QRCodeKey is a real-time GPS tracking platform that uses QR codes. You generate a QR code, attach it to anything (person, pet, vehicle, asset), and when someone scans it, you get the exact GPS location instantly.

How does QR code GPS tracking work?

Generate a QR code on QRCodeKey, print and attach it. When anyone scans the QR code with their phone camera, their GPS location is captured and sent to your dashboard in real-time with coordinates, city, and timestamp.

Is QRCodeKey free to use?

Yes, QRCodeKey offers a free plan with basic QR code tracking. Premium plans are available for businesses needing bulk QR codes, team management, and advanced analytics.

Can I use QRCodeKey for attendance tracking?

Yes, QRCodeKey has built-in attendance management with GPS-verified check-ins. Create groups for schools, offices, or organizations and track attendance with QR code scanning.

Biometric Information Privacy Policy

Version: v1.0-2026-04-28 · Last Updated: April 28, 2026 · Effective Date: April 28, 2026

This policy is published in compliance with Section 15(a) of the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), Texas Capture or Use of Biometric Identifier Act (CUBI, Tex. Bus. & Com. Code §503.001), Washington H.B. 1493 (RCW 19.375), and corresponding biometric privacy obligations under GDPR Article 9, the India DPDP Act 2023 / SPDI Rules 2011, and other applicable laws.

1. Scope

This policy applies to QRCodeKey's optional face verification feature, operated by Jal Technology LLC (the "Company", "we"). It governs the collection, use, retention, and destruction of biometric identifiers and biometric information ("biometric data") of end users ("members") who use that feature, and supplements (but does not replace) the QRCodeKey Privacy Policy.

2. Definitions

• Biometric identifier: a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry (per BIPA §10).
• Biometric information: any information, regardless of form, based on a biometric identifier used to identify an individual.
• Member: the end user (employee, student, attendee) whose face is enrolled.
• Organization: the Data Controller / Data Fiduciary that operates an account on QRCodeKey and enrolls its members.
• Reference template: the mathematical encoding of facial geometry stored at enrollment.
• Verification image: the selfie captured at the moment of attendance, compared against the reference template.

3. Biometric data we collect

When the face verification feature is enabled by an organization and the member provides written informed consent, we collect:

• A reference photo (at enrollment) and/or a derived facial geometry template;
• Verification selfies captured at each attendance event;
• A confidence score and the timestamp of each verification.

We do NOT collect any other biometric identifier (fingerprints, voiceprints, retina/iris, hand geometry, DNA, etc.).

4. Purpose of collection

Biometric data is collected solely to:

• Verify that the person presenting at attendance is the enrolled member;
• Prevent proxy attendance fraud;
• Provide an audit trail of attendance events for the organization.

We do NOT use biometric data for advertising, marketing, profiling, behavioural prediction, sale, lease, trade, or to train any third-party AI model. Biometric data is never transferred to advertising networks, data brokers, social media, or analytics providers.

5. Written informed consent

In compliance with BIPA §15(b), we obtain written consent from each member before collecting any biometric data. Our enrollment workflow:

1. Presents this Biometric Privacy Policy and a summary of what is being collected, the purpose, and the retention period.
2. Requires the member (or parent/guardian if a minor) to affirmatively check three independent consent statements covering disclosure, retention, and voluntariness.
3. Records the consent action with timestamp, IP address, user-agent, consent policy version, and consenting user identity. This audit record is retained for legal defense purposes.
4. Only then accepts the reference photo and creates the biometric record.

Minors: for any member under 18, the consent screen requires the parent or legal guardian's name and relationship to the minor. The DPDP Act 2023 (India) and various state laws require verifiable parental consent.

6. Retention schedule

In compliance with BIPA §15(a), biometric data is retained for the shorter of:

• Three (3) years from the date of the member's last interaction with the face verification feature; OR
• Until consent is withdrawn by the member or their parent/guardian; OR
• Until the account or organization is deleted; OR
• When the initial purpose of the collection has been satisfied.

