Privacy Policy
Last updated June 2026
Who we are
BriefQR is QR-based workforce time tracking. This policy explains what personal data we process, why, on what legal basis, for how long, and the rights you have.
Controller vs. processor. For data about a customer's workers (scans, location, optional photos) the customer company is the data controller and BriefQR acts as a processor on its behalf. For a customer's own account and billing data (owner/manager email, subscription), BriefQR is the controller.
What we collect and why
| Data | Whose | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Owner/manager email & login | Customer staff | Run the account | Contract | Life of account |
| Operator name / identifier | Worker | Attribute hours to a person | Contract (employer is controller) | Life of account |
| GPS location at scan | Worker | Verify the clock-in happened on site | Legitimate interest | Per company policy / session |
| Scan-scene photo (opt-in, off by default) | Worker | Optional proof of presence | Legitimate interest | Default 90 days, auto-purged |
| Work sessions / hours | Worker | The core time record | Contract | Account lifetime / until exported |
| Payment data | Owner | Take payment | Contract | Held by Creem — we never store card data |
| Email send metadata | Owner / invitee | Deliver verification & invites | Legitimate interest | Per Plunk |
Location and photos. Photo capture is off by default. When a company turns it on, the operator sees an on-screen notice before any frame is captured, images are downscaled, stored in a private bucket, and purged automatically on the company's retention schedule.
Map & address search. When a manager sets a location's geofence on the map, or an operator or manager views a map of a work session, your browser loads map tiles from OpenFreeMap and — while you type an address or drop a pin — sends the typed query and the pin's coordinates to Photon (komoot) for address lookup. Those providers receive your IP address and those requests to render the map and return results. No cookies or identifiers are set and no BriefQR login or account data is sent. If a business customer's DPA requires it we can self-host both services so no map data leaves our infrastructure.
Sub-processors
We use a small set of vetted providers to run the service. See the full sub-processor list. A Data Processing Agreement is available to business customers on request at support@briefqr.com.
Your rights
You may request access, correction, deletion, or export of your personal data, and you may object to processing. For worker data, requests are directed by the employer (controller); BriefQR will action erasure on the controller's instruction. To exercise any right, email support@briefqr.com.
Cookies
The landing site and app set only strictly-necessary cookies (your login session). We use no advertising or analytics cookies, so there is no consent banner. This will be revisited if analytics are added.
Contact
Questions or data requests: support@briefqr.com. The controller for BriefQR account and billing data is Top Focus LLC, 701 Tillery Street, Unit 12-1251, Austin, TX 78702, United States.