Skip to content
QR Maker

Privacy Policy

Last updated: April 1, 2026

QR Maker ("we", "us") takes your privacy seriously. This policy explains what data we collect, why, and your rights over it. It applies to all users globally and is designed to comply with the GDPR (EU), CCPA (California), and other applicable privacy laws.

Data controller: XANTICO CONSULTING SL (operating as QR Maker)

CIF: B26564195 · C/ Hermosilla 48, 1º Dcha., 28001 Madrid, Spain

privacy@qr-maker.io

1. What We Collect

Account data

Email address, name, and password (hashed) when you create an account. Collected to provide the Service and communicate with you.

Billing data

Payment is handled by Stripe. We store only your subscription status and plan tier — never your card number or banking details.

QR scan analytics

When someone scans your QR code we record: timestamp, approximate country (from IP, not stored), device type, and browser. We do not store the IP address of the scanner. This data is attributed to your account, not to the scanner.

Usage & logs

API requests, feature usage, and error logs for operating and improving the Service. Server logs are retained for 30 days.

Cookies & local storage

Essential cookies for authentication and session management. Analytics cookies only with your consent. See our Cookie Policy.

2. Legal Bases (GDPR)

  • Contract: Account data and billing, to fulfil our subscription agreement.
  • Legitimate interests: Usage logs, security, fraud prevention, and product improvement.
  • Consent: Analytics cookies and marketing emails (opt-in only).

3. How We Use Your Data

  • To provide and maintain the Service
  • To process payments and manage your subscription
  • To show you scan analytics dashboards
  • To send transactional emails (password reset, invoices)
  • To detect and prevent fraud and abuse
  • To improve the Service based on aggregate usage patterns

We do not sell your data to third parties.

4. Third-Party Services

We share data with these processors to operate the Service:

  • Supabase — database and file storage (EU region)
  • Stripe — payment processing
  • Vercel — web hosting
  • Cloudflare — CDN and DDoS protection
  • OpenAI — AI chat feature (your messages are sent to OpenAI; not used to train models)

All processors are contractually bound to use data only for the specified purpose and to maintain appropriate security.

5. Data Retention

  • Account data: retained while your account is active, then 30 days after closure
  • QR scan analytics: 2 years
  • Billing records: 7 years (legal obligation)
  • Server logs: 30 days

6. International Transfers

We are primarily based in the EU. Some processors operate in the US. Transfers from the EU to the US are covered by Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework.

7. Your Rights

Depending on your location, you may have the following rights:

EU/EEA (GDPR)

  • Access — obtain a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Object to processing based on legitimate interests
  • Withdraw consent at any time
  • Lodge a complaint with your national supervisory authority

California (CCPA/CPRA)

  • Know what personal information is collected and how it is used
  • Delete your personal information
  • Correct inaccurate information
  • Opt out of sale/sharing (we do not sell data)
  • Non-discrimination for exercising rights

To exercise any of these rights, email privacy@qr-maker.io. We will respond within 30 days.

8. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect data from children. If you believe a child has provided us data, contact privacy@qr-maker.io and we will delete it promptly.

9. Security

We use industry-standard measures including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. No system is perfectly secure — please use a strong, unique password and enable two-factor authentication where available.

10. Changes

We will notify you of material changes by email or by displaying a prominent notice on the Service before changes take effect.

11. Contact

Privacy questions or requests: privacy@qr-maker.io