30% off your first yearUse code View plans
FreeDynamicQRCodeFreeDynamicQRCode
Log InSign Up

Privacy Policy

Last updated: April 5, 2026

FreeDynamicQRCode (“we,” “us,” or “our”) operates the website freedynamicqrcode.com and the vsn.to redirect service. This Privacy Policy explains what data we collect, how we use it, who we share it with, and what rights you have.

1. Data We Collect

Account Data

When you create an account, we collect your email address and, optionally, your name. If you sign in with Google or Microsoft, we receive your email and name from the provider. We do not store your third-party passwords.

QR Code Data

We store the QR codes you create, including destination URLs, names, categories, styling preferences, and uploaded logo images. Dynamic QR codes are associated with a short redirect URL on vsn.to.

Scan Analytics

When someone scans a dynamic QR code, we collect: a one-way SHA-256 hash of the scanner's IP address (the raw IP is used only to derive the country, then immediately hashed and discarded), approximate country, device type (mobile, desktop, or tablet), operating system, browser name, and scan timestamp. We cannot reverse the hash to recover the original IP address.

Payment Data

Payments are processed by Stripe. We do not store credit card numbers, CVVs, or full card details. We receive and store your Stripe customer ID, subscription status, and payment method summary (card brand and last 4 digits) for displaying billing information.

Usage Data

We log account activity (logins, QR creation, password changes, plan changes) for security and support purposes. Activity logs are automatically deleted after 90 days.

2. How We Use Your Data

  • To provide, maintain, and improve the FreeDynamicQRCode service
  • To authenticate your account and protect against unauthorized access
  • To process payments and manage subscriptions
  • To send transactional emails (magic links, payment receipts, account security alerts)
  • To send marketing emails if you opted in (product updates, upgrade reminders, scan milestones) — you can opt out anytime from your Account page
  • To provide scan analytics to QR code owners (Pro plan)
  • To detect and prevent abuse, fraud, and terms of service violations

3. Cookies

We use a single httpOnly, secure session cookie to keep you signed in. This cookie:

  • Is set when you sign in (via magic link, password, or Google)
  • Expires after 90 days or when you sign out
  • Cannot be read by JavaScript (httpOnly flag)
  • Is only sent over HTTPS (secure flag)
  • Does not track you across other websites

We do not use advertising cookies, third-party tracking cookies, or analytics cookies. We do not use Google Analytics or any similar service.

4. Third-Party Services

We share data with the following services only as necessary to operate the platform:

  • Stripe — Processes payments. Receives your email and payment details. We never see your full card number.
  • Amazon SES — Delivers emails (magic links, receipts, notifications). Receives your email address and message content.
  • Google & Microsoft — Social sign-in (optional). We receive your email and name only when you choose to sign in with these providers. No data is shared with them unless you initiate sign-in.
  • Cloudflare — Protects our site from attacks and delivers content faster. Processes request metadata (IP addresses, headers) for security. Also provides bot protection (Turnstile) which analyzes browser signals without collecting personal data.

We do not sell, rent, or share your personal data with advertisers or data brokers. We do not use Google Analytics or any third-party analytics service on our website.

5. Data Retention

  • Scan analytics: Automatically deleted after 2 years (730 days)
  • Activity logs: Automatically deleted after 90 days
  • Email logs: Automatically deleted after 90 days
  • Account data: Retained until you delete your account
  • QR codes: Retained until you delete them or delete your account
  • Deleted accounts: All associated data (QR codes, scan history, preferences) is permanently deleted within 30 days. Short URL slugs are held for 90 days to prevent reuse.

6. Data Security

  • All connections are encrypted with HTTPS
  • Passwords are hashed with bcrypt and never stored in plain text
  • Magic link tokens are hashed with SHA-256 before storage and expire after 1 hour
  • Scanner IP addresses are hashed with SHA-256 and cannot be reversed
  • Credit card numbers never touch our servers — all payment data is handled directly by Stripe
  • Session cookies are httpOnly and secure — they cannot be accessed by JavaScript or sent over unencrypted connections

7. Data Breach Notification

In the unlikely event of a data breach affecting your personal data, we will notify affected users via email and, where required by law, notify the relevant supervisory authority within 72 hours of becoming aware of the breach. We will describe the nature of the breach, the data affected, and the steps we are taking to address it.

8. International Data Transfers

Our servers are located in the United States. If you are located outside the United States, your data will be transferred to and processed in the US. By using FreeDynamicQRCode, you consent to this transfer. We rely on Cloudflare, Stripe, and Amazon's standard contractual clauses and data processing agreements to ensure adequate data protection for international transfers.

9. Your Rights

GDPR (European Economic Area)

If you are in the EEA, you have the right to: access your personal data, rectify inaccurate data, erase your data (“right to be forgotten”), restrict processing, data portability, and object to processing. Because scanner IP addresses are stored only as irreversible hashes, we cannot identify or delete scan records associated with a specific IP address.

CCPA (California)

If you are a California resident, you have the right to: know what personal information we collect, request deletion of your data, and opt out of the sale of your personal information. We do not sell personal information.

Exercising Your Rights

You can delete your account and all associated data from the Account page. You can manage email preferences from the same page. For data export requests, we will provide your data in JSON format. For any requests, contact us via the Contact page. We will respond within 30 days.

Do Not Track

We do not track users across third-party websites. Our site does not respond to Do Not Track (DNT) browser signals because we do not engage in the type of cross-site tracking that DNT is intended to prevent.

10. Children's Privacy

FreeDynamicQRCode is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Email Communications

We send two types of emails:

  • Transactional emails (always sent): Magic sign-in links, payment receipts, payment failure alerts, account security notifications. These cannot be opted out of as they are necessary for account operation.
  • Marketing emails (opt-in): Product updates, scan milestone celebrations, upgrade reminders. You can control these from the Email Preferences section of your Account page.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on our website. Your continued use of FreeDynamicQRCode after changes are posted constitutes your acceptance of the updated policy.

13. Contact

For privacy-related questions or to exercise your data rights, contact us via the Contact page. To report a QR code that links to harmful content, use our Report Abuse page.