SafeScan QR Legal
Privacy Policy
1. What We Collect
SafeScan QR collects only what is needed to authenticate users, analyze QR payloads, prevent abuse, and operate the optional SQR airdrop program.
- Google OAuth data: name, email, profile picture, Google ID, and login timestamp.
- Optional Solana wallet address supplied by the user for airdrop eligibility.
- QR scan payloads such as URLs analyzed for risk. Logged-in scans may be associated with the user's email for scan counts and fraud prevention.
- Referral link usage and referral counts.
- IP address hash, approximate region, browser type, device type, and session signals for fraud prevention and analytics.
- Cookies and local storage values for authentication state, consent state, referral state, wallet state, and local report queues.
2. Why We Collect It and Legal Basis
- Authentication: contractual necessity.
- Scan history and QR security delivery: legitimate interest in providing and improving security analysis.
- Airdrop eligibility, scan tiers, referrals, and wallet address: contractual necessity for the tier program.
- Analytics and abuse prevention: legitimate interest.
- Marketing emails: explicit consent only.
3. How Long We Keep It
- Scan logs: targeted for deletion after 90 days.
- Account data: until deletion is requested or after 2 years of inactivity.
- Wallet address: until the user disconnects it or deletes the account.
- Consent records: retained for 5 years to document legal compliance.
4. Who We Share It With
We do not sell personal data and do not use advertising networks. We may share limited data with service providers only as needed:
- Google for OAuth authentication and Google Safe Browsing URL reputation checks.
- VirusTotal for URL reputation checks. URL payloads may be sent, but user identity is not included.
- Anthropic or OpenAI for AI analysis. URL payloads and risk signals may be sent, but direct personal identifiers are excluded.
- Solana RPC providers for wallet interactions involving public blockchain data.
- Render.com for hosting infrastructure.
5. Cookies and Tracking
SafeScan uses essential cookies/local storage for auth, consent, referral, wallet, and report state. Analytics is optional and should only run after consent where required.
6. Your Rights
EU/EEA users may exercise GDPR rights of access, erasure, rectification, restriction, portability, and objection. California users may exercise CCPA/CPRA rights to know, delete, correct, opt out of sale/sharing, limit sensitive personal information, and non-discrimination. Brazilian users may exercise LGPD rights including revoking consent and requesting information about public and private entities with whom data is shared. Canadian users are protected under PIPEDA principles: knowledge and consent, limited use, accuracy, safeguards, access, and the right to challenge compliance.
Use the Data Request portal to submit requests.
7. Children's Privacy
SafeScan is not directed to children under 13. EU users under 16 require parental consent under GDPR Article 8. If we discover an underage user, we will delete associated data promptly.
8. International Data Transfers
Data is hosted in the United States. For EU users, transfers are intended to be covered by Standard Contractual Clauses or other appropriate safeguards where required.
9. Security Measures
- TLS encryption in transit.
- Wallet addresses should be hashed or encrypted at rest as the product matures.
- OAuth tokens are not intentionally stored; SafeScan keeps only account/session references.
- Security incidents are tracked for GDPR Article 33 72-hour supervisory authority review and Article 34 user notice if high risk.
10. Contact
Privacy requests: safescanqr@gmail.com. A formal Data Protection Officer is not required at current scale but will be appointed upon reaching 5,000 EU users or when legally required.