qrcardd™ Authentication Policies & Procedures

---

Last updated: September 2, 2025

Applies to: All qrcardd™ QR codes, nimble pages, and client-linked destinations.

When you see the qrcardd™ Verified badge, the code and its destination have been vetted against our security, content, and redirect rules. We audit links before launch and monitor them afterward. We don’t run third-party ads on nimble pages. We log changes, respond to reports, and suspend non-compliant links fast. External sites remain the responsibility of the business owner.

Badge text you may see: qrcardd™ Verified • Redirect Policy Compliant

This policy explains how qrcardd™ authenticates clients, verifies links, and enforces safe redirects for QR experiences hosted on qrcardd.com and client destinations linked from qrcardd™ pages.

• Nimble Page: The ad-free micro site hosted on qrcardd.com that a scan lands on.
• Destination Link: Any link from a nimble page to an external website or service.
• Verified Badge: The visual mark indicating the QR and its configured redirects passed our checks.
• Redirect: Any forward from a qrcardd.com URL to another page (internal or external).
   

When a card displays qrcardd™ Verified, it means:

• The business identity was authenticated.
• The QR payload and nimble page passed security/content review.
• External links met our Redirect Policy at the time of review.
• Ongoing monitoring is active; changes are logged and re-checked.
   

Note: “Verified” confirms compliance with our policy—not an endorsement of the business’s products, services, or claims.
 

We use layered checks before a QR goes live and recurring checks after.

1. Business Identity Verification
   • Proof of business (registration, EIN or equivalent), contact of record, and payment verification.
   • High-risk categories may require enhanced documentation.
      

1. Ownership / Link Control
   • Domain control check (email at domain, tokenized URL, or DNS file/record).
   • Platform-account control if linking to third-party profiles (e.g., app stores, booking platforms).
      

1. Security & Redirect Vetting
   • HTTPS/TLS required end-to-end (no mixed content).
   • One-hop rule: redirects may not chain beyond one additional hop.
   • No auto-downloads, forced app installs, wallet/connect prompts, or invasive permission requests on initial load.
   • No third-party URL shorteners to mask final destinations (qrcardd’s own short links are allowed).
   • Payment links must use reputable processors (e.g., Stripe, Square, PayPal) with HTTPS checkout.
      

1. Content Standards Review
   • No malware, fraud, impersonation, or deceptive design.
   • No prohibited content (illegal activity; explicit sexual content; incitement to violence; hate; doxxing).
   • Claims that require substantiation (e.g., medical, financial) must link to supporting info or be removed.
      

1. Ongoing Monitoring
   • Automated link health & safety scans, certificate checks, and status codes.
   • Change detection on configured destinations; alerts trigger re-review.
   • Abuse signals (e.g., unusual bounce patterns, user reports) escalate to manual review.
      

1. Incident Response & Takedown
   • We may suspend or reroute scans to a warning page if a link becomes unsafe or non-compliant.
   • Owner of record is notified; restoration occurs after remediation and re-verification.
      

Allowed

• Secure HTTPS destinations with transparent, direct experiences.
• Single additional hop, if necessary (e.g., tracking to final).
• Clear, labeled Partner/Affiliate links (optional) with a short disclosure.
   

Not Allowed

• HTTP (non-TLS) endpoints; mixed content.
• Multi-hop redirect chains or obfuscated shorteners.
• Auto-downloads, forced installs, or unexpected permissions on first load.
• Phishing, credential harvesting, fake login portals, or deceptive giveaways.
• Content that violates law or this policy.
   

• Authorized Requests Only: Edits must come from the owner of record or approved contacts.
• Logging: All changes are time-stamped and retained for audit.
• Re-Verification: Material changes (new domains, checkout flows, app links) require re-review.
• Turnaround: Simple text/link swaps are typically processed quickly; complex changes may take longer.
• Fees: Edits beyond plan allowances may incur a posted change fee.
   

• Keep business info, links, and content accurate and lawful.
• Ensure third-party destinations (booking, tickets, forms) comply with this policy.
• Notify qrcardd™ of security incidents or compromised accounts immediately.
• Do not misuse the Verified badge or attempt to bypass checks.
   

• Encryption: HTTPS everywhere, HSTS, modern TLS.
• Tokenization: Unique, scoped tokens per campaign/QR to mitigate tampering.
• Protection: Rate-limits, WAF, and anomaly detection for abuse patterns.
• Isolation: Nimble pages are ad-free; we avoid third-party embeds that track users.
• Privacy: First-party analytics only (scans, unique scans, button CTR, city-level geo). No cross-site tracking.
   

Data Retention: Analytics are retained for operational reporting (e.g., up to 13 months) unless law or contracts require different terms.

• Nimble pages are designed mobile-first and aim to meet WCAG 2.1 AA-aligned practices (readable contrast, larger tap targets).
• We optimize for fast loads on modern devices and reasonable performance on slower connections.
   

If you encounter a code misusing qrcardd™ branding or a Verified badge:

• Visit qrcardd.com/report (or email security@qrcardd.com). 
• Include a photo of the code, location/context, and (if possible) the opened URL.
  We will investigate promptly and, if needed, disable or reroute the code and notify the owner of record.
   

• Takedown: qrcardd™ may suspend a QR or destination that breaches this policy or credible safety concerns.
• Appeal: The owner of record may appeal by providing remediation details and supporting documentation.
• Restoration: After successful re-verification, we restore the QR or update it to a compliant destination.
   

• The qrcardd™ Verified badge may only appear on qrcardd-hosted pages or approved materials for the verified campaign.
• Do not alter or mimic the badge. Do not imply endorsement by qrcardd™ of products or claims.
   

• qrcardd™ pages are ad-free by default.
• Optional Partner/Affiliate links must be clearly labeled and comply with applicable disclosure laws.
• External sites are operated by third parties; their policies and practices apply there.
   

• qrcardd™ verifies QR codes and links for policy compliance at the time of review and monitors for changes; we cannot guarantee uninterrupted safety of external sites we do not control.
• qrcardd™ is not responsible for the content, availability, data practices, or actions of third-party destinations.
• Nothing in this page constitutes legal, compliance, or security advice.
• To the maximum extent permitted by law, qrcardd™ disclaims warranties (express/implied) and limits liability for indirect, incidental, or consequential damages arising from use of external destinations.
   

We may update this policy to reflect new risks, laws, or platform changes. Material updates will be posted here with a new “Last updated” date.

All marks associated with qrcardd™ — including qcardd™, qrcardds™, eventcardd™, eventcardds™, currencycardd™, yourcardd™, and yourcardds™ — are intellectual property of qrcardd.com™. 

Security & Abuse: security@qrcardd.com
General Support: support@qrcardd.com
Legal Inquiries: legal@qrcardd.com

Compliance Notice: Every QR code distributed by qrcardd™ is strictly vetted and complies with the qrcardd™ Redirect Policy.