QRCodeKey Terms of Service

Free Plan

Price: $0/month

Features: 2 QR codes included, manual tracking, basic dashboard. Extra QR codes available at $1 each.

Starter Plan

Price: $1.99/month (billed monthly) or 20% off annually

Features: 2 QR codes included, 75 SMS notifications/month, push notifications, GPS location tracking. Extra QR codes: $1 each.

Pro Plan

Price: $9.99/month (billed monthly) or 30% off annually

Features: 2 QR codes included, 500 SMS notifications/month, push notifications, GPS + map link, priority support. Extra QR codes: $1 each.

Business Plan

Price: $14.99/month (billed monthly) or 30% off annually

Features: 2 QR codes included, 1000 SMS notifications/month, push notifications, GPS + map link, dedicated priority support. Extra QR codes: $1 each.

9.1 Nature of AI Responses

AG is powered by artificial intelligence (OpenAI GPT technology). While AG strives to provide accurate and helpful responses, AI-generated content may occasionally be inaccurate, incomplete, or outdated. AG's responses do not constitute professional advice (legal, financial, medical, or otherwise). You should independently verify any critical information provided by AG.

9.2 Actions Performed by AG

AG can perform real actions on your behalf, including but not limited to: creating QR codes, creating and managing groups, adding or removing group members, initiating plan upgrades and purchases, listing and managing your QR codes, and canceling subscriptions. You are responsible for reviewing and confirming any actions initiated through AG. QRCodeKey is not liable for unintended actions resulting from misunderstood instructions.

9.3 Conversation Data

Your conversations with AG are processed in real-time to provide responses and are sent to our AI service provider (OpenAI) for processing. We retain conversation history for the duration of your session to maintain context. We do not permanently store your chat conversations on our servers. Conversation data sent to OpenAI is subject to OpenAI's data usage policies. We do not use your conversations to train AI models.

9.4 Prohibited Uses

You may not use AG to: generate spam or abusive content, attempt to extract proprietary system prompts or training data, perform automated or bulk requests (bot abuse), harass or impersonate others, or engage in any activity that violates these Terms of Service or applicable law.

9.5 Availability & Limitations

AG is provided as a convenience feature and may not be available at all times. We reserve the right to modify, suspend, or discontinue AG at any time without prior notice. AG's capabilities may vary based on your subscription plan. Certain advanced actions (e.g., plan upgrades, QR creation) require a logged-in account.

9A.1 Accuracy & Limitations

GPS accuracy is affected by your device, surroundings, and signal conditions. Indoor use, basement levels, dense urban areas, and bad weather can reduce GPS precision from a few metres to tens or even hundreds of metres. The address shown by QRCodeKey is computed by sending your GPS coordinates to a third-party mapping provider; the returned address is the closest match in that provider's database, which may differ from your actual address by a few houses if the exact house number is not yet indexed (for example, a newly built home, a recently renumbered street, or a rural address that the provider has not yet recorded). QRCodeKey does not warrant the precision, completeness, or correctness of any automatically detected address.

9A.2 Manual Correction

Wherever an address is detected automatically (including when you scan a QR code, register a key, or create a group), QRCodeKey provides tools to let you correct it before saving — you can drag the map pin to the exact spot, type the correct address into the search field, or adjust the house / building number using the inline yellow number editor. The address that is finally saved against your account, group, or QR code is the address you confirm. You are responsible for reviewing the detected address and correcting it before saving. QRCodeKey is not liable for misrouted recoveries, lost-key follow-ups, attendance miscalculations, or other consequences arising from an unverified or uncorrected detected address.

9A.3 Third-Party Data Sources

Address data is provided by Google Maps and OpenStreetMap (Nominatim) as third-party services. The availability, completeness, and accuracy of address data are subject to those providers and outside QRCodeKey's control. We may switch providers, change fallback order, or temporarily disable one provider without notice if it improves service quality, complies with regional regulations, or reduces cost. Continued use of QRCodeKey after such a change indicates your acceptance.

