🔒 Privacy Policy

Your Privacy, Clearly Explained

We built BulkQR with privacy in mind. This policy explains exactly what data we collect, why we collect it, how long we keep it, and what rights you have. No jargon, no surprises.

Last updated: January 15, 2025 · Effective: January 15, 2025

The Short Version

📁

Uploaded Files

Your CSV/Excel files are processed immediately and deleted from our servers. We never store your uploaded data permanently.

📦

Generated ZIPs

ZIP files are automatically deleted 1 hour after generation. Download your files promptly — they are not kept.

👤

Account Data

If you create an account, we store your name, email, and hashed password. We never store plain-text passwords.

🚫

No Selling Data

We never sell, rent, or share your personal data with third parties for marketing or advertising purposes.

1 Who We Are

BulkQR ("we", "us", or "our") operates the bulk QR code generation service available at https://bulkqrcode.net ("the Service"). We are the data controller for personal data collected through this Service.

If you have any questions about this Privacy Policy or how we handle your data, you can reach our privacy team at privacy@bulkqrcode.net.

2 What We Collect

We collect different types of data depending on how you use the Service:

A. When You Use the QR Generator (No Account Required)

→

Uploaded file content — The URLs, text, and other data in your uploaded CSV or Excel file. This data is processed in memory to generate your QR codes and is never written to permanent storage. It is deleted immediately after your ZIP is created.

→

IP address — Your IP address is logged as part of our activity log (generation count, timestamp, and ZIP filename). This is used for rate limiting, fraud prevention, and abuse monitoring. IP addresses in the activity log are retained for up to 90 days, then purged.

→

Session data — A temporary session identifier is created in your browser for the duration of your visit (rate limiting, CSRF protection). This is not a persistent tracking cookie and expires when you close your browser.

→

Generated ZIP files — Your QR code ZIP is stored temporarily on our server for download. ZIP files are automatically deleted 1 hour after generation. We do not access or review the content of your generated QR codes.

B. When You Create an Account

→

Name and email address — Required to create and identify your account. Your email is used to send account-related communications (password reset, billing receipts, service notices). We do not send unsolicited marketing emails.

→

Hashed password — Your password is processed using bcrypt (PHP's PASSWORD_DEFAULT) before storage. We never store, log, or transmit plain-text passwords. We cannot retrieve your password — only reset it.

→

Plan/subscription status — Which plan you are on (Free, Pro, Business) and your billing history, used to enforce feature limits and process refunds.

→

Generation history — A log of your past QR code batches (count, date, ZIP filename). The underlying uploaded data and generated images are not retained — only the metadata.

→

Remember-me token — If you check "Keep me signed in", a secure random token is stored in a cookie and in our database. This token is hashed and expires after 30 days. You can revoke it at any time by signing out.

C. When You Contact Us

→

Support messages — When you submit a contact form or email us, we receive your name, email address, and message content. This is used solely to respond to your inquiry. Support messages are retained for up to 2 years for dispute resolution, then deleted.

✅ What We Do NOT Collect

✓The content of your QR codes (URLs, text, data) beyond temporary processing
✓Payment card numbers (handled entirely by Stripe — we never see your card)
✓Browser fingerprints or cross-site tracking data
✓Location data beyond IP-level country detection
✓Biometric data of any kind
✓Data from minors under 13 years of age (see Section 9)

3 How We Use Your Data

We use the data we collect only for the following purposes:

Purpose	Data Used	Legal Basis
Generating QR codes from your uploaded data	Uploaded file content	Contract performance
Delivering your generated ZIP file for download	Temporary server storage	Contract performance
Rate limiting to prevent server abuse	IP address (hashed), session	Legitimate interest
Account creation and authentication	Name, email, password hash	Contract performance
Sending account-related emails	Email address	Contract performance
Processing subscription payments	Email (shared with Stripe)	Contract performance
Providing billing history and receipts	Name, email, plan status	Legal obligation
Responding to support requests	Name, email, message content	Legitimate interest
Monitoring for fraud and abuse	IP address, activity log	Legitimate interest
Improving the Service (aggregate analytics only)	Anonymized usage statistics	Legitimate interest

We never use your data for advertising, profiling, or selling to third parties.

4 Data Retention

We retain data only as long as necessary for the purposes described above:

📁

Uploaded CSV/Excel files

Deleted immediately after ZIP generation — never written to permanent storage

📦

Generated ZIP files

Automatically deleted 1 hour after generation

🔢

Activity log (IP, count)

Rolling 500-entry log; IP addresses purged after 90 days

📊

Preview QR codes

Deleted after 5 minutes (cached for performance)

🔑

Session data

Expires when browser session ends (or after 24 hours)

🍪

Remember-me cookie

30 days from last use, or until you sign out

👤

Account data (name, email)

Until you delete your account, or 3 years of inactivity

💳

Billing records

7 years (legal requirement for financial records)

✉️

Support messages

Up to 2 years, then deleted

📧

Newsletter subscriptions

Until you unsubscribe

5 Third Parties & Sub-Processors

We use a limited number of trusted third-party services to operate the Service. We do not sell or share your data with any third party for marketing purposes.

