Privacy Policy
Effective: 29 April 2026 - Version 2026-04-29-v1
This policy explains how QR-Verse processes your personal data, the legal bases we rely on, the subprocessors we use, the retention periods we apply, and the rights you have under the EU General Data Protection Regulation (GDPR). We host in the EU, store the minimum data we need, and never sell your information.
Manage your privacy now
Summary
- We are the data controller. EU-based, no US parent. Contact: support@qr-verse.com.
- We process your account email, subscription details, the QR codes you create, anonymised scan analytics, and AI Art generation history.
- We use Supabase (Frankfurt), Stripe, Resend, Cloudflare, Hetzner, and Sentry. The full list with locations is in section 5.
- Marketing and analytics cookies are off by default. Affiliate cookies only fire if you opt in.
- You can download or delete your data at any time from Settings -> Privacy. Deletion has a 30-day grace period.
1. Data controller and contact
The data controller responsible for the processing described in this policy is:
- QR-Verse
- Operated from the European Union
- support@qr-verse.com
- Data Protection Officer (DPO): support@qr-verse.com - mark your email "DPO" so it routes correctly.
- EU Representative: Not separately appointed - the controller is established in the European Union, so an Article 27 representative is not required.
- Lead supervisory authority: Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority - https://autoriteitpersoonsgegevens.nl
2. Categories of personal data we process
We collect only what we need to deliver the service. Each category below lists what we hold and why.
Account data
Email address, display name, locale preference, password hash (when not using OAuth), and OAuth identifiers from Google or Apple if you sign in with them.
Subscription and billing data
Stripe customer ID, plan tier, subscription status, invoice history, country for VAT, and the last 4 digits of the card. We never see or store full card numbers - Stripe handles that.
QR code metadata
The QR codes you create, their target URLs (for dynamic codes), names you assign them, type (URL, vCard, WiFi, etc.), and the styling parameters you choose.
Scan analytics
Timestamp of each scan, country derived from the scanner's IP (the IP itself is never stored), device class (mobile/desktop/tablet), and rough OS family. All scan rows are pseudonymised - they cannot be tied back to the individual scanner.
AI Art generations
The text prompt you submit, the parameters used (style, controlnet strength, seed), and the resulting image. Stored so you can re-download or regenerate. Not used to train any third-party model.
Email logs
Delivery, bounce, open, and click events for transactional and marketing emails, returned by our email provider Resend. Used for deliverability monitoring and to suppress addresses that bounce.
Cookie consent log
When you accept, reject, or change cookie preferences, we store the categories you chose, the consent_version that was active at the time, and the timestamp. This is the audit trail required by Article 7(1) GDPR.
3. Legal bases (GDPR Article 6)
We rely on the following legal bases. Each one is matched to the categories of data above:
Performance of a contract (Article 6(1)(b))
Account data, subscription and billing data, and QR code metadata - we cannot deliver the service without them.
Legitimate interest (Article 6(1)(f))
Scan analytics in aggregate (security, fraud prevention, capacity planning), error logs, and audit trails. We have weighed your interests against ours and documented the balancing test internally.
Consent (Article 6(1)(a))
Marketing emails, non-essential cookies (analytics, marketing, affiliate), and AI Art prompt history beyond active sessions. You can withdraw consent at any time and it is as easy to withdraw as it was to give.
Legal obligation (Article 6(1)(c))
Invoices and subscription records retained for 7 years to satisfy tax law (Dutch Belastingdienst, equivalent EU member-state rules).
4. Recipients and subprocessors
We work with a small set of carefully chosen subprocessors. They process data only on our written instructions under a Data Processing Agreement (DPA).
| Vendor | Purpose | Data location | DPA |
|---|---|---|---|
| Supabase | Database, authentication, file storage | EU - Frankfurt (eu-central-1) | DPA |
| Stripe | Payment processing, subscription billing | Ireland (EU) with US fallback under SCCs | DPA |
| Resend | Transactional and marketing email delivery | EU + US under SCCs | DPA |
| Cloudflare | CDN, DDoS protection, edge caching | Global edge network | DPA |
| Hetzner Online | Application hosting, container infrastructure | EU - Germany only | DPA |
| Sentry | Error tracking and performance monitoring | EU region (de.sentry.io) | DPA |
| Impact (pxf.io) | Affiliate referral tracking - only loads if you opt into Affiliate cookies | US under SCCs | DPA |
| NordVPN affiliate | Partner referral attribution - only loads if you opt into Affiliate cookies | Panama with EU SCCs | DPA |
Full subprocessor list: /legal/subprocessors
5. International data transfers
Most of your data stays in the EU. A few processors operate from the United States. For each US transfer we rely on the European Commission's Standard Contractual Clauses (SCCs, 2021/914) signed within the relevant DPA.
