Privacy Policy — rtrn

1. Who we are

rtrn.online (“rtrn”, “we”, “us”) is a lost property QR tag service operated from the United Kingdom. If you have any questions about this policy, contact us at hello@rtrn.online.

2. What data we collect

Account data

When you create an account we collect your email address and a hashed password. This is used to identify you and secure your account.

Tag contact data

You choose what contact information to store on each tag: name, phone number, email address, and a personal note. This information is displayed publicly to anyone who scans your QR code. You are in full control of what you share.

Scan data

When someone scans one of your QR codes, we record: the approximate location derived from their IP address (city, region, country, and coordinates), device type, and browser. We do not store the raw IP address. This data is visible only to you and is used to power the scan history and map features.

Payment data

If you upgrade to Pro, payments are processed by Stripe. We do not store your card details. We retain your Stripe customer ID to manage your subscription.

3. Why we collect it

To provide the service — creating, displaying, and managing QR tags
To notify you when one of your tags is scanned
To show you scan history and location data for your tags
To manage your account and subscription
To comply with legal obligations

Our lawful basis under UK GDPR is contract performance (providing the service you signed up for) and legitimate interests (keeping the service secure and functional).

4. Who we share data with

We use the following third-party services to operate rtrn. They act as data processors on our behalf:

Supabase — database and authentication (EU data hosting)
Vercel — web hosting and serverless functions
Resend — transactional email (scan notifications, account emails)
Stripe — payment processing (Pro subscribers only)
ipapi.co — IP-to-location lookup for scan geolocation (no raw IPs are stored)

We do not sell your data to any third party. We do not use your data for advertising.

5. How long we keep data

Account data — retained until you delete your account
Tag and contact data — retained until you delete the tag or your account
Scan history — retained until you delete the tag or your account

When you delete your account, all associated tags, contact data, and scan history are permanently deleted.

6. Your rights

Under UK GDPR you have the right to:

Access — request a copy of the data we hold about you
Rectification — correct inaccurate data (you can do this yourself in the dashboard)
Erasure — request deletion of your data (you can delete your account yourself, or email us)
Portability — receive your data in a machine-readable format
Objection — object to processing based on legitimate interests

To exercise any of these rights, email hello@rtrn.online. We will respond within 30 days. You also have the right to lodge a complaint with the ICO.

7. Security

All data is transmitted over HTTPS. Passwords are hashed and never stored in plain text. Database access is restricted by row-level security policies — you can only access your own data. We use industry-standard cloud infrastructure with access controls and audit logging.

8. Cookies

We use a single session cookie to keep you logged in. We do not use advertising cookies, tracking cookies, or any third-party analytics. No cookie banner is required as we only use strictly necessary cookies.

9. Changes to this policy

If we make material changes to this policy we will update the date at the top of this page. For significant changes we will notify you by email.

10. Contact

For any privacy-related questions: hello@rtrn.online