Privacy policy

re ("we," "us") runs a free QR code and short-link service. This policy explains what we collect when you create an account, save links, or scan a code — and what we do with it.

See also our Terms.

When you use re, we may process:

• Account data — email address (stored for sign-in lookup), optional display name (encrypted at rest), and a password hash (we never store your plain-text password).
• Session data — sign-in cookie, session id, and basic device metadata (browser, operating system, IP address, user agent) to keep you logged in and to secure the service.
• Link data — short link ids, labels, destination URLs you set, whether a link is active, scan counts, and QR type (classic or image).
• Image uploads — if you make an image QR, we store the image you upload in private object storage so we can generate and serve the scannable code. Source images are not published publicly.
• Scan telemetry — for saved links, we log scan time (UTC), device type, browser and OS family (parsed from the user agent — we do not store the raw user agent string on new events), language hint from Accept-Language, country when our CDN provides it, referrer host, hashed IP, and routing outcome for analytics and abuse detection.
• Guest links — you can create some links without an account. Those links are not tied to a dashboard and we do not offer scan history or recovery for guest links.

Link labels, destination URLs, and optional display names are encrypted at rest in the database before they are written. This helps protect that data if a database dump occurs without the encryption key.

Your email address stays in readable form so we can look you up at sign-in. Passwords are stored as one-way hashes, not encrypted text.

This is not end-to-end encryption. When you manage a link, update your profile, or when someone scans a code, the server decrypts stored fields as needed. Operators who run the live service and hold the encryption key can serve content to authenticated sessions and perform redirects. Combine field-level encryption with host and database volume encryption for defense in depth.

When someone scans your code, we route them through re's redirect service. Destinations we classify as low risk redirect immediately with no interstitial. If we classify a destination as medium or high risk, visitors see a warning page first and can choose to continue — we do not block owners from saving or using the link.

Scan events may be logged for analytics and anomaly detection on saved links, as described under What we collect.

Signed-in users receive an httpOnly session cookie (re_token) so you stay logged in. Safety warnings may set a short-lived gate cookie per link. We do not use advertising or cross-site tracking cookies. Details are in our Cookie policy.

If you own a link in your dashboard, you can view aggregated scan statistics: totals over time, device and browser/OS breakdowns, country (when available), language hints, referrer hosts, and recent scan timestamps. We use hashed IP addresses for unique-source counts — not raw IPs in the analytics UI.

Scan logging happens on our servers when someone opens your short link; it is separate from browser cookies. See the cookie policy for what visitors store locally.

We use collected data to:

• Run the service — create QR codes, route scans to your current URL, and show your dashboard.
• Authenticate you and protect accounts from abuse.
• Apply rate limits and keep the platform stable.
• Respond to support or legal requests when required.

We do not sell your personal information.

When someone scans your code, our servers receive the short link id and send the visitor to the URL you configured. We increment a scan counter for saved links. We do not inject ads into that flow.

We keep account and link data while your account is active. You can delete your account from the account settings page — that deactivates sign-in and revokes sessions. Link rows may remain in our database after deactivation for operational integrity; contact us if you need a specific link removed.

• Update your profile or email from account settings.
• Pause or change where a saved link sends people from your dashboard.
• Delete your account if you no longer want to use re.

Questions about this policy: [email protected]