9A.4 Reporting Address Errors

If QRCodeKey persistently returns the wrong address for your location, we recommend reporting the missing address directly to the underlying mapping provider — for Google Maps, use the "Add a missing place" / "Suggest an edit" feature inside the Google Maps app; for OpenStreetMap, use the "Edit" function at openstreetmap.org. Once accepted by the provider (typically within a few days), QRCodeKey will automatically pick up the corrected address on your next location refresh, with no further action needed on your part.

9A.5 Permission & Consent

Precise location (GPS) is captured only with your explicit browser-level or operating-system-level permission. You may revoke this permission at any time from your device settings; in that case the platform will fall back to approximate IP-based location, and some features (group geo-fencing, real-time scan alerts, address auto-fill) will be limited or unavailable. The same disclaimers about accuracy in 9A.1 apply with even greater force to IP-based location, which is generally accurate only to the city level.

9A.6 AI Assistant Responses About Addresses

If you ask the AI assistant ("AG" or the inbound voice agent) why a detected address differs from your real address, it will explain the GPS / mapping-provider limitation summarized in 9A.1 above and offer the manual-correction options described in 9A.2. AG does not have the ability to override the underlying mapping provider's database or to make the saved address more accurate than what you confirm in the UI.

9B.1 Multi-Location Deployment

A QR Owner may print, sticker, share, embed, or otherwise distribute the same QR code at multiple physical locations or on multiple items at the same time — for example, posting the same QR on multiple buildings, vehicles, products, signs, business cards, packaging, marketing materials, or assets. QRCodeKey does not place any technical limit on how many copies of a QR code an Owner can deploy and does not, by default, distinguish between "originals" and "copies."

9B.2 Simultaneous & Multi-Location Scans

Because the same QR code can be deployed at multiple locations, multiple scans of the same QR code can occur simultaneously or near-simultaneously from different geographic locations. Each scan event is independently captured (with its own GPS coordinates, device, time, and finder details) and pushed to the QR Owner via SMS, push, in-app feed, and map. QRCodeKey treats every such scan as legitimate and does not arbitrate which scan is "real." Interpretation of simultaneous or geographically inconsistent scans — including, without limitation, which one corresponds to the original item, whether one or more scans is fraudulent, whether the scans indicate counterfeit, theft, duplication, or unauthorized re-use — is the sole responsibility of the QR Owner.

9B.3 Owner-Borne Liability

The QR Owner is solely responsible for: (a) deciding how many copies of a given QR to deploy; (b) where and on what items to deploy them; (c) keeping a record of the deployment locations if the QR Owner needs to map scan events back to specific physical items; (d) any commercial, legal, regulatory, or reputational consequences arising from multi-location or simultaneous scans of the same QR; and (e) any disputes with finders, customers, employees, partners, or third parties about which scan corresponds to which physical instance. QRCodeKey is not a party to any such dispute and bears no liability for outcomes arising from a QR Owner’s distribution choices.

9B.4 Recommended Best Practices

To reduce ambiguity in case of multi-location scans, QR Owners are encouraged to: (a) use a unique QR code per physical item rather than sharing one QR across multiple items; (b) maintain an internal mapping ("QR ID → physical asset") so each scan event can be traced back to a specific item; (c) for organization attendance, pin a fixed group GPS / address so out-of-radius scans are flagged automatically; (d) deactivate any QR that is no longer in use to prevent stale scans; and (e) treat scan data as audit / advisory information rather than as a single source of truth for high-stakes decisions.

9B.5 No Counterfeit / Duplication Detection Warranty

QRCodeKey does not warrant that the platform can detect counterfeiting, photocopying, screenshotting, or unauthorized duplication of a QR code, nor that it can prevent third parties from re-printing a publicly visible QR code. If a QR Owner needs cryptographic, anti-counterfeit, or single-use guarantees, the QR Owner must implement those guarantees independently (for example, with rotating one-time tokens behind the QR redirect, watermarking, or holographic substrates). The standard QRCodeKey QR is a static identifier and is not a security primitive.

