This Privacy Policy describes how JR Generations LLC ("we," "us," "our") collects, uses, and shares information when you use TurtleQR. It applies to turtleqr.com, app.turtleqr.com, and related subdomains and APIs.
By using TurtleQR, you agree to the practices described here. For the scope of permitted activities, see our Terms of Service.
Account information. When you register, we collect your email address and a hashed password. We do not store passwords in plaintext. We use Argon2id with a server-side pepper for password hashing.
Workspace and team data. We store workspace names, member email addresses, team roles, and settings you configure.
QR code content. We store the destination URLs, vCard records, form schemas, and other content you attach to QR codes. vCard codes may contain personal information you choose to include (name, phone, address, photo). Form codes may collect visitor-submitted data you define. You control what is collected.
Scan events. Every time a QR code is scanned, we record: a timestamp, the IP address (used to derive approximate country and region, then discarded or hashed with a daily-rotating salt), browser user-agent (used to infer device type and OS), the code's workspace, and whether the scan was unique. We do not record exact IP addresses in long-term storage. Scan data is retained per the retention window of your plan tier.
Payment metadata. Billing is handled by Stripe. We receive and store Stripe customer ID, subscription ID, plan name, billing interval, subscription status, and current period dates. We do not receive or store full card numbers. See Stripe's Privacy Policy for their practices.
Transactional email metadata. When we send you an email (password reset, subscription receipts, shipping notifications), the delivery event is logged by our email provider (Resend or Mailgun, depending on context). We do not store email body content beyond the sending event.
Usage metadata. We log API requests, error rates, and performance metrics for operating and debugging the service. These logs are retained for 30 days and are not linked to individual user identity in long-term storage.
TurtleQR uses the following cookies:
We do not use third-party advertising cookies or tracking pixels.
We use the information we collect to:
We do not use your content or scan data to train AI models. We do not sell data to third parties.
We share your information only with:
Cloudflare. Our infrastructure runs on Cloudflare Workers, D1 (SQLite), KV, R2 (object storage), and Queues. Cloudflare processes all data that flows through these services. Cloudflare is a data processor acting on our instructions. See Cloudflare's Privacy Policy at cloudflare.com/privacypolicy.
Stripe. Payment processing is handled by Stripe. When you subscribe, you interact with Stripe's checkout. Stripe is a data processor for payment events and a data controller for its own services. See Stripe's Privacy Policy at stripe.com/privacy.
Resend / Mailgun. Transactional email is delivered via Resend (primary) or Mailgun (fallback). These providers receive your email address and the email content we send. They are data processors.
JR Generations LLC sticker shop. If you purchase stickers, your shipping address is used to fulfill the order. Orders are self-fulfilled by Jeff Rolson / JR Generations LLC. Shipping addresses are not shared with third parties.
Legal requirements. We may disclose information if required by law, subpoena, or court order, or if we believe disclosure is necessary to protect our rights or prevent harm.
We do not sell your personal information. We do not share it for advertising purposes.
Scan analytics are retained per the window for your plan. Longer retention windows are available on higher-tier plans; exact windows are published on the pricing page. Retention limits are enforced by automated cleanup jobs.
Account data (email, hashed password, workspace settings) is retained for as long as your account is active. After account deletion, we remove personal data within 30 days.
Payment metadata is retained for 7 years to comply with financial recordkeeping obligations.
Email logs are retained for 30 days.
We take reasonable steps to protect your information:
No system is perfectly secure. We will notify affected users promptly in the event of a data breach that creates a material risk to them.
Export. You can export your workspace data (codes, scan analytics, vCard records) from /settings/data in the dashboard.
Deletion. You can delete your account and all associated data from /settings/data. Deletion is permanent and processed within 30 days.
Correction. You can update your account email, workspace name, and other profile fields from settings at any time.
GDPR (EU residents). If you are in the European Union, you have rights under the GDPR to access, correct, delete, and port your personal data, and to object to or restrict certain processing. To exercise these rights, contact hello@turtleqr.com. We will respond within 30 days.
CCPA (California residents). California residents have the right to know what personal information we collect, to request deletion, and to opt out of sale. We do not sell personal information, so there is no opt-out needed for sale. To exercise other rights, contact hello@turtleqr.com.
We are a small operator. We will handle requests in good faith and promptly.
TurtleQR is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us personal information, contact hello@turtleqr.com and we will delete it.
We may update this Privacy Policy. When we make material changes, we will update the effective date above. For active subscribers, we will send a notice to the email address on file.
Privacy questions or data requests: hello@turtleqr.com.
TurtleQR is operated by JR Generations LLC.
This document is generated v1.0 by Claude on 2026-05-17. Subject to review by Jeff Rolson before considered authoritative.