Security & Privacy Practices
The engineering behind a privacy-friendly QR analytics product, in plain English.
Hashed identifiers, not raw IPs
When someone scans a dynamic QR, our redirect handler hashes their IP address with SHA-256 together with a secret salt that rotates every 24 hours. Only the hash is stored; the raw address is discarded. Within one day the same address always produces the same hash, which is enough to count "unique scans yesterday". When the salt rotates, the old salt is discarded rather than archived, so neither we nor anyone who obtains the database can map a stored hash back to an address or link one visitor's scans across days. The salt has to stay secret for this to hold: the IPv4 address space is small enough that anyone holding the salt could recover an address simply by hashing every candidate and comparing.
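The scheme above in working form, as an added illustration rather than QRLagoon's own code. It uses HMAC-SHA256, the standard keyed construction for "SHA-256 with a secret salt", keeps only the current day's salt so rotation really does destroy the old one, and also shows the caveat: recover_ip demonstrates that whoever holds the salt can enumerate a candidate range and get the address back. Day keys, sample addresses and the class and function names are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional


def pseudonymize_ip(ip: str, salt: bytes) -> str:
    """Pseudonym for an IP under one day's salt: HMAC-SHA256 keyed with the salt.

    The address is parsed and packed first so that an IPv4-mapped IPv6 form such
    as "::ffff:203.0.113.57" (common behind proxies) yields the same identifier
    as "203.0.113.57"; otherwise one visitor would be counted twice.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return hmac.new(salt, addr.packed, hashlib.sha256).hexdigest()


class DailySalt:
    """Holds exactly one salt: today's. Rotation overwrites it in place, so the
    previous salt is never retained (no archive, no derivation from a master key
    that would let it be recomputed). That destruction is what makes old hashes
    unlinkable, even to the operator."""

    def __init__(self, day: str) -> None:
        self.day = day
        self.salt = secrets.token_bytes(32)

    def for_day(self, day: str) -> bytes:
        if day != self.day:
            self.day = day
            self.salt = secrets.token_bytes(32)  # the old salt is gone after this line
        return self.salt


class ScanLog:
    """Stores (day, pseudonym) pairs only; the raw IP is never written anywhere."""

    def __init__(self, day: str) -> None:
        self._salt = DailySalt(day)
        self._events: list[tuple[str, str]] = []

    def record(self, ip: str, day: str) -> None:
        self._events.append((day, pseudonymize_ip(ip, self._salt.for_day(day))))

    def unique_scans(self, day: str) -> int:
        return len({h for d, h in self._events if d == day})

    def shared_pseudonyms(self, day_a: str, day_b: str) -> int:
        """Pseudonyms present on both days. With independent daily salts this is
        0 even when the very same addresses scanned on both days."""
        a = {h for d, h in self._events if d == day_a}
        b = {h for d, h in self._events if d == day_b}
        return len(a & b)


def recover_ip(pseudonym: str, salt: bytes, candidates: str) -> Optional[str]:
    """Why the salt must stay secret: anyone holding it recovers the address by
    hashing every candidate. A /24 takes milliseconds; all of IPv4 (2^32
    addresses) is hours of CPU time. The hash function is not the protection,
    the secrecy and destruction of the salt is."""
    for addr in ipaddress.ip_network(candidates):
        if hmac.compare_digest(pseudonymize_ip(str(addr), salt), pseudonym):
            return str(addr)
    return None


if __name__ == "__main__":
    # Constructed sample scans: one visitor seen twice (once via a proxy that
    # reports the IPv4-mapped form), one other visitor, then the first visitor
    # again on the next day.
    log = ScanLog("2024-05-01")
    for ip in ("203.0.113.57", "::ffff:203.0.113.57", "198.51.100.2"):
        log.record(ip, "2024-05-01")
    log.record("203.0.113.57", "2024-05-02")
    print("unique on 2024-05-01:", log.unique_scans("2024-05-01"))
    print("unique on 2024-05-02:", log.unique_scans("2024-05-02"))
    print("pseudonyms shared across days:", log.shared_pseudonyms("2024-05-01", "2024-05-02"))

    leaked_salt = secrets.token_bytes(32)
    h = pseudonymize_ip("203.0.113.57", leaked_salt)
    print("recovered with the salt in hand:", recover_ip(h, leaked_salt, "203.0.113.0/24"))
```

Two design points worth noting: the salt is generated fresh from the OS CSPRNG and never derived from a long-lived master key, because a derivable salt is a retained salt; and the IPv4-mapped normalisation is needed whenever the redirect endpoint sits behind a dual-stack proxy, or daily unique counts silently inflate.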
Local GeoIP, no third-party leakage
Country and (optional) city enrichment uses a local copy of the MaxMind GeoLite2 database, loaded in memory on our own server; no request leaves for a third party to perform this enrichment. Because a hash cannot be geolocated, the lookup runs in the redirect handler on the raw address, before that address is hashed and discarded.
No trackers
No Google Analytics. No Facebook Pixel. No Hotjar, Segment, Intercom, Mixpanel, or any other third-party JS for analytics or marketing automation. The entire frontend bundle is served from our domain, and the only outbound connections from your dashboard are to our API and (for QR-styling) to your own logo URL if you upload one.
Authentication
Sessions are managed by better-auth using Secure, HttpOnly cookies (so session tokens cannot be read by page JavaScript) with CSRF protection. Passwords are stored only as salted hashes from a purpose-built, deliberately slow password hashing function; we never store plaintext.
Transport security
All traffic to QRLagoon, both the dashboard and the redirect endpoint, is served over HTTPS with HSTS (Strict-Transport-Security), which tells a browser that has visited once to refuse plaintext for all later visits. We do not accept plaintext connections. You can confirm this yourself by requesting any page with curl -I and looking for the Strict-Transport-Security line in the response headers.
Data deletion
You can delete any QR code or project from the dashboard, which also removes all of its scan events. Account deletion is available on request: email privacy@qrlagoon.com and we'll erase your data within 30 days.
Reporting a vulnerability
Email security@qrlagoon.com. We respond within 2 business days, fix critical issues within 7 days, and we do not pursue legal action against good-faith researchers who follow responsible disclosure.