Privacy Policy

This Privacy Policy explains what information I collect through VisitorLog.io ("the Service"), how I use it, and what choices you have. I built this service to help organizations manage visitor check-ins and check-outs, and I take the responsibility of handling your data seriously.

When I say "you" or "your," I mean anyone who interacts with the Service, whether you are an account holder managing visitors or a visitor checking in at a facility.

1. Information I Collect

Visitor Data

When a visitor checks in at a facility (through a QR code, manual entry, or kiosk), the Service collects the visitor's name, company or organization, phone number, email address, and reason for the visit. Depending on the facility's configuration, I may also collect a drawn signature for NDA acknowledgment, security screening responses, and a photo for identification purposes.

Account Data

When you register for an account, I collect your email address and a password (stored as a salted hash, never in plain text). If you sign in through Google, Microsoft, or a SAML identity provider, I receive your name and email address from that provider. I do not receive or store your SSO password.

Device and Access Data

Every request to the Service includes your IP address, browser type, and the page you visited. I log this information for security monitoring, abuse prevention, and audit trail purposes. I do not use tracking pixels, fingerprinting, or any behavioral analytics tools.

2. How I Use Your Information

I use the information I collect for the following purposes and nothing more.

• Operating the visitor management system, including check-in, check-out, QR code generation, and visitor identification
• Sending notifications to facility staff when visitors arrive or depart, and sending confirmation emails to visitors
• Sending SMS messages through Twilio when a facility has enabled text notifications (only to phone numbers provided during check-in or by account holders who opt in)
• Maintaining audit logs that record who accessed what data and when, for security and compliance
• Enforcing security measures like bot protection, rate limiting, and session management
• Generating aggregate analytics visible on the facility dashboard (total visits, peak hours, visit duration) with no data sold or shared externally

I do not sell, rent, or share your personal information with advertisers, data brokers, or any third party for marketing purposes. Full stop.

3. Data Storage and Security

Each organization ("tenant") on VisitorLog.io gets its own isolated database. Your visitor records, facility settings, and audit logs are physically separated from every other tenant's data. One organization cannot access another's information under any circumstances.

All data in transit is encrypted via HTTPS/TLS. The server infrastructure uses encrypted storage at rest. Passwords are hashed using bcrypt with per-user salts. SSO authentication tokens and Twilio API credentials are encrypted with AES-256-GCM before storage.

The Service runs on infrastructure hosted in the United States. While I implement reasonable security controls, no system is perfectly secure, and I cannot guarantee absolute protection against every possible threat. For more detail on security limitations, see the Terms of Service.

4. Third-Party Services

The Service relies on a small number of third-party providers to function. Here is exactly what each one does and what data it receives.

Twilio (SMS Notifications)

When a facility enables SMS notifications, visitor phone numbers and short notification messages are transmitted to Twilio for delivery. Twilio processes this data under its own privacy policy. SMS is entirely optional and configured per facility.

SMTP2Go (Email Delivery)

All transactional emails (check-in confirmations, staff notifications, password resets) are sent through SMTP2Go. The recipient email address and message content pass through their servers for delivery.

Cloudflare Turnstile (Bot Protection)

Login and registration forms use Cloudflare Turnstile to verify that requests come from real people, not automated scripts. Turnstile may collect your IP address and browser characteristics to make this determination. It does not place tracking cookies or build advertising profiles.

Google and Microsoft (Optional SSO)

If you choose to sign in with Google or Microsoft, those providers share your name and email address with the Service during the authentication flow. I do not receive your password from these providers, and I do not send any of your visitor data back to them.

SAML Identity Providers (Optional Enterprise SSO)

Organizations can configure SAML 2.0 single sign-on with their own identity provider (such as Azure AD or Okta). During authentication, the identity provider sends your name and email to the Service. I do not send visitor data to your identity provider.

5. SMS/Text Messaging

Some facilities on VisitorLog.io offer SMS text message notifications related to your visit. This section explains how I handle text messaging, how you consent to receive messages, and how you can opt out at any time.

How You Opt In

You may be asked to provide your phone number when checking in or out of a facility, either through a QR code check-in page, a manual entry form, or a registration form. If SMS notifications are enabled for that facility, the check-in form will include a clear disclosure and an optional consent checkbox. By checking that box, you are giving your prior express written consent to receive automated text messages from VisitorLog.io (on behalf of the facility) at the phone number you provide. The consent checkbox is never pre-checked; you must affirmatively opt in.

Consent to receive text messages is not a condition of entry to any facility, completion of any check-in, or use of the Service. You may decline SMS notifications and still check in normally.

