Privacy Policy
This policy explains what data Trustify QR collects from clients (business owners) and from the customers who interact with their review pages — and exactly what we do with it.
Plain-language summary
We collect what we need to run the service: your account info, the businesses you add, the feedback your customers leave, the customer contacts you save, and basic billing data via Razorpay. We never sell your data. We never share your customers' phone numbers or messages with anyone outside what's required to deliver the service. You can request a copy or deletion of your data at any time by emailing us.
Who We Are
Trustify QR is a software-as-a-service platform that helps local businesses collect customer feedback and makes it easy for customers to leave a public review, operated from India. Our website is https://trustifyqr.com/.
Address: Basaratpur, Near Old HP Petrol Pump, Sisodiya Hospital Lane, Gorakhpur, Uttar Pradesh, India
Phone: +91 79857 99619
Email: support@trustifyqr.com
What data we collect
From you (the business owner / client)
- Account details: name, email address, phone number, hashed password.
- Business details: business name, category, Google review link, brand color, logo (if uploaded), rating threshold, welcome message.
- Subscription & payment data: plan, trial/paid status, expiry date, Razorpay order & payment IDs. Card details are never sent to us — Razorpay handles them directly.
- WhatsApp connection: if you connect WhatsApp (Twilio or Meta Cloud), we store the credentials you provide (encrypted at rest) so review invites and follow-ups are sent from your own number.
- Customer contacts you save: when you use the Customers feature, we store the customer details you enter (name, phone, email, address, service, key dates, notes) so we can send the review invite and schedule follow-ups you set up.
- Login history: last login timestamp and recent login attempts (for rate-limiting).
From your customers (people who scan your QR)
- Anonymous events: every QR scan, rating tap, and feedback submission is logged with IP address, user-agent, and timestamp. This powers your analytics dashboard.
- Feedback form data: when a customer submits the feedback form, we collect the name, phone, email (all optional), and message they enter. This data is visible only to you — it is never shared with other clients or used for advertising.
What we do not collect
- We do not run third-party analytics or advertising trackers on the customer-facing QR pages.
- We do not collect device fingerprints beyond standard IP & user-agent.
- We do not request location, contacts, photos, or any phone permission.
- We do not connect to your Google account or read your Google reviews — we only link customers to your public Google review page.
Why we collect it
- To operate the service: we cannot show your dashboard without storing your account, businesses, and feedback.
- To bill you: Razorpay needs the order/payment IDs we record to confirm your plan is active.
- To notify you: we email and WhatsApp you when feedback arrives, when payments succeed, and when your trial is ending.
- To send review invites and follow-ups: we use the customer contacts you save to send the WhatsApp review invite and any follow-up messages you schedule.
- To prevent abuse: IP-based rate limits on logins and form submissions keep spammers out.
- To improve the service: aggregated, non-identifying usage metrics help us understand how the product is used.
Who we share data with
We share the minimum data required to deliver the features you use. We do not sell data to anyone. Third parties that touch your data:
- Razorpay — payment processing. They receive the amount, your email, phone, and a unique order ID at checkout. Razorpay Privacy Policy.
- Twilio / Meta WhatsApp Cloud — sending WhatsApp & SMS notifications. They receive the recipient phone and message body. Twilio Privacy Policy.
- Anthropic (Claude) — generating AI-suggested replies to feedback. When you click "Suggest reply", the customer's message and your business name/category are sent to Anthropic's API. Anthropic does not train on this data. Anthropic Privacy Policy.
- Email provider — sending transactional emails (verification, password reset, billing). They see the recipient address and message body.
- Hosting provider — our servers physically run on a hosting provider's infrastructure with encrypted disk volumes per industry-standard practice.
We do not share data with advertisers, data brokers, or any party not listed above.
How long we keep your data
- Active account data — kept while your account is active.
- Login attempt logs — automatically deleted after 30 days.
- Anonymous QR scan / event logs — automatically deleted after 6 months.
- Email and WhatsApp message logs — automatically deleted after 90 days.
- Abandoned payment orders — automatically deleted after 14 days.
- Account & subscription history — kept for the duration of your account, plus minimum statutory retention required for tax/audit purposes after deletion.
Cleanup runs nightly via an automated cron job.
Your rights (DPDP Act 2023)
If you are based in India, the Digital Personal Data Protection Act, 2023 grants you the following rights:
- Access: request a copy of every piece of personal data we hold about you.
- Correction: ask us to correct inaccurate data. Most fields are also editable directly on your Profile page.
- Erasure: request deletion of your account and associated data. We will complete this within 14 days, except where statute requires retention.
- Portability: export your data in a portable format. Feedback can already be exported as CSV from your dashboard.
- Withdrawal of consent: withdraw consent for any non-essential processing at any time.
- Grievance redressal: raise concerns with our grievance officer (see Contact below).
To exercise any of these rights, email us at support@trustifyqr.com. Identity verification will be required to prevent unauthorised access.
How we protect your data
- Passwords are stored using bcrypt hashing — even we cannot read them.
- All production web traffic is served over HTTPS.
- Sessions use HTTPOnly, SameSite-Lax cookies with strict-mode session ID handling and automatic regeneration on login.
- All database queries use parameterised statements (PDO) to prevent SQL injection.
- Form submissions are protected by CSRF tokens.
- WhatsApp API credentials are encrypted at rest using AES-256.
- Razorpay payment signatures are verified with HMAC-SHA256 using timing-attack-safe comparison.
- Login attempts are rate-limited by IP; uploaded files have their real MIME type verified before saving.
Cookies
We use exactly one cookie per session: a HTTPOnly authentication cookie that keeps you logged in. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required because we only use strictly necessary cookies.
Children
Our service is for businesses and is not directed at children under 18. We do not knowingly collect data from minors.
Contact & Grievance Officer
For privacy questions, data subject rights requests, or grievances:
Trustify QR
Email: support@trustifyqr.com
We will respond within 7 business days. For unresolved grievances, you may contact the Data Protection Board of India once it is operational.
Changes to this policy
We may update this policy from time to time. The "last updated" date at the top reflects any changes. Material changes will be notified via email to active clients at least 14 days before taking effect.