Data Security

This page summarizes BaseQR’s security posture at a high level and directs you to deeper topics in this section. It focuses on how data flows through the product, what access controls exist, and where to find the operational policies that govern storage, retention, uptime, and incident handling.

Scope

• Application data — Organization records, campaigns, and QR codes (including destinations and UTM parameters).

• Analytics data — Scan activity used for reporting (Total Scans, device/OS, location, time patterns). Analytics are anonymous; BaseQR does not collect PII from scans.

• Account data — User identity and role information used for sign-in, invitations, and collaboration features.

Access model

• Organization-level access — Access is scoped to an organization. All users in an organization can see newly created campaigns.

• Roles — There are two roles. Admin manages users/roles and can delete campaigns, and includes all User capabilities. User creates and manages campaigns and QR codes, updates destinations/UTMs, toggles Active/Inactive, and exports assets/reports.

• Enterprise SSO (optional) — Available on Enterprise plans for centralized authentication through your identity provider.

Data handling principles

• Data minimization — QR analytics focus on scan events and context needed for reporting; PII is not collected from scans.

• Change without reprint — Destinations and UTMs can be updated midstream; analytics continuity is preserved under the same code.

• Customer control — Admins manage membership and roles; organizations control their own destination URLs and tagging conventions.

Privacy and attribution

• UTM alignment — UTMs applied to destination URLs enable downstream attribution in your analytics (for example, GA4).

• Customer-owned consent — Consent, cookies, and tracking on destination pages are controlled by your site/app and analytics configuration.

Operational topics (where to find details)

• Data storage & retention — Storage locations, retention windows, and deletion paths are documented on Data Storage & Retention.

• Uptime and service levels — Availability targets and expectations are described on SLAs; real-time platform status is shown on the Uptime Status page.

• Incident response — How incidents are detected, triaged, communicated, and resolved is covered on Incident Response & Status Page.

• Compliance posture — Program-level practices and regulatory considerations are outlined on Compliance.

• Vulnerability reporting — How to report security issues responsibly is defined on Vulnerability Reporting.

Shared responsibility

• You manage destinations — Ensure destination pages are reachable over HTTPS and perform well on mobile, especially in low-signal environments.

• You manage analytics — Implement GA4 (and optionally GTM) and maintain a consistent UTM convention for accurate attribution.

• We provide controls — Organization-level roles, campaign and code management, asset exports, and reporting.