Privacy Policy

⚖️ Do Not Sell or Share My Personal Information – See your rights under California law below.

C.QR Technologies Inc. ("C.QR," "we," "us," "our") is committed to protecting the privacy of our users — especially those in vulnerable situations. This Privacy Policy explains how we collect, use, and safeguard your information when you use the C.QR platform at cqrtech.net and associated services.

1. Our Foundational Privacy Principles

C.QR Technologies treats all user data with the highest level of care — as if it were Protected Health Information, regardless of legal classification. Our foundational principles:

• Dignity by Default: Privacy is a fundamental human right. Our systems are designed with the highest standards to protect your dignity at all times.
• No Paywall in Crisis: Critical safety features remain accessible when you need them most.
• Privacy-by-Design: Data protection is engineered into every feature from inception — never added after.
• You Own Your Data: Your data belongs to you. We provide full control, portability, and deletion rights.
• Security Beyond Compliance: While not directly a Covered Entity under HIPAA, C.QR unequivocally applies stringent privacy and security principles inspired by HIPAA, GDPR, and CCPA to all user data.

2. Information We Collect

We collect information to provide and improve our services:

• Account Information: Name, email address, and authentication details.
• Profile Information: Display name, preferred language, accessibility settings, and preferences.
• Plan Content: Your safety plans, trusted contacts, and guidance content. All sensitive plan content is encrypted at rest with user-scoped keys.
• Vault Items: Scenarios, procedures, and advocacy materials you create or store.
• Payment Information: Processed through secure third-party processors. C.QR does not store full card details.
• Usage Data: Aggregated, anonymized interaction data. Individual users control opt-in for personal activity data.
• Scan Event Data: When a QR key is accessed — timestamp only. IP addresses and precise geolocation are never stored. Locked Safety Mode can suppress scan logging entirely.

3. How We Use Your Information

We use your information to:

• Deliver, operate, and improve the C.QR platform.
• Personalize your experience including accessibility settings and plan preferences.
• Send service-related communications and, with consent, updates.
• Protect the security and integrity of the platform using behavioral signals — never content access.
• Comply with applicable law.

We do not sell, rent, or broker your personal data to any third party.

4. Organizational Accounts & Data Visibility

If you are part of an Organization account, data visibility depends on the organization's type:

• Employer/Workplace Organizations: Org administrators have access only to shared organizational Vault items relevant to workplace safety procedures and policies. They have NO visibility into any personal plan content or individual profile details.
• Schools and Care Organizations: These organizations are encouraged to work collaboratively with individuals and their trusted inner circle to co-create safety plan content. Any access is consensual and cooperative — never unilateral.

Under no circumstances can any org administrator decrypt or access individual personal plan content without the explicit consent of the plan owner. Org admins cannot access: personal plans, accommodation guidance, audio recordings, personal recovery email, DV safety mode status, or personal location settings.

5. Data Sharing & Subprocessors

We share limited data only with trusted subprocessors to deliver the Service (Base44 for infrastructure, Paddle for payment processing). All subprocessors are contractually bound to process data only as instructed.

We do not share personal plan content with any third party. Ever.

Key subprocessors: Base44 (platform infrastructure, database, file storage, email delivery), Paddle.com Market Limited (payment processing), Google Fonts (font delivery — browser IP at font load time only).

5a. Payment Processing — Paddle as Merchant of Record

All payments are processed by Paddle.com Market Limited ("Paddle"), which acts as the Merchant of Record for all C.QR transactions.

What this means for your data: C.QR does not store your credit card number, CVV, or full billing details. Paddle receives your payment information directly and processes it under their own PCI-DSS compliance. C.QR receives only: your email address, subscription tier, transaction status, and billing amount. Paddle's Privacy Policy governs how your payment data is handled: paddle.com/legal/privacy.

For payment-related data requests, contact Paddle directly via paddle.com or contact C.QR at questions@cqrtech.net and we will facilitate.

6. Legal Requirements

We may disclose your account information if required by law or in response to valid legal requests (e.g., subpoenas, court orders).

C.QR is committed to: notifying affected users before complying where legally permitted, legally challenging requests we believe are overbroad, discriminatory, or harmful to vulnerable populations, and providing only the minimum data strictly required.

Sensitive fields (including PINs, recovery credentials, and contact details) are encrypted at the application layer. C.QR operates on managed infrastructure — database-layer security is provided by our platform provider (Base44). We do not store plaintext access credentials.

7. Business Transfers

In the event of a merger, acquisition, or asset sale: Basic account information may be transferred, but personal plan content and Vault items remain subject to the same encryption and access rules — no acquiring entity receives decryption capability for individual user content. Users will receive advance notice and the option to export or permanently delete their data before any transfer takes effect.

8. Your Data Rights

You have meaningful control over your data:

• Access & Correction: Access and update most of your profile and plan data directly in the app.
• Deletion: You may request deletion of your account and all associated data. Our system automatically processes deletion requests within 30 days. You will receive a confirmation email when deletion is complete.
• Data Portability: You may request a structured export of your plan data, including decrypted vault content (scenarios, guidance steps, and FAQ pairs). Exports are available within 24 hours of request.
• Opt-Out: Opt out of non-essential data processing at any time.
• Analytics: Opt-in only to personal activity data. Aggregate, anonymized data only by default.

For GDPR/CCPA requests: privacy@cqrtech.net

9. Data Security

C.QR implements robust technical and organizational security measures: AES-256-GCM encryption for sensitive fields at the application layer before storage, TLS/HTTPS for all data in transit, bcrypt (cost >= 12) for all PIN and password hashing — never stored or logged in plaintext, behavioral signal moderation that never reads plan content, regular internal security audits and access log reviews. C.QR does not sell, share, or use personal safety data for advertising or profiling — ever.

10. Data Retention

We retain data only as long as necessary. IP addresses are never stored. Scan event timestamps are retained for 90 days, after which they are deleted. Account deletion is processed automatically within 30 days of request. Our daily purge cron removes any residual ephemeral data.

11. Breach Notification

In the event of a confirmed data breach, C.QR will notify affected users within 72 hours via email to their registered address, detailing what happened, what data was affected, and what steps are being taken. Because sensitive plan content is encrypted at rest (AES-256-GCM), a breach of infrastructure does not automatically equal a breach of your plan content.

12. International Users

C.QR operates globally. Your data may be processed and stored outside your country. We implement appropriate safeguards (including Standard Contractual Clauses where applicable) to ensure your data receives adequate protection. We are committed to CCPA (California), GDPR (EU/UK), PIPEDA (Canada), and Australia's Privacy Act principles.

13. Children's Privacy

C.QR accounts may only be created by individuals 18 years or older. Plans may be created on behalf of minors by authorized guardians. We do not knowingly collect personal information directly from children under 13. Contact privacy@cqrtech.net if you have concerns.

14. Changes to This Policy

We will notify you of material changes via email or in-app notice at least 14 days before they take effect.

15. California Privacy Rights (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, including decrypted vault content.
• Right to Delete: You may request deletion of your personal information.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: C.QR does not sell personal information to third parties.
• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for any purpose other than delivering the Service to you.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.
• Authorized Agents: You may designate an authorized agent to make a request on your behalf.

To exercise any of these rights, contact: privacy@cqrtech.net. Response time: within 45 days of receipt (extendable by 45 days with notice).

Shine the Light (CA Civil Code §1798.83): We do not share personal information with third parties for direct marketing purposes.

16. Contact

For privacy-related inquiries: C.QR Technologies Inc., questions@cqrtech.net, cqrtech.net