Trust + Compliance.

All customer data (accounts, tags, scan logs, profiles) lives in a Postgres database hosted in India. Application servers run on a Mumbai VPS. Backups are encrypted and held in the same region. No customer data is replicated outside India by default.

Every request to qrsprint.com and its subdomains is served over TLS, terminated at nginx with certificates from Let's Encrypt. HTTP traffic is redirected to HTTPS at the edge. Internal service calls between nginx and the Node runtime ride a loopback socket on the same host.

Database volumes use disk-level encryption (LUKS) on the host VPS. Database backups are encrypted before they leave the box. Secrets (API keys, OTP signing keys) are stored in environment files outside the repo, readable only by the application user.

The masked WhatsApp relay is implemented on top of the Meta WhatsApp Cloud API through Botbiz. A scanner sending a message never sees your real number, the QRSprint relay number appears on both ends. Botbiz holds the routing table, we hold the mapping between your tag and your real number.

Sign-in uses NextAuth on the server. Phone-number sign-in is verified by an MSG91 one-time password, valid for a short window and single-use. Passwords, where supported as a fallback, are stored as scrypt hashes with per-user salts. We never log raw OTPs or passwords.

Every tag scan is recorded in two tables. ScanLog captures the public scan event (timestamp, rough region, device class). QRScan captures dynamic-QR redirects (short-code, destination, referrer hint). Both feed your dashboard analytics and our abuse-review queue. Logs are append-only at the application layer.

The default retention is 12 months for scan logs and relay message metadata, after which records are aggregated into counts and the raw rows are deleted. Account-level data (your tags and profile) lives until you delete it. On written request to founders@qrsprint.com, we will delete your entire account and associated logs within 48 hours.

• MSG91, OTP SMS delivery for phone-number sign-in
• Botbiz (Meta WhatsApp Cloud API), masked-relay message routing
• Razorpay, payment processing for Smart Tag orders and paid plans
• Resend, transactional email (sign-in links, order confirmations, support replies)
• Google, OAuth sign-in only (no analytics, no ads, no fonts loaded from Google CDNs)

No other third party receives identifiable QRSprint customer data.

QRSprint follows GDPR principles on a best-effort basis: data minimisation, right to deletion, right to export. We are not yet certified, formal GDPR readiness review is planned alongside our SOC 2 Type I engagement, which is in progress with an external auditor. Updates will be posted on this page as milestones are hit.

Vulnerability reports, security questions, and procurement diligence: email the founders directly at founders@qrsprint.com. We respond within one business day and credit responsible disclosure in the changelog.