9B.7 Right to Delete & Permanence of Deletion

If a QR Owner believes their QR code is being scanned at unauthorized locations, has been counterfeited or duplicated, or simply no longer wishes to continue tracking it, the QR Owner may delete the QR code at any time from their dashboard or by asking the AI assistant ("AG"). Deletion is permanent and irreversible. Specifically, on deletion: (a) the QR code identifier becomes invalid and any future scan of the same physical sticker / printout will return a "not registered" page; (b) the QR cannot be re-activated, restored, transferred, or re-issued — even by QRCodeKey support; (c) all data associated with the QR is deleted, including but not limited to the scan history, GPS location history, finder submissions, photos, registered name / phone / email / address, category, message, and any attached attendance / group / visitor records. We retain only the minimal records required for legal, billing, audit, anti-fraud, or regulatory compliance (typically aggregate counters and an indemnification trace) for the period required by applicable law. The QR Owner accepts sole responsibility for the consequences of this irreversible deletion, including loss of evidence in any pending or future dispute, loss of recovery channel for the underlying physical item, and any operational impact (broken attendance flow, broken visitor sign-in, etc.). QRCodeKey will honor a deletion request from the verified QR Owner and is not liable for downstream effects of that decision.

9B.6 Indemnification

You agree to defend, indemnify, and hold harmless QRCodeKey, Jal Technology LLC, and our employees, contractors, officers, and directors from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to your distribution of QR codes, including but not limited to claims that your distribution choices caused confusion, financial loss, reputational harm, mis-routing of recoveries, or attendance / payroll disputes. This indemnity applies regardless of whether the relevant scan was simultaneous, sequential, fraudulent, mistaken, or otherwise.

9C.1 Member-Provided QR — Owner Responsibility

Any individual who voluntarily shares their personal QR code with a Group Admin in order to join a group is solely responsible for: (a) the registered information attached to that QR (name, phone, email, address, photo, message); (b) the accuracy and lawfulness of that information; (c) the consequences of the QR being scanned at the group's GPS-pinned address as part of attendance, sign-in, or visitor flows; and (d) revoking or deleting their participation if they no longer wish to be part of the group. By providing a personal QR to an Admin, the Member confirms that they understand the Group will see, store, and process scan events tied to that QR for the duration of their participation.

9C.2 Parental Consent for Minors

If a QR code being added to a group is registered to, or used to track, a minor (a person under the age of 18, or under any lower age of majority defined by the Member's local jurisdiction — for example, under 13 in the United States under COPPA, or below the applicable threshold under India's DPDP Act 2023 Section 9), the QR must be provided by, and added to the group with the verifiable prior consent of, the minor's parent or legal guardian. The parent or guardian — not the Admin, not the school, not the employer, not the minor — is the data controller for the minor's information processed through QRCodeKey. By submitting a minor's QR to a Group Admin or otherwise authorising its use within a Group, the parent or legal guardian represents and warrants that they have the legal authority to consent on the minor's behalf and that they accept Sections 9A, 9B, 9B.7, and this Section 9C in respect of that minor's QR.

9C.3 Group Admin Liability

A Group Admin who adds, accepts, or retains a Member QR in a Group is responsible for: (a) verifying that the Member (or, for a minor, the Member's parent / legal guardian) has consented to participation; (b) explaining to the Member how the QR will be scanned, where the scan data will go, and how to opt out; (c) maintaining a record of consent (especially for minors) sufficient to satisfy applicable child-data laws (COPPA, DPDP, GDPR-K) on request; (d) promptly removing any Member who withdraws consent; and (e) not using a Member QR for any purpose beyond the originally disclosed Group activity. QRCodeKey is not the data controller for Members within a Group; the Admin (and, for minors, the parent / guardian) is. QRCodeKey acts solely as a processor of the Group's data on the Admin's instructions.

9C.4 Member Rights to Withdraw, Edit, or Delete

A Member (or, for a minor, the parent / legal guardian) may at any time: (a) ask the Admin to remove them from the Group; (b) ask QRCodeKey directly (info@qrcodekey.com) to disconnect their personal QR from any Group; or (c) delete their personal QR entirely under Section 9B.7, which will retroactively invalidate it everywhere — including within Groups it had previously joined. We will action a verified withdrawal within five (5) business days, subject to any minimum legal retention period (for example, attendance / payroll records that an Admin is statutorily required to keep). Deletion under 9B.7 is permanent and irreversible.

