Privacy Policy
Last updated: May 13, 2026
Your privacy matters to us. This policy explains how QRCodeStack ("we", "us", "our") collects, uses, shares, and protects personal information when you use our website, dashboard, and APIs (the "Services"). It applies to visitors, registered users, and people who scan QR codes generated through our platform.
1. Who We Are (Data Controller)
The data controller responsible for personal information processed through QRCodeStack is:
SUPERSTORE SEVEN TECHNOLOGY SOLUTIONS LLP
Innov8 Mantri Commercio Tower A, 5th Floor,
M/S Deeta Construction Pvt. Ltd. No.51,
Devarabisanahalli, Bellandur,
Bangalore, Karnataka, India - 560103
Privacy contact: support@qrcodestack.com (subject: "Privacy")
For users in the EEA, the United Kingdom, or Switzerland, you can reach our privacy contact at the email above. We do not currently have an appointed EU representative under GDPR Art. 27 as our processing does not meet the thresholds.
2. Information We Collect
2.1 Account information (from you)
- Email address (required)
- Password (stored only as a one-way salted hash — we never see your plaintext password)
- Name (optional)
- Profile preferences (timezone, language, notification settings)
2.2 Content you create
- QR code destination URLs and content (vCards, WiFi credentials, menus, etc.)
- QR code customization (colors, logos, names, descriptions)
- Files you upload to link to QR codes (PDFs, images) — stored in encrypted object storage
2.3 Scan analytics (collected when someone scans your QR code)
- Date and time of scan
- Device type, operating system, and browser (from User-Agent)
- Approximate geographic location (city / country, derived from IP)
- Referrer information
- IP address — used to derive location, then truncated and not stored in raw form for more than 30 days
If you are the scanner (not the QR code owner), we collect only the data above and do not link it to any account. We do not attempt to identify you from a scan alone.
2.4 Usage and diagnostic data
- Pages viewed, features used, and clicks (only when you've consented to analytics cookies)
- Error reports (via Sentry — necessary for service reliability)
- Server logs (IP, request path, response code) — retained for 30 days for security and abuse prevention
2.5 Payment information
Payments are processed by Dodo Payments. We never see your full card number or bank details. We receive only:
- Subscription status and plan
- Transaction IDs and amounts
- Billing country (for tax)
- Last 4 digits of card (display only)
3. How We Use Your Information & Legal Basis (GDPR Art. 6)
If you are in the EEA, UK, or Switzerland, GDPR requires us to identify a lawful basis for each purpose:
| Purpose | Legal basis |
|---|---|
| Provide and maintain the QR code service | Contract (Art. 6(1)(b)) |
| Process subscription payments | Contract (Art. 6(1)(b)) |
| Display scan analytics to QR code owners | Contract (Art. 6(1)(b)) |
| Send service emails (billing, security, important changes) | Contract (Art. 6(1)(b)) |
| Send marketing emails (product updates, offers) | Consent (Art. 6(1)(a)) — opt-in, revocable any time |
| Analytics & marketing cookies (GA, Ads, Pixel, Clarity, PostHog) | Consent (Art. 6(1)(a)) — via cookie banner |
| Fraud / abuse detection, security logging | Legitimate interests (Art. 6(1)(f)) |
| Tax records, accounting, legal compliance | Legal obligation (Art. 6(1)(c)) |
4. How We Share Information (Sub-processors)
We do not sell or rent personal information. We share data only with vendors under contract, to operate the service.
The categories of recipients we engage are listed below. Where required, we have signed Data Processing Agreements and rely on Standard Contractual Clauses for any transfer outside the EEA/UK. Enterprise customers can request the full named sub-processor list by emailing support@qrcodestack.com with subject "Sub-processor List".
| Category of recipient | Purpose | Location |
|---|---|---|
| Cloud hosting provider | Application hosting and database | United States |
| CDN & network security provider | CDN, DNS, DDoS protection, encrypted object storage | Global edge |
| Dodo Payments | Subscription billing and payment processing | Global |
| Google (Analytics, Ads) | Site analytics & advertising (only with your consent) | Global |
| Meta Platforms | Ad measurement via Meta Pixel (only with your consent) | Global |
| Microsoft Clarity | Session recording & heatmaps (only with your consent) | United States |
| Product analytics provider | In-app product usage analytics (only with your consent) | United States |
| Error monitoring provider | Diagnostic error tracking (necessary) | United States / EU |
| Live chat support provider | Customer support chat (loaded only on Support pages) | India / Global |
We may also disclose information when required by law, in response to a valid legal request, or to protect our rights, users, or the public.
