Privacy Policy
Last updated: 2026-04-21
1. Who we are
QRDrobe (“we”, “us”, “our”) operates the web application at https://qrdrobe.com, which lets you create and manage dynamic QR cards. We are based in Ontario, Canada.
For any privacy question or to exercise your rights, contact us at legal@qrdrobe.com.
2. Scope
This policy covers personal data we process when you visit our website, create an account, use the service, or when someone scans a QR card you published. It applies under the EU General Data Protection Regulation (GDPR), the UK GDPR, and Canadian PIPEDA where applicable.
3. What we collect
3.1 Account data
- Email address (used to sign in and contact you)
- Full name (optional, shown in the app and in transactional emails)
- Hashed password and MFA status
- Timestamps of account creation, terms acceptance, and last activity
- Session security metadata — the IP address and user-agent of the device you sign in from, used to maintain your session and detect suspicious activity
3.2 Content you create
- QR card content (titles, descriptions, contact details, links, menu items, etc. — whatever you type in)
- Images you upload (logos, cover photos, galleries)
- A unique public URL for each card you publish
You control what goes into your cards. Do not publish personal data about other people without a lawful basis.
Public cards are accessible to anyone with the link and may be discovered and indexed by search engines (such as Google). Information you put in a card — including names, phone numbers, addresses, and images — may therefore appear in public search results. Only include information you are comfortable making publicly searchable.
3.3 Scan analytics (when a card is scanned)
- Timestamp of the scan
- Approximate geographic location derived from IP (country, region, city — never the raw IP)
- Device type (mobile / desktop / tablet) and user-agent string
- Referring URL, if any
We do not set tracking cookies on scanner devices, do not build cross-site profiles of scanners, and do not share scan data with advertisers.
3.4 Strictly necessary cookies
We use a small number of first-party cookies strictly required to keep you signed in and to prevent request forgery. See our Cookie Disclosure for the full list. We do not use advertising, marketing, or third-party analytics cookies.
4. Why we process it (legal bases)
- Contract (GDPR Art. 6(1)(b)) — to create your account, run the service, and deliver the cards you publish.
- Legitimate interests (Art. 6(1)(f)) — to keep the service secure, prevent abuse, and measure aggregate scan activity for your own dashboards.
- Legal obligation (Art. 6(1)(c)) — to respond to lawful requests and to retain records when required.
- Consent (Art. 6(1)(a)) — where you explicitly opt in. Today this covers product update emails: at signup we offer an unchecked “Keep me in the loop on new features, tips, and occasional offers” checkbox; you can also toggle this at any time in Settings → Notifications. We do not send marketing email without that opt-in, and we record the timestamp of each grant or revocation.
5. Who we share with
We do not sell personal data. We share it only with vetted infrastructure providers strictly needed to run the service — covering hosting, content delivery, databases, authentication, email delivery, object storage, and privacy-preserving analytics. Data resides in regions we select; the primary region today is Canada.
All providers act as processors under signed Data Processing Addenda (DPAs) and offer the Standard Contractual Clauses for any cross-border transfers. A current list of sub-processors is available on request to legal@qrdrobe.com.
6. International transfers
Your data may be processed outside your country (for example, an EU user's data may be processed in Canada). Where this happens, we rely on the EU Commission's adequacy decision for Canada (commercial organizations) and/or Standard Contractual Clauses with our processors.
7. How long we keep it
- Account data — for as long as your account exists. Deleted immediately on account deletion (see section 9).
- Cards and uploaded images — until you delete them or delete your account.
- Scan analytics — retained for up to 90 days in detailed form, then aggregated.
- Session security metadata — kept for the lifetime of the active session (up to 7 days), then deleted when the session expires or you sign out.
- Security logs — up to 90 days.
- Legal / tax records — currently none (no payments at launch); this section will be updated when billing is introduced.
8. Security
Passwords are hashed using industry-standard methods (Argon2id) and are never visible to us. Sessions use httpOnly, Secure cookies. All traffic is served over HTTPS. Access to production data is restricted and audited. Personal data is encrypted at rest.
No system is perfectly secure; if a breach affects your data, we will notify you and the relevant supervisory authority as required by law.
9. Your rights
Under GDPR, UK GDPR, and PIPEDA you have the right to:
- Access — download a copy of your data from Settings → Privacy, or by emailing us.
- Rectification — edit your profile and cards directly, or ask us.
- Erasure — delete your account from Settings → Danger Zone. This irreversibly removes your account, cards, images, and personal data. A short residual period may apply to backups (up to 35 days) and anti-abuse logs (up to 90 days).
- Restriction and objection to processing based on legitimate interests.
- Portability — the export includes your data in a machine-readable format (JSON).
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your local supervisory authority (e.g., your EU national DPA, the UK ICO, or the Office of the Privacy Commissioner of Canada).
To exercise any of these rights, email legal@qrdrobe.com. We respond within 30 days.
10. Children
The service is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.
11. Automated decision-making
We do not make automated decisions that produce legal or similarly significant effects on you.
12. Changes to this policy
We may update this policy. Material changes will be announced by email or in-app notice before they take effect. The “Last updated” date at the top reflects the most recent revision.
13. Contact
Questions, requests, or complaints: legal@qrdrobe.com.