1. Who we are
Sign QR (“we,” “us”) operates the petition and signature platform at this website. When you sign a petition at /p/[slug], Sign QR is the business that collects your personal information. Campaign organizers use our platform as customers; they are not separate controllers for signer data collected through Sign QR.
2. Scope
This policy describes how we handle personal information about petition signers, campaign organizers (account holders), and visitors to our site. Signer data collected on public petition pages is handled by Sign QR as described in section 1. Organizer account data (for example campaign settings, QR placement addresses, and billing) is collected to operate your dashboard. It applies to California residents’ rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, and to all users as described below.
3. Categories of personal information we collect
| Category | Examples |
|---|---|
| Identifiers | Name, email, Google account ID, session ID |
| Contact information | Phone, mailing address (optional on sign form) |
| Internet / device activity | Scan events, hold-to-sign events, timestamps, session IDs; address search text when organizers use location lookup tools |
| Geolocation | Signers: precise coordinates only if you opt in on the petition page. Organizers: QR placement coordinates and optional street addresses you enter; optional device location if you use “near me” or similar placement tools |
| Organizer account & campaign data | Campaign titles, QR placement names/labels, placement addresses, scan analytics tied to placements (organizers only) |
| Commercial information | Subscription tier, Stripe customer ID (organizers only) |
4. Sources
- Directly from you (sign form, organizer dashboard, account settings)
- Google when you sign in (OAuth) or use address autocomplete / map tools
- Automatic collection (session IDs, scan/hold analytics)
- Device/browser if you allow location on the petition page (signers) or in placement setup (organizers)
5. Purposes of use
- Record and display petition signatures
- Provide signature counts, scan schedules, geo heat maps, and related analytics to campaign organizers
- Let organizers configure QR placement locations (including address lookup and map display)
- Send optional email notifications to organizers (Resend)
- Allow organizers to send optional follow-up email and, where enabled, SMS text messages to signers who provided a phone number
- Process organizer subscriptions (Stripe)
- Security, fraud prevention, and audit logging (hashed identifiers)
- Comply with law and respond to privacy requests
6. Disclosure and sharing — we do not sell
We may disclose information to:
- Service providers under contracts that limit their use of the data, including:
- Supabase — database, authentication, file storage
- Vercel — application hosting
- Google — account sign-in (OAuth); Maps, Places, and Geocoding APIs when organizers search or verify placement addresses and view dashboard maps (search text, selected addresses, and map viewport requests are sent to Google)
- Stripe — organizer subscriptions and billing
- Resend — transactional and follow-up email
- Twilio — SMS follow-up messages when an organizer sends them and a signer has provided a phone number
- Organizer-configured CRM tools (e.g. Zapier, Airtable, custom HTTPS webhooks) when an organizer enables CRM sync — this may constitute sharing under CPRA. You may opt out of sharing at any time.
- Law enforcement or regulators when required by law
When you use Google address autocomplete, Google’s own privacy policy also applies to their processing of those requests. We do not use Google data for cross-context behavioral advertising.
7. Sensitive personal information
Precise geolocation is sensitive under CPRA.
- Petition visitors / signers: we collect precise coordinates only if you tap Allow location on the petition page. If you decline, scans may still be recorded without precise coordinates; we may attribute activity to a campaign QR placement when you use a placement-specific link.
- Organizers: placing a QR code may involve precise coordinates and street addresses you enter or select. Optional browser location (for example “near me”) is used only if you allow it in your device settings when prompted.
You may limit our use of sensitive PI by declining location permissions and using opt-out of sharing where applicable. Signers may also use dashboard or web-form privacy tools described in section 10.
8. Retention
- Signatures: Until you request deletion, delete your account, or the underlying campaign is removed
- QR placements & campaign geo: While the campaign exists and your organizer account is active, or until you delete the placement or campaign
- Scan / hold analytics: Approximately 12 months, then purged
- Audit logs (hashed): Approximately 24 months
See Your Privacy Rights to request deletion.
9. Security
We use TLS in transit, database access controls (Row Level Security), and envelope encryption for signatory contact fields at rest. No method of transmission or storage is 100% secure.
10. Your California privacy rights
California residents may request:
- Know / access — categories and specific pieces of PI we hold about you
- Delete — deletion of PI we collected from you
- Correct — correction of inaccurate PI
- Opt-out of sharing — stop CRM sharing of your signer contact data
- Limit use of sensitive PI — decline precise location on petition or placement pages; use opt-out as described
We will not discriminate against you for exercising these rights (no denial of service, different prices, or reduced quality for opting out).
How to submit a request:
- Signed in: Dashboard → Account (instant export / delete / opt-out)
- Not signed in: Privacy request form
- Email: privacy@signqr.com
We will verify your identity before fulfilling requests (account login or email verification). We aim to respond within 45 days.
11. Children
Sign QR is not directed to children under 16. We do not knowingly collect personal information from children under 16. Contact us to request deletion if you believe we have collected a child’s information.
12. Changes
We may update this policy. We will post the revised policy with a new effective date. Material changes may be communicated by email or site notice where required.
13. Contact
Privacy inquiries and requests: privacy@signqr.com · Web form