Privacy Policy
Effective: 2026-07-01 · Slovenia / EU jurisdiction. Controller established in the EU.
This Privacy Policy describes how Zoran Bebić (“GlyphIQ”, “we”, “us”) processes personal data when you use the GlyphIQ service at https://glyphiq.app and its subdomains, including the dashboard, the public static-QR generator, and the redirect infrastructure that resolves your dynamic and standalone QR codes.
We act as controller for the personal data described here. Where we use third-party processors to operate the Service, those processors act on our instructions under a Data Processing Agreement; they are listed at /sub-processors.
This Policy is incorporated into our Terms of Service by reference. Nothing in this Policy limits any non-waivable statutory right you may have under the GDPR or the Slovenian Personal Data Protection Act (Zakon o varstvu osebnih podatkov, “ZVOP-2”).
1. Controller and contact
The controller for your personal data is:
Zoran Bebić
Slovenia
For privacy enquiries and data-subject requests, contact privacy@glyphiq.app. This mailbox is pinned to a 30-day Article 12(3) response clock; do not route privacy requests through general support.
Because GlyphIQ is established in Slovenia (an EU Member State), no Article 27 representative-in-the-Union is appointed. The lead supervisory authority is the Slovenian Information Commissioner (Informacijski pooblaščenec, ip-rs.si).
2. Categories of personal data we process
2.1 Account and identity data
Held by Clerk (our authentication provider) as authoritative identity record: email address, display name, first/last name, profile image, phone number (if provided), password hash, session tokens, and OAuth provider tokens. GlyphIQ does not store your password or session tokens on its own infrastructure — we only persist your Clerk user ID alongside activity timestamps (last login, inactivity-warning send-time) in our MongoDB.
2.2 Subscription and billing data
Held by Lemon Squeezy as Merchant of Record: buyer name, billing address, payment card details, tax identifiers, and invoice records. We never receive raw payment details — checkout is a Lemon Squeezy-hosted flow returning only IDs and status via signed webhook. GlyphIQ persists only the Lemon Squeezy subscription ID, customer ID, variant ID, plan tier, billing cadence, status, code quotas, credit counters, and period-end dates.
2.3 QR code metadata
For each code you create, we store: the short code, the destination URL, customisation settings, the type (dynamic/standalone) and variant (URL/vCard/WiFi), folder membership, status (active/paused/archived), creation and edit timestamps. QR code images are generated entirely in your browser — we never store them server-side.
For vCard and WiFi codes the content you encode may itself be personal or sensitive data, including data about third parties: a vCard stores the contact details you enter (name, phone, email, company, job title, website, address), and a WiFi code stores the network name (SSID) and password. This content is stored in our MongoDB and mirrored to the edge redirect store (Cloudflare KV) so the hosted vCard/WiFi page can render when the code is scanned. You are responsible for having a lawful basis to encode any third party's details.
When you create or edit a URL code, we submit the destination URL to our safety-screening providers (see §4) to check it against known-malicious-link databases. We store the resulting verdict (clean / flagged), its source, and the check time on the code record; we do not fetch or store the content of the destination page.
2.4 Scan analytics (pseudonymized at collection)
When a visitor scans one of your dynamic or standalone codes, our Cloudflare Worker records: a SHA-256-truncated visitor hash (16 hex characters, computed from a server-side secret salt concatenated with the visitor's IP address — the raw IP is never stored), a 2-letter ISO country code derived at the edge, a derived device-type classification (mobile / tablet / desktop), a derived browser name, the HTTP Referer header, the short code, and the scan timestamp.
Pseudonymization happens at collection, not post-hoc. The raw IP and the raw User-Agent are discarded inside the Worker and never reach storage. Geolocation is country-only — we never derive city, region, or coordinates.
Scan data is stored in Cloudflare Analytics Engine; MongoDB stores zero scan records. Scan analytics is optional per code — the analytics flag on each code defaults to off at creation.
2.5 Archived-code landing-page data
When a code enters the archived state (see Terms §11), scans of that code resolve to a landing page on expired.glyphiq.app. At serve time we record the same pseudonymized fields as a live scan plus the last-known destination URL fragment used to theme the page. Once an ad network is wired on that subdomain, any cookies it sets will be subject to its own DPA and scoped to the subdomain only — no cross-site tracking, no behavioural profiling. See §6 for transfer mechanics and §10 for the consent posture.