Types of Messages

If you opt in, you may receive text messages related to your visit, including check-in confirmations, host approval or denial notifications, checkout reminders, and visit status updates. These messages are transactional and directly related to the visit you initiated. I will never send marketing, promotional, or advertising messages to your phone number.

Message Frequency and Rates

Message frequency varies based on your visit activity. You will typically receive between 1 and 5 messages per visit. Message and data rates may apply depending on your mobile carrier and plan. I am not responsible for any charges your carrier may impose for receiving text messages.

How to Opt Out

You can opt out of text messages at any time by replying STOP to any message you receive from the Service. You may also text STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT. After opting out, you will receive one final confirmation message acknowledging your request, and no further messages will be sent. Your opt-out takes effect immediately.

If you wish to resume receiving text messages after opting out, you may reply START to the same number, or you may consent again during a future check-in.

Help

For assistance with text messages, reply HELP to any message from the Service. You will receive a response with the program name, a brief description, and instructions for opting out. You can also contact the Service operator using the information in Section 11 below.

Phone Number Data Handling

Your phone number is collected solely for the purpose of delivering visit-related notifications. It is stored in the facility's isolated tenant database and is subject to the same retention period the organization has configured (see Section 7). Your phone number is transmitted to Twilio solely for message delivery and is not sold, rented, or shared with any third party for marketing or advertising purposes.

I maintain a record of your SMS consent, including when and how it was obtained, in compliance with the Telephone Consumer Protection Act (TCPA) and applicable regulations. I also maintain an opt-out log to ensure that once you opt out, no further messages are sent to your number from that facility.

Compliance

The SMS features of this Service are operated in compliance with the Telephone Consumer Protection Act (TCPA), the Cellular Telecommunications Industry Association (CTIA) Messaging Principles and Best Practices, and applicable state consumer protection laws, including the California Consumer Privacy Act (CCPA). If you are a resident of a state with additional text messaging protections, those protections apply to you in addition to the rights described here.

6. Cookies

The Service uses a small number of cookies, all functional. There are no advertising cookies, no tracking cookies, and no third-party analytics cookies.

• Session cookie keeps you logged in while you use the application. It expires when you sign out or after a period of inactivity.
• Theme preference cookie remembers whether you selected light or dark mode.
• Turnstile cookie is set by Cloudflare during bot verification on login and registration pages. It is strictly functional.

That is the complete list. I do not use Google Analytics, Facebook Pixel, Hotjar, or any similar tracking service.

7. Data Retention

Each organization controls how long visitor data is kept. Account owners can configure a retention period in their settings, with the default set to 12 months. After the retention period expires, visitor records are automatically pruned during routine maintenance.

Visitor sessions that remain open without a check-out are automatically closed after a configurable period (default 24 hours) to prevent stale records from accumulating.

Organization owners can export all visitor data in standard formats and can perform a full data wipe through the dashboard. A data wipe permanently deletes all visitor records, audit logs, and session history for that organization. This action requires the owner to re-verify their password and cannot be undone.

Account data (your email, password hash, and preferences) is retained as long as your account exists. If you delete your account or request deletion, this data is removed.

8. Your Rights

You have the right to know what data the Service holds about you, to receive a copy of that data, and to request its deletion. Here is how to exercise those rights.

• Account holders can view, export, and delete visitor data directly from the dashboard. User profile information can be updated or removed from the settings page.
• Visitors who checked in at a facility and want to know what data was recorded, or want that data removed, should contact the organization that manages the facility. The organization's administrators have the tools to look up and delete individual visitor records.
• Anyone can contact me directly through the information in Section 11 below to make a data access or deletion request.

I will respond to verified data requests within 30 days. In some cases, I may need to verify your identity before fulfilling a request to prevent unauthorized access to someone else's data.

9. Children's Privacy

The Service is not directed at children under 13 years of age. I do not knowingly collect personal information from children under 13. If I learn that I have collected information from a child under 13, I will delete it promptly. If you believe a child under 13 has provided personal information through the Service, please contact me so I can take appropriate action.

10. Changes to This Policy

I may update this Privacy Policy from time to time. When I make changes, I will revise the "Effective Date" at the top of this page. For significant changes that affect how I handle your data, I will make reasonable efforts to notify registered account holders by email. Your continued use of the Service after a revised policy takes effect means you accept those changes.

11. Contact

If you have questions about this Privacy Policy, want to make a data request, or need to report a privacy concern, please contact the Service operator through the information provided on the VisitorLog.io website.