Privacy Policy

Last updated: 31 March 2026 · Effective: 31 March 2026

        The short version: QR Share Me is designed to store as little of your data as possible. On the free tier, your QR codes live entirely in your browser — we hold nothing. If you upgrade, we store only what's needed to sync your codes and provide analytics. We never sell your data, we never run ads, and we never use third-party tracking.
    

1. Who We Are

QR Share Me is provided by Orcasci Ltd, a company registered in England and Wales (Company No. 07387280), with its registered office at 27/28 Eastcastle Street, London, W1W 8DH, United Kingdom ("we", "us", "the data controller").

Privacy contact: privacy@qrshareme.com

2. What This Policy Covers

This policy covers the QR Share Me web application and the QR Share Me website (qrshareme.com). It explains what personal data we process, why, and what rights you have.

QR Share Me operates in two tiers — free and upgraded (paid). What data we process depends on which tier you use. We've organised this policy so you can see exactly what applies to you.

3. Free Tier — What We Process

        In short: Almost nothing. Your QR codes stay in your browser. We don't have an account for you, we don't track you, and we can't see what you've created.
    

3.1 Data stored in your browser

When you create QR codes on the free tier, all data — your URLs, labels, styling choices, and card positions — is stored locally in your browser using the Web Storage API. This data never leaves your device. We cannot access it, read it, or recover it.

This is not personal data we process. You control it entirely. If you clear your browser data, it's gone.

3.2 Metadata fetching

When you add a URL to a QR code, our server visits that URL once to retrieve its title and preview image, so your card looks good. During this request:

Your browser sends a request to our server with the URL you entered.
Our server fetches the page and extracts the title and image.
The retrieved metadata is sent back to your browser and is not stored on our server.

The URL you enter may constitute personal data (for example, if it contains your name or username). We process this URL solely to retrieve display metadata, and we do not store the URL on our server after the metadata has been returned to your browser.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — providing core functionality you initiated. We have assessed that our legitimate interest in providing this feature is not overridden by your rights, given that you initiate the request, the data is transient, and nothing is retained on our servers.

3.3 Server access logs

When your browser communicates with our server (for metadata fetching or loading the app), standard technical information is logged by our hosting provider:

IP address
Date, time, and page requested
Browser type and operating system

These logs are maintained by our hosting provider for security and operational purposes. We do not use them to identify or track individual users. They are automatically deleted according to our hosting provider's retention policy (typically 14–30 days).

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — security, abuse prevention, and maintaining the Service.

3.4 What we don't do on the free tier

We don't create an account for you.
We don't set cookies or use tracking technologies.
We don't use third-party analytics (no Google Analytics, no tracking pixels).
We don't store your QR codes on our servers.
We don't know who you are.

4. Upgraded (Paid) Tier — What We Additionally Process

When you upgrade your account, we process additional data to provide cloud sync, scan analytics, and other upgraded features. Everything in Section 3 still applies, plus the following.

4.1 Account data

Data	Purpose	Legal Basis	Retention
Email address	Account creation and authentication	Contract (Art. 6(1)(b))	Until account deletion + 30 days
Password (hashed and salted)	Authentication	Contract (Art. 6(1)(b))	Until account deletion
Authentication provider ID (if using Google sign-in)	Authentication	Contract (Art. 6(1)(b))	Until account deletion

4.2 Cloud-synced QR code data

Data	Purpose	Legal Basis	Retention
QR code content (URLs, labels, subtitles, styling, position)	Cross-device sync	Contract (Art. 6(1)(b))	Until you delete codes or account

4.3 Scan analytics (opt-in only)

Scan analytics are disabled by default. You choose to enable tracking for each individual QR code. When enabled, and someone scans your tracked QR code, we collect:

Data	Purpose	Legal Basis	Retention
Scan count	Total scans for your QR code	Legitimate interest (Art. 6(1)(f))	Until short link deleted
Device type (mobile, desktop, tablet)	Aggregate device breakdown	Legitimate interest (Art. 6(1)(f))	90 days (raw), then aggregated
Country	Aggregate geographic breakdown	Legitimate interest (Art. 6(1)(f))	90 days (raw), then aggregated
Daily trend (scans per day)	Usage patterns over time	Legitimate interest (Art. 6(1)(f))	Until short link deleted

        What we don't collect from scans: We do not store IP addresses, full browser fingerprints, referrer URLs, or any data that could identify the individual person who scanned your QR code. Analytics are aggregate only — you see "47 scans from Germany on mobile", never "a specific person scanned this at 14:22."
    

Why legitimate interest? QR code creators have a reasonable interest in understanding aggregate usage of their content. The data processed is minimal — device type and country only, with no IP addresses stored. The scanner's reasonable expectation when scanning a public QR code includes basic aggregate counting. We have assessed that this interest is not overridden by the scanner's rights, given the anonymous and aggregate nature of the data.

You can disable tracking for any QR code at any time. When you disable it, we stop collecting new scan data. Existing analytics are retained until you delete the short link or your account.

4.4 Payment data

When the paid tier launches, payments will be processed by a third-party payment provider. We will not store your credit card number or bank details on our servers. This section will be updated with the specific payment provider and their privacy policy before the paid tier goes live.

5. People Who Scan QR Codes

If someone scans a QR Share Me QR code (and it's a tracked QR code), we want to be transparent about what happens:

You are redirected to the destination URL chosen by the QR code creator.
If the QR code has tracking enabled, we record one aggregate data point: that a scan occurred, along with the device type (mobile/desktop/tablet) and country. We do not store your IP address, browser fingerprint, or any data that could directly identify you in our application database.
Our hosting provider maintains standard server access logs (including IP addresses) for security purposes. These are retained for 14–30 days, are not linked to scan analytics, and are not accessible to QR code creators.
The redirect happens instantly. There is no consent popup, tracking cookie, or delay.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — the QR code creator has a legitimate interest in aggregate scan counts. The processing has negligible impact on the scanner, as no identifying data is stored or shared.

