Privacy Policy
Last updated: June 25, 2026
1. Who we are & how to contact us
The data controller (and, under PIPEDA, the organization) responsible for your personal information is the Operator identified above. For any privacy question or to exercise your rights, contact us at hello@qre.gg.
2. Scope & the laws we follow
We serve users in the United Kingdom, the European Economic Area (EEA), the United States and Canada. Depending on where you are, your personal data is protected by laws including:
- the EU General Data Protection Regulation (GDPR);
- the UK GDPR and Data Protection Act 2018 (UK GDPR);
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA);
- the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and comparable US state privacy laws; and
- the ePrivacy rules governing cookies and similar technologies.
Where these laws give you stronger rights than this policy describes, those rights apply.
3. Information we collect
Information you give us
- Account data — your name, email address, and a securely hashed password (we never store your password in readable form). If you sign in with Google, we receive your name, email and profile image from Google.
- Content you create — your QR codes, their destinations and payloads, titles, folders, custom slugs, design settings, and any logos, images or landing-page content you upload.
- Billing data — when you subscribe, payments are processed by Stripe. We do not receive or store your full card number. We store your plan, subscription status, billing period, and Stripe customer/subscription identifiers.
- Support & feedback — messages you send us, support-chat content, and feature requests.
- Team data — if you invite collaborators, the email addresses you invite and the roles/permissions you assign.
Information we collect automatically
- Scan analytics — when someone scans one of your dynamic QR codes, we record the time of the scan, an approximate location (country, region, city), and the device, operating system, browser and referrer derived from the request. We may also record a coarse network/ISP descriptor and whether the scan appears to come from a datacenter or anonymizing network.
- Security & service logs — limited technical logs used to keep the service running, prevent abuse and debug problems.
- Cookies — strictly-necessary cookies described in Section 11.
What we don’t do
We don’t use advertising cookies or third-party marketing/analytics trackers in the app, we don’t build cross-site advertising profiles, and we don’t sell or rent your personal information.
4. How we use your information & our legal bases
Under the GDPR/UK GDPR we rely on the following legal bases:
- To provide the service (performance of a contract) — creating your account, generating and resolving QR codes, processing payments, and delivering analytics to you.
- Legitimate interests — securing the platform and preventing abuse, fraud and spam; producing aggregate, privacy-preserving scan analytics for code owners; and improving our products. We balance these against your rights.
- Consent — where required, for example any optional marketing communications (you can withdraw consent at any time).
- Legal obligation — keeping tax, accounting and transaction records, and responding to lawful requests.
5. People who scan your codes
When you create dynamic QR codes, the people who scan them generate the scan analytics described above. For that audience data, you (the code owner) determine the purpose, and we act as your service provider/processor, handling it on your behalf and in line with this policy. We apply privacy-by-design measures — most importantly, never storing raw IP addresses — so the analytics we surface are approximate and aggregate rather than identifying individual scanners. You are responsible for telling your own audience, where required, that scanning may collect this data.
6. Who we share information with (sub-processors)
We share personal data only with the service providers we need to run Qre.gg, under contracts that require them to protect it. We do not sell your data. Our key sub-processors are:
- Stripe — payment processing and subscription billing (privacy).
- Google — optional “Sign in with Google” authentication (privacy).
- Resend — transactional email delivery, e.g. verification, password reset and notifications (privacy).
- Hostinger — virtual private server hosting for our application and database (privacy).
- Cloudflare — content delivery, TLS and DDoS protection at the network edge, where enabled (privacy).
- Offline geolocation data — we use a locally-stored MaxMind GeoLite2 / DB-IP database to derive approximate location. No scan data is sent to them.
We may also disclose information if required by law, to protect our rights or users’ safety, or in connection with a merger, acquisition or sale of assets (you will be notified of any such change).
