Privacy Policy

Last updated 6 June 2026

This policy explains what we collect, why, and the choices you have. We aim to collect the minimum needed to run Scanoki (the "Service").

1. What we collect

  • Account data: email and authentication identifiers when you sign in.
  • Design data: the QR designs, destinations, and assets you create.
  • Billing data: handled by our payment processor (Stripe); we store only subscription status and identifiers, never full card numbers.
  • Scan analytics: for dynamic QR codes we record coarse, aggregated scan events (time, approximate geography, device class). Free static codes are encoded directly and never pass through our servers, so they are not tracked.

2. How we use it

To provide and secure the Service, render and resolve your codes, produce the analytics you subscribe to, process payments, and communicate about your account.

3. Analytics and tracking

Scan capture is privacy-conscious. For each scan of a dynamic code we record the time, an approximate location (country), the device class, operating system and browser, the referrer, and the preferred language. We never store the raw IP address. To count unique visitors we keep only a one-way hash of the IP and user agent, salted with a secret combined with the current day, so the salt changes daily and the identifier cannot be reversed to a person or linked across days or across the other sites someone visits. Data is retained for your plan's retention window and is then deleted automatically; you can also erase all of it at any time from the Privacy & data section of your account.

4. Advertising measurement

When we run advertising campaigns, our own website (never your QR codes or their scan pages) may use Google and Meta measurement tags to understand which ads lead to sign-ups and subscriptions. If you arrive from an ad we store the ad platform's click identifier and campaign labels in a first-party cookie for up to 90 days, and we may report conversion events (such as a sign-up or purchase, with its value) back to the platform that showed you the ad, identified by that click id and a one-way hash of your email address - never your password, designs, or scan data. These tags only load when advertising measurement is enabled.

5. Sharing

We do not sell your data. We share it only with processors that run the Service (hosting, payments, email, advertising measurement as described above) under contract, and where required by law.

6. Your rights

You can access, export, correct, or delete your data, and close your account at any time. Depending on your region you may have additional rights under GDPR or CCPA; contact us to exercise them.

7. Security and retention

Data is encrypted in transit, secrets are stored in a managed secrets service, and we retain personal data only as long as needed to provide the Service or meet legal obligations.

8. Contact

Privacy questions and data requests: [email protected].

This page is a starting template and should be reviewed by legal counsel before launch.