Privacy Policy

Last updated: April 2026

1. Who we are

QR SaaS is operated by [Your Company Name], registered in the Netherlands (KVK: [KVK number], VAT: [VAT number]).
Questions? Contact us at privacy@[yourdomain].nl.

2. What data we collect

• Account data: email address, optional display name.
• Billing data: billing address, VAT number (if business). Payment details are handled exclusively by Mollie B.V. — we never store card numbers or IBAN.
• QR scan data: hashed IP address (not reversible), country, city, device type, operating system, browser family, HTTP referrer, and timestamp. We do not store the original IP address.

3. Why we collect it

• Account data: to provide the service and send transactional emails (invoices, password resets).
• Billing data: to issue legally-compliant invoices and process payments.
• Scan analytics: to provide you with scan statistics for your QR codes.

4. Data retention

• Free plan: scan data is automatically deleted after 365 days.
• Paid plan: scan data is retained indefinitely, or until you delete your account.
• Account data and invoices are retained for 7 years to meet Dutch bookkeeping obligations.

5. Who we share data with

• Mollie B.V. — payment processing. Mollie Privacy Policy.
• SMTP2GO — transactional email delivery.
• We do not sell, rent or trade personal data.

6. Your rights (GDPR)

As a data subject in the EU/EEA you have the right to:

• Access — export all your data via Settings → Export data.
• Deletion — delete your account and all associated data via Settings → Delete account.
• Rectification — update your details in Settings.
• Portability — covered by the JSON export.
• Object / restrict — contact us at the address above.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

7. Cookies

We use a single session cookie (strictly necessary for login) and a CSRF token cookie. We do not use tracking or advertising cookies. No cookie banner is required under GDPR for strictly-necessary cookies.

8. Security

Passwords are hashed with Argon2id. All traffic is served over HTTPS. IP addresses are hashed before storage and cannot be reversed.

9. Changes

We will notify registered users of material changes via email at least 14 days before they take effect.