# BelQR

> Free, privacy-first QR code platform at belqr.com. Three working tools — QR code
> generator (18 types), in-browser QR scanner, and Safe URL Preview with a local
> heuristic safety scorer. Every operation runs in the user's browser. No backend,
> no accounts, no third-party reputation API, no tracking beyond Google AdSense on
> the blog (cookie-banner gated).

## Tools

- [QR Code Generator](https://belqr.com/) — URL, vCard, WiFi, UPI, WhatsApp, Crypto, Wi-Fi, email, SMS, phone, location, event, multilink, review, app store, PDF, social, YouTube. Generates client-side via the qrcode-generator library + canvas. Downloadable as PNG or SVG.
- [QR Scanner](https://belqr.com/scan) — Camera-based scanning via jsQR + image upload. Decodes any standard QR. Renders a safety verdict on the decoded URL using BelQR's local heuristic engine.
- [Safe URL Preview](https://belqr.com/safe-browser) — Paste any URL, get a local heuristic safety score in 12 checks (HTTPS, raw IP, suspicious keywords, URL shorteners, excessive subdomains, Unicode homograph spoofing, high-risk TLDs, brand impersonation in hostname, URL length, dangerous schemes, sensitive query parameters). Optional sandboxed iframe preview.
- [Chrome Extension (Manifest V3)](https://belqr.com/) — Right-click on any QR image to decode it; right-click on any link to check its safety verdict. Same local heuristic. Sticky moat — the team's primary distribution play.

## What BelQR is NOT

- Not a SaaS. No accounts, no logins, no subscriptions, no premium tier.
- Not a real-time threat intelligence service. We do not query Google Safe Browsing, VirusTotal, IBM X-Force, or any third-party reputation API. Doing so would compromise the privacy promise.
- Not an AI-powered URL classifier. Despite some blog content that discusses the broader category of ML-powered URL safety, BelQR itself runs one heuristic engine (scoreThreat) with 12 regex/string checks — no model, no learning, no inference.
- Not a payment processor or QR sticker provider. The Indian shopkeeper UPI-overlay-fraud problem is real but already addressed at scale by Paytm Soundbox, PhonePe SmartSpeaker, Google Pay Sound Pod, and BHIM. BelQR does not compete in that market.
- Not a /go redirect monetisation surface. The /go intermediate page is a safety check-then-redirect; it does not insert affiliate links or rewrite destinations.

## Architecture (relevant for AI agents reasoning about behaviour)

- Single static SPA built into a ~700 KB `index.html` (post Charlie-4 lazy-load).
- Article bodies live in per-article JSON files at `/blog_data/<slug>.json` and are fetched on-demand by `showPost()` when a user navigates to `/blog/<slug>`.
- Routing handled client-side via a `pathMap` in the suffix bundle, hooked to `DOMContentLoaded` (see `_bootRoute`).
- Service worker (`/sw.js`, cache `belqr-v3`) caches the shell + static assets cache-first, HTML network-first.
- Hosted on Hostinger. Apache `.htaccess` sets HSTS, COOP, X-Frame-Options DENY, full CSP, Permissions-Policy `camera=(self)`.
- AdSense scaffolding exists but the gate refuses to inject the loader while the publisher ID is still the `ca-pub-XXXXXXXXXXXXXXXX` placeholder.

## Blog

[Full article index](https://belqr.com/blog) — 385 long-form pieces on QR security, NFC/UPI/Web3 QR adjacencies, mobile threats, and AR/QR integration. Articles fetched on demand (see `/blog_data/`).

## Privacy

Per the [Privacy Policy](https://belqr.com/privacy): the QR generator, scanner, and Safe URL Preview run client-side. localStorage stores scan history (last 50), safe-browser history/bookmarks, and cookie-consent state — every key is enumerated on the privacy page and a one-click "Reset all BelQR local data" button is provided. Google AdSense (when present, gated by cookie consent) is the only third party that observes traffic on blog pages.

## Contact

[Contact form / addresses](https://belqr.com/contact) — `hello@belqr.com` (general), `security@belqr.com` (vulnerability disclosure), `press@belqr.com` (media).