within one month as required by GDPR Article 12(3). If your request is complex or we receive a high volume of requests, we may extend this period by up to two additional months, and will notify you of the extension within the initial one-month period.

United Kingdom Privacy Rights — UK GDPR

If you are located in the United Kingdom, you are protected by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. You have the same rights as EEA residents described above, including the rights of access, rectification, erasure, restriction, data portability, objection, and protection against automated decision-making. Your data is transferred to the United States using appropriate safeguards including the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses. You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

Canadian Privacy Rights — PIPEDA

If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (PIPEDA) protects your personal information. Under PIPEDA, you have the following rights:

For residents of Quebec, the Act Respecting the Protection of Personal Information in the Private Sector (Quebec Law 25) provides additional protections, including the requirement for express consent for the collection and use of sensitive personal information.

Brazilian Privacy Rights — LGPD

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with specific rights regarding your personal data. Under the LGPD, you have the right to:

• • Confirm the existence of processing of your personal data
• • Access your personal data
• • Correct incomplete, inaccurate, or outdated personal data
• • Anonymize, block, or delete unnecessary or excessive personal data
• • Request data portability to another service or product provider
• • Delete personal data processed with your consent
• • Obtain information about public and private entities with which we have shared your data
• • Be informed about the possibility of denying consent and the consequences thereof
• • Revoke your consent at any time

To exercise your LGPD rights, contact us at info@qrcodekey.com. You may also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

Australian Privacy Rights — Privacy Act 1988

If you are located in Australia, the Privacy Act 1988 and the Australian Privacy Principles (APPs) protect your personal information. Under the APPs, you have the right to:

• • Access your personal information held by us
• • Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information
• • Opt out of receiving direct marketing communications
• • Make a complaint about a breach of the Australian Privacy Principles

We will respond to your request within a reasonable period. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

South African Privacy Rights — POPIA

If you are located in South Africa, the Protection of Personal Information Act (POPIA) provides you with the following rights:

• • The right to be notified that personal information is being collected or that your personal information has been accessed or acquired by an unauthorized person
• • The right to request access to your personal information
• • The right to request correction or deletion of your personal information
• • The right to object to the processing of your personal information
• • The right not to have your personal information processed for purposes of direct marketing by means of unsolicited electronic communications
• • The right to submit a complaint to the Information Regulator

To exercise your POPIA rights, contact us at info@qrcodekey.com. You may also lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.

Japanese Privacy Rights — APPI

If you are located in Japan, the Act on the Protection of Personal Information (APPI) provides you with the right to request disclosure, correction, suspension of use, or deletion of your personal information. When we transfer your personal data outside Japan, we ensure compliance with APPI cross-border transfer requirements. To exercise your rights, contact us at info@qrcodekey.com. You may also file a complaint with the Personal Information Protection Commission of Japan (PPC).

South Korean Privacy Rights — PIPA

If you are located in South Korea, the Personal Information Protection Act (PIPA) provides you with the right to access, correct, delete, and suspend processing of your personal information. We collect and process your personal data only with your consent or as permitted by PIPA. You have the right to withdraw consent at any time. To exercise your rights or file a complaint, contact us at info@qrcodekey.com. You may also contact the Personal Information Protection Commission (PIPC) of South Korea.

Singapore Privacy Rights — PDPA

If you are located in Singapore, the Personal Data Protection Act (PDPA) provides you with the right to access and correct your personal data, and to withdraw your consent for the collection, use, or disclosure of your personal data. We obtain your consent before collecting, using, or disclosing your personal data, and you may withdraw consent at any time with reasonable notice. To exercise your rights, contact us at info@qrcodekey.com. You may also lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore.

Chinese Privacy Rights — PIPL

If you are located in the People's Republic of China, the Personal Information Protection Law (PIPL) provides you with the right to know about and make decisions regarding the processing of your personal information. You have the right to access, copy, correct, and delete your personal information, and to withdraw your consent. You have the right to request an explanation of the processing rules. We process your personal information based on your consent or other lawful bases under PIPL. Cross-border transfer of your data is conducted in compliance with PIPL requirements. To exercise your rights, contact us at info@qrcodekey.com.