Each verification event resets the 3-year clock. If a member does not use the feature for three years, retention expires automatically and the data is destroyed.

7. Destruction guidelines

When retention expires, consent is withdrawn, or the member or organization requests deletion, we destroy biometric data within 30 days using:

• Cryptographic erasure: the encrypted record is overwritten with null/empty values in the production database.
• Backup purge: encrypted database backups containing the record are rotated out within their normal 30-day backup retention cycle. Once rotated, the encryption keys for older backups are not retained.
• Audit metadata (timestamp, consent version) is retained for up to 5 years for legal defense purposes; this metadata contains no biometric content.

Confirmation of destruction is logged and available on request to the affected member.

8. No sale, lease, or trade

In compliance with BIPA §15(c), we do NOT sell, lease, trade, or otherwise profit from a member's biometric data. Biometric data is never used as consideration in any commercial transaction.

9. Disclosure to third parties

In compliance with BIPA §15(d), we do NOT disclose, redisclose, or otherwise disseminate biometric data unless one of the following applies:

• The member or their legally authorized representative consents in writing to the disclosure;
• Disclosure completes a financial transaction the member requested;
• Disclosure is required by federal, state, or municipal law, ordinance, or regulation;
• Disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

Sub-processors: biometric data is processed by infrastructure sub-processors strictly necessary to operate the service: MongoDB Atlas (encrypted database), Render (hosting). Each is bound by a Data Processing Agreement and may not use biometric data for any other purpose.

10. Storage and security

In compliance with BIPA §15(e), we store, transmit, and protect biometric data using the reasonable standard of care within our industry, in a manner that is the same as or more protective than the manner in which we store, transmit, and protect other confidential and sensitive information. Specifically:

• Encryption at rest (AES-256) in MongoDB Atlas;
• Encryption in transit (TLS 1.2 or higher);
• JWT-authenticated API access with role-based authorization;
• Audit logs of every read/write to biometric records;
• Strict access controls limiting biometric data access to authenticated backend services only;
• Regular security reviews and key rotation;
• Sub-processors selected for SOC 2 / ISO 27001 compliance where available.

11. Your rights

• Right to know: request a description of the biometric data we hold about you and how it is processed.
• Right to withdraw consent: revoke biometric consent at any time. Upon withdrawal, biometric data is deleted within 30 days.
• Right to deletion: request immediate deletion of biometric data even before retention expires.
• Right to receive these guidelines: request a copy of this policy in PDF or other format.
• Right to lodge a complaint: with the Illinois Attorney General, the FTC, your state regulator, an EU Data Protection Authority, the Data Protection Board of India, or other competent authority.

To exercise any of these rights, contact us at privacy@qrcodekey.com or use the in-app "Withdraw Biometric Consent" option in your account settings.

12. Roles: organization vs QRCodeKey

When an organization (employer, school, event operator) enables face verification and enrolls its members, the organization is the Data Controller (GDPR) / Data Fiduciary (DPDP Act). The organization is responsible for obtaining all necessary consents from members, for ensuring that local labour, education, and consumer laws are followed, and for providing notices to its members.

QRCodeKey acts as a Data Processor on behalf of the organization, governed by our Data Processing Agreement (available on request). We provide consent capture tools, secure storage, and deletion mechanisms to support the organization's compliance.

13. Changes to this policy

When we materially change this policy we will increment the version number and require members to re-consent before further use of the face verification feature. Old consent records remain in our audit log alongside the new version, preserving the consent trail.

14. Contact

Questions or requests under this policy:

Company: QRCodeKey by Jal Technology LLC

Address: 647 Rose Ln, Bartlett, IL 60103, USA

Privacy Email: privacy@qrcodekey.com

General Email: info.qrcodekey@gmail.com

Phone: (708) 300-5490

We will respond to biometric-related requests within 7 business days.