9C.6 Attendance Disputes, Proxy Scans & Fraudulent Check-ins

In the Group Attendance use case (school, employer, factory, hospital, gym, college, etc.) a Member QR is scanned at the Group's pinned GPS location to record attendance, sign-in, or clock-in events. QRCodeKey records the scan event factually but does not verify the physical presence of the Member. Examples of disputes that can arise — and that QRCodeKey is not the arbiter of — include, without limitation: (a) the Member QR was scanned at the location but the Member was actually somewhere else (proxy / buddy-punch fraud, even when the geofence radius and GPS accuracy were satisfied); (b) the Member QR was scanned by a third party who borrowed, photographed, or copied the QR; (c) the Member claims to have been physically present but the scan never registered (lost network, GPS denied, dead phone, employer kiosk down); (d) the scan timestamp is contested between Member and Admin (one says clock-out, the other says lunch break); or (e) any other discrepancy between what the scan log shows and what the parties believe actually happened. All such disputes are to be resolved directly between the Group Admin and the Member (or, for a minor, the Member's parent or legal guardian) — QRCodeKey is not a party to the resolution. The Admin may rely on the scan log, GPS coordinates, accuracy radius, device fingerprint, IP address, and any other data we surface (we do notoffer face / biometric verification), in combination with the Admin's own internal evidence such as photo-ID checks and physical presence verification at the entry point, to make a final determination. The Admin may also pursue any lawful remedy, including but not limited to internal disciplinary action, payroll adjustment, suspension or termination of employment, expulsion from the institution, civil claim, or referral to law-enforcement authorities, in accordance with applicable employment, education, consumer-protection, and criminal laws of the relevant jurisdiction. The Member, on the other hand, may dispute the Admin's determination through whatever internal grievance process the Admin makes available, applicable labor / education tribunals, consumer-redressal forums, or courts of competent jurisdiction. QRCodeKey will, on receipt of a valid legal request (subpoena, court order, or properly verified data-subject request), provide the underlying scan-log data to the lawful requester, but does not adjudicate the dispute itself, does not mediate between the Admin and the Member, does not certify the truth of any scan, and does not guarantee that any scan event is or is not a genuine attendance record. Each party indemnifies QRCodeKey against any claim arising from the other party's use, misuse, or misinterpretation of scan data in an attendance dispute.

9C.7 Group Data Visibility & Access Routing

Within a Group on QRCodeKey, only the Group Admin can view, search, export, manage, edit, or delete the Group's combined data— including the Member roster, every Member QR's scan and attendance log inside that Group, the Group's pinned address and geofence, visitor sign-ins, shift schedules, leave records, holiday calendar, attendance reports, and any other Group-level analytics. Members do not see other Members' scans, do not see the full attendance roster, and do not have administrative controls over the Group. This is by design: the Group Admin is the data controller for the Group's combined dataset under applicable privacy law (GDPR Article 4(7), CCPA / CPRA "business," India DPDP Section 2(i) "Data Fiduciary"), and QRCodeKey acts solely as a processor / data fiduciary's data processor on the Admin's instructions.

Member requests for their own data within a Group must be routed through the Group Admin.Specifically, if a Member (or, for a minor, the Member's parent or legal guardian) wants to (a) see their own scan history, attendance records, or other Group-related data; (b) obtain a copy of that data in a portable format; (c) correct an incorrect entry; (d) restrict the Admin's further processing; (e) lodge a complaint about the Group's use of their data; or (f) be removed from the Group — the Member must first contact the Group Admin in writing. The Admin is responsible for fulfilling the Member's request within the timelines required by applicable law (typically 30 days under GDPR, 45 days under CCPA, or as required under DPDP). If the Admin fails to respond, the Member may then escalate to QRCodeKey at info@qrcodekey.com (we will, on receipt of a verified Member identity, provide the Member with a read-only export of the Member's own scan and attendance entries within that Group, but we will not unilaterally edit the Group's combined dataset against the Admin's instructions; the Member retains the right to escalate to the appropriate data-protection authority — for example, the FTC or a state Attorney General in the US, the ICO in the UK, the local Data Protection Authority in the EU, or the Data Protection Board of India under DPDP Section 27). Members always retain the absolute right to delete their personal QR code under Section 9B.7 at any time without going through the Admin; doing so retroactively invalidates the QR everywhere, including within all Groups it had previously joined.

