Security
Secure for you. Private for the people scanning.
A QR platform sits between your printed brand and your audience. Cue treats both sides of that trust seriously — here's exactly how.
Encryption in transit
All traffic — dashboard, API, and every scan redirect — is served exclusively over TLS 1.2+.
Privacy-preserving analytics
Scan events store a salted, rotating visitor hash — never a raw IP address. Geography is derived at the edge and coarsened to city level; raw user agents are parsed and discarded.
Signed webhooks
Every webhook delivery is signed with HMAC-SHA256 using your endpoint secret, carried in the X-Cue-Signature header with a timestamp to prevent replays.
Role-based access control
Owner, admin, and member roles scope who can create, retarget, export, and administer — enforced on every request, not just hidden in the UI.
Audit logging
Destination changes, exports, key rotations, and every API write are recorded immutably with actor, action, and timestamp — visible in the dashboard on Business and above.
API key hygiene
Keys are shown once, stored hashed, scoped per environment, and revocable instantly. Per-key rate limits contain the blast radius of a leaked credential.
GDPR-friendly by architecture, not by checkbox
Most scan-tracking products collect everything and rely on policy to stay compliant. Cue inverts that: the analytics pipeline physically cannot produce a person-level profile, because identifying data is hashed or discarded before it ever reaches storage.
- Scan analytics are engineered for data minimisation: no raw IPs, no cross-site identifiers, no per-person profiles.
- Data is processed in the EU/UK; a signed DPA is available on Enterprise plans.
- Retention follows your plan and your instructions — deleting a code or workspace deletes its scan events.
- Data-subject requests are simple because we hold no directly identifying scanner data in analytics.
Found something? Tell us first.
We welcome good-faith security research. Report vulnerabilities to support@cueqr.dev and we'll acknowledge your report, keep you updated, and credit you if you'd like.