1. Introduction

QRlytics ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our QR code generation and analytics service.

QRlytics is operated by Z-AGENCY s.r.o., a company registered in the Czech Republic. For company registration details, please contact us at info@processgate.ai.

2. Information We Collect

2.1 Personal Information

When you register for an account, we collect:

Email address
Full name (optional)
Phone number (optional)
Company name (optional)
Website URL (optional)
Payment information (processed securely by Stripe)

2.2 QR Code Scan Data

When someone scans a QR code created through our service, we collect:

IP address (anonymized after 30 days)
Approximate geographic location (country and city level, derived from IP address)
Device type (mobile, desktop, tablet)
Browser and operating system information
Date and time of the scan
Referrer URL (if available)

2.3 Mobile App Data

When using our mobile application, we additionally collect:

Device information (model, OS version) for compatibility purposes
Push notification tokens (for delivering notifications you've opted into)
Camera access (only when actively scanning QR codes, no images stored)
Photo library access (only when saving QR codes you've created)

2.4 Authentication Methods

We support multiple sign-in methods:

Email/Password: Credentials secured via Supabase Auth with industry-standard encryption
Apple Sign In: We receive only information you authorize Apple to share. Apple may provide a private relay email address to protect your actual email
Google Sign In: We receive basic profile information (email, name) that you authorize Google to share

2.5 API & Webhook Data (VIP Plans)

If you use our VIP API features, we additionally store:

API keys generated for your account
API call logs (endpoint, method, timestamp, response status)
Webhook URLs you configure for scan notifications

When a webhook is configured, scan data (location, device, timestamp) is sent to the external URL you specify. You are responsible for the data handling at your webhook endpoint.

3. How We Use Your Information

We use the collected information to:

Provide and maintain our service
Generate analytics reports for your QR codes
Process payments and manage subscriptions
Send service-related communications
Send marketing communications (with your consent)
Improve our service and develop new features
Detect and prevent fraud or abuse (including rate limiting)

4. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your data based on:

Contract: Processing necessary to provide our service to you
Consent: For marketing communications and optional data collection
Legitimate Interest: For service improvement and security
Legal Obligation: For tax and regulatory compliance

5. Data Sharing

We do not sell your personal data. We may share data with:

Stripe: Payment processing (payment details only)
Supabase: Database and authentication services (hosted in EU)
Vercel: Hosting infrastructure (application delivery)
ip-api.com: IP geolocation for scan analytics (IP addresses only, no personal data)
Resend: Transactional email delivery (email address and message content)
Airtable: Cookie consent records and user feedback storage

All third-party services are GDPR-compliant and have appropriate data processing agreements.

5.1 Mobile App SDKs

Our mobile application uses the following third-party services:

Expo: App development platform (no personal data shared)
RevenueCat: In-app purchase management (subscription status only)
Apple App Store / Google Play: App distribution and in-app purchases

6. Your Rights (GDPR)

You have the right to:

Access: Request a copy of your personal data
Rectification: Correct inaccurate personal data
Erasure: Request deletion of your personal data
Restriction: Limit how we process your data
Portability: Receive your data in a portable format
Object: Object to processing based on legitimate interest
Withdraw Consent: Withdraw consent at any time

To exercise these rights, contact us at info@qrlytics.eu or use the settings in your account.

7. Data Retention

We retain your personal data for as long as your account is active. Scan analytics data is retained according to your subscription plan:

Free plan: 30 days
Pro plan: 90 days
VIP plans: 365 days

After the retention period, scan data is anonymized and aggregated. After account deletion, we retain minimal data for 30 days for recovery purposes, then permanently delete it. Some data may be retained longer for legal and regulatory compliance.

8. Data Security

We implement industry-standard security measures including:

Encryption in transit (TLS 1.3)
Encryption at rest via our database provider
Rate limiting on all API endpoints
CSRF protection and secure session management
Input validation and access controls
Security monitoring and code review practices

9. Cookies

We use essential cookies for authentication and session management. We do not use third-party tracking cookies. Analytics cookies are only used with your consent.

Your cookie consent preferences are stored in our records management system for compliance purposes. You can update your preferences at any time via the cookie banner.

10. International Transfers

Your data may be transferred to and processed in countries outside the EU/EEA. We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: info@qrlytics.eu
Data Protection Officer: info@processgate.ai
Operator: Z-AGENCY s.r.o., Czech Republic