9C.8 Admin's Right to Delete the Group & Permanence of Group Deletion

A Group Admin may delete an entire Group at any time from the dashboard or by asking the AI assistant. Group deletion is permanent and irreversible. On deletion: (a) the Group itself becomes inaccessible to the Admin, all Members, and all visitors; (b) the Group's pinned address / geofence is removed; (c) all Member roster entries inside the Group are wiped (the underlying personal QR codes themselves are NOT deleted — those remain in each Member's own account, and can be added to other Groups; only the membership link to this particular deleted Group is wiped); (d) all Group data is wiped, including the Group's combined attendance log, clock-in / clock-out events, GPS scan coordinates inside the Group, shift schedules, leave records, holiday calendar, attendance reports, audit log entries, and any custom Group settings; (e) all visitor data is wiped, including visitor sign-ins, visitor sign-outs, visitor names, phone numbers, emails, photos, signatures, purpose-of-visit notes, host notification history, and visitor-pass QR mappings tied to that Group; and (f) any reports, exports, or analytics that referenced the Group will no longer load. None of this data can be recovered, restored, re-issued, or reconstructed by the Admin, the Members, the visitors, or QRCodeKey support — even on receipt of a court order — because the underlying records have been irreversibly deleted from our active datastore. We retain only the minimal records required for legal, billing, audit, anti-fraud, or regulatory compliance (typically aggregate counters, a deletion-audit trace, and a tombstone of the Group identifier) for the period required by applicable law. The Admin accepts sole responsibility for the consequences of this irreversible deletion, including but not limited to: loss of evidence in any pending or future Member / employer / visitor / payroll / education / regulatory dispute; loss of attendance history that the Admin or its institution may be statutorily required to retain (the Admin must export and back up such records before deletion); broken visitor sign-in flow at the physical premises; and any operational, legal, financial, or reputational fallout therefrom. Members and visitors who had their data inside the Group will see that data disappear from their own dashboards as well; QRCodeKey is not liable for downstream confusion or loss arising from the Admin's decision to delete. Before performing the deletion, the Admin (or, where the AI assistant is performing the action on the Admin's behalf) must explicitly confirm understanding of these consequences. See also Section 9B.7 for the parallel right of an individual Member to delete their personal QR.

9C.9 Visitor Self-Reported Data & Admin Verification

When the Visitor Management feature is enabled for a Group, a finder / visitor at the Group's premises scans the Group's Visitor QR and is presented with a sign-in form. The visitor enters their own information into that form — typically name, phone number, email, purpose of visit, photo, and signature — and submits it to the Group Admin via QRCodeKey. By design, this information is self-reported by the visitor and is not independently verified by QRCodeKey. The visitor may, accidentally or intentionally, provide incomplete, inaccurate, outdated, fictitious, impersonating, or otherwise misleading information; QRCodeKey has no technical or contractual ability to validate the truthfulness of any field on a visitor sign-in form.

It is the Group Admin's sole responsibility to verify the accuracy of visitor-provided information at the point of entry— for example, by checking a government-issued photo ID against the entered name, validating the phone number with an in-person callback, comparing the live visitor with the submitted photo, or whatever procedure the Admin's organization requires. The Admin determines (and accepts the consequences of) whom they admit to the premises, the level of identity-verification rigor they apply, and the extent to which they trust the self-reported visitor record. QRCodeKey makes the data the visitor submitted available in the Admin's dashboard, surfaces it in visitor reports and host notifications, and stores it for the Group's retention period (subject to deletion under Section 9B.7 by the visitor, and Section 9C.8 by the Admin), but QRCodeKey does not warrant the truthfulness, completeness, or fitness for any particular purpose of any visitor entry.

Visitor liability. A visitor who knowingly provides false information through a QRCodeKey visitor sign-in (false name, fake phone, impersonation, fraudulent purpose) is solely responsible for any criminal, civil, regulatory, or contractual consequences of that misrepresentation under applicable trespass, fraud, identity-theft, anti-impersonation, or premises-security laws of the relevant jurisdiction. Admin liability. An Admin who knowingly relies on visitor self-reported data without applying their own verification procedure (where required by law, regulation, sector practice, or the Admin's own internal policy — for example, in healthcare, schools, regulated workplaces, or critical infrastructure) is solely responsible for any harm or breach arising from that reliance. QRCodeKey liability.QRCodeKey is not the controller of, and does not warrant, visitor self-reported data; we are a processor of the data the Admin (with the visitor's direct submission) has chosen to collect. Each party indemnifies QRCodeKey against any claim arising from the other party's false information, lack of verification, or downstream use.