2.6 Email-delivery data
When we send you a transactional email, Resend receives the recipient address (resolved from Clerk at send time, not persisted in our MongoDB) and the templated body. These emails cover account- and code-lifecycle events: account-inactivity and pre-deletion warnings, code-archival and auto-extend notifications, and URL-safety flag notices. We also send an optional weekly scan-performance summary only to users who turn it on in settings; you can turn it off at any time. To prevent duplicate sends we persist per-event send-time markers (for example the inactivity-warning and pre-deletion timestamps) on your MongoDB record, plus your email preferences where you have set them.
2.7 Dashboard and marketing-site telemetry
On glyphiq.app (the single Next.js application that serves both the marketing root and the authenticated dashboard), we run two cookieless aggregate product-analytics scripts: Vercel Web Analytics (page views, route-level CTA events) and Vercel Speed Insights (Core Web Vitals — LCP, INP, CLS, TTFB, FCP — sampled per session). These scripts set no cookies, store no cross-site identifier, and build no behavioural profile. They receive a coarse country code, a derived device-type classification, a path, a referrer, and (for CTA events) a short event name; no IP address is persisted, no fingerprint is computed, no profile is assembled across sessions.
This telemetry is scoped strictly to glyphiq.app. The scan-resolution path on qr.glyphiq.app and the archived-code landing surface on expired.glyphiq.app are separate origins running separate code; they load none of these scripts and their privacy posture (§2.4, §2.5) is unchanged.
2.8 What we do NOT collect
- No special-category data under GDPR Article 9 (health, biometric, political, religious, union, sexual-orientation).
- No criminal-conviction data under Article 10.
- No raw IP addresses (pseudonymized at the Worker before storage).
- No raw User-Agent strings (categorised at the Worker before storage).
- No city, region, or coordinate-level geolocation.
- No analytics or marketing cookies on the dashboard or marketing surfaces.
- No content from the URLs your codes redirect to — destination content is under your control, not ours.
3. Purposes and legal bases
Each processing activity below cites the corresponding GDPR Article 6(1) legal basis. Where we rely on legitimate interests under Article 6(1)(f), you may object at any time under §8 Objection — Article 21.
| Activity | Purpose | Legal basis |
|---|---|---|
| Authentication | Account creation, sign-in, session management. | Art. 6(1)(b) performance of contract. |
| Subscription billing | Process Subscriptions and Standalone Packs; maintain billing state; record qualifying-activity timestamps. | Art. 6(1)(b) contract AND Art. 6(1)(c) legal obligation (Slovenian invoicing / tax retention). |
| QR redirect | Resolve short codes to destination URLs at the edge. | Art. 6(1)(b) performance of contract. |
| Scan analytics | Record pseudonymized scan aggregates so authenticated users can review their code performance. | Art. 6(1)(f) legitimate interest. |
| Dashboard and marketing-site telemetry | Cookieless aggregate product analytics (page views, Core Web Vitals, CTA events) on the dashboard and marketing surfaces, to measure product and content performance. | Art. 6(1)(f) legitimate interest — no cookies, no behavioural profile, no cross-site tracking. |
| URL safety screening | Submit destination URLs to safety-screening providers at create/edit time to block malicious links. | Art. 6(1)(f) legitimate interest (abuse prevention and visitor safety). |
| Transactional email | Send account- and code-lifecycle notifications (inactivity, pre-deletion, archival, auto-extend, URL-flag) and, for users who opt in, a weekly scan-performance summary. | Art. 6(1)(b) performance of contract for lifecycle emails; Art. 6(1)(a) consent for the opt-in weekly summary. |
| Archived-code landing | Serve a useful page (not a 404) for archived-code scans; future contextual ads fund retention. | Art. 6(1)(f) legitimate interest for the page itself; Art. 6(1)(a) consent for any non-strictly-necessary ad cookie. |
| Incident response | Detect, document, and report personal-data breaches; maintain sub-processor audit records. | Art. 6(1)(c) legal obligation (Art. 33/34) AND Art. 6(1)(f) legitimate interest. |
4. Recipients and sub-processors
Personal data may be processed by the third-party providers listed at /sub-processors in their capacity as our processors. At launch these are:
- Vercel — hosting and edge compute for the dashboard and marketing site; cookieless aggregate analytics (Vercel Web Analytics) and Web Vitals telemetry (Vercel Speed Insights) for those surfaces only.
- Cloudflare — edge redirect, KV short-code storage, Analytics Engine for pseudonymized scan data, destination-URL safety screening (Cloudflare Radar URL Scanner), and bot protection (Turnstile).
- Google (Safe Browsing) — destination-URL safety screening at code create/edit time; the destination URL is checked against the Google Safe Browsing database.
