Privacy Policy

This policy describes how QR1.app processes personal data under GDPR.

1. Controller

CERUX sp. z o.o., ul. Młynarska 42/115, 01-171 Warszawa, Polska.

Contact: legal@qr1.app

Support: support@qr1.app

2. Data We Process

  • Account & billing data: first/last name, email, phone, preferred language, company name, city/country, VAT number (for VAT calculation), subscription and invoice details.
  • Customer content (hosted pages): texts, images, PDFs, and external links (including YouTube embeds).
  • Customer content may include personal data if the Customer uploads it.
  • Scan events (pseudonymous): ip_hash (SHA-256 + salt), ip_anon (e.g. /24 for IPv4 or first 3 hextets for IPv6), user-agent (stored), derived device/browser/OS, approximate geo derived from IP (country/region/city and optionally coordinates), UTM parameters and referrer domain.
  • No raw IP addresses are stored.
  • Full referrer URL and full landing URL are stored only with analytics consent.
  • A visitor identifier (qr1_vid) is set only with analytics consent.
  • Consent records: your cookie preferences with timestamp/version.
  • Support communications: messages and metadata necessary to respond.

3. Purposes & Legal Bases

  • Service delivery & account administration (Art. 6(1)(b) GDPR – contract).
  • Billing, taxes, accounting (Art. 6(1)(c) – legal obligation).
  • Security, abuse prevention, and service integrity (Art. 6(1)(f) – legitimate interests).
  • Analytics and measurement (including qr1_vid, stable pseudonymous identifiers, full referrer/URL) (Art. 6(1)(a) – consent).
  • Handling legal requests and enforcing Terms (Art. 6(1)(c) / 6(1)(f)).

4. Cookies & Similar Technologies

We use cookies to store consent preferences and to enable optional analytics. See Cookie Policy.

Analytics identifiers and full referrer/URL are collected only if you opt in. You can withdraw consent at any time via Cookie settings.

5. International Transfers

Email delivery and related metadata may be processed by MXroute, which may involve transfers to third countries. We rely on Standard Contractual Clauses (SCC) and other appropriate safeguards where applicable.

6. Subprocessors

  • Contabo (hosting)
  • Supabase self-hosted (database/storage)
  • Umami self-hosted (analytics)
  • Tolgee self-hosted (localization)
  • Stripe (payments; independent controller / separate controller for payment processing)
  • MXroute (email delivery; potential transfers; SCC)
  • Telegram (notifications if enabled)
  • MaxMind (GeoIP database used locally; no IP data is sent to MaxMind during lookups)

Some service providers may process certain data as independent controllers (e.g., Stripe for payment processing) under their own privacy policies.

7. Retention

  • Raw scan events: up to 13 months.
  • Consent logs: up to 5 years (to demonstrate compliance).
  • Billing/invoices: as required by applicable accounting/tax laws (typically several years).
  • Account and hosted content: until deletion by the customer/admin; after deletion we may retain limited records for legal claims, fraud prevention and tax obligations for the minimum necessary period.

8. Your Rights

You have the right to request access, rectification, erasure, restriction, portability, and to object (where applicable). Where processing is based on consent, you may withdraw consent at any time (this does not affect processing before withdrawal).

To exercise your rights, email us at legal@qr1.app from the address associated with your account and describe your request. We may ask for reasonable verification to protect your account and data.

You also have the right to lodge a complaint with the Polish supervisory authority (PUODO – President of the Personal Data Protection Office).
