Privacy Policy


Privacy Policy

Template notice — not legal advice. This document is a plain-English starting template. It has not been reviewed by a lawyer and is not legal advice. Privacy law (including the GDPR, UK GDPR, and CCPA/CPRA) is fact-specific — have a qualified attorney review and adapt this to your business and jurisdiction before you rely on it. Replace every placeholder below with your real details.

Last updated: [DATE]

This Privacy Policy explains how MumenLabs (the "Service"), operated by [LEGAL ENTITY / OWNER NAME] ("we", "us", "our"), collects and uses your information. If you have questions, contact us at [CONTACT EMAIL].

1. What we collect and why

Account information. When you register, we collect your email address and a securely hashed password. We use it to create and secure your account, sign you in, and send essential account emails (verification and password resets).

Credit and payment information. When you buy credits, payment is processed by PayPal. We receive a record of the transaction (such as an order reference, amount, and status) so we can grant credits and keep an accounting ledger. We do not receive or store your full card or bank details — PayPal handles those.

QR scan logs. The dynamic QR service is our core tool. When someone scans a QR code, we log analytics about the scan so the code's owner can understand its performance. This includes the visitor's IP address, user-agent (browser and device), referrer, and an approximate geolocation derived from the IP address. This data is tied to the QR code, not to a named individual, and is used to produce scan statistics and to protect the Service from abuse.

Uploaded files. If you upload files (for example, an image or PDF to serve behind a QR code), we store those files so the Service can host and serve them. Files served behind a public QR code are, by design, accessible to anyone with the link.

Usage analytics (Google Analytics). We use Google Analytics, a service provided by Google, to understand how visitors find and use our website — for example, which pages are viewed, approximate location, and device and browser type. Google Analytics sets its own cookies and processes data such as your IP address and online identifiers as a third-party provider on our behalf. We use this only to measure and improve the Service, not for advertising. You can opt out of Google Analytics at any time using Google's opt-out browser add-on.

Basic operational logs. Like most services, our servers keep short-lived technical logs (such as request metadata and errors) to operate, debug, and secure the Service.

2. Legal bases (GDPR)

Where the GDPR or UK GDPR applies, we rely on: performance of a contract (to provide the Service and process your purchases), legitimate interests (to secure the Service, prevent abuse, and produce scan analytics for code owners), consent where required, and legal obligation (for example, to keep transaction records). You can object to processing based on legitimate interests; see "Your rights" below.

3. Cookies

We use the following cookies:

  • A necessary session cookie set by our authentication system (Better Auth) to keep you signed in and to protect your session. Without it you cannot stay logged in.
  • Google Analytics cookies (for example, _ga and _ga_*), set by Google Analytics to measure how the site is used. These are analytics cookies, not strictly necessary. Blocking them does not affect your ability to use the Service, and you can opt out with Google's opt-out browser add-on.

We do not use advertising or cross-site ad-targeting cookies, and we do not sell your personal information.

4. Third parties we share data with

  • PayPal — to process payments. Your payment is subject to PayPal's own privacy policy.
  • Google (Google Analytics) — to measure and analyze website usage. This is subject to Google's own privacy policy; you can disable it with Google's opt-out browser add-on.
  • Infrastructure and email providers — the hosting, database, object storage, and email delivery providers that run the Service on our behalf, acting under our instructions. [LIST YOUR ACTUAL PROVIDERS / SUB-PROCESSORS HERE.]

We may also disclose information if required by law, or to protect the rights, safety, and security of the Service and its users. We do not sell your personal data.

5. Retention

We keep account information for as long as your account is active. We keep transaction and ledger records for as long as needed for accounting and legal obligations. We keep QR scan logs and operational logs for [RETENTION PERIOD — placeholder, e.g. 12 months], after which they are deleted or anonymized. Uploaded files are kept until you delete them or your account is closed.

6. Your rights

Depending on where you live, you may have the right to access, export, correct, or delete your personal data, to object to or restrict certain processing, and to withdraw consent. To exercise any of these, email us at [CONTACT EMAIL] and we will respond within the time your law requires. You also have the right to complain to your local data protection authority.

7. International transfers

We may process and store data in countries other than yours. Where required, we use appropriate safeguards (such as standard contractual clauses) for international transfers. [CONFIRM/ADJUST — placeholder.]

8. Children

The Service is not directed to children under the age required by your jurisdiction, and we do not knowingly collect their personal data.

9. Changes to this policy

We may update this policy from time to time. We will update the "Last updated" date and, for material changes, provide additional notice where appropriate.

10. Contact

Questions or requests about your privacy? Contact us at [CONTACT EMAIL].

We use a necessary session cookie to keep you signed in, plus Google Analytics (which sets its own cookies) to understand how the site is used. We also log QR scans, including IP address, for analytics. We don't sell your data or run cross-site ad targeting. See our Privacy Policy.