Stripe

USA / EU Privacy Policy →

Purpose: Payment processing for Pro and Business subscriptions

Email address, billing name. Card data is handled entirely by Stripe — we never see or store card numbers.

Google Fonts

USA Privacy Policy →

Purpose: Loading Syne and DM Sans fonts for the website interface

Your IP address is shared with Google when fonts are loaded. You can mitigate this with browser caching after first visit.

Tailwind CSS CDN

USA Privacy Policy →

Purpose: Loading CSS framework for website styling

Your IP address may be logged by the CDN provider as part of standard CDN access logs.

Web Hosting Provider

Update to your hosting region Privacy Policy →

Purpose: Hosting the website, processing uploads, storing account data

All data described in this policy is stored on servers provided by our hosting provider. All servers are located in [YOUR SERVER REGION — update this].

Note: We do not use Google Analytics, Facebook Pixel, or any other behavioural advertising or cross-site tracking technologies on this Service.

6 Cookies & Local Storage

We use only the minimum cookies necessary to operate the Service:

Cookie Name	Type	Purpose	Duration	Can Opt Out?
PHPSESSID	Strictly necessary	Session management, CSRF protection, rate limiting	Session (browser close)	No — essential for security
remember_token	Functional	"Keep me signed in" persistent login token	30 days	Yes — uncheck "Remember me" or sign out
Google Fonts cache	Third-party	Font file caching by browser after first load	Varies by browser	No — browser-level

We do not use advertising cookies, tracking pixels, or analytics cookies. You can clear all cookies in your browser settings at any time.

7 Data Security

We implement technical and organizational measures to protect your data:

🔐

HTTPS everywhere

All data transmitted over TLS-encrypted connections. HTTP redirects to HTTPS.

🔑

Password hashing

Passwords hashed with bcrypt (PHP PASSWORD_DEFAULT). Plain-text passwords are never stored.

🛡️

CSRF protection

All state-changing forms protected with per-session CSRF tokens using hash_equals() comparison.

🚫

SQL injection prevention

All database queries use PDO prepared statements with parameterized inputs.

⏱️

Brute force protection

📁

File upload validation

Uploads validated by MIME type (not just extension), size-capped, and processed in isolated temp directories.

🗑️

Automatic deletion

Uploaded files and generated ZIPs are auto-deleted on schedule. No manual action required.

🔒

Session security

Sessions use strict mode, httponly cookies, and SameSite=Lax. Session ID regenerated on login.

Data breach notification: In the event of a data breach that affects your personal data, we will notify affected users within 72 hours of discovery, as required by applicable data protection law. Notifications will be sent to the email address on your account.

8 Your Rights

Depending on your location, you may have the following rights regarding your personal data. We honour these rights for all users regardless of jurisdiction:

👁️

Right to Access

Request a copy of all personal data we hold about you.

✏️

Right to Rectification

Request correction of inaccurate or incomplete data.

🗑️

Right to Erasure

Request deletion of your account and all associated personal data ("right to be forgotten").

📦

Right to Portability

Request your data in a machine-readable format (JSON or CSV).

🚫

Right to Object

Object to processing based on legitimate interest at any time.

⏸️

Right to Restriction

Request that we limit processing of your data in certain circumstances.

🔙

Right to Withdraw Consent

Withdraw consent for any processing based on consent (e.g. newsletter) at any time.

To exercise any of these rights, email us at privacy@bulkqrcode.net with the subject line "Privacy Request". We will respond within 30 days. You may also submit a complaint to your local data protection authority if you believe your rights have been violated.

9 Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@bulkqrcode.net and we will delete that data immediately.

Users in the European Union must be at least 16 years old to create an account, in accordance with GDPR Article 8.

10 International Data Transfers

Your data may be transferred to and processed in countries outside your own. Specifically, third-party services such as Stripe and Google Fonts may process data in the United States. We ensure such transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) where applicable.

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following transfer mechanisms: Standard Contractual Clauses (for transfers to Stripe and Google), and adequacy decisions where applicable.

11 Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will:

→ Update the "Last Updated" date at the top of this page
→ Send a notification email to registered account holders
→ Display a banner on the website for 30 days following the change

Continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy. If you do not agree with a significant change, you may delete your account and discontinue use of the Service.

12 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

✉️

Privacy Requests

For data access, deletion, or rights requests:

privacy@bulkqrcode.net

Response within 30 days

💬

General Support

For help using the Service:

Visit our Help Center →

Response within 24 hours

Please include "Privacy Request" in your email subject line along with your account email address so we can locate your data and respond promptly.

Related Legal & Help Pages

📋Terms of Service 💬Help Center ✉️Contact Us 💳Pricing & Plans 📡System Status