Privacy Policy
Effective date: January 1, 2026 · Last updated: January 1, 2026
This Privacy Policy explains how QR Platform ("we", "our", or "us") collects, uses, stores, and shares your personal data when you use our QR code generation and analytics platform. We are committed to transparency and protecting your rights under the General Data Protection Regulation (GDPR), the Indian Personal Data Protection Act, the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
1. Introduction
By accessing or using QR Platform (available at qrplatform.app and its subdomains), you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms of this policy, please do not use our Service.
This policy applies to all users of the platform — including visitors to the marketing site, registered account holders, and end-users who scan QR codes generated through our Service (scan recipients).
2. Data Controller Information
The data controller responsible for your personal data is:
If you are located in the European Economic Area (EEA), you may also lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.
3. Data We Collect
3.1 Account & Profile Data
When you register for an account, we collect:
- First and last name
- Email address
- Hashed password (bcrypt; we never store plaintext passwords)
- Account creation timestamp and last login timestamp
- Email verification status
- Subscription plan and billing information (plan tier; we do not store card numbers)
3.2 QR Code Content Data
Data you provide when creating QR codes, including URLs, contact details (vCard), WiFi credentials, plain text, and other content types. This data is stored to render and serve your QR codes.
3.3 Scan Analytics Data
When someone scans one of your QR codes, we automatically record:
- Hashed IP address — the scanner's IP is immediately SHA-256 hashed before storage. We never store raw IP addresses. The hash is used solely to count unique scans.
- Approximate geolocation — country, region, and city derived from the IP using a local GeoIP database (MaxMind GeoLite2). No GPS or precise location is accessed.
- Device & browser — user-agent string parsed to extract device type (mobile/desktop/tablet), operating system, and browser name. The raw user-agent string is not stored.
- Scan timestamp
- Referrer URL (if available)
3.4 Technical & Log Data
Server logs may temporarily contain IP addresses, HTTP request paths, and timestamps for operational and security purposes. These logs are automatically purged within 30 days.
3.5 Communications Data
If you contact us by email or through support channels, we retain the correspondence to provide assistance and improve the Service.
4. How We Use Your Data
We use collected data to:
- Create and manage your account
- Generate and serve QR codes
- Process QR code scans and provide analytics dashboards to QR code owners
- Send transactional emails (email verification, password reset, scan milestone notifications)
- Enforce subscription plan limits and process billing
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
- Improve and develop the Service through aggregate, anonymised usage analysis
- Respond to support requests and communications
We do not sell your personal data to third parties, nor do we use it for targeted advertising.
5. Legal Basis for Processing (GDPR Article 6)
For users in the EEA and UK, we rely on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Performance of a contract (Art. 6(1)(b)) |
| Providing the QR code and analytics service | Performance of a contract (Art. 6(1)(b)) |
| Sending transactional emails | Performance of a contract (Art. 6(1)(b)) |
| Recording scan analytics on behalf of the QR code owner | Legitimate interests (Art. 6(1)(f)) — providing the analytics feature users have requested |
| Fraud detection and platform security | Legitimate interests (Art. 6(1)(f)) |
| Legal obligation compliance | Legal obligation (Art. 6(1)(c)) |
| Marketing communications (if any) | Consent (Art. 6(1)(a)) — you may withdraw at any time |
7. International Data Transfers
Your data may be processed in countries outside your country of residence, including countries outside the European Economic Area (EEA). Where we transfer personal data from the EEA to third countries, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions issued by the European Commission
- Binding Corporate Rules where applicable
You may request a copy of the relevant safeguards by contacting us at privacy@qrplatform.app.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days backup window |
| QR code data | Until QR code is deleted by user or account is closed |
| Scan analytics | Free plan: 30 days; Starter: 1 year; Pro/Enterprise: unlimited |
| Hashed IP for uniqueness | Same as scan analytics retention period |
| Transactional email records | 12 months |
| Server logs | 30 days, then automatically purged |
| Support communications | 3 years from last interaction |
When you delete your account, your personal data is deleted or anonymised within 30 days, except where we are required to retain it for legal or compliance purposes.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right of Access (GDPR Art. 15): Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data.
- Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your data when it is no longer necessary, or when you withdraw consent.
- Right to Restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format and transfer it to another controller.
- Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling.
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
- Right to Lodge a Complaint: File a complaint with your national data protection supervisory authority.
- CCPA Rights (California): California residents may request disclosure, deletion, and opt-out of sale of personal information.
To exercise any of these rights, email us at privacy@qrplatform.app with "Data Rights Request" in the subject line. We will respond within 30 days (or within 72 hours for urgent erasure requests in breach-related scenarios). We may need to verify your identity before fulfilling the request.
11. Children's Privacy
QR Platform is not directed to individuals under the age of 16 (or under 13 in the United States). We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal information without parental consent, please contact us at privacy@qrplatform.app and we will delete such data promptly.
12. Security
We implement industry-standard technical and organisational measures to protect your personal data, including:
- TLS/HTTPS encryption for all data in transit
- bcrypt password hashing with a cost factor ≥10
- SHA-256 IP hashing before storage
- JWT access tokens with 15-minute expiry and refresh token rotation
- Rate limiting on authentication endpoints to prevent brute-force attacks
- Encrypted database connections
- Regular security reviews and dependency audits
No method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach that poses a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33/34.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and/or by displaying a prominent notice on the platform at least 30 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
QR Platform — Privacy Team
Email: privacy@qrplatform.app
GDPR requests: gdpr@qrplatform.app
We aim to respond to all privacy requests within 30 days. For urgent matters (e.g. suspected data breach), we respond within 72 hours.