Information we collect
SoLoQR stores the information needed to create and operate accounts, workspaces, QR campaigns, subscriptions, support workflows, and security controls. This may include account email, display name, workspace details, QR names, destinations, style settings, uploaded logos, subscription status, and product usage records.
Do not upload sensitive personal information, regulated health information, payment card details, private keys, or credentials into QR names, destinations, style metadata, support messages, or uploaded assets.
Dynamic QR analytics
Dynamic QR analytics are designed to be privacy-conscious. For each scan event, SoLoQR records data such as QR code ID, destination ID, scan time, referrer domain, device type, browser, operating system, suspected bot status, redirect status, and UTM campaign fields that are present on the QR short link or destination URL.
SoLoQR does not need raw IP addresses or precise GPS coordinates to provide launch analytics. Raw IP addresses are used transiently during redirect handling, only to create rotating salted hashes for rough unique-scan counts, and are not stored afterward. If location features are added later, they should use an explicit provider and a coarse-location approach, both documented before launch.
Static QR codes
Static QR codes encode content directly into the exported QR image. SoLoQR does not receive scan events for static QR codes after export unless the encoded destination itself sends traffic through a SoLoQR service.
Payments and providers
Stripe processes web subscription checkout, billing portal, invoices, payment methods, and related payment security data. Google Play Billing and future Apple in-app purchase systems may process mobile subscription purchases where platform rules require them.
SoLoQR stores normalized subscription, entitlement, and payment-event records so the product can apply the correct plan limits across web, Android, and future iOS.
Service providers
SoLoQR may use infrastructure, authentication, database, storage, payment, logging, email, and security providers to operate the service. These providers should be used only for business purposes such as hosting, authentication, storage, payments, support, abuse prevention, and reliability.
Data controls and retention
Users can archive or delete QR records through product workflows where available. Some records may be retained for security, billing, abuse prevention, legal compliance, backups, or audit purposes.
Detailed scan analytics should be retained according to plan limits and product retention rules. Aggregated or minimized records may be retained longer for reporting, reliability, and abuse prevention.
Security
SoLoQR uses Logto, backend ownership checks, private storage buckets, server-side entitlement checks, provider webhook verification, and production safety checks to reduce data exposure risk. No system is perfectly secure, so report suspected security or abuse issues promptly through the available support channel.