This Privacy Policy describes how AliasQR, a sole proprietorship operated by John Tran (“AliasQR,” “we,” “us”) collects, uses, discloses, and protects personal information when you visit the marketing website at aliasqr.com (the “Site”) or submit your email to the AliasQR waitlist (the “Waitlist”). It does not describe practices for any AliasQR product or relay service, which is not yet generally available; a separate notice will accompany that product at launch.
1. Who we are
AliasQR is operated by AliasQR, a sole proprietorship operated by John Tran, a company organized under the laws of California, USA. For data-protection purposes, AliasQR is the controller of the personal information described in this Policy.
For privacy questions, contact founder@aliasqr.com. For requests to exercise your rights, see Section 11 below.
EU/UK representative. AliasQR has not designated an EU representative; EU data subjects may contact us at founder@aliasqr.com.
2. What this Policy covers
This Policy applies to personal information we collect:
- when you visit any page of the Site;
- when you submit your email address (and optional segment selection) to the Waitlist; and
- through automated technologies on the Site (such as analytics beacons and a theme preference stored in your browser).
This Policy does not cover (a) any AliasQR product, relay service, sticker, or dashboard that is not yet generally available, (b) third-party websites linked from the Site, or (c) information you give us through other channels (for example, by emailing support).
3. Personal information we collect
3.1 Information you give us
| Category | Field | Source | Required? |
|---|---|---|---|
| Contact | Email address | Waitlist form | Yes |
| Preference | Segment selection (e.g., “pro,” “biz,” “pet,” “creator,” “other”) | Waitlist form | No |
| Form metadata | Which form on the Site you submitted from (e.g., hero or main waitlist card) | Waitlist form (server-side) | Auto |
3.2 Information we collect automatically
| Category | Examples | Where it lives |
|---|---|---|
| Network identifiers | IP address (extracted from the X-Forwarded-For header on Waitlist submissions) |
Stored in our Waitlist database; also held briefly in our rate-limit cache |
| Device and browser | User-Agent string, referring URL | Stored alongside your Waitlist submission |
| Usage analytics | Page-view counts and performance timing collected by Vercel Web Analytics and Vercel Speed Insights via first-party, cookieless beacons | Vercel analytics dashboard |
| Local browser storage | A “light/dark” theme preference stored in your browser’s localStorage as aliasqr-theme |
Your device only — never sent to us |
| Server logs | Standard request logs (timestamp, path, status code, IP, User-Agent) generated by our hosting provider | Vercel platform logs |
3.3 Information we do not collect
Through the Site and Waitlist as they exist today, we do not ask for and do not knowingly collect: phone numbers, postal addresses, names, dates of birth, government identifiers, payment information, precise geolocation, biometric data, or special-category data (such as health, racial or ethnic origin, religious beliefs, or sexual orientation). If we expand collection at general availability, we will update this Policy and notify Waitlist subscribers before doing so.
4. How we use personal information
We use personal information for the limited purposes set out below. The third column identifies our legal basis under the EU/UK General Data Protection Regulation (“GDPR”) where it applies.
| Purpose | What this means in practice | GDPR legal basis |
|---|---|---|
| Waitlist communications | Sending you transactional and product-update emails about AliasQR’s development and launch | Art. 6(1)(a) consent (your submission of the form) and/or Art. 6(1)(f) legitimate interests in pre-launch contact with people who have actively signed up |
| Abuse prevention | Rate-limiting Waitlist submissions per IP to deter scraping and form abuse | Art. 6(1)(f) legitimate interests in protecting the Site and the integrity of the Waitlist |
| Site analytics | Measuring page views and performance to understand how the Site is used and to improve it | Art. 6(1)(f) legitimate interests in operating and improving the Site (analytics are first-party and cookieless; see our Cookies Notice) |
| Security and integrity | Detecting and responding to suspected abuse, fraud, security incidents, and violations of our Acceptable Use Policy; maintaining server logs for diagnostic purposes | Art. 6(1)(f) legitimate interests in security; where applicable, Art. 6(1)(c) legal obligation |
| Legal compliance | Responding to legally valid requests from public authorities and complying with applicable law | Art. 6(1)(c) legal obligation |
| Corporate transactions | Evaluating, negotiating, or completing a merger, acquisition, financing, or sale of assets | Art. 6(1)(f) legitimate interests in operating the business |
We do not use personal information collected through the Site or Waitlist for advertising, behavioral profiling, automated decision-making with legal or similarly significant effects, or training of machine-learning or AI models.
