Privacy Policy

Last updated: March 2026 | Controller: Ostheimer OG, Fabriksgasse 20, 2230 Gänserndorf, Austria | [email protected]

1. Principles

We process personal data in accordance with GDPR (EU) 2016/679. qr3.app is built with Privacy by Design: IP addresses are never stored — they are immediately hashed (SHA-256 + daily rotating salt) at the Cloudflare edge before any data is persisted.

2. Data We Process

2.1 API Users (Registered Accounts)

  • Account data: Email address, name (via Clerk.com authentication)
  • Billing data: Stripe customer ID, subscription status (no card data — Stripe processes payments directly)
  • Usage data: Created QR codes, workspace configurations
  • Legal basis: Art. 6(1)(b) GDPR — contract performance

2.2 QR Code Scan Analytics (End Users)

  • Hashed IP: SHA-256 hash + daily salt — not reversible, no personal reference
  • Device data: Device type, OS, browser (anonymized from User-Agent)
  • Geo data: Country, city (from Cloudflare CF-IPCountry header — no IP stored)
  • Legal basis: Art. 6(1)(f) GDPR — legitimate interest of QR code owners in analytics
  • Retention: 90 days, then automatically deleted

2.3 Website Visits (qr3.app)

  • No tracking cookies, no third-party analytics
  • Server logs: Cloudflare processes connection data per their Privacy Policy

3. Third-Party Services

We share data only with:

  • Cloudflare, Inc. (USA) — infrastructure, CDN, Workers. Legal basis: Standard Contractual Clauses (SCCs)
  • Clerk.com — authentication. Legal basis: SCCs
  • Stripe, Inc. (USA) — payment processing. Legal basis: SCCs

No data is shared for advertising purposes.

4. Your Rights (GDPR Art. 15–22)

  • Access (Art. 15): GET /v1/account/privacy or email [email protected]
  • Portability (Art. 20): GET /v1/account/export — full JSON export
  • Erasure (Art. 17): DELETE /v1/account or email — full deletion within 30 days
  • Restriction (Art. 18): Email [email protected]
  • Objection (Art. 21): At any time for legitimate interest processing

5. Cookies

qr3.app uses only technically necessary session cookies (authentication via Clerk). No marketing or tracking cookies. Cookie consent banners are not required.

6. Data Security

All data is transmitted encrypted (TLS 1.3). Database encryption at rest via Cloudflare D1. API keys are stored hashed. Webhook signatures use HMAC-SHA256.

7. Right to Lodge a Complaint

You have the right to lodge a complaint with the Austrian Data Protection Authority:
Datenschutzbehörde (dsb.gv.at), Barichgasse 40-42, 1030 Vienna, Austria

8. Contact

Ostheimer OG
Fabriksgasse 20, 2230 Gänserndorf, Austria
[email protected]