Privacy Policy

1. Introduction

Stone Stories (“we,” “our,” or “us”) operates the website located at stonestoriesqr.com (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect information about you and the individuals commemorated on our platform, including deceased persons.

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Service.

2. Information We Collect

2.1 Information You Provide

• Account information: First name, last name, email address, and password when you register.
• Memorial content: Names, dates, photographs, videos, audio recordings, biographical text, and other content you upload about the person being commemorated.
• Payment information: Billing details processed securely through Stripe. We do not store full credit card numbers on our servers.
• QR order information: Shipping name and address when you purchase a physical QR code product.
• Guestbook entries: Name, optional email address, and message submitted by visitors to a memorial.
• Support communications: Messages you send to us via our support form or email.

2.2 Information Collected Automatically

• QR scan data: IP address, browser user agent, referrer URL, and timestamp when a QR code is scanned.
• Log data: Server logs including IP addresses, pages visited, and browser type.
• Cookies: We use essential session cookies required for authentication and a consent cookie to record your cookie preferences. We do not use advertising or third-party tracking cookies.

2.3 Information About Deceased Persons

Our platform is designed to host memorials for deceased individuals. Content uploaded about deceased persons (names, dates, photographs, biographies) is provided by the account holder. We treat this information with the same care and respect as other personal data on our platform.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Stone Stories platform.
• Process subscription payments and QR code orders.
• Deliver memorial pages to visitors who scan a QR code.
• Send transactional emails (account confirmation, subscription receipts, password resets, guestbook notifications).
• Provide analytics to memorial owners about QR code scan activity.
• Respond to support requests and account inquiries.
• Detect and prevent fraud, abuse, and security incidents.
• Comply with legal obligations.

We do not sell your personal information to third parties. We do not use your memorial content or the information of deceased persons for advertising purposes.

4. Sharing of Information

We may share your information with:

• Stripe: For payment processing. Stripe's privacy policy governs their use of payment data.
• SendGrid: For transactional email delivery. Email content is transmitted securely.
• Hosting providers: Infrastructure providers who host our servers and databases, bound by data processing agreements.
• Law enforcement: When required by law, court order, or to protect the rights and safety of our users or the public.

Public memorials: If you set a memorial to “Public,” the memorial content you upload is accessible to any person with the QR code or direct URL. Please consider carefully what information you make publicly accessible.

5. Data Retention

We retain your account and memorial data for as long as your account is active or as needed to provide services. If you cancel your account, we will retain your data for 30 days to allow for account reactivation, after which it will be permanently deleted.

QR scan logs and guestbook entries are retained for the lifetime of the memorial. Payment records are retained for seven (7) years to meet accounting and legal obligations.

6. Cookies

We use the following types of cookies:

• Session cookies (essential): Required for login functionality and CSRF protection. These expire when you close your browser.
• Remember me cookie (functional): A persistent cookie stored for 30 days if you select “Remember me” at login.
• Cookie consent cookie (functional): Records that you have acknowledged our cookie notice. Stored in localStorage.

We do not use advertising, analytics tracking, or social media cookies. You can disable cookies in your browser settings, but this may prevent login functionality from working.

7. Security

We implement industry-standard security measures including:

• AES-256 encryption of data at rest.
• TLS 1.3 encryption for all data in transit (HTTPS).
• Bcrypt password hashing with cost factor 12.
• CSRF token protection on all forms.
• Session security with HttpOnly and SameSite cookie flags.
• Rate limiting on authentication and submission endpoints.

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

8. Your Rights (GDPR & CCPA)

Depending on your location, you may have the following rights:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Correct inaccurate personal data.
• Right to erasure: Request deletion of your account and associated personal data.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to restrict processing: Ask us to stop processing your data in certain circumstances.
• Right to object: Object to our processing of your personal data.
• California residents: Under CCPA, you have the right to know what personal information is collected, the right to delete, and the right to opt-out of sale (we do not sell personal information).

To exercise any of these rights, contact us at privacy@stonestoriesqr.com. We will respond within 30 days.

9. Children's Privacy

Our Service is not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

10. International Data Transfers

Our servers are located in the United States. If you are accessing our Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States. We comply with applicable data transfer mechanisms for international transfers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a prominent notice on our website. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

• Email: privacy@stonestoriesqr.com
• Support: support@stonestoriesqr.com
• Website: stonestoriesqr.com