Your rights as a scanner: Even though we cannot identify you from the aggregate data we store, you have rights under GDPR as a data subject. If you have questions or wish to exercise your rights, contact us at privacy@qrshareme.com. You also have the right to lodge a complaint with your local data protection authority.

6. QR Share Me Website (qrshareme.com)

The QR Share Me marketing website may collect:

6.1 Newsletter / waitlist signup

If you sign up for our newsletter or waitlist, we collect your email address. We use double opt-in: you'll receive a confirmation email and must click the link to confirm your subscription.

Legal basis: Consent (Art. 6(1)(a)). You can unsubscribe at any time via the link in every email.

6.2 Website hosting logs

Same as Section 3.3 — standard server access logs maintained by the hosting provider for security purposes.

7. Third-Party Services

We use a small number of third-party services. Here is every service that may receive data from your use of QR Share Me:

Service	Purpose	Data shared	Their privacy policy
Supabase (Frankfurt, Germany)	Authentication and cloud data storage (upgraded tier only)	Email, QR code data	supabase.com/privacy
Google OAuth (optional)	Sign-in option (upgraded tier only)	OAuth token, email	policies.google.com/privacy
Railway (United States)	Application hosting	Server access logs (IP, timestamps); EU data transferred under Standard Contractual Clauses	railway.com/legal/privacy

We have data processing agreements in place with sub-processors that currently handle personal data on our behalf (Railway, for hosting). Supabase and Google OAuth are listed above as sub-processors that will become active when the upgraded tier launches; their respective DPAs will be confirmed before that tier is enabled. This satisfies GDPR Article 28.

8. Cookies and Local Storage

Cookies: QR Share Me does not set cookies for tracking or analytics. Authentication cookies may be set by our authentication provider (Supabase) when you are logged in to an upgraded account — these are strictly necessary for the Service to function.

Local storage: The app uses your browser's local storage to save your QR codes (free tier) and preferences. This is not tracking — it's how the app works. You can clear it at any time through your browser settings.

Service worker: The app uses a service worker to enable offline functionality and faster loading. The service worker caches application files only — it does not track your activity.

9. Data Security

Local data (free tier): Protected by your device and browser's security. We have no access to it.
Cloud data (upgraded tier): Stored in Supabase's EU (Frankfurt, Germany) data centre. Protected by row-level security (only you can access your data), TLS encryption in transit, and encryption at rest.
Passwords: Hashed and salted. We cannot read your password.

No system is 100% secure. If we discover a breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.

10. Data Retention

Data	Kept for	Then what
Local QR codes (free tier)	Until you clear your browser	Gone — we never had it
Account and synced QR codes	Until you delete your account	Permanently deleted within 30 days (this period allows us to process the deletion across our systems, complete any pending data exports, and purge all backup copies; the account is immediately deactivated)
Scan analytics (raw data points)	90 days	Aggregated into counts only, individual records deleted
Scan analytics (aggregated)	Until you delete the short link or account	Permanently deleted
Newsletter subscription	Until you unsubscribe	Email deleted within 30 days
Server access logs	14–30 days (hosting provider's policy)	Automatically deleted
Data after account cancellation (lapsed paid subscription)	Up to ninety days after subscription lapses	Permanently deleted unless you resubscribe

11. Your Rights

Under GDPR (and UK GDPR if you are in the UK), you have the right to:

Access — request a copy of all personal data we hold about you.
Rectification — ask us to correct inaccurate data.
Erasure — ask us to delete your data ("right to be forgotten"). You can also do this yourself by deleting your account.
Data portability — receive your data in a machine-readable format (JSON).
Restriction — ask us to stop processing your data while a complaint is resolved.
Objection — object to processing based on legitimate interest (Sections 3.2, 3.3, and 4.3).
Withdraw consent — where we process data based on your consent (newsletter), you can withdraw it at any time. Withdrawal doesn't affect processing that already occurred.

To exercise any of these rights, email privacy@qrshareme.com. We will respond within 30 days.

You also have the right to lodge a complaint with a data protection supervisory authority. In the UK: the ICO (Information Commissioner's Office). In Germany: the BfDI (Federal Commissioner for Data Protection) or your local state authority. In other EU countries: your national data protection authority.

12. International Data Transfers

Orcasci Ltd is based in the United Kingdom, which has an EU adequacy decision for data protection. Cloud data is stored in the EU (Frankfurt, Germany) via Supabase. We do not transfer your data to countries without adequate data protection unless covered by Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

Some third-party services (Google OAuth) may process data in countries outside the EU/UK. They do so under SCCs or other GDPR-approved transfer mechanisms.

13. Children

QR Share Me is not directed at children under 16. We apply a minimum age of 16 across all jurisdictions for simplicity, even where local law permits a lower threshold (such as 13 in the UK). We do not knowingly collect personal data from children. If you believe a child under 16 has created an account, contact us at privacy@qrshareme.com and we will delete the account promptly.

14. Changes to This Policy

We may update this policy to reflect changes in the Service or applicable law. When we make material changes:

We update the "Last updated" date at the top.
We notify upgraded users by email at least 14 days before material changes take effect.

15. Contact

For any privacy questions, data requests, or complaints:

Email: privacy@qrshareme.com
Data controller: Orcasci Ltd, 27/28 Eastcastle Street, London, W1W 8DH, United Kingdom
Company No.: 07387280 (England and Wales)

This privacy policy was last reviewed on 31 March 2026.