- MongoDB Atlas (EU region) — account, subscription, and QR-code metadata.
- Clerk — authentication and authoritative identity record.
- Lemon Squeezy — subscription and standalone-pack billing as Merchant of Record.
- Resend — transactional email delivery.
The /sub-processors page is the single source of truth for processor disclosures and is updated whenever a processor is added or removed.
We may also disclose personal data to public authorities where legally compelled (e.g., binding judicial or regulatory orders). We do not sell personal data to third parties and do not use it to train machine-learning models.
5. International data transfers
MongoDB Atlas is provisioned in an EU region — no Article 46 transfer mechanism is required for the account, subscription, and QR-metadata data we store there.
Vercel, Cloudflare, Clerk, Lemon Squeezy, Resend, and Google (Safe Browsing) are established in the United States. Transfers to the US rely on two layers, applied in order:
- Primary: EU-US Data Privacy Framework. Each processor is self-certified under the EU-US DPF (and, where relevant, the UK Extension and the Swiss-US DPF). The European Commission's 2023 adequacy decision applies.
- Fallback: 2021 Standard Contractual Clauses. Module 2 (controller-to-processor) of the 2021 SCCs is incorporated in each processor's Data Processing Addendum. This fallback is in force concurrently with the DPF, so it survives a future DPF invalidation without re-papering.
For Cloudflare specifically, we have completed a Transfer Impact Assessment under the Schrems II test. The combination of Executive Order 14086 proportionality limits, the Data Protection Review Court redress mechanism, and the fact that only pseudonymized scan aggregates (not directly identifying data) cross the border supports a low-risk transfer determination. This assessment is maintained internally and is available to the Slovenian Information Commissioner on request.
6. Retention
- Account and identity data — retained for the lifetime of your account. On account deletion, your MongoDB record is removed and the Clerk identity is deleted through the Clerk admin flow.
- Subscription state — retained for the lifetime of your account in our MongoDB. Lemon Squeezy retains the underlying invoice records for the period required by Slovenian accounting law (a minimum 10-year retention obligation under ZVOP-2 and the Slovenian VAT Act for invoicing records) and US tax law as applicable.
- QR-code metadata — retained while the code exists. On code deletion the metadata is removed; on account deletion all your codes' metadata is removed.
- Scan analytics — retained in Cloudflare Analytics Engine for approximately 90 days under Cloudflare's retention policy (subject to change by Cloudflare). No identifier links a scan record to a natural person, so retention horizons do not present re-identification risk.
- Archived codes — we do not commit to a fixed retention period for an archived code's KV redirect entry and MongoDB metadata. We retain them on a best-effort basis for as long as it stays feasible — generally prioritising codes that are still scanned and releasing dormant ones — and may delete them or discontinue archived-code retention at any time, including on cessation of the Service. See Terms §11 for the commercial framing.
- Email-delivery records — per-event send-time markers (inactivity, pre-deletion, archival, auto-extend, URL-flag) and your email preferences are retained for as long as your account is active. Resend's own delivery logs follow its DPA retention.
- Incident records — retained internally for 5 years from closure of the incident under our breach-response procedure.
7. Your rights
Under GDPR Articles 15–22 and the corresponding ZVOP-2 provisions, you have the following rights with respect to your personal data. Send any request to privacy@glyphiq.app. We will respond within 30 days from receipt, extendable by one further month for complex or multiple requests with notice to you.
We verify the requester via an email round-trip to the account-of-record address held by Clerk before disclosing, modifying, or deleting any personal data — necessary to prevent someone else from acting on your record.
7.1 Access — Article 15
You may obtain a copy of your personal data held by GlyphIQ — the MongoDB user record, subscription record, and the QR code / folder records associated with your account. Identity fields (email, name, phone, profile image) are held by Clerk; we will direct you to Clerk's export flow for those.
7.2 Rectification — Article 16
You may correct inaccurate personal data. MongoDB-held fields are corrected on request; Clerk-held identity fields you update directly via your Clerk profile (Clerk is the authoritative source for those).
7.3 Erasure — Article 17
You may request deletion of your account. We remove your MongoDB user, subscription, QR code, and folder records, and delete your Clerk identity via the Clerk admin flow. Some records are subject to Article 17(3) exemptions — notably, Lemon Squeezy retains invoice records under ZVOP-2 / Slovenian accounting law for a minimum 10-year period in its capacity as Merchant of Record.
