Privacy

Go2RE is a small business. This page describes exactly what we collect, why, where it goes, and how to remove it. Last updated 2026-05-09.

The short version

  • We collect what's needed to run a QR-code service — account info, the URLs you point QR codes at, and a count of how many times each code is scanned.
  • Sign-in is Google OAuth or email/password — your choice.
  • Payment is processed by Stripe. We never see your card number.
  • We don't sell your data, run ads, or share it with anyone except the third parties listed below.
  • You can edit or delete everything from your account page.

What we collect

Account

  • Email address — used to sign you in and to contact you about your account.
  • Display name, optional phone, business address, and a few profile fields you fill in voluntarily on the account page.
  • Password hash (bcrypt) if you signed up with a password, or your Google subject ID if you signed in with Google. Not both at once unless you explicitly link them.

Links and scans

  • The destination URL for each QR code you create, plus the optional name, MLS, and ZIP labels you assign.
  • Per-hour scan counts for each link, used to render the stats charts. We do not store individual scan IPs, user-agents, or geolocation — just a count per hour per link.

Billing

  • If you're on a paid plan, your Stripe customer ID and subscription ID are stored in our database — that's the entire payment record we keep. Card numbers, billing addresses, and invoice history live with Stripe and never touch our servers.

Contact form

  • Whatever you typed — name, optional email, message body. Plus your IP, used briefly to throttle obvious spam (3 messages per hour per IP). The IP sits on the message row for admin context but is never displayed publicly.

Operational

  • Session cookies — small signed values that prove you're logged in and protect form posts from cross-site attacks. They are set with the HttpOnly, Secure, and SameSite=Lax attributes.
  • Server access logs — standard HTTP method, path, response code, client IP. Useful for debugging and security; no analytics or fingerprinting.

Third parties

  • Google — when you sign in with Google, they tell us your subject ID, email, and name. We tell them nothing about you.
  • Stripe — handles all card processing. Their privacy policy applies to data submitted on their checkout page.
  • Nothing else. No analytics, no ads, no CRM, no marketing email.

How long we keep it

Until you ask us not to. There's no automatic expiry — your account, your links, and your scan history persist as long as you want them.

If you delete your account (contact us via the contact form for now — a self-serve "delete account" button is on the roadmap), we remove your user row and cancel any active Stripe subscription. Stripe retains transaction records on their side per their own retention policy.

Security

Data lives on a single server in a US data center, behind HTTPS only. The database isn't reachable from the public internet. Passwords are bcrypt-hashed; OAuth tokens are not stored after sign-in completes. We take database backups before risky migrations.

Your rights

  • Access — sign in and look at your account page and links; everything we have on you is shown there or one click away.
  • Correct — edit account fields, link names, and destination URLs directly.
  • Delete — deactivate or remove individual links from the links page; ask us to delete your account via the contact form.

Changes to this policy

Material changes will move the "Last updated" date at the top.

Contact

Use the contact form. You'll get a reply only if you supplied an email and ticked "I'd like a reply" — we don't have any other way to reach you.