Privacy Policy
Last updated: 1 March 2026
1. Who We Are
pingable.me ("we", "us", "our") is a service that lets people create QR codes for anonymous, private communication. This policy explains what data we collect, why, and your rights under the General Data Protection Regulation (GDPR).
If you have questions about this policy, contact us at privacy@pingable.me.
2. What Data We Collect
2.1 QR Code Owners (registered users)
When you sign in with Google, we receive and store:
- Account information: name, email address, and profile picture from your Google account.
- QR code configuration: names, welcome messages, and contact method details (phone numbers, email addresses, URLs, usernames) that you choose to add.
- Activity data: a timestamp of your last activity, used solely to determine whether to send you email notifications about new messages.
- Notification preferences: whether you have email notifications enabled.
2.2 Scanners (people who scan QR codes)
Scanners do not need to create an account. When someone scans a QR code and uses the Pingable Chat feature, we store:
- A random device identifier generated and stored locally on their device (in browser localStorage). This is not linked to any personal information.
- Chat messages: the content of messages sent through Pingable Chat.
We do not require scanners to provide a name, email, phone number, or any personal details to use the chat.
2.3 Scan Analytics
When a QR code is scanned, we record:
- Approximate location: city, region, and country, derived from the scanner's IP address. We do not store the IP address itself.
- Device type: whether the scanner is using a mobile, desktop, or tablet device, derived from the browser's user agent string.
- Timestamp: when the scan occurred.
This data is used to provide QR code owners with aggregate scan analytics. It cannot be used to identify individual scanners.
2.4 Cookies and Local Storage
- Authentication cookie: a session cookie set by NextAuth.js to keep you signed in. This is strictly necessary for the service to function and does not require consent.
- Local storage: scanners' device identifiers and conversation references are stored in the browser's localStorage to maintain chat continuity. No tracking or advertising data is stored.
We do not use any advertising, analytics, or third-party tracking cookies.
3. How We Use Your Data
We use your data for the following purposes:
- To provide the service: displaying your QR codes, delivering chat messages, and showing scan statistics.
- To send notifications: email notifications about new chat messages when you are offline (if enabled in your settings).
- To prevent abuse: rate limiting on messages to prevent spam.
We do not sell your data, use it for advertising, or share it with data brokers.
4. Lawful Basis for Processing (GDPR)
| Data | Lawful Basis |
|---|---|
| Account information (name, email, profile picture) | Contract — necessary to provide the service you signed up for |
| QR code configuration and messages | Contract — core functionality of the service |
| Email notifications | Legitimate interest — to ensure you don't miss messages (you can opt out in Settings) |
| Scan analytics (location, device type) | Legitimate interest — to provide usage insights to QR code owners |
| Authentication cookie | Contract — strictly necessary for the service to function |
5. Third-Party Processors
We use the following third-party services to operate pingable.me. Each processes data on our behalf under appropriate data processing agreements:
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database and real-time messaging | All stored data (accounts, messages, QR codes, scans) | EU (Frankfurt) |
| Vercel | Application hosting | Web requests, IP addresses (for geo lookup, not stored) | Global CDN, EU-based processing |
| Google OAuth | Authentication | Name, email, profile picture (during sign-in) | Global |
| Resend | Email delivery | Recipient email address, notification content | United States |
| ip-api.com | IP geolocation (fallback) | Scanner IP address (not stored by us) | Global |
6. Data Retention
- Account data: retained while your account is active. Deleted upon account deletion request.
- QR codes and contact methods: retained while you keep them. You can delete individual QR codes at any time.
- Chat messages: retained while the associated QR code exists. Deleting a QR code deletes all its conversations and messages.
- Scan analytics: retained while the associated QR code exists.
7. Your Rights (GDPR)
As an EU resident, you have the following rights regarding your personal data:
- Access: request a copy of all data we hold about you.
- Rectification: correct any inaccurate data.
- Erasure: request deletion of your data ("right to be forgotten").
- Data portability: receive your data in a machine-readable format.
- Restriction: request that we limit processing of your data.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, email us at privacy@pingable.me. We will respond within 30 days.
8. Data Security
We protect your data with the following measures:
- All data in transit is encrypted with TLS (HTTPS).
- Database access is restricted with row-level security policies.
- Authentication is handled via industry-standard OAuth 2.0.
- We do not store passwords — authentication is delegated to Google.
9. Children's Privacy
pingable.me is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email to registered users. The "last updated" date at the top of this page reflects the most recent revision.
11. Contact
For any privacy-related questions, requests, or complaints:
- Email: privacy@pingable.me
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.