Privacy Policy

This Privacy Policy describes how TODO: Company Legal Name Pvt. Ltd. ("Qravio", "we", "our", or "us") collects, uses, shares, and protects information when you use our website at qravio.com and any related services, applications, or features (collectively, the "Service"). By accessing or using the Service, you agree to this policy.

This policy is published in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India and applicable rules thereunder.

1. Information We Collect

Account Data

When you register for an account, we collect:

Full name and email address
Password (stored as a salted hash — never in plain text)
Profile picture (if provided via OAuth)
Organisation/workspace name

QR Code and Workspace Data

When you create and manage QR codes, we store:

QR code name, type, destination URLs, and content
Page design settings (colours, templates, branding)
Files you upload (PDFs, images, vCards) stored in our cloud storage
Folder structure and workspace member roles

Scan Analytics Data

Every time someone scans one of your QR codes, our edge network records the following data to power your analytics dashboard:

Hashed IP address — we apply a one-way cryptographic hash (HMAC-SHA256 with a rotating salt) before storage. The original IP address is never stored.
Country, region, and city (derived from IP, then the IP is discarded)
Device type (mobile, tablet, desktop, bot)
Referrer domain (the website or app that triggered the scan, if available)
Browser language and user-agent string
Timestamp of the scan
A session identifier to distinguish unique visitors from repeat scans

We do not collect or store the full URLs visited by scan recipients, their name, or any device identifiers beyond the hashed IP and session ID.

Payment Data

All payment processing is handled by Razorpay Software Private Limited. We do not collect, process, or store card numbers, bank account details, or UPI credentials on our servers. We receive a transaction ID, subscription status, and billing amount from Razorpay to maintain your subscription record.

Usage and Technical Data

Pages visited within the Service and features used
Browser type, operating system, and viewport size
Errors and performance telemetry (via Vercel)
Support communications you initiate with us

2. How We Use Your Information

Provide and operate the Service — create and serve your QR codes, host your files, and render scan landing pages at the Cloudflare edge
Analytics dashboard — aggregate and display scan statistics for your workspace
Billing and subscriptions — manage plan upgrades, renewals, and invoices via Razorpay
Transactional communications — send account verification, password reset, workspace invitation, and payment receipt emails via Resend
Safety and abuse prevention — detect and block QR codes pointing to malicious or prohibited destinations
Product improvement — analyse aggregate, de-identified usage patterns to prioritise features
Legal compliance — maintain records required by applicable Indian law

3. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to third parties. We share data only in the following limited circumstances:

Recipient	Purpose	Data shared
Supabase Inc.	Authentication, PostgreSQL database, and file storage	All account and workspace data
Cloudflare Inc.	Edge QR routing, KV storage, and CDN	QR metadata, hashed scan events
Razorpay Software Pvt. Ltd.	Payment processing	Email, billing amount, subscription plan
Resend Inc.	Transactional email delivery	Email address and email content
Vercel Inc.	Frontend hosting and analytics	Anonymised page-view telemetry

We may also disclose information if required by law, court order, or a government authority, or to protect the rights, property, or safety of Qravio, our users, or the public.

4. Data Storage and Retention

Account and workspace data — retained while your account is active and for 90 days after account deletion to allow recovery. Permanently deleted thereafter.
Scan analytics — raw scan event rows are retained for 12 months. Aggregated counters (total scans, scans by date, etc.) are retained indefinitely.
Uploaded files — retained while your account is active; deleted within 30 days of account deletion or plan downgrade below the storage threshold.
Billing records — retained for 7 years as required by Indian accounting regulations.

Primary data is stored in data centres operated by Supabase and Cloudflare. See Section 9 for cross-border transfer details.

5. Your Rights under the DPDP Act, 2023

As a Data Principal under India's Digital Personal Data Protection Act, 2023, you have the following rights:

Right to Access — request a summary of the personal data we hold about you
Right to Correction — request correction of inaccurate or incomplete data
Right to Erasure — request deletion of your personal data (subject to legal retention obligations)
Right to Grievance Redressal — raise a complaint with our Grievance Officer
Right to Nominate — nominate another individual to exercise your rights in case of death or incapacity

To exercise any of these rights, email us at TODO: support@qravio.com with the subject line "DPDP Rights Request". We will respond within 30 days.

6. Cookies and Tracking

We use essential cookies (for authentication sessions managed by Supabase) and analytics cookies (Vercel Analytics, which uses anonymised page-view data). We do not use advertising or cross-site tracking cookies. For full details, see our Cookie Policy.

7. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately and we will delete it promptly.

8. International Data Transfers

Our service providers (Supabase, Cloudflare, Vercel) operate infrastructure outside India, including in the United States and European Union. By using the Service, you consent to your data being transferred to and processed in these jurisdictions. We ensure our providers maintain appropriate technical and organisational safeguards.

9. Security

We implement the following security measures to protect your data:

All data in transit is encrypted using TLS 1.2 or higher
All data at rest is encrypted using AES-256
Passwords are stored as one-way Argon2 hashes (via Supabase Auth)
IP addresses are one-way hashed before storage
Role-based access control — team members only access data within their workspace
Service role keys (used for backend-to-database access) are stored as environment variables and never exposed to the client

No method of transmission over the internet is 100% secure. If you discover a security vulnerability, please report it responsibly to TODO: support@qravio.com.

10. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email (to the address on your account) and by updating the "Last updated" date at the top of this page. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

11. Contact and Grievance Officer

For privacy-related questions, requests, or complaints, contact our Grievance Officer:

Name: TODO: Grievance Officer Name
Email: TODO: grievance@qravio.com
Address: TODO: Grievance Officer Address (same as registered office or separate)

Registered Office:
TODO: Company Legal Name Pvt. Ltd.
TODO: Registered Office Address, City, State – PIN Code, India

We aim to acknowledge your grievance within 48 hours and resolve it within 30 days. If you are not satisfied with our response, you may escalate to the Data Protection Board of India once it is constituted under the DPDP Act.