5. Service providers and other recipients
We share personal information only with the categories of recipients listed below, and only to the extent reasonably necessary for the purposes described in Section 4.
- Vercel Inc. — hosting, edge functions, analytics
- Vercel hosts the Site, runs the Waitlist API endpoint, and provides Vercel Web Analytics and Vercel Speed Insights. Vercel processes IP addresses, request metadata, and Waitlist submissions in transit. Privacy: vercel.com/legal/privacy-policy.
- Supabase, Inc. — Waitlist database
- Supabase stores the Waitlist table containing the email, segment, source, IP address, User-Agent, and Referer for each submission. Privacy: supabase.com/privacy.
- Upstash, Inc. — rate-limit cache
- Upstash provides the Redis cache used to rate-limit Waitlist submissions. The cache stores short-lived keys derived from your IP address; entries expire automatically. Privacy: upstash.com/trust/privacy.
- Google LLC — font delivery
- The Site loads fonts from Google Fonts. Loading a font from Google’s CDN exposes your IP address and User-Agent to Google as a routine part of the HTTP request. Google does not receive any other information from us in this flow. Privacy: policies.google.com/privacy.
- Email delivery provider
- When we send Waitlist emails, an email-service provider (Cloudflare Email Routing (forwarding only)) processes your address to deliver the message and to record bounces and unsubscribes.
- Twilio Inc. — SMS delivery and phone verification
- If you opt in to SMS notifications, Twilio processes your mobile phone number to deliver one-time verification passcodes and the transactional notification messages you requested, acting solely on our behalf. Privacy: twilio.com/legal/privacy.
- Professional advisors
- Auditors, lawyers, and accountants, bound by professional duties of confidentiality, in the course of advising AliasQR.
- Authorities and other parties
- Where we are legally required to do so, or where disclosure is necessary to protect our or others’ rights, safety, or property, including in response to a subpoena, court order, or other lawful demand.
- Successor in a corporate transaction
- If AliasQR is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred to the surviving or acquiring entity, subject to confidentiality protections.
We do not sell personal information, and we do not “share” personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively “CCPA”).
5.1 Mobile numbers and SMS opt-in data
If you provide a mobile phone number and opt in to receive SMS notifications, we use that number solely to send the one-time verification passcode and the transactional account notifications you requested. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Text-messaging originator opt-in data and consent will not be shared with any third parties, excluding the SMS delivery provider acting on our behalf (Twilio Inc.) solely to deliver the messages you requested. Message frequency varies; message and data rates may apply; reply STOP to opt out or HELP for help at any time. The full program disclosure, including the exact consent language shown at the point of collection, is published in our Legal Notice.
6. International transfers
The recipients listed in Section 5 may process your personal information in countries other than the country in which you reside, including the United States. Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed by the relevant authority to provide an adequate level of protection, we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable) and apply supplementary measures as appropriate. You may request a copy of the relevant safeguards by contacting founder@aliasqr.com.
7. Cookies and similar technologies
We use a small number of first-party storage and beacon technologies on the Site. The Site does not use third-party advertising cookies and does not participate in cross-site tracking. For the full list and how to opt out, see our Cookies Notice.
8. Retention
We keep personal information only as long as necessary for the purpose for which it was collected. Specific retention periods:
- Waitlist entries (email, segment, source, IP, User-Agent, Referer): retained until ninety (90) days after general availability of the AliasQR product, unless you ask us to delete your entry sooner. If general availability does not occur, we will delete or anonymize Waitlist entries within a reasonable period after we discontinue the Waitlist.
- Rate-limit cache entries: short-lived (typically expire within minutes) under a sliding-window scheme on Upstash.
