Privacy Policy

Last updated: 6 May 2026

This policy explains how ExaRoutes handles personal information when you visit our marketing site, use our dashboard or API, or are redirected through a QR code we host. If anything is unclear, write to privacy@exaroutes.com.

1. Who we are

ExaRoutes is operated by Aviral Gohil, a sole proprietor based in Jabalpur, Madhya Pradesh, India. In this policy "ExaRoutes", "we", "us", and "our" refer to that sole proprietorship.

For data protection purposes, ExaRoutes is the controller of the personal information described in sections 2.1 to 2.4 below. For the QR scan data described in section 2.5, our customer (the person or business that owns the QR code) is the controller and we act as their processor under the Data Processing Addendum.

2. Information we collect

2.1 Account information

When you create an account we collect your email address, your display name, and (if you sign up with a password) a salted bcrypt hash of that password. We never store passwords in plain text. If you sign up with Google we receive your Google email, name, and profile picture from Google; we never see your Google password.

You may also choose to add a country of residence, a profile picture, and an email-updates preference. These are optional and editable from your Profile settings.

If you enable two-factor authentication we store an encrypted TOTP seed and a set of hashed single-use backup codes. Backup codes are shown to you in plain text once at generation time; we cannot recover them after that.

2.2 Workspace and content

As you use the dashboard you create workspaces, QR codes, brand kits, lead-capture forms, AI-generated landing pages, and similar content. The QR code targets you configure (URLs, deep-link rules, geo and device routing rules, GA4 measurement IDs, Meta pixel IDs, scan caps, expiry dates, password gates, uploaded logos) are stored against your account. Logos and form-attachment uploads live in AWS S3; everything else lives in AWS DynamoDB.

2.3 Billing information

Paid subscriptions are processed by our payment partner Dodo Payments, who acts as Merchant of Record. When you check out, your card details are collected and stored by Dodo on PCI-DSS compliant infrastructure. We never see or store your full card number. We do receive and store a Dodo customer reference, your plan tier, billing dates, payment status, and any failed-payment metadata so we can display subscription state in the dashboard.

2.4 Operational telemetry

We log API requests, authentication events (including IP address, user agent, and success or failure of each attempt), and per-user login attempt counters for rate-limiting and account lockout. We capture application errors and a limited slice of performance data via Sentry to diagnose bugs.

On the marketing site we use PostHog for product analytics, but only after you accept the cookie banner. If you decline or ignore the banner, no PostHog script is loaded and no analytics cookies are set. We additionally use Cloudflare Web Analytics, which does not use cookies and does not fingerprint visitors.

2.5 QR scan data (you, when you scan someone's code)

When you scan a dynamic QR code that resolves through our service, we receive your IP address, your browser's user agent string, the HTTP Referer header (if your browser sends one), and the time of the scan. From the IP we derive an approximate country, region, and city using an offline GeoIP database; we do not perform a reverse-DNS lookup or any further identification.

We compute a one-way SHA-256 fingerprint of (IP + user agent + QR ID + day) and use it to deduplicate repeated scans within a 60-second window so analytics counts are not inflated. The fingerprint is not reversible to the underlying IP.

If the customer who owns the QR code has connected Google Analytics 4 or a Meta (Facebook) pixel to it, we forward a scan event to those services on their behalf. The GA4 forward uses a hashed pseudonymous identifier; the Meta forward sends the raw IP and user agent because Meta's Conversions API requires it. The customer is the controller of this forwarding decision; we execute it under their DPA.

Scan data is associated with the customer's QR code, not with you. We do not combine scan data across different customers' QR codes to build a profile of you, and we do not sell or license scan data to anyone.

Because we have no direct relationship with you when you scan a code, the customer who owns the QR code (the controller for that scan data) is responsible for telling you about this collection in their own privacy notice. If you have questions about a specific scan, contact the business whose QR code you scanned.

2.6 Communications

When you email support@exaroutes.com, fill in the contact form, or reply to a transactional email, we receive your email address and the contents of your message. Transactional email (account verification, password reset, billing notifications, plan-change confirmations) is delivered via Zoho Mail.

2.7 AI landing page builder

If you use our AI landing page builder feature, the prompt you enter and a short context about the page are sent to Google's Gemini API to generate page copy. Google processes that prompt under their own published terms. The generated copy is stored against your account; we do not retain a separate copy of the prompt beyond what you save.

3. Why we use your information (legal bases)

For visitors and customers in the EU, UK, and other GDPR-aligned jurisdictions, we rely on the following legal bases:

  • Performance of a contract. Account, workspace, billing, and QR generation. Without these we cannot deliver the service you signed up for.
  • Legitimate interests. Security logging, abuse prevention, error monitoring, fraud detection on payments, and aggregated product analytics. We balance these against your privacy interests and use the minimum data needed.
  • Consent. Optional product analytics cookies (PostHog) and marketing emails (which you can opt out of in Profile settings or by clicking the unsubscribe link).
  • Legal obligation. Tax, accounting, and responses to lawful requests from authorities.

