Security & Privacy at QR-Verse
We believe you deserve to know exactly how your data is stored, processed, and protected. No vague promises - just facts. QR-Verse runs on EU-hosted infrastructure, is GDPR compliant, and gives you full control over your data.
Infrastructure
Where your data lives and how it is served.
EU Hosting (Hetzner, Germany)
Application servers run in Hetzner cloud data centers in Germany. Your data does not leave the European Union.
Hetzner Online GmbH, Nuremberg & Falkenstein, DE
Database (Supabase / PostgreSQL)
All QR code data and user accounts are stored in PostgreSQL with Row Level Security enforced. Daily automated backups with point-in-time recovery.
EU region, encrypted at rest (AES-256)
CDN & DDoS Protection (Cloudflare)
All traffic passes through Cloudflare for edge caching, global availability, and DDoS mitigation. Cloudflare processes data under GDPR-compliant terms.
Anycast network, 300+ PoPs globally
Encryption
Data protection in transit and at rest.
In Transit
- TLS 1.2+ enforced on all connections
- HSTS (HTTP Strict Transport Security) enabled
- Automatic HTTP to HTTPS redirect
- Secure cookies with SameSite and Secure flags
At Rest
- AES-256 encryption for stored data
- bcrypt hashing for passwords (never stored in plain text)
- Encrypted database backups
- Payment info processed by Stripe - we never see card numbers
What We Collect & What We Don't
Transparency about every data point.
What we collect
- Account email address
- QR code content and destination URLs
- Scan analytics: device type, city-level location, timestamp
- Payment info processed via Stripe (we never see card numbers)
- IP address during account creation (for security only, not stored long-term)
What we don't collect
- Browsing history from scan landing pages
- Personal identity of people who scan your QR codes
- Biometric data of any kind
- Data from third-party trackers on scan pages (we don't run any)
- Location data more precise than city level
- Social media profiles or cross-platform tracking
GDPR Compliance
Your rights under GDPR - and how we honour them.
Right to Access
You can request a full export of all data we hold about you at any time from your account settings.
Right to Portability
Export your QR codes, scan data, and account information in standard formats (CSV, JSON). Your data, your way.
Right to Deletion
Delete your account and all associated data at any time. Deletion is permanent and irreversible after the 30-day grace period.
No Data Selling
We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. Period.
Analytics Opt-in for Scanners
Scan analytics are opt-in for the people who scan your QR codes. No persistent cookies are set on scan pages.
Data Processing Agreement
Business customers can request a DPA (Data Processing Agreement) by emailing [email protected].
What Happens When You Cancel
We want you to trust that your work is safe, even if you leave.
QR codes keep redirecting
Your dynamic QR codes continue to work after cancellation. We do not break redirect chains just because a subscription lapses.
Analytics paused, not deleted
Scan analytics are paused when you downgrade to free. Your historical data is retained and becomes accessible again if you reactivate.
Export before you delete
You can export all your QR codes, scan data, and account information at any time - including after cancellation, during the 30-day grace period.
30-day grace period
After cancellation your account remains fully accessible for 30 days. After that, the account is archived (not immediately deleted) for an additional 60 days.
Responsible Disclosure
Found a security issue? We want to hear from you.
Contact: [email protected]
Email us with a description of the issue, steps to reproduce, and your suggested severity. PGP key available on request.
48-hour acknowledgement
We commit to acknowledging every security report within 48 hours. For critical vulnerabilities we aim to have a patch within 7 days.
Good-faith researchers protected
We will not pursue legal action against security researchers who disclose vulnerabilities in good faith, follow our guidelines, and do not access or modify user data.
Hall of fame
Researchers who responsibly disclose valid vulnerabilities are credited in our security hall of fame (with permission).
Frequently Asked Questions
Is QR-Verse GDPR compliant?
Yes. QR-Verse is built to be GDPR compliant. Our servers are hosted in Germany (EU), we process only necessary data, provide full data export and deletion rights, do not use third-party trackers, and do not sell user data. Business customers can request a Data Processing Agreement.
Where are my QR codes stored?
All QR code data is stored in a PostgreSQL database hosted on Supabase in the EU region. The database uses Row Level Security so that each user can only access their own data. Backups are encrypted and stored in the same EU region.
What happens to my data if I cancel?
When you cancel, your QR codes continue redirecting. Analytics are paused but your historical data is retained. You have a 30-day grace period with full account access to export everything. After that, the account is archived for 60 more days before permanent deletion.
Do you sell user data?
No. We do not sell, rent, or share user data with any third party for marketing or advertising. Our business model is subscriptions. Your data is used solely to provide the QR-Verse service to you.
Is my scan data anonymous?
Yes. We collect device type, browser, operating system, approximate city-level location, and timestamp. We do not collect names, email addresses, or any personally identifiable information from people who scan your QR codes. No cookies are set on scan pages.
How do you handle security vulnerabilities?
Security issues should be reported to [email protected]. We acknowledge reports within 48 hours, prioritize fixes based on severity, and protect good-faith researchers from legal action. We do not currently have a bounty program, but we do maintain a hall of fame.
Can I export my data?
Yes. You can export your QR codes and scan analytics as CSV or JSON at any time from your account settings. This is available on all plans, including free. You can also request a full account data export by contacting support.
Do third parties access my QR code data?
Our infrastructure partners (Hetzner for hosting, Supabase for the database, Cloudflare for CDN, Stripe for payments) have limited, necessary access as part of providing the service. None of these partners are permitted to use your data for their own purposes. We do not share data with advertisers, data brokers, or analytics platforms.