Effective date: May 16, 2026
Last updated: May 16, 2026
At a glance (informational summary, not part of the binding policy)
- Who we are: CapyQR, a globally-distributed SaaS service operating capyqr.com.
- What we collect: the minimum needed to run the Service — email, hashed authentication tokens, billing identifiers from Stripe, the Customer Content you submit, and salted-and-hashed IP+User-Agent fingerprints for scan-deduplication and abuse prevention. We don't sell your data.
- Who we share it with: infrastructure providers strictly necessary to provide the Service: Cloudflare (hosting, edge, security), Stripe (billing), Resend (transactional email), Google (only if you log in with Google).
- Where the data lives: primarily in EU data centers via Cloudflare; some processing may occur in the US under EU-approved transfer mechanisms.
- How long we keep it: as set out in Section 7 below — broadly, account data until you delete it, scan events 365 days, billing records up to 6 years (as required by tax/accounting law in jurisdictions where we may need to defend records).
- Your rights: access, correction, deletion, portability, restriction, objection, and complaint to your local data-protection supervisory authority — full detail in Section 9.
- Contact: privacy@capyqr.com for any privacy question or request.
The summary above is for convenience. The legally binding text starts in Section 1.
1. Who is responsible for your personal data
The data controller for the personal data described in this Policy is:
CapyQR
Email: privacy@capyqr.com
(the "Company", "CapyQR", "we", "us")
We aim to process personal data in line with the principles of the EU General Data Protection Regulation ("GDPR", Regulation (EU) 2016/679), the UK GDPR and UK Data Protection Act 2018, the ePrivacy Directive 2002/58/EC and its national transpositions, and any other data-protection law applicable to you as a data subject.
We have not appointed a Data Protection Officer (DPO). For any privacy question or request, contact us at privacy@capyqr.com.
2. Scope
This Policy describes how we collect, use, and share personal data when you:
- visit capyqr.com or any subdomain;
- create an Account, log in, or use the Service;
- subscribe to a paid plan;
- contact us for support, sales, or any other reason;
- scan a QR code generated through the Service (limited data only — see Section 4.5).
For data we process on behalf of a User who is themselves a controller (for example, scan analytics on Dynamic QRs that User created, or vCard contact data the User encoded), the User is the controller and we act as processor — see Section 13.
This Policy does not cover the destination websites that Dynamic QRs point to. Those are operated by Users or third parties; their own privacy policies apply.
3. The categories of personal data we collect
3.1 Account data
When you create an Account we collect:
- email address;
- (optionally) the Google account identifier and basic profile (name, email, profile picture) if you choose to sign in with Google;
- hashed-and-salted authentication tokens (we never store plaintext passwords or plaintext magic-link tokens);
- account preferences (locale, time zone, dashboard settings).
3.2 Billing data
If you subscribe to a paid plan, Stripe (our payment processor) handles the payment card and bank-account information directly. We never receive or store your full card number, CVV, or banking credentials. We do receive and store:
- Stripe customer ID, subscription ID, invoice IDs, and status;
- the email and name you provided to Stripe for billing;
- subscription plan, term, currency, amounts, dates, refunds;
- partial card information (last 4 digits, card brand, expiry) for display.
3.3 Customer Content
You submit Customer Content when you use the Service — URLs, text, vCard fields, designs, custom-domain names, and so on. Customer Content may itself contain personal data (for example, a contact phone number in a vCard QR). You are responsible for the lawfulness of any personal data you include in Customer Content; see Section 13.
3.4 Usage and device data
When you use the Service we automatically collect:
- IP address (used to derive country, used for security and rate-limiting and then promptly discarded or replaced with a salted hash);
- browser type, operating system, language, time zone;
- referring URL, pages visited, features used, error events;
- timestamps of actions taken in the Service.
3.5 Scan-event data (for Dynamic QRs only)
When a Scanner scans a Dynamic QR you have created, we record a scan event on your behalf:
- the Dynamic QR slug or custom-domain path that was scanned;
- timestamp;
- coarse geographic information (country, sometimes region) derived from the Scanner's IP address;
- a salted cryptographic hash of the IP address combined with the user agent, used only for scan-deduplication and abuse detection (the raw IP is not stored alongside the hash);
- generic device/browser type;
- referrer where the scanner uses a QR app that provides one.
We do not identify individual Scanners. We do not attach a Scanner identity to a scan; the hash is one-way and salted with a non-public key which we rotate periodically.
3.6 Security and abuse-prevention data
For security and abuse prevention we may also collect:
- Cloudflare Turnstile challenge responses (used to verify you are human, especially at signup and login);
- failed-login records, suspicious-activity flags, rate-limit-trigger events;
- abuse reports we receive about your QRs (subject + body of the report, contact details of the reporter);
- records relating to AUP enforcement, including action taken and the reasons for it.
