Privacy Policy

Last updated: 5/18/2026

1. Controller

The controller for GDPR purposes is the operator listed in the Imprint.

2. Purposes & legal bases

  • Account & login – Art. 6(1)(b) GDPR. Data: email, name, hashed password or Google OAuth token (Firebase Auth).
  • QR code creation / management – Art. 6(1)(b) GDPR. Stored: title, target URLs, uploaded files (logos, PDFs), design settings.
  • Payments – Art. 6(1)(b)/(c) GDPR. Handled by Stripe; we do not store card data.
  • Scan statistics for dynamic QR codes – Art. 6(1)(f) GDPR (legitimate interest of the QR owner). Collected on scan: truncated IP (IPv4 /24, IPv6 /64), user-agent, derived OS/browser/device, country/city/coordinates via IP geolocation (approximate), timestamp, daily hash for unique detection. We do not store full IPs.
  • Error / security logs – Art. 6(1)(f) GDPR. Retention up to 30 days.

3. Recipients / third-country transfers

  • Google Firebase (Google Ireland Ltd. / Google LLC, USA) – auth, Firestore, hosting. SCCs under Art. 46 GDPR.
  • Stripe Payments Europe Ltd. (Ireland, with Stripe Inc., USA) – payments.
  • Vercel Inc. (USA) – application hosting; EU regions preferred.
  • ip-api.com – IP geolocation (IP sent for lookup only, not stored).
  • OpenStreetMap (UK) – map tiles for dashboard heatmap.

4. Retention

  • Account / QR data: until you delete it.
  • Detailed scan events: plan-dependent — Basic 30 days, Pay-per-QR 90 days, Starter 180 days, Advanced 365 days, Professional 730 days. After that, anonymous monthly aggregation is kept for long-term statistics.
  • Anonymous archive aggregates (month + country + device type): unlimited, as they are no longer personal data (Recital 26 GDPR).
  • Invoices / payment records: 10 years (German tax law).
  • You receive a warning email with an export link 30 days before the first automatic purge.

5. Your rights (Art. 15–22 GDPR)

  • Access, rectification, erasure, restriction, portability, objection.
  • In the dashboard under Settings → My Data you can export your data (JSON) or delete your account and all associated QR codes.
  • Right to lodge a complaint with a supervisory authority.

6. Cookies & local storage

Technically necessary cookies (login session) are set without consent. For optional analytics cookies we ask on first visit via the consent banner (Art. 6(1)(a) GDPR); consent can be withdrawn at any time.

7. Contact

Contact details are listed in the Imprint.