Privacy Policy

Last updated: 21 April 2026

1. Who is the controller?

QRZY is the controller of personal data processed through this site and service. QRZY is operated by DATS Digital LLC, based in Wyoming, USA. The full business details are on our Legal Notice.

Privacy inquiries: dpo@qrzy.co
General contact: support@qrzy.co

2. What we collect and why

Account data

  • Name and email (from Google OAuth or direct sign-up).
  • Tier, preferences, and in-product settings.

Legal basis: performance of contract (GDPR Art. 6(1)(b)).

QR code and workflow data

  • QR code names, destination URLs, routing rules, channel attribution slugs.

Legal basis: performance of contract.

QR scan data

When a QR code is scanned, our redirect service briefly processes the scan in order to route the user. We store:

  • Timestamp.
  • Derived country and city (from IP geolocation at Cloudflare's edge).
  • Device type, browser family, and operating system (derived from the User-Agent).
  • Channel attribution (if the URL contains a channel slug).

Raw IP addresses are not persisted in our analytics store; we only keep the derived country/city. Raw scan rows are retained for up to 7 days for anti-abuse purposes and are then discarded. Aggregated, non-identifying analytics are retained per the retention defined by your plan.

Legal basis: legitimate interest (GDPR Art. 6(1)(f)) — operating the redirect service, protecting it from abuse, and giving QR code owners aggregated insights.

Payment metadata

Paid subscriptions are processed by Creem.io acting as Merchant of Record. Card details are handled by Creem.io and its PCI-DSS compliant processors; we do not store card numbers. We receive and retain only the metadata needed to recognise your paid status (subscription ID, plan, status, invoice references).

Legal basis: performance of contract + legal obligation (accounting, tax).

Waitlist

If you join the waitlist, we store your email address and the timestamp, solely to invite you to the service.

Legal basis: consent (GDPR Art. 6(1)(a)). You can ask us to delete your waitlist entry at any time.

Support correspondence

Emails you send to any @qrzy.co address are retained for the period needed to handle your request and to comply with applicable record-keeping obligations.

3. Analytics

To measure site traffic and improve QRZY, we use two analytics tools, both configured to minimise data collection:

  • Cloudflare Web Analytics — cookieless, no fingerprinting, no personal data stored on your device.
  • Google Analytics 4, routed through Cloudflare Zaraz in server-side mode. In this configuration: no GA4 cookies (such as _ga or _ga_*) are set on your device, no client-side fingerprinting is performed, and your IP address is stripped by Cloudflare before any request reaches Google (the "Hide Originating IP Address" setting is enabled). Google receives only aggregated event data such as page path, referrer, and device class.

Analytics are collected only on the public marketing site. When you are signed in to the QRZY dashboard, analytics are suppressed — your authenticated product usage is not sent to Google Analytics or to any third-party analytics tool.

We do not use advertising trackers, remarketing pixels, or third-party social tracking pixels (Facebook, LinkedIn, TikTok, etc.) on the QRZY website.

Legal basis: legitimate interest (GDPR Art. 6(1)(f)) — understanding aggregate usage of QRZY. Because the analytics data in this configuration does not identify you, does not use cookies, and does not expose your IP to Google, we rely on legitimate interest rather than consent. You can object to this processing at any time by emailing dpo@qrzy.co; we will suppress further analytics collection for you on request.

4. Cookies

QRZY uses only cookies that are strictly necessary to deliver the service — primarily an authentication session cookie when you sign in. See our Cookie Policy for the full list.

5. Who processes data on our behalf (sub-processors)

  • Cloudflare, Inc. — hosting of the application, Workers execution, D1 database, KV cache, Web Analytics, Zaraz tag management, DDoS and WAF protection.
  • Creem.io — Merchant of Record for subscription billing.
  • Google LLC / Google Ireland Ltd. — Google OAuth sign-in (only if you choose to sign in with Google) and Google Analytics 4, which receives event data server-side through Cloudflare Zaraz in the cookieless, IP-anonymised configuration described above.

Each sub-processor processes only the data needed for its function and is bound by a contract that meets GDPR Art. 28.

For data subjects in the European Union and European Economic Area, QRZY's designated EU representative under GDPR Art. 27 is D-NIS, napredne informacijske storitve, Denis Avguštin s.p., Slovenia. You may also direct GDPR-related communications for the controller through this EU representative at dpo@qrzy.co.

6. International data transfers

Some sub-processors (notably Cloudflare and Google) operate globally. Where personal data leaves the European Economic Area, transfers rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

7. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Erase your data ("right to be forgotten"), subject to legal retention requirements.
  • Restrict or object to certain processing.
  • Receive a portable copy of your data.
  • Withdraw consent at any time (where processing is based on consent).

To exercise any of these rights, email dpo@qrzy.co. We respond within 30 days.

You also have the right to lodge a complaint with the data protection authority in your country of habitual residence, place of work, or place of the alleged infringement.

8. Data retention

  • Account data: while your account is active, plus a short period (up to 90 days) after deletion for operational backups.
  • QR code and workflow data: while the QR code exists in your account; deleted when you delete it.
  • Raw scan rows: up to 7 days, then discarded.
  • Aggregated analytics: per the retention window of your plan (Free: 7 days, Starter: 7 days, Pro: 30 days, Business: 365 days, Elite: indefinite).
  • Billing and tax records: retained as required by applicable accounting and tax law.

9. Security

We use TLS 1.3 for all connections, encryption at rest for stored data, and least-privilege access controls for our internal operations. For more, see our Security page.

10. Children

QRZY is not directed at children under the age required for lawful digital consent in their jurisdiction. We do not knowingly collect personal data from children below that threshold. If you believe a child has given us personal data without appropriate consent, contact dpo@qrzy.co and we will delete it.

11. California Residents (CCPA / CPRA)

QRZY does not sell or share personal information as those terms are defined under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). California residents have the right to:

  • Know what personal information is collected about you and how it is used.
  • Delete personal information we hold about you, subject to limited legal exceptions.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information (we do not sell or share it).
  • Non-discrimination for exercising any privacy right.

To exercise these rights, email dpo@qrzy.co. We will respond within 45 days as required by CCPA.

12. Changes to this policy

We may update this Privacy Policy as our processing evolves. Material changes will be announced by email or prominent in-product notice before they take effect.