Thai Privacy Rights — PDPA

If you are located in Thailand, the Personal Data Protection Act B.E. 2562 (PDPA) provides you with the right to access, correct, delete, restrict, and port your personal data. You have the right to withdraw consent and to object to processing. We collect and process your personal data with your consent or on other lawful bases recognized by the PDPA. To exercise your rights, contact us at info@qrcodekey.com. You may also lodge a complaint with the Personal Data Protection Committee (PDPC) of Thailand.

Philippine Privacy Rights — Data Privacy Act

If you are located in the Philippines, Republic Act No. 10173 (Data Privacy Act of 2012) provides you with the right to be informed, the right to access, the right to object, the right to erasure and blocking, the right to rectification, the right to data portability, and the right to file a complaint. To exercise your rights, contact us at info@qrcodekey.com. You may also lodge a complaint with the National Privacy Commission (NPC) of the Philippines.

Indonesian Privacy Rights — PDP Law

If you are located in Indonesia, Law No. 27 of 2022 on Personal Data Protection (PDP Law) provides you with the right to obtain information about the processing of your personal data, the right to access, correct, update, and delete your personal data, the right to withdraw consent, the right to object to automated decision-making, and the right to data portability. To exercise your rights, contact us at info@qrcodekey.com.

Malaysian Privacy Rights — PDPA 2010

If you are located in Malaysia, the Personal Data Protection Act 2010 (PDPA) requires us to process your personal data with your consent and for a lawful purpose. You have the right to access, correct, and withdraw consent for the processing of your personal data. To exercise your rights, contact us at info@qrcodekey.com.

New Zealand Privacy Rights — Privacy Act 2020

If you are located in New Zealand, the Privacy Act 2020 and the Information Privacy Principles (IPPs) protect your personal information. You have the right to access and request correction of your personal information. We collect personal information only for lawful purposes directly related to our service. To exercise your rights, contact us at info@qrcodekey.com. You may also lodge a complaint with the Office of the Privacy Commissioner of New Zealand.

Swiss Privacy Rights — nFADP

If you are located in Switzerland, the new Federal Act on Data Protection (nFADP/revDSG) provides you with the right to access, rectify, and delete your personal data, and the right to data portability. Your data is transferred to the US using appropriate safeguards. You may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC). To exercise your rights, contact us at info@qrcodekey.com.

Middle East Privacy Rights

To exercise any rights under Middle East privacy laws, contact us at info@qrcodekey.com.

African Privacy Rights (Additional)

To exercise any rights under African privacy laws, contact us at info@qrcodekey.com.

Latin American Privacy Rights (Additional)

To exercise any rights under Latin American privacy laws, contact us at info@qrcodekey.com.

Russian Privacy Rights — Federal Law No. 152-FZ

If you are located in Russia, Federal Law No. 152-FZ on Personal Data provides you with the right to access, correct, block, and destroy your personal data. We process your personal data with your consent. You have the right to withdraw consent at any time. To exercise your rights, contact us at info@qrcodekey.com. You may also lodge a complaint with Roskomnadzor (Federal Service for Supervision of Communications).

Additional US State Privacy Laws

In addition to California, Virginia, Colorado, and Connecticut privacy laws described above, residents of the following states have specific privacy rights under their respective state laws:

To exercise any US state privacy rights, please contact us at info@qrcodekey.com or call (708) 690-0550.

Other Jurisdictions

If you are located in a jurisdiction not specifically mentioned above that has data protection or privacy laws, QRCodeKey is committed to respecting your privacy rights under your local laws. We will process your personal data in accordance with applicable data protection laws and provide you with the rights available to you under your local legislation. To exercise any privacy rights or for any privacy-related inquiries, please contact us at info@qrcodekey.com. We will respond to your request within the timeframe required by your local law, or within 30 days if no specific timeframe is prescribed.

