Cookie Policy (Canada)
Plain-English version. Your jurisdiction-specific terms appear at the bottom of the document. Switch jurisdictions if you'd prefer different rules.
Plain-English drafts. These pages are written for clarity, not as substitute legal advice. For binding interpretation, the version executed via dpo@qrnfctap.com on letterhead controls.
Cookie Policy
Last updated: 2026-05-02
This Cookie Policy explains what cookies and similar storage technologies QR NFC Tap uses on qrnfctap.com, why, and how you can manage them.
Cookies are small text files stored on your device by your browser. Similar technologies — local storage, session storage, IndexedDB, web beacons — are treated the same way for the purposes of this Policy.
1. The four cookie categories
We follow the EDPB four-category model: strictly necessary, performance, functional, and marketing. The cookie banner gives you per-category control.
1.1 Strictly necessary
These cookies make the site work. Without them you cannot sign in, the site cannot prevent CSRF attacks, and your cookie preferences cannot be remembered. They cannot be disabled.
| Name | Purpose | Type | Duration |
|---|---|---|---|
| quick_code_session | Session identifier; keeps you signed in | First-party, HTTP-only | 2 hours |
| XSRF-TOKEN | CSRF protection | First-party | 2 hours |
| tc-cookie-consent | Stores your cookie-consent choice | First-party, JavaScript | 12 months |
| tc-theme | Light/dark mode preference | First-party, JavaScript | 12 months |
| tc-jurisdiction | Auto-detected legal jurisdiction (UK/EU/US/CA) | First-party, JavaScript | 12 months |
1.2 Performance / analytics
We currently run no third-party analytics (no Google Analytics, no Plausible, no Mixpanel). Server-side anonymised request logging is used for security/billing. If we add analytics in future, this section will list each tool and the cookies it sets, and you will be asked for fresh consent.
1.3 Functional
| Name | Purpose | Set by | Duration |
|---|---|---|---|
| tc-pending-qr-type | Remembers which QR type you wanted before sign-up so we can deep-link after auth | First-party, local storage | Until used or 24h |
| QR NFC Tap local-storage cache | Recently-viewed dashboard pages, draft QR codes (autosave) | First-party, local storage | Until cleared |
1.4 Marketing / advertising
We do not currently set any marketing cookies, do not run third-party advertising, and do not participate in any ad-network's identifier sync. If you've enabled the "Marketing" toggle, no cookies are set today; this is reserved for future opt-in features.
2. Third-party cookies
Three third-party services may set cookies on QR NFC Tap pages:
| Provider | Purpose | When set |
|---|---|---|
| Stripe | Fraud prevention on payment pages | Only on checkout / payment screens; first-party from m.stripe.com |
| Cloudflare | Bot/DDoS protection (cf_clearance, __cf_bm) | On pages served via Cloudflare proxy |
| Google Fonts | Font delivery (no cookies, but a subresource request to fonts.gstatic.com is logged) | Every page load (we may self-host fonts in future to remove this) |
These are essential to security/serving the page; turning them off would break checkout or trigger security challenges. Stripe is a payment processor; their cookie use is governed by Stripe's own privacy policy.
3. How to manage cookies
Via our cookie banner
The banner appears on first visit. Click "Customise" to enable/disable each non-essential category. You can revisit your choices any time by clicking "Cookie settings" in the footer (or directly at /cookies).
Via your browser
Every modern browser lets you block, delete, or be warned about cookies. Instructions:
- Chrome: Settings → Privacy and security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari (macOS): Settings → Privacy → Cookies and Website Data
- Safari (iOS): Settings → Safari → Block All Cookies
- Edge: Settings → Cookies and site permissions → Cookies and site data
Note: blocking strictly-necessary cookies will break sign-in.
Do Not Track / Global Privacy Control
We honour Global Privacy Control (GPC) signals as an opt-out of "sale" or "sharing" for CCPA purposes (we don't do either, but the signal is honoured). We don't change behaviour for legacy "Do Not Track" — there's no industry consensus on what it means.
4. Cookies on subdomains and custom domains
If you use QR NFC Tap on a custom domain (Agency tier customer), the same categories apply but cookies are set on your domain (not qrnfctap.com). Your customer-facing instances inherit our cookie banner unless you have configured a custom one. Get in touch at support@qrnfctap.com to customise.
5. Updates
We update this Policy when we add or remove a cookie. Material changes are notified through a cookie banner re-prompt; non-material changes are shown silently with the "Last updated" date.
6. Contact
Questions about cookies: dpo@qrnfctap.com.
Jurisdiction-specific provisions follow.
Canada — Cookie supplement
PIPEDA does not impose a cookie-specific consent regime, but cookies that collect personal information fall within PIPEDA's general consent requirement.
Quebec residents — Law 25 / Bill 64
Quebec privacy law (S.Q. 2021 c. 25) imposes stricter consent rules on technology that collects personal information through automated means:
- Cookies that profile, track, or identify a Quebec resident require express, granular consent (the cookie banner provides this)
- Where reasonable, default settings should disable non-essential profiling cookies
- Use of biometric or sensitive technologies is subject to additional disclosure
QR NFC Tap's cookie banner defaults all non-essential categories to OFF for Quebec visitors. Strictly-necessary cookies (session, CSRF, banner state) remain on, as required to provide the requested service.
Lodge a complaint
- Federal: Office of the Privacy Commissioner of Canada — https://www.priv.gc.ca
- Quebec: Commission d'accès à l'information du Québec — https://www.cai.gouv.qc.ca
- Alberta: Office of the Information and Privacy Commissioner of Alberta — https://oipc.ab.ca
- BC: OIPC for British Columbia — https://www.oipc.bc.ca