Privacy, in plain language
There are two halves to PermaQR: the generator, which runs entirely on your device, and the optional dynamic-code service, which necessarily involves a server. This page says exactly what each half sees — and, more usefully, what it can never see.
The generator: nothing leaves your browser
Generation makes zero network calls
Everything on the free tier — encoding, styling, logo embedding, Scan-Check verification, SVG/PNG/PDF export — runs as code in your browser. Your URLs, WiFi passwords and contact details are never sent to us, because there is no request to send them with. You can verify this yourself: open DevTools, watch the network tab while you build and download a code, and you'll see nothing. The page even works offline once loaded.
Payment data in EPC codes stays on your device
EPC/GiroCode payment codes contain your IBAN, name and amounts. All of it — including the IBAN checksum validation — is processed locally. No server of ours ever sees your banking details.
Saved designs live in your browser, not our cloud
When you save a design or template, it's stored in your browser's IndexedDB — local storage on your machine. We can't read it, list it, or lose it. Clearing your browser data deletes it, so export anything you want to keep.
Dynamic codes: what a scan logs, when you opt in
Dynamic codes are the one feature that involves our servers — a scan hits our redirect and is forwarded to your destination. That redirect is designed so aggregate statistics exist for you without records about individual people existing anywhere.
What is recorded per scan
Four things: the code that was scanned, a timestamp, the country, and a coarse device class plus OS family (for example "mobile, Android") derived from the user agent at the edge. That's the complete list.
What is never stored
The raw IP address and the raw user-agent string are discarded immediately after the country and device class are derived — they are never written anywhere. The redirect sets no cookies and stores nothing on the scanner's device, so there is no cross-site tracking and nothing to consent to; scanning one of our codes triggers no banner because there is nothing a banner would be asking about.
Analytics are aggregate-only, never per-person
Your dashboard shows scans over time, by country and by device class — counts, not people. There are no individual scan profiles, no fingerprints, and no way to follow one visitor around, for you or for us. That's a deliberate limitation: analytics that can't identify anyone can't leak anyone.
The app's own analytics
The PermaQR site itself uses a cookieless, self-hosted beacon to count page views and feature
usage — no third-party analytics scripts, no advertising identifiers, nothing shared with anyone.
If you'd rather not be counted at all, set pq.analytics=off
in your browser's localStorage and the beacon stays silent.
If anything on this page seems to not match what the product actually does, we want to know — that would be a bug of the worst kind.