Privacy Policy | QRFeedback.ai

At QRFeedback.ai, operated by Startekk, LLC, we are committed to protecting your privacy and being transparent about how we collect, use, and safeguard your personal information. This policy explains our practices in full. By using our platform, you acknowledge this policy. If you do not agree, please discontinue use of the service.

1. Who We Are

QRFeedback.ai is a product of Startekk, LLC, a technology company headquartered at 5465 Legacy Drive, Suite 650, Plano, TX 75024. We are the data controller for information collected from registered users of this platform.

For the purposes of GDPR, our designated Data Protection Officer can be reached at dpo@startekk.net. For product-specific privacy queries, contact privacy@qrfeedback.ai.

When your customers submit feedback via your QR code forms, you — the business owner — are the data controller for that customer data. Startekk, LLC acts as a data processor on your behalf for those records.

2. Information We Collect

We collect only the information necessary to provide the QRFeedback.ai service:

Contact information — name, email address, phone number (if provided)
Business information — business name, location, type, and Google Review URL (if provided)
Account information — email address and hashed password; we never store plain-text passwords
Profile and brand assets — profile photo and brand logo, only if you choose to upload them
Payment information — billing address only; card details are processed exclusively by Stripe and never transmitted to or stored by us
Customer feedback data — responses submitted by your customers via your QR code forms, including optional email addresses they voluntarily provide
Usage data — pages visited, features used, session timestamps, and device/browser information used to maintain and improve the platform
Communication data — messages and support requests you send to us

We do not collect sensitive personal data such as health records, financial account numbers, biometric data, or government identification numbers, and our platform must not be used to collect such information.

3. How We Use Your Information

We use the information we collect solely to provide, maintain, and improve the QRFeedback.ai platform:

To create and manage your account and subscription
To process payments via Stripe
To store and display your customer feedback data in your dashboard
To send AI-generated complaint summaries and alerts where you have enabled these features
To send transactional communications — invoices, password resets, 2FA codes, weekly digest emails
To detect and prevent fraudulent or abusive use of the platform
To analyse aggregate, anonymised usage patterns to improve our features
To comply with applicable legal obligations

We do not use your data for advertising purposes. We do not sell your personal information to any third party.

4. AI-Powered Services — Important Notice

⚠ No Guarantees for AI Features. QRFeedback.ai uses artificial intelligence (OpenAI GPT-4o-mini) to generate complaint summaries, sentiment scores, and suggested reply drafts. These outputs are provided "as is" without any warranty of accuracy, completeness, or reliability. AI-generated content does not constitute professional advice of any kind. All AI outputs must be reviewed by you before acting on them. We are not liable for decisions made based on AI-generated content.

When you use AI features on Pro or Business plans, anonymised feedback text (with no customer PII) is transmitted to OpenAI's API for processing. This is subject to OpenAI's own privacy policy. By enabling AI features, you consent to this transmission.

You may opt out of AI processing at any time by disabling the feature in your dashboard settings or by contacting privacy@qrfeedback.ai.

5. Lawful Basis for Processing (GDPR — Article 6)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland:

Processing Activity	Lawful Basis
Account creation and management	Contract (Art. 6(1)(b))
Payment processing and subscription management	Contract (Art. 6(1)(b))
Delivering feedback data to your dashboard	Contract (Art. 6(1)(b))
Transactional emails (invoices, alerts, digests)	Contract (Art. 6(1)(b))
AI complaint analysis (Pro/Business plans)	Legitimate interest (Art. 6(1)(f)) + your consent to the feature
Platform security and fraud prevention	Legitimate interest (Art. 6(1)(f))
Aggregate analytics and platform improvement	Legitimate interest (Art. 6(1)(f))
Legal compliance and record-keeping	Legal obligation (Art. 6(1)(c))

6. Information Sharing and Third-Party Processors

We do not sell your personal information. We share data only with the following service providers who process it on our behalf, each under a data processing agreement:

Supabase — database, authentication, and file storage (EU/US regions)
Stripe — payment processing; does not receive feedback content or customer PII
OpenAI — AI analysis on Pro and Business plans; only anonymised feedback text is sent
Resend — transactional email delivery
Vercel — application hosting and infrastructure

We may disclose information when required by applicable law, court order, or to protect the legal rights and safety of Startekk, LLC and its users. We will notify affected users of any such disclosure where legally permitted.