3.7 Support and communications data
If you contact us we collect:
- the content of your message and any attachments;
- the email address or other identifier you used to contact us;
- the substance of our reply.
4. Purposes and legal bases (Article 13 GDPR)
We process personal data only for the purposes and on the legal bases set out below.
| # | Purpose | Categories | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| A | Create and maintain your Account; let you log in; identify you across sessions. | Account data, usage data | Contract performance (Art. 6(1)(b)) |
| B | Provide the Service: generate QRs, run the Dynamic QR redirector, store your Customer Content, save library entries, expose your analytics dashboard. | Account, Customer Content, scan-event, usage | Contract performance (Art. 6(1)(b)) |
| C | Process payments, manage Subscriptions, send invoices and receipts. | Account, billing | Contract performance (Art. 6(1)(b)) |
| D | Operate dedup, rate-limiting, fraud detection, abuse prevention; defend against attacks; protect the integrity of the Service. | Scan-event, security data, hashed IP+UA, Turnstile responses | Legitimate interests (Art. 6(1)(f)) — keeping the Service safe and reliable for our Users |
| E | Communicate with you about your Account, Subscription, security, billing, the Service, and required updates to legal documents. | Account, billing | Contract performance (Art. 6(1)(b)) and/or legal obligation (Art. 6(1)(c)) for any mandatory notice |
| F | Send you optional product news, tips, and marketing communications about CapyQR features and offers. | Account contact data | Consent (Art. 6(1)(a)) — you can withdraw at any time |
| G | Comply with our legal obligations (tax, accounting, AML, court orders, supervisory-authority requests, mandatory retention). | All categories as required | Legal obligation (Art. 6(1)(c)) |
| H | Establish, exercise, or defend legal claims; enforce our Terms, AUP, and rights; investigate suspected violations. | All categories as required | Legitimate interests (Art. 6(1)(f)) |
| I | Produce anonymized statistics about overall use of the Service (e.g., total monthly scans, popular QR types, server load) and use them to improve and market the Service. | Aggregated, anonymized only | Legitimate interests (Art. 6(1)(f)) — improvement and analytics |
| J | Provide you with support when you contact us. | Communications, Account | Contract performance and/or legitimate interests (Art. 6(1)(b)/(f)) |
We will not process your personal data for purposes incompatible with those listed above without first obtaining a new legal basis.
5. Who we share personal data with
We share personal data only with the categories of recipient set out below, and only to the extent strictly necessary for the relevant purpose.
5.1 Sub-processors / infrastructure providers
| Recipient | Role | Location | Transfer safeguard |
|---|---|---|---|
| Cloudflare, Inc. | Hosting, edge compute (Workers), database (D1), KV cache, DNS, CDN, security (WAF, Bot Management), Custom Hostnames | US-headquartered; data processed primarily on Cloudflare's EU edge | EU Standard Contractual Clauses (Module 3) and Cloudflare's Data Processing Addendum |
| Stripe Payments Europe, Ltd. | Payment processing, subscription billing, invoicing | Ireland (EU); some US affiliate processing | Stripe DPA, EU SCCs where applicable |
| Resend, Inc. | Transactional email delivery (magic-link, billing, notifications) | US | EU SCCs (Module 2), Resend DPA |
| Google LLC | Google OAuth sign-in (only if you choose Google as your login method) | US/EU | EU-US Data Privacy Framework (Google is certified) |
| Cloudflare Turnstile | Bot-protection challenge on auth flows (part of Cloudflare) | Cloudflare global edge | Covered by Cloudflare DPA above |
| GitHub, Inc. | CI/CD deployment pipeline (no end-user personal data sent here — code and config only) | US | EU SCCs / Microsoft DPA |
We maintain an up-to-date list of sub-processors. We may add or change sub-processors from time to time; material changes will be reflected here, and User-facing notice will be given where required.
5.2 Professional advisers
Lawyers, accountants, auditors, and similar professional advisers, bound by professional confidentiality, on a need-to-know basis.
5.3 Authorities
Courts, regulators (including any competent data-protection supervisory authority), tax authorities, law-enforcement agencies, and other public bodies — where required by law, court order, or properly authenticated regulatory request, including:
- court orders and judicial procedures in any jurisdiction with competence over us or the data subject;
- tax-authority requests in jurisdictions where we are required to retain billing or transactional records;
- GDPR and UK GDPR supervisory-authority cooperation;
- DSA Articles 9–10 (orders to act on illegal content or provide information).
