Privacy Policy
Your privacy is important to us
Last Updated:
Our Commitment to Your Privacy
At QRAnalytica, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our QR code analytics platform and related services. Please read this privacy policy carefully.
Quick Summary: We collect data necessary to provide our QR code analytics services. We never sell your personal information. You have full control over your data and can request deletion at any time.
1. Information We Collect
Personal Information You Provide
When you register for an account or use our Services, we collect:
- Account Information: Name, email address
- Payment Information: Billing details processed securely through LemonSqueezy (we do not store credit card information)
- Communication Data: Messages you send us, support tickets, feedback
QR Code Tracking Data
When someone scans a QR code created through our platform, we collect:
- Device Information: Device type, operating system, browser type
- Location Data: Country, region, city. While we mask IP addresses to enhance privacy, this data is still processed as personal data under GDPR and used only for analytics purposes as described in our legal basis.
- Scan Details: Date and time of scan, referring source
- User Agent: Browser and device characteristics
Note: This data is collected for analytics purposes to help you understand who is engaging with your QR codes. We do not collect personally identifiable information from end users who scan your QR codes.
Automatically Collected Information
When you visit our website or use our Services, we automatically collect:
- Usage Data: Pages visited, features used, time spent on platform
- Technical Data: Browser type, device identifiers
- Cookies and Tracking: Session cookies, preference settings, analytics data
- Log Data: Server logs, error reports, performance metrics
Third-Party Integrations
If you connect third-party services to your account:
- Google Analytics: Analytics tracking codes and associated data
- Facebook Pixel: Pixel IDs and tracking configuration
- Custom Domains: Domain names and DNS configuration
2. How We Use Your Information
We use the information we collect for the following purposes:
Service Delivery
- Create and manage your account
- Generate and track QR codes
- Provide analytics and insights
- Process payments and manage subscriptions
Communication
- Send service-related notifications and updates
- Respond to your inquiries and support requests
- Send marketing communications (with your consent)
- Notify you of changes to our policies or services
Improvement and Security
- Improve and optimize our Services
- Develop new features and functionality
- Detect and prevent fraud and abuse
- Maintain security and protect user accounts
Analytics and Research
- Analyze usage patterns and trends
- Create aggregated, anonymized statistics
- Conduct market research and analysis
- Measure effectiveness of our services
Legal Compliance
- Comply with legal obligations
- Enforce our Terms of Service
- Respond to legal requests and prevent harm
- Protect our rights and property
2A. Legal Basis for Processing Your Data
GDPR Compliance: Under the General Data Protection Regulation (GDPR) Article 13(1)(c), we are required to inform you of the legal basis for processing your personal data. Below we specify which legal basis applies to each type of processing activity.
We process your personal data based on the following legal grounds under GDPR Article 6:
Legitimate Interest (Article 6(1)(f))
We process QR code scan data and analytics based on our legitimate interest in:
- Service Delivery: Providing QR code performance analytics to our customers as the core functionality of our platform
- Fraud Prevention: Detecting and preventing fraudulent activities, abuse, and unauthorized access to protect our users and platform integrity
- Platform Security: Ensuring the security and stability of our services, including monitoring for security threats and system performance
- Service Improvement: Analyzing usage patterns to optimize our platform, develop new features, and enhance user experience
Balancing Test: We have conducted a Legitimate Interest Assessment and determined that our processing is necessary for these purposes, uses minimal data (masked IPs, aggregated analytics), and does not override your fundamental rights and freedoms. Users scanning QR codes can reasonably expect basic analytics tracking as part of QR code functionality.
Your Right to Object: You have the right to object to processing based on legitimate interest at any time. See Section 6A below for details on how to exercise this right.
Contract Performance (Article 6(1)(b))
Processing necessary to fulfill our contractual obligations to you:
- Creating and managing your account
- Generating QR codes and providing access to your dashboard
- Processing payments and managing subscriptions
- Providing customer support and responding to your requests
- Delivering the core services you signed up for
Consent (Article 6(1)(a))
Processing based on your explicit consent for:
- Marketing communications and promotional emails
- Non-essential analytics cookies (Google Analytics, Microsoft Clarity)
- Third-party integrations (Google Analytics ID, Facebook Pixel)
- Optional features and beta program participation
You can withdraw your consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
Legal Obligation (Article 6(1)(c))
Processing necessary to comply with legal requirements:
- Retaining payment records for tax and accounting purposes (7 years)
- Responding to lawful requests from authorities
- Complying with data protection regulations and user rights requests
- Maintaining records required by applicable laws
Important: Different legal bases may apply to different types of data processing. If you have questions about which legal basis applies to a specific processing activity, please contact us at [email protected].
3. How We Share Your Information
✓ We never sell your personal information to third parties.
We may share your information in the following limited circumstances:
Service Providers
We work with trusted third-party service providers who assist us in operating our platform:
- Payment processing (LemonSqueezy)
- Cloud hosting and infrastructure (Cloudflare)
- Email delivery services (Zoho)
- Customer support tools (Crisp Chat)
- Analytics services (Google Analytics)
These providers are contractually obligated to protect your data and use it only for providing services to us.
Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
Legal Requirements
We may disclose your information if required by law, court order, or to:
- Comply with legal processes
- Protect our rights and property
- Prevent fraud or security issues
- Protect the safety of users or the public
With Your Consent
We may share your information for other purposes with your explicit consent.
Aggregated Data
We may share aggregated, non-personally identifiable information publicly or with partners to show usage trends and insights.
4. Data Security
We implement industry-standard security measures to protect your information:
Encryption
All data is transmitted over HTTPS with TLS encryption. Passwords are hashed and salted.