5. International Data Transfers
QRCodeStack is operated from India. Data is processed in India, the United States, and the EU (via our sub-processors). When we transfer personal data of EEA/UK/Swiss residents outside those regions, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where applicable.
6. Data Retention
- Account data: for the life of your account, plus 30 days after deletion (grace period for recovery), then purged.
- QR codes and uploaded files: for the life of your account, or until you delete them.
- Scan analytics: aggregated indefinitely; raw scan records (with truncated IP) for 24 months.
- Raw server logs: 30 days.
- Payment records and invoices: 7 years (tax law).
- Support emails: 24 months from last interaction.
7. Data Security
- End-to-end encryption for all data in transit (HTTPS-only).
- Passwords stored only as one-way salted hashes.
- Sensitive fields encrypted at rest using industry-standard symmetric encryption.
- Encrypted object storage with provider-managed keys for uploaded files.
- Role-based access controls; least-privilege principle for staff.
- Strict HTTP security headers and Content Security Policy.
- Vulnerability disclosure policy available on request.
Read our full Security & Compliance page for details.
8. Your Privacy Rights (GDPR & UK GDPR)
If you are in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:
- Access (Art. 15) — request a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure / "right to be forgotten" (Art. 17) — request deletion of your data.
- Restriction (Art. 18) — limit how we process your data.
- Portability (Art. 20) — receive your data in a machine-readable format.
- Object (Art. 21) — object to processing based on legitimate interests or direct marketing.
- Withdraw consent at any time — without affecting processing already carried out.
- Lodge a complaint with your local supervisory authority.
To exercise any right, submit a request via our privacy request form or email support@qrcodestack.com. We respond within 30 days (extendable by up to 60 days for complex cases, with notice). We may need to verify your identity by asking you to confirm details from your account. There is no fee unless a request is manifestly unfounded or excessive.
9. California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you specific rights:
- Right to know what personal information we have collected, used, disclosed, and shared about you in the past 12 months.
- Right to delete personal information, subject to legal exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" of personal information. We do not sell personal information for money. However, our use of Google Ads and Meta Pixel cookies may qualify as "sharing" for cross-context behavioral advertising under the CPRA. You can opt out using the cookie banner, our "Do Not Sell or Share My Personal Information" link, or by enabling the Global Privacy Control (GPC) signal in your browser — we honor GPC automatically.
- Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined by the CPRA.
- Right to non-discrimination for exercising any of these rights.
Categories of personal information we collect (Cal. Civ. Code §1798.140): identifiers (email, IP), commercial information (subscription history), internet/electronic activity (page views, scans), geolocation (approximate), and inferences (from usage patterns, only with consent).
To exercise your CCPA rights, use our privacy request form or email support@qrcodestack.com with subject "CCPA Request". An authorized agent may submit a request on your behalf with written authorization.
10. Cookies & Similar Technologies
We use cookies and similar technologies in three categories:
- Strictly necessary — keep you signed in, remember security tokens, process payments. Cannot be disabled.
- Analytics — measure feature usage and improve the product (Google Analytics, Microsoft Clarity, PostHog). Only set after you grant analytics consent.
- Marketing — measure ad performance and show relevant ads off-site (Google Ads, Meta Pixel). Only set after you grant marketing consent.
You can change your choices at any time via the cookie icon at the bottom-left of every page, or read our full Cookie Policy for the list of cookies and their durations.
11. Children's Privacy
QRCodeStack is not intended for children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact support@qrcodestack.com and we will delete it.
12. Automated Decision-Making
We do not use your personal data to make automated decisions that produce legal effects or significantly affect you. Fraud-prevention rules may temporarily flag suspicious activity, but a human reviews any account action taken as a result.
13. Data Breach Notification
If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected users without undue delay.
14. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest change. For material changes, we will provide additional notice (banner, email, or in-app notification) before the change takes effect. Continued use after the effective date constitutes acceptance.
15. Contact & Questions
Questions, complaints, or data requests:
- Email: support@qrcodestack.com
- Privacy request form: qrcodestack.com/privacy-request
- Postal address: See section 1 above.