5.4 Acquirers in a corporate transaction
If we are involved in a merger, acquisition, asset sale, financing, restructuring, or similar transaction, personal data may be transferred to the acquiring party (or to a prospective party under a confidentiality agreement for diligence). Any acquirer will be required to honour this Policy or to provide equivalent protection.
5.5 At your direction
To any other party with your explicit instruction or explicit consent — including any third-party application you connect to your Account.
We do not sell personal data, and we do not share it for cross-context behavioral advertising.
6. International transfers (Chapter V GDPR)
Some of our sub-processors are located outside the European Economic Area ("EEA"), principally in the United States. When personal data is transferred outside the EEA, we rely on one or more of the safeguards permitted by Chapter V GDPR:
- the European Commission's Standard Contractual Clauses (Implementing Decision 2021/914) with each sub-processor;
- the EU–US Data Privacy Framework (Implementing Decision 2023/1795) where the recipient is certified;
- additional supplementary measures appropriate to the risk (encryption in transit, encryption at rest, access controls, key management) as recommended by the European Data Protection Board guidance.
A copy of the relevant safeguard is available on request to privacy@capyqr.com.
7. How long we keep personal data
We keep personal data no longer than necessary for the purpose for which it was collected, subject to legal-obligation retention. Concrete retention periods:
| Data | Retention |
|---|---|
| Active Account data (email, settings, login records) | For as long as the Account is active. |
| Customer Content (designs, library, Dynamic QR config) | For as long as the Account is active, plus a backup window of up to 90 days for routine system backups. |
| Soft-deleted Account | The Account remains recoverable for 30 days after deletion request; after 30 days, personal data is permanently deleted (subject to billing-records retention below). |
| Scan-event data (hashed IP+UA, country, city, OS, device class, timestamp) | Up to 365 days rolling, tier-dependent: 7 days for Free-Tier Users, 30 days for Starter-Plan Subscribers, 365 days for Pro-Plan Subscribers. Older events are automatically deleted by daily cron. |
| Stripe billing records and invoices | Up to 6 years from the end of the relevant fiscal year, in line with the longest typical tax-record retention period across jurisdictions we may need to defend records in (e.g., UK CT records 6 years, Ireland 6 years, France 10 years, US IRS records 7 years). Adjustable down to 3 years if a single-jurisdiction setup is later adopted. |
| Support communications | Up to 3 years from the last interaction. |
| Audit logs (security events, AUP enforcement actions) | Up to 2 years, longer where required for a specific legal claim or regulatory matter. |
| Abuse reports received under the AUP / DSA | Up to 2 years, longer if relevant to an open matter. |
| Backups | Routine system backups are overwritten on rolling cycles of up to 90 days. |
| Records of consent / legal-basis documentation | For the duration of the relevant processing, plus 3 years. |
| Anonymized aggregate analytics | Indefinitely (no longer personal data). |
If we are subject to a court order, regulatory hold, or open legal claim that requires us to keep certain data longer, we will retain that data for the duration of the obligation.
8. How we protect personal data
We apply technical and organizational measures appropriate to the risk:
- Encryption in transit (TLS 1.2+) for all connections;
- Encryption at rest for the database and backups, via the underlying infrastructure provider's keys (Cloudflare D1);
- Cryptographic hashing with secret peppers for authentication tokens, IP+UA fingerprints, and other sensitive identifiers — keys rotated periodically;
- Access controls that limit personal-data access to the minimum necessary;
- Network controls including WAF, bot management, rate-limiting, and abuse-detection at the edge;
- Logging and monitoring of access and security events;
- Regular updates of software dependencies;
- Incident-response procedures for suspected breaches.
No system is perfectly secure. We do not warrant that personal data will never be lost, stolen, or accessed without authorization. If we become aware of a personal-data breach likely to result in a risk to the rights and freedoms of EU/UK data subjects, we will notify the competent supervisory authority within 72 hours of becoming aware (as required by GDPR Art. 33 and UK GDPR Art. 33), and notify affected individuals without undue delay where the GDPR or applicable law requires it.
9. Your rights under the GDPR
You have the following rights with respect to personal data we hold about you:
- Right of access (Art. 15) — to obtain confirmation of whether we process personal data about you and, if so, a copy of that data.
- Right to rectification (Art. 16) — to have inaccurate or incomplete personal data corrected.
- Right to erasure (Art. 17) — the "right to be forgotten", subject to the exceptions in Art. 17(3) (including our retention of billing data for legal compliance).
- Right to restriction of processing (Art. 18) in the circumstances set out in that Article.
- Right to data portability (Art. 20) — to receive personal data you have provided to us in a structured, commonly used, machine-readable format. We provide a CSV export of your Customer Content within the Service; for other data, contact privacy@capyqr.com.