7. International data transfers
We are based in Canada and some of our sub-processors are in the United States and elsewhere, so your information may be transferred outside the UK/EEA. Where we transfer personal data of UK/EEA users, we rely on appropriate safeguards — such as the European Commission’s adequacy decision for Canada (PIPEDA-regulated commercial activity), Standard Contractual Clauses, the UK International Data Transfer Addendum, or our providers’ certified transfer mechanisms — to ensure your data remains protected.
8. How long we keep it
- Account & content — kept while your account is active. When you delete your account from your dashboard, we permanently delete your account record, the QR codes you created, and their scan events from our systems.
- Scan analytics — detailed scan events are kept while the related code and your account exist, so you can view historical analytics, and are deleted when you delete the code or your account. We may also keep aggregate, non-identifying summary statistics. The salted hash used to tell repeat scans apart is irreversible, and the raw IP address is never stored.
- Billing records — when you delete your account, our copy of your subscription data is deleted with it. Payment and invoice records held by our payment processor, Stripe, are retained by Stripe for the period required by tax and accounting law (generally up to 6–7 years).
- Backups & logs — retained for a limited period for security and disaster recovery, then deleted.
9. Your privacy rights
Subject to the law that applies to you, you have the right to:
- Access a copy of the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data (“right to be forgotten”);
- Restrict or object to certain processing, including processing based on legitimate interests;
- Port your data to another service in a structured, machine-readable format;
- Withdraw consent at any time, where we rely on consent; and
- Not be discriminated against for exercising your rights.
California (CCPA/CPRA)
California residents have the right to know what personal information we collect and how we use and disclose it, to delete and correct it, and to opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined, and we do not use sensitive personal information for purposes that require an opt-out. We will not discriminate against you for exercising these rights.
How to exercise your rights
You can update much of your information, and permanently delete your account and associated data, directly from your dashboard settings. For any other request, email hello@qre.gg and we will respond within the time required by law (generally within 30 days). We may need to verify your identity first. You may use an authorized agent where the law allows.
If you are in the UK/EEA and believe we have mishandled your data, you may lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner’s Office). In Canada, you may contact the Office of the Privacy Commissioner of Canada. We’d appreciate the chance to address your concern first.
10. How we protect your data
We use technical and organizational measures appropriate to the risk, including encryption in transit (HTTPS/TLS), securely hashed passwords, salted and irreversible hashing of scan identifiers (and no storage of raw IPs), strict access controls, parameterized database queries to prevent injection, and ongoing monitoring. No method of transmission or storage is 100% secure, so we cannot guarantee absolute security, but we work hard to protect your information and will notify you and the relevant authorities of a data breach where required by law.
11. Children
Qre.gg is not directed to children. We do not knowingly collect personal data from children under 16 (or the minimum age in your jurisdiction). If you believe a child has provided us personal data, contact us and we will delete it.
12. Cookies & similar technologies
We use only strictly-necessary cookies — the kind that are required to operate the service and that, under ePrivacy rules, do not require consent. We do not use advertising or cross-site tracking cookies. The cookies and similar storage we use include:
- Session / authentication — to keep you securely signed in.
- Security — to protect against cross-site request forgery and abuse.
- Preferences — to remember your selected workspace and similar choices, and to remember that you’ve seen our cookie notice.
- Access control — short-lived cookies that record that you’ve unlocked a password-protected code.
13. Automated decision-making
We do not make decisions producing legal or similarly significant effects about you based solely on automated processing.
14. EU & UK representatives
The Operator is based in Canada. Where we are required under Article 27 of the GDPR or the UK GDPR to designate a representative in the EEA or the United Kingdom, we will do so and publish their contact details here. In the meantime, individuals in the EEA and the UK can contact us directly about their personal data at hello@qre.gg.
15. Changes to this policy
We may update this policy from time to time. When we make material changes, we’ll update the “Last updated” date above and, where appropriate, notify you. Your continued use of Qre.gg after an update means you accept the revised policy.
16. Contact us
Questions about this policy or your data? Email hello@qre.gg. See also our Terms of Service.