9C.10 Reports, Export & Admin's Data Retention Responsibility

QRCodeKey provides the Group Admin with built-in reporting for both attendance (Member clock-in / clock-out, GPS, shift, leave, and holiday data) and visitor management (visitor sign-ins, sign-outs, names, phones, emails, photos, signatures, purpose-of-visit, host notifications). Reports can be viewed and exported in Daily, Weekly, and Monthly ranges directly from the Admin dashboard, and downloaded as printable PDF and / or spreadsheet (Excel / CSV) files. The Admin may also print these reports directly from the browser.

Admin must self-archive any records they need to retain.The Admin is solely responsible for downloading, printing, archiving, and securely storing — outside of QRCodeKey — any attendance, payroll, visitor, audit, or other Group records that the Admin (or its institution) is required to retain by law, regulation, contract, sector practice, or its own internal policy. This includes, without limitation: labor / wage-hour records (US FLSA, EU Working Time Directive, India Shops & Establishments Acts, etc.); tax and payroll records; education attendance registers; healthcare visitor logs; building-security and access-control logs; and any records subject to a litigation hold, subpoena, audit, or regulatory request. The Admin agrees to perform these exports on a regular cadence (at minimum, before any planned Group deletion, before significant Member roster changes, and at the end of each statutory retention cycle).

QRCodeKey does not guarantee perpetual storage of Group reports.While QRCodeKey will make reasonable efforts to retain Group attendance and visitor data for the duration of the Admin's active subscription, the Admin acknowledges that: (a) Group data may be deleted at any time by the Admin under Section 9C.8 (Group deletion is permanent and irreversible); (b) Member personal QR codes (and associated entries within Groups) may be deleted by their owners under Section 9B.7 at any time, retroactively removing those entries from Group reports; (c) data retention windows, archival policies, downsampling of older records, and feature changes may affect long-term availability; and (d) QRCodeKey is not a system of record for legal, payroll, regulatory, or tax compliance — it is an operational tool. The Admin is the data controller (GDPR Article 4(7), CCPA / CPRA, India DPDP Act 2023) and bears the legal record-keeping obligation; QRCodeKey acts solely as a processor.

Exported file responsibility.Once an Admin downloads a PDF, Excel, or CSV report from QRCodeKey, the resulting file is in the Admin's sole custody. The Admin is responsible for: securing the file with appropriate encryption / access controls; lawfully sharing it (e.g., with payroll providers, regulators, or auditors) consistent with applicable privacy law and the consent obtained from Members and visitors; redacting or limiting personal data where required (e.g., minor data under COPPA / DPDP Section 9 / GDPR Article 8, special-category data under GDPR Article 9, sensitive personal data under India DPDP Rule 8); and securely deleting the file at the end of its retention period. QRCodeKey has no further control over downloaded copies and accepts no liability for their downstream handling, loss, theft, mis-disclosure, or misuse by the Admin or any party to whom the Admin transmits the file. The Admin indemnifies QRCodeKey against any claim arising from the Admin's post-download handling of an exported report.

9C.5 Misuse & Indemnification

An Admin must not add any Member QR to a Group without the Member's (or, for a minor, the parent / guardian's) prior consent. Adding a QR without consent — including scraping QRs, using stolen QR codes, photographing someone else's printed QR without permission, or coercing a Member into joining — is a violation of these Terms and may also violate applicable privacy, child-data, anti-stalking, or labor laws. The Admin agrees to defend, indemnify, and hold QRCodeKey, Jal Technology LLC, and our employees harmless from any claim, regulatory action, or third-party complaint arising from a Member QR being added or retained in a Group without proper consent, including claims by minors, their parents / legal guardians, employees, government regulators, or other interested parties. QRCodeKey reserves the right, but not the obligation, to suspend or remove any Group, Admin, or Member QR that we reasonably believe violates this section.