Privacy Policy
Last updated: January 2026
1. Introduction
QRlytics ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our QR code generation and analytics service.
QRlytics is operated by Z-AGENCY s.r.o., a company registered in the Czech Republic. For company registration details, please contact us at info@processgate.ai.
2. Information We Collect
2.1 Personal Information
When you register for an account, we collect:
- Email address
- Full name (optional)
- Phone number (optional)
- Company name (optional)
- Website URL (optional)
- Payment information (processed securely by Stripe)
2.2 QR Code Scan Data
When someone scans a QR code created through our service, we collect:
- IP address (anonymized after 30 days)
- Approximate geographic location (country and city level, derived from IP address)
- Device type (mobile, desktop, tablet)
- Browser and operating system information
- Date and time of the scan
- Referrer URL (if available)
2.3 Mobile App Data
When using our mobile application, we additionally collect:
- Device information (model, OS version) for compatibility purposes
- Push notification tokens (for delivering notifications you've opted into)
- Camera access (only when actively scanning QR codes, no images stored)
- Photo library access (only when saving QR codes you've created)
2.4 Authentication Methods
We support multiple sign-in methods:
- Email/Password: Credentials secured via Supabase Auth with industry-standard encryption
- Apple Sign In: We receive only information you authorize Apple to share. Apple may provide a private relay email address to protect your actual email
- Google Sign In: We receive basic profile information (email, name) that you authorize Google to share
2.5 API & Webhook Data (VIP Plans)
If you use our VIP API features, we additionally store:
- API keys generated for your account
- API call logs (endpoint, method, timestamp, response status)
- Webhook URLs you configure for scan notifications
When a webhook is configured, scan data (location, device, timestamp) is sent to the external URL you specify. You are responsible for the data handling at your webhook endpoint.
3. How We Use Your Information
We use the collected information to:
- Provide and maintain our service
- Generate analytics reports for your QR codes
- Process payments and manage subscriptions
- Send service-related communications
- Send marketing communications (with your consent)
- Improve our service and develop new features
- Detect and prevent fraud or abuse (including rate limiting)
4. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your data based on:
- Contract: Processing necessary to provide our service to you
- Consent: For marketing communications and optional data collection
- Legitimate Interest: For service improvement and security
- Legal Obligation: For tax and regulatory compliance
5. Data Sharing
We do not sell your personal data. We may share data with:
- Stripe: Payment processing (payment details only)
- Supabase: Database and authentication services (hosted in EU)
- Vercel: Hosting infrastructure (application delivery)
- ip-api.com: IP geolocation for scan analytics (IP addresses only, no personal data)
- Resend: Transactional email delivery (email address and message content)
- Airtable: Cookie consent records and user feedback storage
All third-party services are GDPR-compliant and have appropriate data processing agreements.
5.1 Mobile App SDKs
Our mobile application uses the following third-party services:
- Expo: App development platform (no personal data shared)
- RevenueCat: In-app purchase management (subscription status only)
- Apple App Store / Google Play: App distribution and in-app purchases
6. Your Rights (GDPR)
You have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data
- Restriction: Limit how we process your data
- Portability: Receive your data in a portable format
- Object: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent at any time
To exercise these rights, contact us at info@qrlytics.eu or use the settings in your account.
7. Data Retention
We retain your personal data for as long as your account is active. Scan analytics data is retained according to your subscription plan:
- Free plan: 30 days
- Pro plan: 90 days
- VIP plans: 365 days
After the retention period, scan data is anonymized and aggregated. After account deletion, we retain minimal data for 30 days for recovery purposes, then permanently delete it. Some data may be retained longer for legal and regulatory compliance.
8. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.3)
- Encryption at rest via our database provider
- Rate limiting on all API endpoints
- CSRF protection and secure session management
- Input validation and access controls
- Security monitoring and code review practices
9. Cookies
We use essential cookies for authentication and session management. We do not use third-party tracking cookies. Analytics cookies are only used with your consent.
Your cookie consent preferences are stored in our records management system for compliance purposes. You can update your preferences at any time via the cookie banner.
10. International Transfers
Your data may be transferred to and processed in countries outside the EU/EEA. We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: info@qrlytics.eu
- Data Protection Officer: info@processgate.ai
- Operator: Z-AGENCY s.r.o., Czech Republic