Privacy Policy
Last updated: March 2026 | Controller: Ostheimer OG, Fabriksgasse 20, 2230 Gänserndorf, Austria | [email protected]
1. Principles
We process personal data in accordance with GDPR (EU) 2016/679. qr3.app is built with Privacy by Design: IP addresses are never stored — they are immediately hashed (SHA-256 + daily rotating salt) at the Cloudflare edge before any data is persisted.
2. Data We Process
2.1 API Users (Registered Accounts)
- Account data: Email address, name (via Clerk.com authentication)
- Billing data: Stripe customer ID, subscription status (no card data — Stripe processes payments directly)
- Usage data: Created QR codes, workspace configurations
- Legal basis: Art. 6(1)(b) GDPR — contract performance
2.2 QR Code Scan Analytics (End Users)
- Hashed IP: SHA-256 hash + daily salt — not reversible, no personal reference
- Device data: Device type, OS, browser (anonymized from User-Agent)
- Geo data: Country, city (from Cloudflare CF-IPCountry header — no IP stored)
- Legal basis: Art. 6(1)(f) GDPR — legitimate interest of QR code owners in analytics
- Retention: 90 days, then automatically deleted
2.3 Website Visits (qr3.app)
- No tracking cookies, no third-party analytics
- Server logs: Cloudflare processes connection data per their Privacy Policy
3. Third-Party Services
We share data only with:
- Cloudflare, Inc. (USA) — infrastructure, CDN, Workers. Legal basis: Standard Contractual Clauses (SCCs)
- Clerk.com — authentication. Legal basis: SCCs
- Stripe, Inc. (USA) — payment processing. Legal basis: SCCs
No data is shared for advertising purposes.
4. Your Rights (GDPR Art. 15–22)
- Access (Art. 15): GET /v1/account/privacy or email [email protected]
- Portability (Art. 20): GET /v1/account/export — full JSON export
- Erasure (Art. 17): DELETE /v1/account or email — full deletion within 30 days
- Restriction (Art. 18): Email [email protected]
- Objection (Art. 21): At any time for legitimate interest processing
5. Cookies
qr3.app uses only technically necessary session cookies (authentication via Clerk). No marketing or tracking cookies. Cookie consent banners are not required.
6. Data Security
All data is transmitted encrypted (TLS 1.3). Database encryption at rest via Cloudflare D1. API keys are stored hashed. Webhook signatures use HMAC-SHA256.
7. Right to Lodge a Complaint
You have the right to lodge a complaint with the Austrian Data Protection Authority:
Datenschutzbehörde (dsb.gv.at), Barichgasse 40-42, 1030 Vienna, Austria
8. Contact
Ostheimer OG
Fabriksgasse 20, 2230 Gänserndorf, Austria
[email protected]