1. What We Collect
Account Data
- Email: For login and account recovery
- Password: Stored as bcrypt hash. We never see it.
- Name: Optional. For display purposes only.
- Google OAuth token: If you connect Sheets. Fernet-encrypted.
Content You Create
- Short links, QR codes, Link Hubs, Micro Block Apps
- Titles, descriptions, customizations (colors, logos)
- Form structures for Micro Block Apps
Form Submission Data (Micro Block Apps)
- Responses: Stored in our database for sync reliability
- Sync to Sheets: Written to your connected Google Sheets
- Retention: Kept until you delete the Micro Block App or your account
Analytics Data
- Device type: Mobile, desktop, or tablet
- Browser: Name and version
- OS: Operating system
- Referrer: Where the click came from
- Timestamp: When the scan occurred
- IP hash: SHA-256 hash (original IP never stored)
- Visitor ID: Composite hash for unique visitor counting
- Location: City/region/country from IP lookup
GPS coordinates (lat/lon) collected only if you enable geolocation AND the visitor grants permission.
2. How We Use It
- Core service: Generate QR codes, shorten URLs, redirect clicks
- Analytics: Show you who's scanning your codes
- Google Sheets: Write form submissions to your spreadsheets
- Security: Detect abuse, prevent fraud
- Account emails: Password resets, critical updates only
We never: Sell data to third parties. Use data for advertising. Share data with marketing platforms.
3. Security Measures
| Transport | HTTPS/TLS everywhere |
| Passwords | bcrypt with salt |
| OAuth tokens | Fernet symmetric encryption |
| IP addresses | SHA-256 hashed before storage |
| Sessions | Secure, HTTP-only cookies |
| Database | PostgreSQL with restricted access |
4. Third-Party Services
Google APIs (if you connect)
- Google Sheets API: Write form submissions
- Google Drive API: Manage files the app creates
- Revoke anytime: Google Account Settings
Geolocation (for IP-based location)
- IPWho.org / ipwho.is: IP to location lookup
- OpenStreetMap Nominatim: Coordinates to address
No third-party analytics. We don't use Google Analytics, Facebook Pixel, Mixpanel, or any tracking scripts.
5. Cookies
We use cookies for:
- Session management (keeping you logged in)
- CSRF protection (security)
We don't use:
- Advertising cookies
- Cross-site tracking cookies
- Third-party analytics cookies
For unique visitor counting, we use localStorage visitor IDs (clearable via browser settings) combined with IP hash.
6. Your Rights
You can:
- View all your data in-app
- Export analytics as CSV (paid plans)
- Delete individual links/QR codes
- Delete your entire account
- Revoke Google access
- Opt out of GPS tracking
Data retention:
- Active data: Until you delete it
- Deleted data: Removed within 30 days
- Backups: Purged within 90 days
7. GDPR Compliance
For users in the EEA, our legal basis:
- Contract: Providing the service you signed up for
- Legitimate interest: Analytics, fraud prevention
- Consent: GPS tracking, Google OAuth (you explicitly enable these)
- Legal obligation: Compliance with applicable laws
8. Age Requirement
EvalQR is for users 13 and older. We don't knowingly collect data from children. If you believe we have, contact us immediately.
9. Policy Updates
We may update this policy. Changes posted here with a new "Last Updated" date. Material changes = email notification.
Our Commitment
We built EvalQR because we believe analytics shouldn't require surveillance. Your data belongs to you. We're transparent about what we collect, minimal about what we store, and give you full control. No hidden trackers. No data sales. Just honest tools.