Privacy Policy

Last updated: April 28, 2026

Short version: we don't sell your data, and we don't share it with anyone except the vendors we need to actually run the Service. Here's the long version.

1. What we collect

• Generating a static QR code: nothing. Static QR codes are built entirely in your browser. The text or URL you encode never leaves your device.
• If you sign in with Google: we receive your email address, your Google account ID, and (if you've set them publicly) your display name and profile picture. We use this to identify your account and show you who you're signed in as.
• Dynamic short URLs you create: we store the destination URL, the random slug we generate, the time you created it, and an association to your account.
• Scans of dynamic short URLs: for each scan we record the timestamp, the country (derived from IP at request time, not the IP itself), the user-agent string, and the referer if present. We do not store raw IP addresses, and we do not place a cookie on the device of the person scanning.
• Marketing site analytics: we use Google Analytics to measure anonymous, aggregate usage of the website (page views, rough location, device type, referral source). Google Analytics is configured with IP anonymization. We don't use it to build profiles of individual visitors.
• Logs: Cloudflare keeps short-lived request logs for operational purposes (debugging, abuse mitigation, DDoS protection) per its own retention policy.

2. How we use it

• To redirect dynamic short URLs to the destinations you configured.
• To show you stats for the codes you own (totals, country and device breakdowns over time).
• To keep the Service up, secure, and free from abuse.
• To understand, in aggregate, how the marketing site is performing so we can improve it.

3. Who we share it with

We do not sell your data, ever. We do not share it with advertisers, brokers, or any third party for marketing purposes. We share data only with the vendors we need to deliver the Service:

• Cloudflare — hosts the website, runs the redirect Worker, stores short-URL data and scan events, and protects the Service from abuse. All traffic to and from AFQR passes through Cloudflare.
• Google — provides "Sign in with Google" (OAuth). When you sign in, your browser talks directly to Google, and Google returns a verified identity to us.
• Google Analytics — receives the anonymous, aggregate marketing-site usage described above.
• Law enforcement — only when we receive a valid legal request and only the minimum data required to comply.

That's it. There is no other category of recipient.

4. Cookies

We use a single first-party session cookie to keep you signed in to the admin dashboard. Google Analytics sets its own cookies on the marketing site for measurement. We do not use cookies on the redirect path — that is, scanning a QR code created with AFQR does not set a cookie on the scanner's device.

5. Data retention

• Account data and the dynamic short URLs you create are retained for as long as your account is active.
• Scan events for dynamic codes are stored in Cloudflare Analytics Engine, which retains raw events per Cloudflare's policy (currently approximately 90 days). Older events age out automatically; we do not keep a separate long-term copy.
• When you delete your account, we immediately remove the redirect entries (so the codes stop working right away) and the account record (which cascades to your stored short URLs, sessions, and OAuth link). Cloudflare retains point-in-time database backups for up to 30 days as part of normal operations; after that window your data is gone.

6. Your rights

Depending on where you live, you may have rights to access, correct, export, or delete the personal data we hold about you, and to object to certain processing. You can delete your account at any time from the admin dashboard — scroll to the "Delete account" section. You can also email us and we'll do it. We won't make you fill out a form.

7. Children

AFQR is not directed to children under 13. We don't knowingly collect personal information from anyone under 13. If you believe we have, email us and we'll delete it.

8. International transfers

AFQR runs on Cloudflare's global network, and Google's services run globally as well. Your data may be processed in countries other than your own, including the United States. By using the Service you consent to this transfer.

9. Security

We use HTTPS everywhere, treat secrets as secrets, and lean on Cloudflare's infrastructure for the rest. No service can promise perfect security, but we don't store anything we don't need.

10. Changes

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. If a change is material — for example, adding a new category of data we collect or a new sub-processor — we'll do our best to flag it visibly.

11. Contact

Privacy questions, data requests, or anything else: hi@actuallyfreeqr.codes.