Security
How we handle your data, where it lives, and what we do (and don't do) with it. No legalese, no hand-waving.
Data handling
What we collect and how we store it
Account data. Your name, email, and hashed password. Standard for any web application. We use this to authenticate you and send transactional emails (password resets, plan changes). We don't sell it, share it, or use it for marketing you didn't opt into.
Scan data. When someone scans your QR code, we record: timestamp, device type, browser, operating system, city, and country. We do not record names, email addresses, or any personal information about the person scanning. The scan is anonymous.
Payment data. Handled entirely by Stripe. We never see, store, or process your card number. Stripe is PCI DSS Level 1 certified, the highest level of payment security certification.
IP privacy
Hashed, not stored
Every QR code scan comes with an IP address. Most analytics tools store it raw. We don't.
Instead, we run each IP through a one-way hash function with a secret salt before it touches the database. The raw IP exists only in memory for the split second it takes to compute the hash and perform a geo-IP lookup (city and country). Then it's gone.
The hash lets us distinguish unique visitors from returning ones (useful for understanding reach vs volume) without ever knowing who those visitors are. You can't reverse a hash back to an IP address. That's the point.
Infrastructure
Where your data lives
Hosting. Application and database run on Hetzner infrastructure. TLS terminates at our Caddy reverse proxy, so all connections are encrypted in transit.
Database. PostgreSQL with encrypted storage. Backups are encrypted and retained for disaster recovery.
File storage. QR code logo images are stored in Cloudflare R2. Only PNG and JPG files are accepted. SVG uploads are blocked to prevent cross-site scripting attacks.
Redirect service. The dsqr.io redirect service runs as a separate process. It handles QR code scans and is designed for high availability, so a temporary outage in the main application doesn't affect redirects.
What we don't do
Boundaries we've set
We don't sell your data. We don't share scan analytics with third parties. We don't run retargeting pixels on the redirect service. We don't fingerprint devices beyond what the user-agent string provides.
We don't use scan data for advertising. Your analytics are yours. They exist to help you understand how your QR codes perform, not to feed an ad network.
For the full legal details, read our Privacy Policy.
Vulnerability reporting
Found something? Tell us.
If you've found a security vulnerability, please email security@deadsimpleqr.com with a description and steps to reproduce. We'll acknowledge receipt within 48 hours and work to fix the issue as quickly as possible.
We appreciate responsible disclosure. Please don't post vulnerabilities publicly before we've had a chance to address them.
Frequently asked
Common questions
Do you store IP addresses?
No. We hash IP addresses using a one-way hash with a secret salt before storing them. The raw IP is never written to disk or kept in memory beyond the moment of the scan. We use the hash to distinguish unique vs returning visitors, nothing more.
Is my data encrypted?
Yes. All traffic between your browser and our servers is encrypted via TLS. Data at rest in our database is encrypted by the hosting provider. Stripe handles all payment data directly. Card numbers never touch our servers.
Where is my data stored?
Our application and database run on Hetzner infrastructure in Europe. QR code logo images are stored in Cloudflare R2. We don't replicate your data to third-party analytics or advertising platforms.
What happens to my data if I delete my account?
Your account and personal information are deleted. Your QR codes continue to redirect (Codes Never Die guarantee), but they're no longer associated with any account. Scan analytics data is retained according to your plan's retention window, then purged.
How do I report a security vulnerability?
Email security@deadsimpleqr.com with details. We take every report seriously and will respond within 48 hours.
Learn more
Explore Dead Simple QR
Ready to try something simpler?
Create your first QR code in under a minute. No credit card, no surprises.