QQRQuick
Legal

Privacy Policy

How we handle your data — written in plain language, aligned with India's DPDP Act.

Last updated: 2026-05-23Effective: 2026-06-22

1.Who we are

QRQuick ("we", "us") is the data fiduciary for personal data processed through the qrquick.in website and dashboard. We operate from Jaipur, India.

For any privacy request, write to our Grievance Officer: - Email: privacy@qrquick.in - Subject line: "DPDP request"

We respond to verified requests within 15 days.

2.Scope of this policy

This Privacy Policy describes how we handle personal data of:

  • Account holders — people who sign up at qrquick.in
  • End scanners — people who scan a QR code generated on our platform
  • Visitors — people who browse our marketing pages

It is aligned with the Digital Personal Data Protection Act, 2023 (India) and incorporates GDPR principles for our international users.

3.Data we collect

From account holders:

  • Name, email address, hashed password (Argon2id)
  • Workspace name, billing address, GST number (if applicable)
  • Payment metadata from Razorpay (we never see card numbers)
  • Content you create: QR codes, landing pages, leads you import

From end scanners (people who scan a dynamic QR):

  • Approximate location (country + city derived from IP — we do not store full IP addresses after 30 days)
  • Device type, operating system, browser
  • Referrer URL where the QR was placed (if available)
  • Timestamp of the scan

From everyone:

  • Server access logs (rotated after 30 days)
  • A small set of first-party cookies described in our Cookie Policy

4.Why we process your data (legal bases)

  • Contract — to operate your account, deliver redirects, and bill you
  • Legitimate interests — to detect abuse, fight phishing, and improve the product
  • Legal obligation — to retain invoices, respond to court orders, comply with tax law
  • Consent — for marketing emails (always opt-out from the email footer) and for non-essential cookies (we use none)

5.Who we share data with

We share only the data necessary, with these sub-processors:

  • Razorpay Software Private Limited (Bengaluru, India) — payment processing
  • Hetzner Online GmbH (Germany) — primary application hosting
  • Amazon Web Services (Mumbai, India) — encrypted off-site database backups
  • Resend (United States) — transactional email (verification, password reset, receipts)

A complete sub-processor list with their roles is published in our Data Processing Addendum. We notify customers by email 30 days before adding a new sub-processor.

We do not sell or rent your data. We do not share data with advertising networks.

6.Your rights under DPDP

Indian residents have the right to:

  • Access — see what data we hold about you (built into /dashboard/settings/account → "Export my data")
  • Correction — fix inaccurate personal data (do this yourself in /dashboard/account/profile)
  • Erasure — delete your account and associated personal data (self-service in /dashboard/settings/account → "Delete account")
  • Grievance redressal — contact our Grievance Officer (above)
  • Nominate — appoint someone to exercise these rights if you become incapacitated or pass away (email privacy@qrquick.in to set this up)

GDPR users additionally have the right to data portability (we export in machine-readable JSON) and the right to object to processing.

7.How long we keep data

  • Account data — for the life of your account, then 30 days in soft-delete (recoverable on request), then deleted
  • Scan events — 24 months by default; configurable to as low as 30 days from /dashboard/settings/privacy
  • Audit logs — 13 months, then deleted
  • Invoices — 7 years (Indian tax law requires this)
  • Backups — encrypted, 30 days, then overwritten

When you delete your account, the only data we retain is invoice records (legally required) and abuse-flag history (to prevent re-onboarding banned accounts).

8.How we protect your data

  • Passwords are hashed with Argon2id (m=19456, t=2, p=1) — never stored in plain text
  • In-transit encryption — TLS 1.3 on every public endpoint
  • At-rest encryption — full-disk encryption on database servers
  • Two-factor authentication is available for every account and required for admins
  • Audit logging — every write action is logged with actor + timestamp
  • Backups — encrypted daily and tested monthly
  • Access controls — internal access is limited to named engineers with logged sudo

If we detect a breach affecting your personal data, we notify you and the Data Protection Board of India within 72 hours.

9.Children

QRQuick is not directed to children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, email privacy@qrquick.in and we will delete it.

10.International transfers

Some of our infrastructure runs in Germany (Hetzner) and the United States (Resend for email). When personal data is transferred outside India, we rely on Standard Contractual Clauses and equivalent protections, and we will move data to India-based providers whenever it is operationally feasible.

Our primary database and backups are in India.

11.Changes to this policy

We may update this Privacy Policy. Material changes are communicated by email and a dashboard banner at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision.

Questions or to exercise your rights: privacy@qrquick.in.

Questions about this document? Email legal@qrquick.in.

Terms of ServicePrivacy PolicyCookie PolicyData Processing Addendum
Privacy Policy · QRQuick · QRQuick