Scan records are infeasible to erase by design. Analytics Engine scan records carry only a pseudonymized visitor hash; they contain no identifier that links to you as a data subject. Without such an identifier we cannot target your scan records for deletion. Pseudonymization at collection is the privacy mechanism that makes erasure both unnecessary and impossible in the same step — your scans contain no personal data about you that we could erase.
7.4 Restriction — Article 18
You may request that we pause processing of your records. Operationally we mark your account as restricted, stop sending transactional email to you, and mark your Lemon Squeezy subscription as cancelled at period end. Records are retained but not actively processed during the restriction.
7.5 Portability — Article 20
You may obtain your personal data in a structured, machine-readable format (JSON). We export your MongoDB user, subscription, QR code, and folder records on request. Clerk-held identity export is performed through Clerk's data export flow.
7.6 Objection — Article 21
You may object to processing we carry out under Article 6(1)(f) legitimate interest. For scan analytics, the pseudonymized nature means we hold no identifiable data for you to object to. For incident handling and sub-processor audit, the legal-obligation basis under Article 33 generally prevails on the compelling-legitimate-grounds test. We record the evaluation in our audit log either way.
7.7 Withdraw consent — Article 7(3)
Where we rely on consent (Article 6(1)(a)) — currently only for non-strictly-necessary cookies on the archived-code landing pages on expired.glyphiq.app once the contextual ad network is wired up — you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
7.8 Lodge a complaint — Article 77
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. Our lead supervisory authority is the Slovenian Information Commissioner (Informacijski pooblaščenec) at ip-rs.si.
8. Cookies and similar technologies
The GlyphIQ application at glyphiq.app (single origin serving both the marketing root and the authenticated dashboard) uses only strictly-necessary cookies:
- Clerk session and CSRF cookies — required to keep you signed in and to prevent cross-site request forgery.
- Lemon Squeezy checkout-handoff cookies — set during the billing flow when you initiate a purchase.
We do not set analytics, marketing, or third-party tracking cookies on glyphiq.app, and the redirect Worker that resolves your codes at /r/{code} sets and reads zero cookies. Because no non-strictly-necessary cookies are used on that surface, no ePrivacy consent banner is required there.
The glyphiq.app application does load two cookieless aggregate-analytics scripts (Vercel Web Analytics and Vercel Speed Insights — see §2.7). These scripts use no client-side storage, no fingerprinting, no cross-site identifier, and no behavioural profile; under the ePrivacy Directive Article 5(3) they do not trigger a consent-banner obligation because no information is stored on or read from the user's terminal equipment. They are not loaded on qr.glyphiq.app (scan redirect) or expired.glyphiq.app (archived-code landing).
The archived-code landing surface at expired.glyphiq.app is the one exception. Once the contextual ad network is wired (no ad network is wired at launch — see /sub-processors), that surface will carry its own first-party consent banner and ask the visitor for explicit consent under Article 6(1)(a) before any non-strictly-necessary cookie is set. Declining consent will still show the landing page but withhold the ad request. Contextual targeting is a hard product rule — ads are chosen from page content only, never from visitor behaviour.
9. Children
The Service is not directed at persons under 18 (or the age of legal majority in your jurisdiction) and we do not knowingly collect personal data from such persons. If you believe a child has provided personal data to us, contact privacy@glyphiq.app and we will delete the data and close the account.
10. Security
We use commercially reasonable technical and organisational measures to protect personal data, including: TLS in transit; Clerk-managed authentication so passwords never reach our infrastructure; signed webhook verification (Svix HMAC for Clerk, signed-payload verification for Lemon Squeezy and Resend); the visitor-hash salt held as an encrypted Cloudflare Workers Secret; and least-privilege access controls on our MongoDB cluster.
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Slovenian Information Commissioner within 72 hours of awareness under Article 33, and notify you directly under Article 34 if the breach is likely to result in a high risk.
11. Changes to this Policy
We may amend this Policy from time to time. The current version is identified by the Effective date at the top.
For non-material changes (clarifications, formatting, fixes, additions that do not reduce your rights), the updated Policy applies from the new Effective date.
For material changes (changes to the categories of data we process, the purposes, the legal bases, retention periods, or sub-processors in a way that materially affects you), we will notify active users by email at least 30 days before the changes take effect. If you do not accept the change, you may close your account before the change takes effect; we will issue a pro-rated refund of any unused portion of your current paid period per Terms §18.
12. Contact
- Privacy and data-subject requests: privacy@glyphiq.app
- Security incidents: security@glyphiq.app
- General support: support@glyphiq.app
- Legal notices: legal@glyphiq.app
Zoran Bebić
Slovenia