- Stripe (subset of payment data) - SCCs + Stripe's supplementary measures.
- Resend (email metadata) - SCCs + EU-US Data Privacy Framework (where applicable).
- Sentry (error stack traces, scrubbed of PII) - SCCs + EU region by default.
- Impact / pxf.io (affiliate cookies, only when consented) - SCCs.
- Cloudflare (edge requests transit) - SCCs.
We do not transfer personal data to processors based in countries without an adequacy decision unless covered by SCCs and supplementary technical measures (encryption in transit and at rest).
6. Retention periods
We keep personal data only for as long as we need it. Specific periods:
Active account
Indefinite while your subscription or free account is active.
Deleted account
30-day grace period after you request deletion. During the grace period your account is suspended and recoverable. After 30 days, hard deletion runs and personal identifiers are purged.
Subscription and invoice records
7 years from the date of the invoice. Required by Dutch tax law (Algemene Wet Rijksbelastingen, art. 52) and equivalent EU member-state retention rules.
Scan analytics
Raw scan rows: 90 days. After 90 days they are aggregated to country/day counters and the row-level records are deleted.
Cookie consent log
12 months from the date of the consent decision. Required by guidance from CNIL and EDPB on consent records.
Email logs
24 months. Used for deliverability monitoring and bounce suppression.
Backups
Encrypted backups roll off after 35 days. If you request deletion, we will not restore your data from backup unless legally required.
7. Your rights under GDPR
You have the following rights over your personal data. Most can be exercised directly from your account; for the rest, email support@qr-verse.com and we will respond within 30 days.
Right to access (Article 15)
Download a complete copy of your data as a ZIP archive.
Export my data->Right to rectification (Article 16)
Update incorrect personal data.
Edit profile->Right to erasure (Article 17)
Permanently delete your account and personal data. Deletion has a 30-day grace period during which you can cancel.
Delete my account->Right to restriction (Article 18)
Ask us to limit how we process your data while a complaint or correction is pending.
Email support@qr-verse.com->Right to data portability (Article 20)
Receive your data in a structured, machine-readable format (JSON inside a ZIP) and transmit it to another controller.
Export my data->Right to object (Article 21)
Object to processing for marketing or based on legitimate interest. You can opt out of marketing emails directly.
Email preferences->Right to withdraw consent (Article 7(3))
Revoke cookie consent or marketing consent at any time. As easy to revoke as to give.
Cookie preferences->Right to lodge a complaint (Article 77)
File a complaint with the supervisory authority in your EU member state. Our lead authority is the Dutch AP. You may also contact your local DPA.
Find your DPA->
9. Security measures
We follow standard EU SaaS security practices:
- TLS 1.2+ for all traffic between you and our edge (Cloudflare).
- Encryption at rest for the Supabase Postgres database and storage buckets.
- Row-Level Security (RLS) policies on every user-facing table - users can only read their own data.
- Secrets stored in environment variables, never in source control.
- Sentry alerts for runtime errors, with automatic PII scrubbing.
- Penetration test review on major releases; bug bounty available - mail support@qr-verse.com.
- Backups encrypted with AES-256, 35-day rolling retention, EU-only.
- Two-factor authentication is enforced for all founder accounts and offered to every user.
10. Children
QR-Verse is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and you believe your child has registered an account, email support@qr-verse.com and we will delete the account within 5 working days. Where local law sets a higher digital-consent age (e.g. 16 in NL/DE, 15 in FR), the higher age applies.
11. Changes to this policy
When we make material changes:
- We update the version and effective date at the top of this page.
- We email all users at least 30 days before the new policy takes effect.
- If the change affects cookie categories, we bump CONSENT_VERSION which forces the cookie banner to re-prompt every visitor.
- We keep an archive of previous versions linked at the top of this page.
12. Contact
For privacy questions, data subject requests, or DPO matters:
support@qr-verse.comWe aim to acknowledge requests within 72 hours and resolve them within 30 days as required by Article 12(3) GDPR.
Effective: 29 April 2026 - Version 2026-04-29-v1
Cookie banner consent_version: 2026-04-29-v1