In the event of a merger, acquisition, or asset sale, your data may be transferred to the successor entity. We will notify you before your data becomes subject to a different privacy policy.

7. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or other approved transfer mechanisms. Stripe and Vercel maintain certifications under applicable data transfer frameworks.

8. Data Security

We implement industry-standard security measures to protect your data:

All data in transit is encrypted using 256-bit SSL/TLS
Data at rest is stored in encrypted databases
Passwords are hashed using bcrypt and never stored in plain text
Row-level security policies ensure no user can access another user's data
Admin access uses a separate JWT authentication system with signed session tokens
Optional two-factor authentication (email OTP) is available for all accounts
Access controls and authentication are enforced at all system layers

No method of transmission over the internet is 100% secure. In the event of a confirmed data breach affecting your personal data, we will notify you and relevant supervisory authorities as required by applicable law.

9. Data Retention

We retain your personal information for as long as necessary to provide the service and comply with legal obligations:

Active accounts — data retained for the life of the account
Deleted accounts — personal data deleted within 30 days of account deletion request, except where legal retention is required
Financial records — retained for 7 years for tax and legal compliance
Customer feedback data — retained for the life of the associated account, then deleted with it
Usage/analytics data — anonymised and may be retained indefinitely in aggregate form

10. Cookies and Tracking

We use essential cookies to maintain your login session and security. We do not use advertising or cross-site tracking cookies. For full details, including how to manage your preferences, please see our Cookie Policy.

11. Your Rights — GDPR (EEA / UK / Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the following rights. To exercise any of them, contact privacy@qrfeedback.ai or our DPO at dpo@startekk.net. We will respond within 30 days.

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion where there is no overriding legal basis to retain.

Right to Restriction

Request that we limit processing in certain circumstances.

Right to Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests.

Right to Withdraw Consent

Withdraw consent for consent-based processing at any time.

Right to Lodge a Complaint

File a complaint with your local supervisory authority (e.g. ICO in the UK).

12. California Residents — CCPA / CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know — the categories and specific pieces of personal information we have collected about you
Right to Delete — request deletion of your personal information, subject to certain exceptions
Right to Correct — request correction of inaccurate personal information
Right to Opt-Out — we do not sell personal information; this right is not applicable but is acknowledged
Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights

To exercise your California rights, contact us at privacy@qrfeedback.ai or by phone at (469) 713-3993. We will respond within 45 days as required by law.

13. Non-Discrimination (29 CFR § 1625.2)

Startekk, LLC does not discriminate in the provision of QRFeedback.ai services on the basis of age, race, colour, national origin, sex, disability, religion, genetic information, or any other characteristic protected under applicable federal, state, or local law, including the Age Discrimination in Employment Act as reflected in 29 CFR § 1625.2. All eligible users receive equal access to the platform and its features on the same terms.

14. Children's Privacy

QRFeedback.ai is a business tool intended for users aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you believe a minor has submitted personal data to us, contact privacy@qrfeedback.ai immediately and we will delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be posted on this page with a new "Last Updated" date. Significant changes will be communicated to registered users via email or prominent in-app notice at least 14 days before taking effect. Continued use of the platform after changes constitutes acceptance of the updated policy.

16. Contact & Data Protection

Startekk, LLC
5465 Legacy Drive, Suite 650
Plano, TX 75024
Phone: (469) 713-3993

Privacy enquiries: privacy@qrfeedback.ai
Data Protection Officer: dpo@startekk.net

We aim to respond to all privacy-related requests within 30 days (45 days for California requests). For urgent matters, mark your email subject line URGENT — Privacy Request.