Privacy Policy

We provide a link management and QR code platform for creators.

Account: Name, email, username, password (bcrypt). Content: Links, descriptions, QR configs. Analytics: Device type, country, referrer, timestamp. Technical: Session cookie, access logs (30 days). OAuth: Name, email, profile picture if you use social login.

Contract performance (Art. 6(1)(b)) for core features. Legitimate interests (Art. 6(1)(f)) for security. Consent (Art. 6(1)(a)) where requested. Legal obligation (Art. 6(1)(c)) where required.

Account management & authentication. Link routing and QR generation. Analytics dashboard. Transactional emails. Security monitoring. We never sell or share your data for marketing.

One first-party session cookie (rb_sid) — HttpOnly, SameSite=Lax, Secure on HTTPS. No third-party ad or tracking cookies.

Hosting provider for infrastructure. Google/Apple OAuth only if you use social login. QR rendering is fully local in the browser — no external requests.

Account data: active account lifetime. Analytics: 90 days raw. Logs: 30 days. Post-deletion: all personal data removed within 30 days.

Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Portability (Art. 20), Objection (Art. 21). We respond within 30 days.

HTTPS/TLS, bcrypt password hashing, CSRF protection, session isolation, regular security reviews.

returnbob is not for persons under 16. Contact us to remove any accidentally collected child data.

Material changes announced by email or in-app notice at least 14 days before taking effect.