Privacy

Privacy Policy

Effective date: 8 June 2026 · Last updated: 8 June 2026

    QRForge is committed to protecting your privacy. This policy explains what personal data we collect, how we use it, and your rights. We process data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws.
  

1. Who We Are

QRForge ("we", "us", "our") operates the QRForge platform available at qrforge.link. For the purposes of the GDPR, QRForge acts as the data controller for personal data collected from registered users and visitors to our website.

For questions about this policy or your personal data, contact us at privacy@qrforge.link.

2. Data We Collect

2.1 Data You Provide

Category	Examples	When collected
Account data	Name, email address, password (hashed)	At registration
Billing data	Subscription plan, billing country, last 4 digits of card (via LemonSqueezy)	On subscription
Content data	QR code configurations, landing page content, project names, custom domain names	During use of Service
Communications	Support messages, feedback submissions	When you contact us

2.2 Data Collected Automatically

Category	Examples	Purpose
Usage data	Pages visited, features used, timestamps	Service improvement
Device & technical data	Browser type, operating system, screen resolution, IP address	Security, compatibility
QR scan analytics	Scan timestamp, approximate geolocation (country/city), device type, operating system, referrer	Analytics for QR code owners
Log data	Server logs, error reports, performance metrics	Diagnostics, security

2.3 End-User Scan Data

When a person scans a QR code created with QRForge, we may collect limited technical data about that scan (e.g. approximate location derived from IP address, device type, scan time). QRForge acts as a data processor for this data on behalf of the QR code owner (who is the data controller). QR code owners are responsible for ensuring they have a lawful basis for collecting this data and for providing appropriate disclosures to their end-users.

3. Legal Basis for Processing (GDPR)

Processing activity	Legal basis
Providing the Service (account management, QR code delivery)	Performance of a contract (Art. 6(1)(b))
Billing and payment processing	Performance of a contract (Art. 6(1)(b))
Security monitoring and fraud prevention	Legitimate interests (Art. 6(1)(f))
Service improvement and analytics	Legitimate interests (Art. 6(1)(f))
Sending transactional emails (verification, billing alerts)	Performance of a contract (Art. 6(1)(b))
Marketing communications (where applicable)	Consent (Art. 6(1)(a))
Compliance with legal obligations	Legal obligation (Art. 6(1)(c))

4. How We Use Your Data

We use the data we collect to:

Create and manage your account and provide the Service
Process payments and manage your subscription
Send transactional emails (email verification, invoices, payment alerts, subscription updates)
Provide QR scan analytics dashboards to you as the QR code owner
Monitor and improve the performance, security, and reliability of the Service
Detect, prevent, and investigate fraud, abuse, or security incidents
Respond to your support requests and communications
Comply with our legal obligations

We will not sell your personal data to third parties, nor will we use it for targeted advertising without your explicit consent.

5. Data Sharing & Disclosure

We share your data only in the following circumstances:

5.1 Service Providers (Sub-processors)

Provider	Purpose	Location
Google Cloud Platform / Firebase	Infrastructure, database, authentication, hosting	EU (europe-west1)
LemonSqueezy	Payment processing, subscription management	USA (SCCs apply)
Resend	Transactional email delivery	USA (SCCs apply)
Sentry	Error monitoring and crash reporting	USA (SCCs apply)

All sub-processors are bound by data processing agreements and are required to process data only as instructed by us.

5.2 Legal Requirements

We may disclose your data if required to do so by law, regulation, or valid legal process, or to protect the rights, property, or safety of QRForge, our users, or the public.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

5.4 With Your Consent

We may share your data in other ways if you have given explicit consent to do so.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with the Service. Specifically:

Account data: retained for the duration of your account plus up to 90 days after deletion to allow for account recovery
Billing records: retained for 7 years to comply with financial and tax regulations
QR scan analytics: retained for the duration of your account; you may delete individual QR codes and their associated data at any time
Support communications: retained for up to 3 years
Server logs: retained for up to 90 days

When data is no longer required, we securely delete or anonymise it.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access Request a copy of the personal data we hold about you.

Rectification Request correction of inaccurate or incomplete data.

Erasure Request deletion of your personal data ("right to be forgotten").

Restriction Request that we restrict processing of your data.

Portability Receive your data in a structured, machine-readable format.

Objection Object to processing based on legitimate interests.

Withdraw consent Withdraw consent at any time where processing is based on consent.

Complaint Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at privacy@qrforge.link. We will respond within 30 days. We may ask you to verify your identity before processing your request.

California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise CCPA rights, contact us at privacy@qrforge.link.

8. Cookies & Tracking

We use cookies and similar technologies to operate the Service. These include:

Type	Purpose	Can be disabled?
Essential	Authentication session, security tokens required for the Service to function	No — required for Service
Functional	User preferences, UI state	Yes (may affect functionality)
Analytics	Aggregate usage statistics to improve the Service	Yes

We do not use third-party advertising cookies or cross-site tracking cookies. You can manage cookies through your browser settings.

9. Security

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include:

Data encrypted in transit (TLS 1.2+) and at rest
Firebase Authentication with bcrypt-hashed passwords
Firestore security rules restricting data access to authorised users
Infrastructure hosted on Google Cloud Platform (ISO 27001, SOC 2 certified)
API key management via Google Secret Manager
Regular security monitoring and error tracking via Sentry

Despite these measures, no transmission over the internet is completely secure. In the event of a personal data breach, we will notify affected users and the relevant supervisory authority in accordance with applicable law.

10. International Data Transfers

Our primary infrastructure is hosted in the EU (Google Cloud europe-west1). Some sub-processors are located outside the European Economic Area (EEA). Where we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where applicable

You may request further information about the specific transfer mechanisms we rely on by contacting privacy@qrforge.link.

11. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@qrforge.link and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on this page and, where appropriate, by email to your registered address. The "Last updated" date at the top indicates when this policy was last revised.

We encourage you to review this policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

13. Contact & DPO

For privacy-related enquiries, data subject requests, or concerns, please contact us:

📧 Privacy enquiries: privacy@qrforge.link
📧 General: hello@qrforge.link
🌐 qrforge.link

We aim to respond to all privacy requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.