For security, I could create a system where after the purchase the private key gets sent to you via email. And we send the wallet address with QR code by mail. This could maybe work?
No. That makes no difference. There is no need to send the wallet address if someone is already getting the private key because the address is derived from the private key.
The problem is that since you created the private key, you still have access to that private key and therefore can spend any Bitcoin associated with that private key. People have to trust you to not steal their money.