QRFancy
Sign inStart free
Home · Legal

Privacy Policy

Last updated: May 10, 2026

QRFancy ("QRFancy", "we", "us") respects your privacy. This Privacy Policy explains what personal data we collect when you use qrfancy.com (the "Service"), why we collect it, how we use it, and your rights under the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA/CPRA"), and other applicable privacy laws.

1. Who is the data controller?

QRFancy is the controller for personal data processed through the Service. You can reach us at privacy@qrfancy.com.

2. What data we collect

  • Account data: email address, display name, password hash, OAuth identifiers (e.g. Google sub).
  • QR code content: destinations, slugs, designs and metadata you create.
  • Scan analytics: aggregate scan counts, approximate country (derived from IP), coarse device type, referrer URL. We do not store full IP addresses, do not use cookies for tracking, and do not attempt to identify the individual scanner.
  • Lead-capture submissions (optional): if you enable a lead form on a QR, the data your visitors submit (name, email, phone) is stored on your behalf — you become the controller for that data.
  • Billing data: if you purchase a plan or print product, Stripe processes your payment. We store the Stripe customer ID and order metadata, but never your full card number.
  • Diagnostics: server logs containing request paths, status codes and timestamps, retained up to 30 days.

3. Why we process it (legal bases)

  • Contract — to provide the Service you signed up for.
  • Legitimate interest — to keep the Service secure, prevent abuse, and improve features. Our interest is balanced against your rights.
  • Consent — for optional features such as marketing emails. You can withdraw consent at any time.
  • Legal obligation — to keep tax/billing records and respond to lawful requests.

4. Sub-processors

We use the following sub-processors. Each is bound by a Data Processing Agreement ("DPA") and processes data only to deliver the Service:

  • Supabase (database, authentication, storage) — EU/US.
  • Cloudflare (CDN, DDoS protection) — global.
  • Stripe (payments) — US, EU.
  • Printful (print fulfilment, only if you order physical products) — US, EU.
  • Resend / Postmark (transactional email) — US, EU.
  • Google AI / OpenAI (only if you use the AI artwork feature; prompts and generated images may be processed in the US).

5. International transfers

Where personal data is transferred outside the EEA / UK, we rely on Standard Contractual Clauses and the EU–US Data Privacy Framework where applicable.

6. Retention

  • Account data: until you delete your account, plus up to 30 days of backup retention.
  • Scan events: 24 months, then automatically aggregated and anonymised.
  • Billing records: 7 years (legal requirement in most jurisdictions).

7. Your rights

Depending on your jurisdiction you may have the right to access, rectify, erase, restrict or port your personal data, to object to processing, and to withdraw consent. You also have the right to lodge a complaint with your local supervisory authority. To exercise any of these, email privacy@qrfancy.com. We respond within 30 days.

8. Children

The Service is not directed to children under 16. We do not knowingly collect data from them.

9. Security

We use TLS in transit, encryption at rest, role-based access controls, row-level security on the database, and regular dependency audits. No system is perfectly secure — please use a strong, unique password and report any vulnerability to security@qrfancy.com.

10. Changes to this policy

We will notify you of material changes by email or in-product banner at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.

Questions? Email legal@qrfancy.com.