4. Sub-processors and other recipients

We share personal information with the following sub-processors so they can help us run the service. We have appropriate contracts in place with each.

  • Amazon Web Services (us-east-1, USA): hosting, DynamoDB, S3, CloudFront, SES.
  • Dodo Payments: payment processing as Merchant of Record.
  • Zoho Corporation: transactional and support email.
  • PostHog: product analytics on the marketing site (consent-gated).
  • Cloudflare: CDN, bot protection, cookieless web analytics, and Turnstile CAPTCHA on signup, password recovery, and form submission flows.
  • Sentry, Inc.: error and performance monitoring.
  • Google LLC: Google sign-in (only if you choose it); AI landing page generation via the Gemini API (only if you use the feature).

A current list including processing purpose, location, and the legal mechanism for international transfers is published in Annex A of the Data Processing Addendum and is updated when we add or remove a sub-processor.

We do not sell personal information. We do not use personal information for cross-context behavioural advertising. We do not share personal information with anyone for their own marketing purposes.

We will disclose personal information if compelled by valid legal process, to protect the safety of any person, to enforce our Terms of Service and Acceptable Use Policy, or to investigate suspected fraud or security incidents. Where lawful, we will tell you about the request before complying.

5. Where your information is stored

ExaRoutes is hosted on Amazon Web Services in the us-east-1 region (Northern Virginia, USA). If you are in the EU, UK, India, or another country, your personal information is transferred to and processed in the United States. For transfers from the EU and UK we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where relevant) with each sub-processor that handles EU or UK data.

6. How long we keep it

  • Account data: kept while your account is active. When you delete your account we remove your account row, your workspaces, your QR codes and associated analytics, your uploaded files in S3, and your audit-log entries.
  • Operational backups: rolling 30-day window. If you exercise the right to erasure, your live data is deleted within 30 days and any backup that still contains it is overwritten by the rolling window within the same period. If a backup is restored before that has happened, we re-apply the deletion.
  • Billing records: invoices, transaction records, and tax-relevant data are retained for as long as Indian tax law requires, which is typically up to eight years, even after account deletion.
  • Security and authentication logs: up to 12 months, after which they are aggregated or deleted.
  • Scan analytics: retained for as long as the customer's QR code exists, then deleted with the QR code or with the customer's account, whichever comes first. We do not cap the retention of historical scan analytics on active QR codes; the customer can clear their analytics at any time from the dashboard.

7. Your rights

Depending on where you live, you have some or all of the following rights over your personal information.

If you are in the EU, UK, or another GDPR-aligned country: the right to access, rectify, erase, restrict, port, or object to our processing of your personal data, and the right to withdraw any consent you have given. You can also lodge a complaint with your local data protection authority.

If you are in California or another US state with a comprehensive privacy law (CPRA, VCDPA, CPA, CTDPA, UCPA, and similar): the right to know what we collect, the right to delete it, the right to correct it, the right to opt out of sale or sharing (we do neither), and the right not to be discriminated against for exercising these rights.

If you are in India: rights as a Data Principal under the Digital Personal Data Protection Act 2023, including the right to access, correction, erasure, grievance redressal, and to nominate a person to act on your behalf in case of death or incapacity.

To exercise any of these rights, email privacy@exaroutes.com from the address on your account, or use the in-app deletion and export controls in Profile settings. We respond within 30 days. Where the law allows, we may verify your identity before acting on a request.

8. Cookies and similar technologies

For the full list of cookies and browser-storage entries we set, see the Cookies Policy. The short version: authentication cookies are strictly necessary and set without consent; product analytics cookies (PostHog) are loaded only after you accept the cookie banner; we do not run any third-party advertising cookies.

9. Children

ExaRoutes is intended for adult business users (marketing teams, agencies, and similar) and is not directed to children. By creating an account you confirm you are of legal age to enter into a binding contract in your jurisdiction (typically 18 in India and most countries). We do not knowingly collect personal information from children. If you believe a child has given us personal information, email privacy@exaroutes.com and we will delete it promptly.

10. Security

We protect your data with TLS in transit, encryption at rest for sensitive fields (including TOTP seeds), bcrypt-hashed passwords, MFA support, audit logging on privileged actions, isolated production credentials, and least-privilege IAM. No security control is perfect; if we ever experience a breach that materially affects you, we will notify you in line with the notification deadlines in the laws that apply to your jurisdiction.

11. Changes to this policy

We may update this policy as the service evolves. The "Last updated" date at the top reflects the most recent change. If a change materially reduces your rights, we will give you reasonable notice (typically by email to the address on your account or a banner in the dashboard) before it takes effect.

12. Contact

For privacy questions, requests, or complaints, contact us at privacy@exaroutes.com. We do not currently have a Data Protection Officer because we are not legally required to appoint one; the proprietor handles privacy matters directly.