Privacy Policy
Last updated: January 7, 2026
At QR2Go, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal data when you scan our QR codes, in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.
1. Data Controller
The data controller responsible for your personal data is:
QR2Go
Email: privacy@qr2go.eu
Data Protection Officer: dpo@qr2go.eu
2. What Data We Collect
When you scan a QR code, we collect the following categories of data:
2.1 QR Code & Target Information
- QR Code ID: Unique identifier for the scanned QR code
- Target URL: Destination URL you are redirected to
- Scan Timestamp: Date and time of the scan
- Scan ID: Unique identifier for your scan session
Why we collect this: To provide QR code functionality, track usage statistics, and improve our service.
2.2 Cookie Consent Status
- Consent Status: Whether you have accepted, declined, or partially accepted cookies
- Consent Timestamp: When you provided consent
- Cookie Preferences: Your granular cookie preferences (functional, analytics, marketing)
Why we collect this: To comply with GDPR cookie consent requirements and respect your privacy preferences.
2.3 Redirect Outcome
- Redirect Type: Whether you were redirected automatically, proceeded manually, or cancelled the redirect
- Time on Page: How long you viewed the intermediate page
- User Actions: Which buttons you clicked (proceed, cancel)
Why we collect this: To understand user behavior and optimize the redirect experience.
2.4 Device & Browser Information
- Device Type: Mobile, desktop, or tablet
- Device Brand & Model: E.g., iPhone 14, Samsung Galaxy
- Operating System: E.g., iOS 17, Android 14, Windows 11
- Browser: E.g., Chrome, Safari, Firefox
- Screen Resolution: Width, height, pixel ratio, orientation
- Language & Timezone: Browser language and timezone settings
- User Agent: Technical identifier string sent by your browser
Why we collect this: To ensure compatibility, provide responsive design, detect bots, and analyze usage patterns across different devices.
2.5 Network & Geography (GDPR-Compliant)
- IP Address Hash: SHA-256 hashed IP address (NOT raw IP) - irreversible pseudonymization
- Connection Type: WiFi, cellular, ethernet, or unknown
- Approximate Location: Country, region, city (city-level accuracy only)
- Coordinates: Latitude/longitude rounded to 2 decimal places (~1km accuracy)
- ISP: Internet Service Provider name (if available)
🔒 GDPR Compliance: We do NOT store raw IP addresses. Your IP is hashed with SHA-256 + salt, making it impossible to reverse. Geographic data is approximate (city-level) and does not pinpoint your exact location.
2.6 Referrer & Campaign Parameters
- Referrer URL: The website you came from (if any)
- Referrer Type: Search engine, social media, email, or direct visit
- UTM Parameters: Campaign tracking parameters (source, medium, campaign, term, content)
- Custom Parameters: Any additional query parameters in the URL
Why we collect this: To understand where our traffic comes from and measure marketing campaign effectiveness.
2.7 Performance & Errors
- Performance Metrics: Page load time, time to interactive, API latency
- Error Logs: Technical errors that occur during your session (if any)
- Error Recovery: How errors were resolved
Why we collect this: To detect and fix technical issues, monitor performance, and improve reliability.
3. Legal Basis for Processing
Under GDPR Article 6, we process your personal data based on the following legal grounds:
- Consent (Article 6(1)(a)): For analytics and marketing cookies, we rely on your explicit consent. You can withdraw consent at any time.
- Legitimate Interests (Article 6(1)(f)): For essential functionality (QR code redirection, error logging, security monitoring), we rely on legitimate interests that do not override your privacy rights.
- Legal Obligation (Article 6(1)(c)): For maintaining security logs and fraud prevention as required by law.
4. How We Use Your Data
We use your data for:
- Service Delivery: Redirecting you to the correct destination URL
- Analytics: Understanding usage patterns, optimizing performance, and improving user experience (only with your consent)
- Security: Detecting bots, preventing fraud, and monitoring for malicious activity
- Debugging: Identifying and fixing technical errors
- Compliance: Meeting legal obligations under GDPR and other regulations
- Marketing: Campaign attribution and measuring marketing effectiveness (only with your consent)
5. Data Retention
We retain your data only for as long as necessary:
- Analytics Data: 365 days (1 year) from the scan date
- Aggregated Statistics: Indefinitely (no personal data, anonymized)
- Error Logs: 90 days (for debugging purposes)
- Cookie Consent Records: 2 years (to demonstrate GDPR compliance)
- Security Logs: 180 days (for fraud prevention)
After the retention period, all personal data is automatically deleted. Aggregated, anonymized statistics may be retained indefinitely for business intelligence purposes.
6. Your Rights Under GDPR
You have the following rights:
✓ Right to Access (Article 15)
Request a copy of all personal data we have collected about you.
✓ Right to Erasure (Article 17)
Request deletion of your personal data ("Right to be Forgotten").
✓ Right to Data Portability (Article 20)
Receive your data in a machine-readable format (JSON or CSV).
✓ Right to Object (Article 21)
Opt out of analytics tracking entirely. We will no longer collect your data.
✓ Right to Rectification (Article 16)
Request correction of inaccurate personal data.
✓ Right to Withdraw Consent
Withdraw your cookie consent at any time through our cookie banner settings.
How to exercise your rights: Visit our GDPR Data Request Form or email us at privacy@qr2go.eu. We will respond within 30 days as required by GDPR.
8. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: HTTPS/TLS encryption for all data in transit
- Pseudonymization: SHA-256 hashing of IP addresses with salt
- Access Controls: Strict access controls and role-based permissions
- EU Hosting: All data is stored on EU-based servers (GDPR-compliant)
- Regular Audits: Periodic security audits and vulnerability assessments
- Incident Response: 72-hour breach notification procedure as required by GDPR
9. Third-Party Services
We use the following third-party services:
- Matomo Analytics: Self-hosted, EU-based analytics platform. Data is NOT shared with third parties. Privacy policy: matomo.org/privacy
- MaxMind GeoLite2: IP-based geolocation database (self-hosted, no external API calls). Data is pseudonymized.
We do NOT use Google Analytics, Facebook Pixel, or other intrusive third-party trackers.
10. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your GDPR rights:
Email: privacy@qr2go.eu
Data Protection Officer: dpo@qr2go.eu
GDPR Data Requests: Submit a GDPR Request Form
We will respond to all requests within 30 days as required by GDPR Article 12(3).
Supervisory Authority: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
This privacy policy is effective as of January 7, 2026 and will remain in effect except with respect to any changes in its provisions in the future, which will be effective immediately after being posted on this page.