Our Privacy-First Commitment
EvalQR is built on a privacy-first foundation. We believe you should own your data, understand how it's used, and have full control over it.
This Privacy Policy explains how EvalQR ("we," "us," or "our") collects, uses, and protects your information when you use our platform at evalqrapp.com (the "Service").
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address: For account creation and authentication
- Password: Stored as a bcrypt hash (we never see your actual password)
- Name: Optional, for personalizing your experience
- Google account information: If you connect Google Sheets, we store an encrypted OAuth token (not your password)
1.2 QR Code & Link Data
When you create short links, QR codes, Link Hubs, or Micro Block Apps, we collect:
- Destination URLs: The links you shorten
- Titles and descriptions: Metadata you provide
- QR code customizations: Colors, logos, shapes you choose
- Form structure: For Micro Block Apps, the questions and field types you create
1.3 Analytics Data (Privacy-Focused)
When someone scans your QR code or clicks your link, we collect:
- Hashed IP address: We SHA-256 hash IP addresses immediately; we never store raw IPs
- Browser and operating system: Name and version (e.g., "Chrome 120.0.0", "Windows 10")
- Device type: Mobile, desktop, or tablet
- Referrer: Where the click came from (if available)
- Timestamp: When the scan/click occurred
- GPS location (optional): Only if you enable geolocation and the user grants permission. We capture coordinates, city, region, and country.
- Device fingerprint: A hashed identifier based on browser metadata (for unique visitor counting)
1.4 Form Submission Data
For Micro Block Apps, when users fill out your forms:
- Submitted responses: Text, checkboxes, ratings, dates, and location data users provide
- Submission metadata: Timestamp, browser/OS (if applicable)
- Note: This data is written directly to YOUR Google Sheets via OAuth; we don't retain copies on our servers beyond analytics metadata
2. How We Use Your Information
We use collected information for:
- Account management: Creating and maintaining your account, authentication
- Core functionality: Generating QR codes, shortening URLs, redirecting clicks
- Analytics: Providing you with click/scan insights (browser, OS, device, location data)
- Google Sheets integration: Writing Micro Block App submissions to your connected spreadsheets
- Service improvements: Identifying bugs, optimizing performance
- Security: Detecting fraud, abuse, or unauthorized access
- Communication: Sending account-related emails (e.g., password resets, important updates)
We never sell your data to third parties or use it for advertising.
3. Data Storage & Security
3.1 Where Your Data Lives
- EvalQR Database (PostgreSQL): Account info, link metadata, analytics data
- Your Google Sheets: Micro Block App submission data (via OAuth; you own this data)
- File storage: QR code images (PNG/SVG), user-uploaded logos
3.2 Security Measures
- Encryption: All data transmitted over HTTPS (TLS encryption)
- Password hashing: bcrypt with salt (industry-standard)
- OAuth token encryption: Fernet symmetric encryption for stored Google tokens
- IP hashing: SHA-256 hashing before storage (irreversible)
- Session security: Secure, HTTP-only cookies with 30-day expiration
- Database access: Restricted to authorized personnel only
4. Third-Party Services
4.1 Google Services
When you connect Google Sheets:
- We use Google OAuth 2.0 for authentication (secure, no password sharing)
- We request access to: Google Sheets API (write submissions) and Google Drive API (manage files the app creates)
- You can revoke access anytime via Google Account Settings
- Data written to your Sheets is governed by Google's Privacy Policy
4.2 Geolocation Services
For GPS tracking (opt-in only):
- IPWho.org & ipwho.is: WiFi IP-based geolocation (fallback when GPS unavailable)
- OpenStreetMap Nominatim API: Reverse geocoding (convert coordinates to addresses)
- We don't share your location data with these services beyond what's necessary for lookups
4.3 No Third-Party Analytics
We do NOT use Google Analytics, Facebook Pixel, or any third-party tracking scripts. Your privacy is paramount.
5. Cookies & Tracking
5.1 Session Cookies (Essential)
We use cookies to:
- Keep you logged in (session management)
- Prevent CSRF attacks (security tokens)
- These cookies are essential for the Service to function
5.2 Local Storage (Analytics)
For unique visitor tracking:
- We store a visitor ID in your browser's localStorage (if you scan/click a tracked link)
- This helps us count unique visitors vs. total clicks
- Combined with device fingerprint and IP hash for accuracy
- You can clear this anytime via browser settings
5.3 No Tracking Cookies
We do NOT use third-party cookies for advertising, behavioral tracking, or cross-site tracking.
6. Your Rights & Control
You have the right to:
- Access your data: View all links, QR codes, and analytics you've created
- Export your data: Download analytics as CSV files
- Delete your data: Remove individual links, QR codes, Link Hubs, or Micro Block Apps anytime
- Delete your account: Contact us to permanently delete your account and all associated data
- Revoke Google access: Disconnect Google Sheets integration via your account settings or Google's permission panel
- Opt out of geolocation: Don't enable GPS tracking when creating links (it's off by default)
- Correct your data: Update account details, link titles, or form structures anytime
Data Retention:
- Active account data: Retained until you delete it or close your account
- Analytics data: Retained indefinitely unless you delete the associated link/form
- Deleted data: Permanently removed within 30 days (backups purged within 90 days)
7. Children's Privacy
EvalQR is not intended for users under 13 years old. We do not knowingly collect personal information from children. If you believe we've inadvertently collected data from a child, please contact us immediately to delete it.
8. International Data Transfers
EvalQR operates globally. Your data may be stored and processed in data centers outside your country of residence. By using the Service, you consent to these transfers. We ensure all transfers comply with applicable data protection laws.
9. Changes to This Policy
We may update this Privacy Policy periodically. Changes will be posted on this page with a revised "Last Updated" date. For material changes, we'll notify you via email (if you've provided one) or a prominent notice on the Service.
Continued use of EvalQR after changes constitutes acceptance of the updated policy.
10. Legal Basis (GDPR Compliance)
If you're in the European Economic Area (EEA), our legal bases for processing your data are:
- Contract performance: Providing the Service you signed up for
- Legitimate interests: Analytics, fraud prevention, service improvement
- Consent: GPS geolocation (you explicitly enable), Google OAuth (you authorize)
- Legal obligation: Complying with laws (e.g., tax records, abuse reporting)
11. Contact Us
Questions, concerns, or data requests? We're here to help:
Privacy-First Promise
We built EvalQR because we believe in ethical analytics. Your data belongs to you. We're transparent about what we collect, why we need it, and how you can control it. No hidden trackers, no data sales, no creepy behavior. Just honest tools for measuring impact.