QR Code Distribution & Owner Responsibility

When you create a QR code on QRCodeKey, you may print, sticker, or otherwise deploy that QR at one or many physical locations or on multiple items. QRCodeKey does not limit how many copies of a single QR you deploy and does not, by default, distinguish "originals" from copies. As a result, multiple scans of the same QR can occur simultaneously or near-simultaneously from different geographic locations, and each will be captured and notified to you independently. QRCodeKey treats every scan as legitimate and does not arbitrate which scan is "real" or which physical item it corresponds to. Interpreting multi-location or simultaneous scans, mapping each scan back to a specific physical instance, and resolving any related disputes (with finders, customers, employees, partners, or third parties) is the sole responsibility of the QR Owner. We collect, store, and surface scan data on a per-event basis; we do not perform anti-counterfeit, anti-duplication, or fraud detection on QR scans. If a QR Owner suspects unauthorized multi-location scanning, the QR Owner may delete the QR code at any time from their dashboard or via the AI assistant; deletion is permanent and irreversible and removes the QR identifier together with its full scan history, finder submissions, registered name / phone / email / address, photos, and any attached attendance or visitor records. The QR Owner accepts sole responsibility for the consequences of this irreversible deletion (loss of evidence, loss of recovery channel, broken attendance flow). See Sections 9B.7 (Deletion) and 9B (overall) of the Terms of Service for the full responsibility, indemnification, and best-practices framework.

Group invitations & member-provided QR codes. When a Group Admin invites participants to a Group on QRCodeKey, members typically join by sharing their own personal QR code with the Admin. Each member who shares a personal QR is responsible for the information attached to it and for the consequences of being scanned at the Group's pinned location for attendance / sign-in / visitor flows. For minors (under 18, or below the applicable local age — for example under 13 in the United States under COPPA, or below the applicable threshold under India's DPDP Act 2023 Section 9), the QR must be supplied with verifiable prior consent of the minor's parent or legal guardian. The parent / legal guardian — not the Admin, not the school, not the employer — is the data controller for that minor's data on QRCodeKey. Any Admin who adds a Member (especially a minor) without proper consent is solely responsible and indemnifies QRCodeKey for any resulting claim. See Terms Section 9C (Group Membership & Member-Provided QR Codes) for the full framework. Attendance disputes & proxy scans: if a Member QR is scanned at the Group's pinned location while the Member is actually elsewhere (or vice versa), or any other discrepancy arises between the scan log and the parties' account of what happened, QRCodeKey records the event factually but does not verify physical presence and is not the arbiter of the dispute. Resolution is between the Admin and the Member (or, for a minor, the parent / legal guardian); the Admin may also pursue any lawful remedy (internal action, payroll adjustment, civil claim, or referral to authorities). See Terms Section 9C.6 for the full attendance-dispute framework. Group data visibility & access routing: only the Group Admin can view, search, export, edit, or delete the Group's combined dataset (Member roster, scan and attendance logs, geofence, visitor sign-ins, shift / leave / holiday records, reports). The Admin is the data controller for the Group's combined dataset; QRCodeKey acts as a processor on the Admin's instructions. A Member who wants to access, correct, port, restrict, or delete their own Group data must first ask the Group Admin in writing; if the Admin does not respond within the legal deadline, the Member may escalate to QRCodeKey (info@qrcodekey.com) and ultimately to the relevant data-protection authority. Members always retain the absolute right to delete their personal QR under Terms Section 9B.7 at any time, which retroactively invalidates the QR within every Group. See Terms Section 9C.7 for the full data-visibility & access-routing framework. Group deletion by the Admin: a Group Admin may delete an entire Group at any time. Deletion is permanent and irreversible: the Group, its pinned location, the entire combined attendance / clock-in / clock-out / shift / leave / holiday / report log, the audit trail, and all visitor data inside the Group (visitor names, phones, emails, photos, signatures, purposes, sign-ins, sign-outs, host notifications) are wiped from our active datastore and cannot be recovered, restored, or re-issued — not even by QRCodeKey support and not even on receipt of a court order. The Admin accepts sole responsibility for downstream consequences (loss of evidence in pending disputes, loss of statutorily-retainable records, broken visitor sign-in at the physical premises, etc.). Members' personal QR codes are NOT deleted by a Group deletion — only their membership link to that particular Group is removed; the personal QRs continue to exist in each Member's own account. See Terms Section 9C.8 for the full Group-deletion framework. Visitor self-reported data & Admin verification: in the Visitor Management flow, the visitor enters their own name, phone, email, purpose, photo, and signature into the sign-in form. QRCodeKey does NOT verify this self-reported data. The visitor is responsible for the truthfulness of what they submit; the Group Admin is responsible for verifying the visitor's identity at the point of entry (ID check, photo comparison, callback, or whatever procedure their organization requires). QRCodeKey acts as a processor of the data the Admin chose to collect and the visitor chose to submit; we do not warrant truthfulness or fitness for purpose. See Terms Section 9C.9 for the full visitor-data framework and indemnification. Reports, export & Admin's data-retention responsibility:QRCodeKey gives the Group Admin built-in attendance and visitor reports in Daily, Weekly, and Monthly views, downloadable as printable PDF or spreadsheet (Excel / CSV) and printable from the dashboard. The Admin is solely responsible for downloading, printing, archiving, and securely storing — outside QRCodeKey — any records they (or their institution) are required to retain by law, regulation, contract, sector practice, or internal policy (labor / wage-hour, tax, payroll, education attendance registers, healthcare visitor logs, building-access logs, litigation-hold records, etc.). QRCodeKey does not guarantee perpetual storage: Group data can be deleted by the Admin under Section 9C.8, individual entries can be wiped by Members under Section 9B.7, and retention windows / archival / feature changes may affect long-term availability. Once an Admin downloads a report, the resulting file is entirely in the Admin's custody — the Admin is responsible for securing it, sharing it lawfully, redacting personal data where required (minor data under COPPA / DPDP Section 9, biometrics under BIPA, special-category data under GDPR Article 9), and deleting it at the end of its retention period. QRCodeKey has no control over downloaded copies and accepts no liability for their downstream handling, loss, theft, or misuse. See Terms Section 9C.10 for the full retention-and-export framework.