- Right to object (Art. 21) — including to processing based on legitimate interests, on grounds relating to your particular situation, and (absolute right) to direct marketing.
- Right to withdraw consent (Art. 7(3)) at any time, where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Right not to be subject to a decision based solely on automated processing (Art. 22). We do not engage in any solely automated decision-making that produces legal or similarly significant effects on you.
- Right to lodge a complaint with a supervisory authority, namely the data-protection authority of your country of habitual residence, place of work, or place of the alleged infringement. EU data subjects can find their national authority via the European Data Protection Board at www.edpb.europa.eu/about-edpb/board/members_en. UK data subjects: the Information Commissioner's Office (ICO) at ico.org.uk.
How to exercise these rights
Email privacy@capyqr.com with your request. We may ask you to verify your identity before responding. We will respond within one (1) month of receiving a valid request, with the possibility of extending this period by a further two months in complex cases (with notice to you within the first month), as Article 12(3) GDPR permits.
We will not charge a fee for processing your request, except where it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act, as permitted by Article 12(5) GDPR.
10. Cookies and similar technologies
We use a minimal set of cookies and similar technologies. We aim to avoid non-essential tracking.
10.1 Strictly necessary
These cookies are required for the Service to function and are not subject to consent under Article 5(3) of the ePrivacy Directive (and Regulation 6 of the UK PECR):
- Session cookie (__capyqr_session or similar) — keeps you logged in.
- CSRF token — protects against cross-site request forgery.
- Locale preference — remembers your language.
- Cloudflare security cookies (__cf_bm, cf_clearance and similar) — set by Cloudflare for bot management and security; necessary for the Service to operate.
- Stripe checkout cookies — set by Stripe during checkout; necessary to process payment.
10.2 Analytics
10.3 Marketing
We do not use marketing, advertising, or cross-context behavioral tracking cookies.
10.4 Managing cookies
You can disable cookies in your browser. Disabling strictly necessary cookies may prevent the Service from working.
11. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you become aware that we hold such data, please contact us at privacy@capyqr.com and we will delete it.
If you encode the personal data of a third party (including a child) in Customer Content (for example, a vCard for a family member), you are responsible for ensuring you have the legal basis to do so.
12. Automated decision-making and profiling
We do not engage in solely automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.
Some of our security and abuse-prevention systems are automated (e.g., rate limits, bot challenges, hash-based deduplication), but they do not produce legal or similarly significant effects, and they are reviewed by a human where they result in enforcement action against an Account.
13. Personal data you process via the Service (Article 28 GDPR)
When you use the Service to process personal data of third parties (for example, by creating a vCard QR with someone's contact details, or by viewing scan analytics that include personal data), you act as data controller under the GDPR with respect to that data, and we act as data processor on your behalf.
In that role:
- we process the personal data only on your documented instructions (which, for the Service, are constituted by your use of the relevant features);
- we apply the security measures described in Section 8;
- we engage sub-processors as described in Section 5.1;
- we will assist you, to the extent reasonable, in responding to data-subject requests and complying with your own obligations under Articles 32–36 GDPR;
- we will, at your choice, delete or return your personal data on termination of the Service, save where retention is required by law;
- the full set of Article 28 processor obligations is set out in our Data Processing Addendum (DPA), available on request from privacy@capyqr.com.
You are responsible for ensuring that, in your capacity as controller, you have a valid legal basis under Article 6 GDPR for any personal data you process through the Service; that you have provided required notices to and (where applicable) obtained consent from your own data subjects; and that the personal data you submit is lawful, accurate, and current.
You agree to indemnify us in respect of any third-party claims, fines, or losses arising from your processing of personal data through the Service as a controller — as set out in Section 18 of the Terms of Service.
14. Changes to this Policy
We may update this Policy from time to time.
- Material changes (changes to legal basis, categories of data collected, recipients, retention periods, or your rights) will be notified to active Users at least thirty (30) days before they take effect, by email and/or in-app banner.
- Non-material changes (clarifications, formatting, contact updates) take effect when posted.
A "Last updated" date appears at the top of this Policy. We keep an archive of prior versions and can provide a copy on request.
15. Contact and complaints
For any privacy question, request, or complaint:
CapyQR
privacy@capyqr.com
If you are not satisfied with our response, you have the right to lodge a complaint with the data-protection supervisory authority of your country of habitual residence, your place of work, or the place of the alleged infringement.
- EU data subjects can find their national authority via the European Data Protection Board: www.edpb.europa.eu/about-edpb/board/members_en
- UK data subjects: the Information Commissioner's Office (ICO), ico.org.uk, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
