
Cookie Policy

A complete list of every cookie and localStorage key we use.

Last updated: 2026-05-23
Effective: 2026-06-22

1. The short version

QRQuick uses only first-party essential cookies and a small set of localStorage keys for your preferences. We do not use Google Analytics, Facebook Pixel, or any third-party analytics or advertising trackers.

You do not need to "accept cookies" to use QRQuick — there is nothing optional to opt into.

2. Cookies we set

Session cookies (essential — cannot be disabled):

  • qrq.session — your signed JWT access token. Expires 1 hour after the last request, refreshed automatically. HttpOnly, Secure, SameSite=Lax.
  • qrq.refresh — opaque refresh token for re-issuing access tokens. HttpOnly, Secure, SameSite=Strict, 30-day rolling.
  • qrq.csrf — CSRF protection token for state-changing requests. Readable by our front-end JavaScript.

We do not set any third-party cookies. We do not set cookies on people who only scan QR codes (the redirect endpoint is cookieless).

3. localStorage keys

These are stored in your browser for your convenience — they never leave your device unless you submit a form:

  • qrq.locale — your language preference (en / hi)
  • qrq.theme — your color theme (light / dark / system)
  • qrq.user — cached display name + email for sidebar (refreshed on login)
  • qrq.workspace — currently selected workspace ID
  • qrq.gettingStarted.dismissed — whether you've dismissed the onboarding checklist
  • qrq.whatsnew.seen — the highest changelog version you've acknowledged
  • qrq.tour.completed — whether you've finished the welcome tour
  • qrq.creator.draft — autosaved QR you were building before sign-up (so we can restore it after signup)

You can clear all of these from your browser's site-data settings without affecting the operation of the dashboard.

4. Analytics

We measure traffic to qrquick.in using a privacy-respecting, first-party log pipeline that records:

  • the path you visited
  • the day (not the timestamp) and country
  • a hash of your IP (not the IP itself), discarded after 7 days

No persistent identifier is stored, no cross-site tracking is performed, and the data is never shared with third parties. We use this only to understand which marketing pages are working.

5. How we track QR scans

Dynamic QRs created on QRQuick redirect through q.qrquick.in (or your custom domain on the Agency plan).

When someone scans a QR, the redirect endpoint records:

  • a timestamp
  • the QR id
  • country + city (derived from IP, then the full IP is discarded)
  • device type, OS, browser
  • whether the request looked like a bot (heuristic)

No cookie is set on the scanner. No personal data is collected unless the QR points to a landing page where you have asked for it explicitly with a lead-capture block.

6. Opting out

Because we use only essential cookies and no third-party tracking, there is nothing to opt out of beyond clearing your localStorage.

If you are a scanner and prefer your scan not be counted toward our analytics, send the Do Not Track header — we honor it at the redirect endpoint (the scan still resolves, but it is excluded from the workspace's stats).

7. Changes

If we ever add a new cookie or localStorage key, this page is updated and the "Last updated" date at the top is bumped. Material changes are also announced in the in-app What's New modal.

Questions? Email privacy@qrquick.in.