International Data Transfer Mechanisms

QRCodeKey is based in the United States. When we transfer personal data from outside the US to our servers, we use the following legal mechanisms to ensure the protection of your data:

• • EU-US Data Privacy Framework (DPF): Where applicable, we may rely on the EU-US Data Privacy Framework for transfers from the EEA to the US.
• • Standard Contractual Clauses (SCCs): For transfers from the EEA, we rely on SCCs approved by the European Commission as adopted under Commission Implementing Decision (EU) 2021/914.
• • UK International Data Transfer Agreement (IDTA): For transfers from the United Kingdom, we use the UK IDTA or the UK Addendum to the EU SCCs.
• • Swiss nFADP: For transfers from Switzerland, we use SCCs recognized by the Federal Data Protection and Information Commissioner (FDPIC).
• • Consent: Where required, we obtain your explicit consent for the transfer of your data outside your jurisdiction.
• • Adequacy Decisions: Where an adequacy decision exists between your country and the US, we rely on that decision.

Important notes for certain jurisdictions: Russia's Federal Law 152-FZ requires that personal data of Russian citizens be stored on servers within the Russian Federation (data localization). QRCodeKey's servers are located in the United States; therefore, Russian users should be aware that their data is processed and stored outside Russia. China's PIPL requires specific cross-border data transfer mechanisms (security assessment, certification, or standard contracts); QRCodeKey takes reasonable steps to comply with these requirements for Chinese users.

Regardless of the transfer mechanism, we ensure that your personal data receives an adequate level of protection in accordance with applicable data protection laws.