Privacy Policy
Last updated: 2026-05-16
Introduction
Garage Sale QR ("we," "us," or "our") operates garageqr.app, a service that lets US sellers print QR stickers for in-person garage sales and lets buyers contact them by SMS. This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights.
This policy is effective as of 2026-05-16. By using garageqr.app you agree to the collection and use of information described here.
Data we collect
We collect only what's necessary to run the service:
- Email address — provided when you sign in via Google or a magic link. Used to identify your account and send sign-in emails.
- IP address — logged by Cloudflare's infrastructure for security and abuse prevention. We do not store IP addresses in our database.
- Seller-uploaded photos — stored in Cloudflare R2. EXIF metadata (including any embedded location data) is stripped before storage. See "Photos and location data" below.
- Server-side error telemetry — our API Worker emits structured logs and traces via Cloudflare's OpenTelemetry pipeline to Sentry for diagnostics and uptime monitoring. These signals are generated server-side and may include request paths, HTTP status codes, and error stack traces. We do not run a client-side error SDK on the seller dashboard.
- Session cookies — see "Cookies we set" below.
We do not collect: buyer information (buyers contact sellers directly by SMS with no account), payment data (no transactions occur on this platform), precise geolocation, or behavioral advertising data.
Photos and location data
Location data embedded in photos you upload is stripped before storage and never retained.
Modern smartphones (iPhones and Android devices) embed GPS coordinates, altitude, and timestamp data in JPEG and HEIC files. These coordinates are often accurate to within a few meters of your home address. Before any photo you upload reaches our storage, we remove all EXIF GPS tags and convert HEIC files to JPEG. The stripped version is what is stored and displayed on your listing page. The original photo with GPS data is never transmitted beyond your browser.
Cookies we set
We use the following cookies. Buyer visitors (people scanning QR stickers) are not subject to authentication cookies — only the Cloudflare infrastructure cookie may be set.
| Name | Purpose | Lifetime | HttpOnly | Domain |
|---|---|---|---|---|
| gqr_access | Authentication JWT — verifies seller identity for API requests. Secure. SameSite: Lax. | 15 minutes | Yes | garageqr.app |
| gqr_refresh | Long-lived refresh token — silently renews the access token so you stay signed in. Secure. SameSite: Lax. | 30 days | Yes | garageqr.app |
| gqr_theme | Theme preference (light or dark mode) — written by ThemeToggle client-side, read by SSR for first-paint theme. Seller routes only — not set on buyer pages. SameSite: Lax. Path: /. Max-Age: 31536000 (1 year). | 1 year | No | garageqr.app |
| gqr_oauth_state | CSRF nonce for Google OAuth flow — set at login start, cleared after callback. Secure. SameSite: Lax. | 10 minutes | Yes | garageqr.app |
| __cf_bm | Set by Cloudflare's bot-management infrastructure (Turnstile). Not a garageqr.app cookie — managed by Cloudflare. | 30 minutes | Yes (CF-managed) | .garageqr.app |
Service providers
We use the following service providers who process data on our behalf. We do not sell your data to any of them or anyone else.
- Cloudflare — infrastructure, CDN, Cloudflare Analytics (privacy-friendly, no tracking cookies), bot management (Turnstile), and R2 object storage for seller-uploaded photos. Cloudflare processes every request IP address as part of its infrastructure role.
- Resend — transactional email. Receives your email address solely to deliver magic-link sign-in emails.
- Google — OAuth identity verification. When you sign in with Google, Google verifies your identity and shares your email address and a unique account identifier with us. We receive only what's needed to create or match your account.
- Sentry — receives server-side log and trace data from our API Worker via Cloudflare Workers OTLP. Used for error diagnostics and uptime alerting. Does not receive request bodies, cookies, or photo contents.
Data we do not collect
- Payment information — no transactions occur on this platform.
- Buyer information — buyers contact sellers directly by SMS. We have no buyer accounts and collect no buyer data.
- Cross-context behavioral advertising data — we do not use advertising networks, tracking pixels, or behavioral analytics.
- Location data from photos — stripped before storage (see "Photos and location data" above).
Data retention
Listing photos are deleted from R2 when you delete the listing. Your account and all associated data (listings, photos) are deleted when you request account deletion by emailing [email protected]. We process deletion requests within 30 days.
Your rights
California residents have the following rights under the CCPA:
- Right to know — you may request what personal information we have about you.
- Right to delete — you may request that we delete your personal information.
- Right to correct — you may request that we correct inaccurate personal information.
- Right to non-discrimination — we will not discriminate against you for exercising your rights.
We do not sell or share personal information for cross-context behavioral advertising. To exercise any right, email [email protected].
Contact
Questions about this policy: [email protected]
Changes
We may update this policy. When we do, we update the "Last updated" date at the top of the page. Continued use of garageqr.app after a change constitutes acceptance of the revised policy.