Privacy Policy

Last updated June 2026

Draft. This document is being finalized with our policy tooling and is pending legal review. Questions? Email support@briefqr.com.

Who we are

BriefQR is QR-based workforce time tracking. This policy explains what personal data we process, why, on what legal basis, for how long, and the rights you have.

Controller vs. processor. For data about a customer's workers (scans, location, optional photos) the customer company is the data controller and BriefQR acts as a processor on its behalf. For a customer's own account and billing data (owner/manager email, subscription), BriefQR is the controller.

What we collect and why

DataWhosePurposeLegal basisRetention
Owner/manager email & loginCustomer staffRun the accountContractLife of account
Operator name / identifierWorkerAttribute hours to a personContract (employer is controller)Life of account
GPS location at scanWorkerVerify the clock-in happened on siteLegitimate interestPer company policy / session
Scan-scene photo (opt-in, off by default)WorkerOptional proof of presenceLegitimate interestDefault 90 days, auto-purged
Work sessions / hoursWorkerThe core time recordContractAccount lifetime / until exported
Payment dataOwnerTake paymentContractHeld by Creem — we never store card data
Email send metadataOwner / inviteeDeliver verification & invitesLegitimate interestPer Plunk

Location and photos. Photo capture is off by default. When a company turns it on, the operator sees an on-screen notice before any frame is captured, images are downscaled, stored in a private bucket, and purged automatically on the company's retention schedule.

Map & address search. When a manager sets a location's geofence on the map, or an operator or manager views a map of a work session, your browser loads map tiles from OpenFreeMap and — while you type an address or drop a pin — sends the typed query and the pin's coordinates to Photon (komoot) for address lookup. Those providers receive your IP address and those requests to render the map and return results. No cookies or identifiers are set and no BriefQR login or account data is sent. If a business customer's DPA requires it we can self-host both services so no map data leaves our infrastructure.

Sub-processors

We use a small set of vetted providers to run the service. See the full sub-processor list. A Data Processing Agreement is available to business customers on request at support@briefqr.com.

Your rights

You may request access, correction, deletion, or export of your personal data, and you may object to processing. For worker data, requests are directed by the employer (controller); BriefQR will action erasure on the controller's instruction. To exercise any right, email support@briefqr.com.

Cookies

The landing site and app set only strictly-necessary cookies (your login session). We use no advertising or analytics cookies, so there is no consent banner. This will be revisited if analytics are added.

Contact

Questions or data requests: support@briefqr.com. The controller for BriefQR account and billing data is Top Focus LLC, 701 Tillery Street, Unit 12-1251, Austin, TX 78702, United States.