Sign QR
How it worksFeaturesPricingPrivacy
Log in

Legal

Privacy Policy

Effective date: June 18, 2026. This policy explains how Sign QR collects, uses, shares, and protects personal information.

Draft reviewed for CPRA alignment — obtain California privacy counsel sign-off before production reliance.

Exercise your rightsEmail privacy team

On this page

Who we areScopeInformation we collectSourcesPurposes of useDisclosure & sharingSensitive informationRetentionSecurityYour privacy rightsChildrenChangesContact

On this page

  1. Who we are
  2. Scope
  3. Information we collect
  4. Sources
  5. Purposes of use
  6. Disclosure & sharing
  7. Sensitive information
  8. Retention
  9. Security
  10. Your privacy rights
  11. Children
  12. Changes
  13. Contact

1. Who we are

Sign QR (“we,” “us”) operates the petition and signature platform at this website. When you sign a petition at /p/[slug], Sign QR is the business that collects your personal information. Campaign organizers use our platform as customers; they are not separate controllers for signer data collected through Sign QR.

2. Scope

This policy describes how we handle personal information about petition signers, campaign organizers (account holders), and visitors to our site. Signer data collected on public petition pages is handled by Sign QR as described in section 1. Organizer account data (for example campaign settings, QR placement addresses, and billing) is collected to operate your dashboard. It applies to California residents’ rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, and to all users as described below.

3. Categories of personal information we collect

CategoryExamples
IdentifiersName, email, Google account ID, session ID
Contact informationPhone, mailing address (optional on sign form)
Internet / device activityScan events, hold-to-sign events, timestamps, session IDs; address search text when organizers use location lookup tools
GeolocationSigners: precise coordinates only if you opt in on the petition page. Organizers: QR placement coordinates and optional street addresses you enter; optional device location if you use “near me” or similar placement tools
Organizer account & campaign dataCampaign titles, QR placement names/labels, placement addresses, scan analytics tied to placements (organizers only)
Commercial informationSubscription tier, Stripe customer ID (organizers only)

4. Sources

  • Directly from you (sign form, organizer dashboard, account settings)
  • Google when you sign in (OAuth) or use address autocomplete / map tools
  • Automatic collection (session IDs, scan/hold analytics)
  • Device/browser if you allow location on the petition page (signers) or in placement setup (organizers)

5. Purposes of use

  • Record and display petition signatures
  • Provide signature counts, scan schedules, geo heat maps, and related analytics to campaign organizers
  • Let organizers configure QR placement locations (including address lookup and map display)
  • Send optional email notifications to organizers (Resend)
  • Allow organizers to send optional follow-up email and, where enabled, SMS text messages to signers who provided a phone number
  • Process organizer subscriptions (Stripe)
  • Security, fraud prevention, and audit logging (hashed identifiers)
  • Comply with law and respond to privacy requests

6. Disclosure and sharing — we do not sell

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising.

We may disclose information to:

  • Service providers under contracts that limit their use of the data, including:
    • Supabase — database, authentication, file storage
    • Vercel — application hosting
    • Google — account sign-in (OAuth); Maps, Places, and Geocoding APIs when organizers search or verify placement addresses and view dashboard maps (search text, selected addresses, and map viewport requests are sent to Google)
    • Stripe — organizer subscriptions and billing
    • Resend — transactional and follow-up email
    • Twilio — SMS follow-up messages when an organizer sends them and a signer has provided a phone number
  • Organizer-configured CRM tools (e.g. Zapier, Airtable, custom HTTPS webhooks) when an organizer enables CRM sync — this may constitute sharing under CPRA. You may opt out of sharing at any time.
  • Law enforcement or regulators when required by law

When you use Google address autocomplete, Google’s own privacy policy also applies to their processing of those requests. We do not use Google data for cross-context behavioral advertising.

7. Sensitive personal information

Precise geolocation is sensitive under CPRA.

  • Petition visitors / signers: we collect precise coordinates only if you tap Allow location on the petition page. If you decline, scans may still be recorded without precise coordinates; we may attribute activity to a campaign QR placement when you use a placement-specific link.
  • Organizers: placing a QR code may involve precise coordinates and street addresses you enter or select. Optional browser location (for example “near me”) is used only if you allow it in your device settings when prompted.

You may limit our use of sensitive PI by declining location permissions and using opt-out of sharing where applicable. Signers may also use dashboard or web-form privacy tools described in section 10.

8. Retention

  • Signatures: Until you request deletion, delete your account, or the underlying campaign is removed
  • QR placements & campaign geo: While the campaign exists and your organizer account is active, or until you delete the placement or campaign
  • Scan / hold analytics: Approximately 12 months, then purged
  • Audit logs (hashed): Approximately 24 months

See Your Privacy Rights to request deletion.

9. Security

We use TLS in transit, database access controls (Row Level Security), and envelope encryption for signatory contact fields at rest. No method of transmission or storage is 100% secure.

10. Your California privacy rights

California residents may request:

  • Know / access — categories and specific pieces of PI we hold about you
  • Delete — deletion of PI we collected from you
  • Correct — correction of inaccurate PI
  • Opt-out of sharing — stop CRM sharing of your signer contact data
  • Limit use of sensitive PI — decline precise location on petition or placement pages; use opt-out as described

We will not discriminate against you for exercising these rights (no denial of service, different prices, or reduced quality for opting out).

How to submit a request:

  • Signed in: Dashboard → Account (instant export / delete / opt-out)
  • Not signed in: Privacy request form
  • Email: privacy@signqr.com

We will verify your identity before fulfilling requests (account login or email verification). We aim to respond within 45 days.

11. Children

Sign QR is not directed to children under 16. We do not knowingly collect personal information from children under 16. Contact us to request deletion if you believe we have collected a child’s information.

12. Changes

We may update this policy. We will post the revised policy with a new effective date. Material changes may be communicated by email or site notice where required.

13. Contact

Privacy inquiries and requests: privacy@signqr.com · Web form

Terms of ServicePrivacy PolicyAccessibilityYour Privacy RightsDo Not Sell or Share

© 2026 Sign QR