Privacy Policy
Last updated: April 6, 2026
Introduction
Verdorian Technologies LLC ("Company," "we," "us," or "our") operates the QRSafePro platform, accessible at qrsafepro.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including our website, QR-based inspection tools, and administrative dashboard.
By accessing or using QRSafePro, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
1. Information We Collect
1.1 Information You Provide
- Account Information: When an organization registers for QRSafePro, we collect the organization name, administrator name, email address, and password.
- Employee Information: Organization administrators add employee records including names and 4-digit PINs for field inspection access. Employees do not create their own accounts.
- Inspection Records: When field workers complete inspections, we collect checklist responses, written comments, condition assessments, and overall pass/fail determinations.
- Photographs: Users may capture and upload photographs of equipment during inspections and transfers. These images are stored in our cloud infrastructure.
- GPS Coordinates: With the user's browser permission, we collect geographic coordinates at the time of inspection or transfer submission to verify location compliance.
- Transfer Records: Equipment chain-of-custody data including sender identity, receiver identity, origin location, destination location, timestamps, and condition notes.
- Organization Settings: Billing information, plan preferences, feature configurations, and location/site data entered by administrators.
1.2 Information Collected Automatically
- Usage Data: We collect information about how you interact with the Service, including pages visited, features used, inspection completion rates, and session duration.
- Device Information: Browser type and version, operating system, device type, screen resolution, and language preferences.
- IP Address: Collected for rate limiting, security monitoring, and abuse prevention. IP addresses are used to enforce PIN attempt limits (5 attempts per 10-minute window).
- Log Data: Server logs that include request timestamps, API endpoints accessed, response codes, and error information for debugging and security purposes.
1.3 Information We Do Not Collect
- We do not collect Social Security numbers, financial account numbers, or government-issued identification numbers from field workers.
- We do not use facial recognition or biometric data.
- We do not collect data from third-party social media accounts.
- Field workers (those who scan QR codes) are not required to create accounts or provide email addresses.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service Operation: To provide, maintain, and improve the QRSafePro inspection and chain-of-custody platform, including processing inspections, managing equipment transfers, and generating compliance reports.
- Authentication & Security: To verify administrator identities via email/password login and field worker identities via 4-digit PINs, and to protect against unauthorized access.
- Compliance Documentation: To create and store digital inspection records that may be used by your organization for OSHA compliance, safety audits, and internal quality assurance.
- Communication: To send transactional emails such as inspection notifications, transfer alerts, account verification, and password reset messages.
- Analytics: To generate dashboard analytics for organization administrators, including inspection completion rates, equipment status summaries, and overdue inspection alerts.
- Audit Trail: To maintain an immutable audit log of significant actions taken within each organization's account for security and accountability purposes.
- Platform Improvement: To analyze aggregate, de-identified usage patterns to improve platform performance, user experience, and feature development.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.
3. Data Storage & Security
3.1 Infrastructure
Your data is stored on Supabase infrastructure, which runs on Amazon Web Services (AWS) in the us-east-1 (N. Virginia) region. All data is stored within the United States.
3.2 Security Measures
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS).
- Encryption at Rest: Database storage is encrypted at rest using AES-256 encryption provided by AWS.
- Row-Level Security: Our database enforces row-level security (RLS) policies ensuring that each organization can only access its own data. Cross-organization data access is architecturally impossible.
- PIN Security: Employee PINs are hashed using bcrypt before storage. Plain-text PINs are never stored in our database.
- Rate Limiting: PIN verification endpoints are rate-limited to 5 attempts per 10-minute window per IP address to prevent brute-force attacks.
- Access Controls: Administrative access is restricted by role-based permissions. Service-level database keys are only used in server-side API routes and are never exposed to client-side code.
- Audit Logging: Significant actions (logins, data modifications, exports) are recorded in an immutable audit log.
3.3 Data Retention
We retain your organization's data for as long as your account is active. Inspection records, transfer logs, and associated photographs are retained indefinitely unless you request deletion. Your organization owns its inspection data, and you may request an export or deletion at any time by contacting us.
If you cancel your account, we will retain your data for 90 days to allow for reactivation. After 90 days, all organization data will be permanently deleted from our production systems. Backup copies may persist for up to an additional 90 days before being purged from backup storage.
4. Third-Party Services
We share data with the following third-party service providers, solely for the purposes of operating the Service:
- Supabase (Database & Authentication): Stores all application data including user accounts, inspection records, and uploaded files. Supabase processes data in accordance with their Privacy Policy.
- Vercel (Hosting): Hosts the QRSafePro web application and processes incoming HTTP requests. Vercel may collect IP addresses and request metadata as part of their infrastructure. See Vercel's Privacy Policy.
- Resend (Email): Used to send transactional emails such as inspection notifications and account communications. Email addresses and message content are processed by Resend. See Resend's Privacy Policy.
- Stripe (Payments — Planned): When payment processing is activated, Stripe will handle all billing and payment card information. We do not store credit card numbers on our servers. Stripe is PCI DSS Level 1 certified. See Stripe's Privacy Policy.
We do not sell, rent, or trade your personal information to third parties for marketing purposes. We do not share your data with data brokers or advertising networks.
5. Cookies & Tracking Technologies
QRSafePro uses a minimal set of cookies strictly necessary for the operation of the Service:
- Authentication Cookies: Session cookies set by Supabase Auth to maintain your logged-in state on the admin dashboard. These are essential for the Service to function and cannot be disabled.
- Security Cookies: Cookies used for CSRF protection and rate-limiting enforcement.
We do not use third-party analytics cookies, advertising cookies, tracking pixels, or social media widgets. We do not use Google Analytics, Facebook Pixel, or any similar tracking services.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right to Access: You may request a copy of the personal data we hold about you or your organization.
- Right to Correction: You may request that we correct inaccurate or incomplete personal data.
- Right to Deletion: You may request that we delete your personal data, subject to certain legal exceptions (e.g., data required for legal compliance).
- Right to Data Portability: You may request an export of your organization's inspection data in a machine-readable format (CSV).
- Right to Restrict Processing: You may request that we limit how we process your data in certain circumstances.
- Right to Object: You may object to the processing of your personal data for certain purposes.
To exercise any of these rights, contact us at admin@qrsafepro.com. We will respond to all verifiable requests within 45 days.
7. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share your information.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing or quality of service for making a request.
- No Sale of Personal Information: We do not sell personal information as defined by the CCPA. We have not sold personal information in the preceding 12 months.
To submit a CCPA request, email admin@qrsafepro.com with the subject line "CCPA Request." We will verify your identity before processing any request.
8. Children's Privacy
QRSafePro is a business-to-business platform designed for use by organizations and their adult employees in construction, industrial, and commercial settings. The Service is not intended for use by individuals under the age of 18.
We do not knowingly collect personal information from children under 13 years of age. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at admin@qrsafepro.com.
9. International Data Transfers
QRSafePro is operated from the United States, and all data is stored within the United States (AWS us-east-1). If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date at the top. For significant changes, we may also send an email notification to account administrators.
Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of those changes.
11. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Verdorian Technologies LLC
200 Holland Dr Apt J938
Clarksville, TN 37043
Email: admin@qrsafepro.com