Secure Infrastructure
Data is stored on secure, SOC 2 compliant cloud infrastructure with regular backups.
Access Controls
Strict access controls and authentication for internal systems and databases.
Monitoring
Continuous monitoring for security threats and unauthorized access attempts.
Important: While we implement strong security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
5. Data Retention
We retain your information for as long as necessary to provide our Services and fulfill the purposes described in this policy:
- Account Data: Retained while your account is active and for 90 days after deletion
- QR Code Analytics: Retained for the duration of your account plus 90 days
- Payment Records: Retained for 7 years for tax and accounting purposes
- Support Communications: Retained for 3 years
- Log Data: Retained for 90 days unless required longer for security or legal reasons
After the retention period, we securely delete or anonymize your information. Some information may be retained in backup systems for up to 30 additional days.
6. Your Privacy Rights
You have the following rights regarding your personal information:
Access and Portability
Request a copy of your personal information in a machine-readable format.
Correction
Update or correct inaccurate information in your account settings.
Deletion
Request deletion of your account and personal information (subject to legal retention requirements).
Opt-Out
Unsubscribe from marketing communications at any time.
Restriction
Request restriction of processing in certain circumstances.
Object
Object to processing of your information for certain purposes.
To exercise these rights, contact us at [email protected]. We will respond to your request within 30 days.
6A. Your Right to Object (GDPR Article 21)
⚠️ IMPORTANT: You have an absolute right to object to data processing based on legitimate interest at any time.
Under GDPR Article 21, you have the right to object to processing of your personal data when we rely on legitimate interest as the legal basis (as described in Section 2A above). This includes:
- QR code scan analytics and tracking
- Platform usage analytics for service improvement
- Fraud detection and security monitoring (where not legally required)
- Marketing analysis and research
How to Exercise Your Right to Object
To object to processing based on legitimate interest, you can:
Email Us
Send your objection request to [email protected] with the subject line "GDPR Article 21 Objection"
What Information to Include in Your Objection
To process your objection efficiently, please include:
- Your full name and email address associated with your account
- Specific processing activities you object to (e.g., "QR scan analytics", "usage tracking")
- Reason for your objection (optional but helpful)
- Whether you want to object to all legitimate interest processing or specific activities
What Happens After You Object
Response Time: We will respond to your objection within 30 days (or 60 days for complex requests, with notification).
Processing Suspension: We will immediately suspend the processing you objected to while we assess your request.
Assessment: We will evaluate whether we have compelling legitimate grounds that override your interests, rights, and freedoms.
Outcome: If your objection is valid, we will permanently stop the processing. If we have compelling grounds to continue, we will explain our reasoning.
Service Impact: Some objections may affect service functionality (e.g., objecting to QR analytics may limit dashboard features). We will inform you of any impacts.
No Cost, No Consequences: Exercising your right to object is completely free and will not negatively affect your account status or service access (except where the processing is essential for service delivery).
Right to Lodge a Complaint: If you believe we have not properly handled your objection, you have the right to lodge a complaint with your local data protection authority. For EU users, find your authority at https://edpb.europa.eu/about-edpb/board/members_en.
7. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience:
GDPR Cookie Consent
Non-essential cookies (analytics, functional) are blocked by default and only deployed after you provide explicit consent through our cookie banner. Essential cookies required for website functionality are always active. You can withdraw your consent at any time by adjusting your cookie preferences.
Essential Cookies (Always Active)
Required for the website to function properly (authentication, security, preferences). These cookies cannot be disabled as they are necessary for core functionality.
Analytics Cookies (Requires Consent)
Help us understand how you use our Services (Google Analytics, Microsoft Clarity). These cookies are only loaded after you provide explicit consent through our cookie banner.
Functional Cookies (Requires Consent)
Remember your preferences and settings. These cookies enhance your experience but are not essential for basic functionality.
You can control cookies through your browser settings or our cookie consent banner. Note that disabling cookies may limit functionality of our Services. To change your cookie preferences, clear your browser cookies and reload the page to see the consent banner again.
8. Third-Party Services and Links
Our Services may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
When you use integrations like Google Analytics or Facebook Pixel, your data is also subject to those platforms' privacy policies.
9. Children's Privacy
Our Services are not directed to children under 13 years of age (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States and other jurisdictions that may have data protection laws that differ from those in your jurisdiction.
GDPR Compliance for International Transfers
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries without an adequacy decision, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses (2021/914) with all data processors and service providers that process personal data outside the EEA.
- Transfer Impact Assessments (TIAs): We conduct Transfer Impact Assessments to evaluate the legal framework and practical safeguards in destination countries, ensuring that the level of protection is not undermined by local laws.
- Data Processing Agreements: All service providers are bound by comprehensive Data Processing Agreements that include security obligations, data protection requirements, and audit rights.
- Technical Safeguards: We implement encryption in transit (TLS 1.3) and at rest, access controls, and data minimization to protect transferred data.
Post-Schrems II Compliance
Following the invalidation of Privacy Shield in July 2020 (Schrems II ruling), we no longer rely on Privacy Shield for international data transfers. All transfers are now governed by Standard Contractual Clauses with supplementary measures as required by EDPB Recommendations 01/2020.
Primary Data Processing Locations: United States (cloud infrastructure), European Union (backup and redundancy). You can request more information about specific data transfer mechanisms by contacting us at [email protected].
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the updated policy on our website
- Sending you an email notification
- Displaying a notice in your dashboard
Your continued use of our Services after changes become effective constitutes acceptance of the updated Privacy Policy.
Questions About Privacy?
If you have questions or concerns about how we handle your data, we're here to help.