- Server logs: retained per the default retention of our hosting provider, currently a rolling window measured in days to weeks rather than months.
- Records related to legal claims, audits, or regulatory obligations: retained for the period required by applicable law.
When the retention period ends, we delete or anonymize the personal information.
9. Your rights under EU/UK and similar laws
If GDPR or a substantially similar law applies to you, you have the following rights, subject to the conditions and exceptions in that law:
- Access: request a copy of the personal information we hold about you and information about how we process it.
- Rectification: ask us to correct inaccurate or incomplete personal information.
- Erasure: ask us to delete personal information we hold about you.
- Restriction: ask us to limit processing in certain circumstances.
- Portability: receive your personal information in a structured, commonly used, machine-readable format and ask us to transmit it to another controller where technically feasible.
- Objection: object to processing based on our legitimate interests, including any direct-marketing use of your data.
- Withdraw consent: where processing is based on consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
- Lodge a complaint: lodge a complaint with a supervisory authority, including the data-protection authority of your habitual residence, place of work, or place of the alleged infringement.
10. Your rights under U.S. state privacy laws
If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or another U.S. state with a comprehensive privacy law, you have the following rights, subject to that law’s conditions and exceptions:
- Right to know what personal information we have collected, used, disclosed, and (where applicable) sold or shared.
- Right to access a copy of that personal information in a portable format.
- Right to delete personal information we collected from you.
- Right to correct inaccurate personal information.
- Right to opt out of any “sale” or “sharing” of personal information for cross-context behavioral advertising, and of certain forms of profiling. As stated in Section 5, AliasQR does not sell or share personal information in this sense, so there is presently nothing to opt out of.
- Right to non-discrimination: we will not discriminate against you for exercising your rights.
Categories of personal information collected, sources, purposes, and recipients are described in Sections 3, 4, and 5 above. We do not collect or process “sensitive personal information” as that term is defined under the CCPA through the Site or Waitlist.
Authorized agents. You may use an authorized agent to submit a request on your behalf. We may require the agent to provide proof of authorization and may require you to verify your own identity directly with us.
11. How to exercise your rights
To exercise any right described in Sections 9 or 10, email founder@aliasqr.com from the email address you used to join the Waitlist (or, if you have not joined, from the address you would like us to look up). Tell us which right you wish to exercise and provide enough detail for us to locate the relevant data. We will:
- verify your request, typically by replying to the email address on file or by another reasonable identity-verification method;
- respond within the period required by applicable law (generally thirty (30) days for U.S. state-law requests and one (1) month for GDPR requests, with extensions where allowed); and
- where we cannot fulfill the request in whole or in part, tell you why.
We do not charge a fee for responding to your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act, as permitted by applicable law.
12. Children
The Site and Waitlist are not directed at children. We do not knowingly collect personal information from anyone under 13 years of age (or under 16 in jurisdictions where that is the relevant age threshold). If you believe we have collected personal information from a child, contact founder@aliasqr.com and we will delete it.
13. Security
We use technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These currently include encryption in transit (HTTPS/TLS) for traffic to and from the Site, restricted access to the Waitlist database (no anonymous read/write access; service-role credentials held server-side only), database-level row-level-security configuration on the Waitlist table, and standard hosting-provider safeguards.
No method of transmission over the internet or method of electronic storage is fully secure. We cannot guarantee absolute security, and you acknowledge that the security measures described here may evolve over time.
14. Data-breach notification
If we determine that a security incident has resulted in the unauthorized access, acquisition, or disclosure of personal information, we will notify affected individuals and, where required, supervisory authorities, in the manner and within the timeframes required by applicable law.
15. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will update the “Effective” date at the top of this page and, where we have your email address, notify you by email at least seven (7) days before the changes take effect. Your continued use of the Site or Waitlist after the effective date constitutes acceptance of the updated Policy.
16. Contact
For questions about this Policy or about how we handle personal information, contact:
AliasQR, a sole proprietorship operated by John Tran
Email: founder@aliasqr.com
EU/UK representative: AliasQR has not designated an EU representative; EU data subjects may contact us at founder@aliasqr.com