Privacy Policy
Last updated: 2026-01-21
Data Controller
QRKEEPER ("we", "our", or "us") is the data controller responsible for your personal data. For privacy-related inquiries, contact us at:
Email: support@qrkeeper.com
Information We Collect
Information You Provide
- Account Information: Email address and optional name when you sign up
- OAuth Profile Data: If you sign in with Google or Apple, we receive your name and email from those services
- Business Information: Business name, logo, category, and description when registering a business
- Loyalty Card Data: Card designs and settings you create
Information Collected Automatically
- Visit Records: Timestamps when customers check in at businesses using their loyalty cards
- Referral Relationships: Connections between customers who share and save loyalty cards (we track who referred whom, not personal details)
- Analytics Data: Aggregated visit patterns, UTM campaign tracking for marketing link attribution
- IP Addresses: Collected for security, rate limiting, and geographic analytics
- Device Information: Browser type, operating system, and device identifiers for service optimization
- Cookies: Session cookies for authentication and locale preference cookies
Payment Information
We use Stripe to process payments. We do not store your credit card numbers or full payment details. Stripe handles all payment processing in compliance with PCI-DSS standards. We only receive:
- Last 4 digits of your card
- Card brand (Visa, Mastercard, etc.)
- Billing address (if provided)
- Payment status and transaction IDs
Legal Basis for Processing
We process your data based on:
- Contract Performance: To provide the services you requested (loyalty card management, visit tracking)
- Legitimate Interest: To improve our services, prevent fraud, and ensure security
- Consent: For optional marketing communications (you can opt out anytime)
- Legal Obligation: To comply with applicable laws and regulations
How We Use Your Information
We use collected information to:
- Provide and maintain our loyalty card and referral tracking services
- Process business subscriptions and payments via Stripe
- Track visit history and referral chains for analytics
- Send service-related communications (password resets, visit confirmations)
- Improve and personalize your experience
- Prevent fraud and ensure platform security
- Generate aggregated analytics for businesses (without exposing individual customer data)
- Comply with legal obligations
Data Sharing
We do not sell your personal information.
We may share data with:
Service Providers
- Stripe: Payment processing (Stripe Privacy Policy)
- Resend: Transactional email delivery
Business Partners
When you use a business's loyalty program:
- The business can see your visit history with them
- The business can see if you referred other customers (anonymous IDs only, not personal details)
- The business never sees your email address, phone number, or personal information
Legal Requirements
We may disclose data when required by law, legal process, or to protect our rights and the safety of our users.
Data Retention
We retain your personal data for as long as:
- Your account is active
- Needed to provide our services
- Required by law (e.g., financial records)
After account deletion:
- Account data is deleted within 30 days
- Anonymized analytics data may be retained indefinitely
- Financial records are retained for 7 years as required by law
Your Rights (GDPR)
You have the right to:
Access
Request a copy of all personal data we hold about you.
Rectification
Correct inaccurate personal data.
Erasure ("Right to be Forgotten")
Request deletion of your personal data, subject to legal retention requirements.
Data Portability
Receive your data in a structured, commonly used, machine-readable format.
Restriction of Processing
Request that we limit how we use your data.
Object to Processing
Object to processing based on legitimate interests or for direct marketing.
Withdraw Consent
Withdraw consent at any time for processing based on consent.
To exercise these rights, contact us at support@qrkeeper.com. We will respond within 30 days.
International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure adequate protection through:
- Standard contractual clauses approved by the European Commission
- Only using service providers with appropriate data protection measures
Cookies and Tracking
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Authentication | Browser session |
| NEXT_LOCALE | Language preference | 1 year |
| Stripe cookies | Payment processing | As per Stripe policy |
We do not use advertising or third-party tracking cookies.
Children's Privacy
Our services are not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact us immediately.
Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of QR code payloads (ChaCha20-Poly1305)
- Secure password hashing (bcrypt)
- Rate limiting on sensitive operations
- Regular security reviews
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For significant changes, we will notify you via email or a prominent notice on our service.
Contact Us
If you have questions about this Privacy Policy or want to exercise your rights, please contact us:
Email: support@qrkeeper.com
For complaints about our data practices, you may also contact your local data protection authority.