Privacy Policy

uLinkQR ("we", "us", "our") is a QR-based lost-and-found alert service operated by uLinkQR, an India-based platform.

Contact: support@ulinkqr.com

• Phone number — OTP login and push delivery only. Stored encrypted. Not shown to scanners by default — only displayed if you explicitly add it to your tag's public details.
• First name — Shown to the person who scans your tag.
• Tag details — Category, tag ID, optional description, and any extra details you choose to make public (e.g. phone number).
• Alert data — Timestamp, message from reporter, location text (if typed).
• Device token — FCM push token. OS type for compatibility.
• Anonymised usage data — Feature interactions to improve the service.

• Send instant push notifications when your QR is scanned
• Enable masked calling between owner and reporter
• Manage your account and subscription status
• Send service updates (not marketing unless you opt in)
• Detect fraud, spam, and platform abuse
• Meet legal obligations under IT Act 2000 and DPDP Act 2023

If you add your phone number to your tag's public details, you are voluntarily making it visible to scanners for convenience. You can remove it at any time from your tag settings. Any breach of encrypted storage is treated as a critical security incident subject to immediate remediation and CERT-In disclosure.

Processed via PhonePe Payment Gateway (PhonePe Private Limited, RBI-regulated). When you pay:

• You're redirected to PhonePe's secure page or UPI app
• We receive only: transaction ID + success/failure. Never your card, UPI ID, or bank details.
• PhonePe's privacy policy governs their data handling
• We store: plan type, start date, transaction reference — for billing and support

We do not sell, rent, or trade your data. We share only with:

• PhonePe — payment processing
• Firebase/Google — push notifications (FCM) and OTP
• Cloud host — servers in India / compliant regions
• Law enforcement — only on valid court order under IT Act Section 69

• Active accounts — retained while account is active
• Alert history — 90 days, then permanently deleted
• Deleted accounts — all personal data erased within 30 days
• Payment records — 7 years (Indian GST/tax law)

• AES-256 encryption at rest, TLS 1.3 in transit
• OTP-only login — no passwords stored
• Rate limiting on all scan endpoints
• Regular security audits and penetration testing
• Breach disclosure within 72 hours per CERT-In mandate

• Access — Request a copy of your data
• Correction — Fix inaccurate data
• Erasure — Delete your account and all personal data
• Grievance — Complain to our Grievance Officer
• Nomination — Appoint someone to act on your behalf

To exercise rights: support@ulinkqr.com or use Settings → Delete Account. We respond within 30 days.

• Session cookie — keeps you logged in (essential)
• Analytics — anonymised usage only, no cross-site tracking, no ad networks

uLinkQR is not for users under 18. If a minor has registered, email support@ulinkqr.com and we'll delete the account within 48 hours.

Material changes notified via push/email at least 14 days before taking effect. Continued use = acceptance.

• Email: support@ulinkqr.com
• Response time: 30 days for all requests