Legal

Privacy Policy

Plain-English, and deliberately short — because we collect deliberately little.

1. Who we are

Cue is operated by Cue Labs Ltd, a company registered in the United Kingdom ("we", "us"). We are the data controller for account and website data, and a data processor for scan analytics collected on behalf of our customers. You can reach us at support@scancue.co.

2. Data we collect from account holders

  • Account data: name, email address, and authentication identifiers, provided when you sign up.
  • Billing data: plan, invoices, and payment status. Card details are handled by our payment processor and never touch our servers.
  • Content you create: QR codes, destinations, redirect rules, styles, uploaded logos, folders, tags, and campaigns.
  • Usage and device data: logs, approximate location from IP, and product analytics used to keep the service secure and improve it.

3. Data we process about people who scan

When someone scans a dynamic code, we process the request to perform the redirect our customer configured. Our analytics are deliberately privacy-preserving:

  • We store a salted, rotating hash derived from the request — never the raw IP address.
  • Geography is resolved to country and city at the edge; the IP is then discarded.
  • The user agent is parsed into device class, OS, and browser family; the raw string is not retained.
  • We set no cross-site tracking cookies and build no per-person profiles from scans.

4. How we use data

  • To provide the service: redirects, dashboards, exports, API, and webhooks.
  • To secure the service: fraud and abuse prevention, rate limiting, and audit logging.
  • To communicate: transactional email about your account, and product updates you can opt out of.
  • To improve the product, using aggregated or de-identified data wherever possible.

5. Legal bases

Where UK/EU data protection law applies, we rely on: performance of a contract (providing the service you signed up for); legitimate interests (security, service improvement, and B2B communications); consent where required (e.g. optional marketing); and legal obligation (tax and accounting records).

6. Sharing and processors

We do not sell personal data. We share it only with sub-processors that host and operate the service (cloud infrastructure, payment processing, email delivery, error monitoring), under data processing agreements, and where required by law. A current list of sub-processors is available on request.

7. International transfers

We store data in the UK/EU where possible. Where a sub-processor processes data outside the UK/EEA, we rely on adequacy decisions or standard contractual clauses.

8. Retention

Account data is kept while your account is active. When you delete your account, your identity is anonymised and your personal workspace's content — including its scan analytics — is deleted, except where law requires longer retention. Scan-level analytics follow your plan's retention period and older events are purged by a daily job. Deleting a QR code deletes its scan events; a deleted shared workspace is recoverable for 30 days, then purged permanently.

9. Your rights

You may request access, correction, deletion, portability, or restriction of your personal data, and object to certain processing, by emailing support@scancue.co. If you are in the UK/EU you may also complain to your supervisory authority (in the UK, the ICO). If you scanned a code created by one of our customers, that customer is the controller for the campaign — contact them first, and we will support their response.

10. Changes

We will post any changes to this policy here and, for material changes, notify account holders by email. This policy was last updated on 3 July 2026.