Privacy Policy

Version 1.0 · Effective from 13 May 2026

This policy describes how QR Studio (the Service) processes personal data in accordance with Regulation (EU) 2016/679 (GDPR) and related laws. We recommend reading it in full before creating an account.

1. Data Controller

The data controller is the operator of the QR Studio service, available at qrstudio.cz. Contact: info@qrstudio.cz.

To exercise your rights, simply email the address above. We respond without undue delay, no later than 30 days.

2. What Data We Process

2.1. Account Data

Email address (for login and account-related communication).
Password (stored only as a secure hash, never in plaintext).
Account creation date, last sign-in date.
Record of consent (time, terms version, browser used at the time of consent).

2.2. Content You Upload

QR code content you save (URLs, text, contact cards, Wi-Fi credentials, payment data SPD/EPC, etc.). You enter this data knowingly and determine its nature yourself.
Design of the saved QR code (colors, template, logo).
Folder names and structure.

Notice: If you include personal data in a QR code (e.g. a Wi-Fi password, a third party's phone number), you are the controller of that data for GDPR purposes.

2.3. Scan Statistics (Dynamic QR Codes Only)

If you use dynamic QR codes (with a short URL qrstudio.cz/r/...), each scan records the following:

Scan time and the code that was scanned.
Device type (mobile / tablet / desktop) and browser type - from the User-Agent header.
Country and approximate location (city) derived from the IP address. The IP address itself is not stored - only the derived country and city.

This data is used solely to display statistics to the owner of the QR code. We never link it to the scanner identity and never share it with third parties.

2.4. Operational Cookies and Analytics

Browser functional storage (localStorage): language, theme (light/dark), consent state. The service still works without it, but settings will be lost.
Supabase authentication cookies: only for signed-in users, required to keep the session active.
Google Analytics 4 (G-ZBZK60ZG56): anonymized IP, website traffic tracking. Optional - enabled only with your explicit consent in the cookie banner or during sign-up.

3. Purposes and Legal Bases

Purpose	Data	Legal Basis
Account operation and QR code storage	Email, password hash, QR content, folders	Contract performance - Art. 6(1)(b) GDPR
Scan statistics for dynamic QR codes	Time, device type, country/city (from IP, IP not retained)	Legitimate interest - Art. 6(1)(f) GDPR (provide stats to code owner)
Google Analytics	Anonymized IP, site visit data	Consent - Art. 6(1)(a) GDPR
Record of consent and terms	Time, version, browser	Legal obligation - Art. 6(1)(c) GDPR
Security and abuse prevention	Access logs (server logs, temporary)	Legitimate interest - Art. 6(1)(f) GDPR

4. Recipients and Processors

We do not sell data. The following parties may have access:

Hetzner Online GmbH (DE) - virtual server provider hosting the app. Privacy policy.
Supabase (Supabase Inc., USA, EU-region data center) - authentication and database. Privacy policy.
Google Ireland Ltd. - Google Analytics (only if you consent). Privacy policy.

All processors are bound by a Data Processing Agreement (DPA) under Art. 28 GDPR. Servers are located in the EU.

5. Transfers Outside the EU

Supabase Inc. is based in the USA, but the service infrastructure runs in an EU data center. Any transatlantic access uses Standard Contractual Clauses (SCC) under Art. 46 GDPR. Google Analytics is provided by Google Ireland Ltd.; transfers to the USA are covered by SCC and the EU-US Data Privacy Framework.

6. Retention Periods

Account data and QR codes: for the entire account lifetime. After account deletion, data is irreversibly removed within 30 days.
Scan statistics: aggregated data is kept for the lifetime of the code owner account.
Consent records: 3 years after consent withdrawal (legal obligation to demonstrate consent).
Server logs: maximum 30 days, security purposes only.
Google Analytics: 14 months (GA4 default data retention setting).

7. Your Rights

Under GDPR you have the following rights, which you can exercise by emailing info@qrstudio.cz or in your account settings:

Right of access (Art. 15) - obtain a copy of your data.
Right to rectification (Art. 16) - correct inaccurate data.
Right to erasure (Art. 17, right to be forgotten) - delete the account and all data.
Right to restriction (Art. 18).
Right to data portability (Art. 20) - export your data in a structured format (JSON).
Right to object (Art. 21) to processing based on legitimate interest.
Right to withdraw consent (Art. 7(3)) - any time, without affecting prior processing. For Google Analytics: Cookies button in the footer or in account settings.
Right to lodge a complaint with a supervisory authority - in the Czech Republic, the Office for Personal Data Protection (uoou.cz).

8. Security

All communication is encrypted via HTTPS (TLS 1.2+).
Passwords are stored only as secure hashes (bcrypt).
The database uses Row-Level Security (RLS) - each user can only access their own data.
The server sends CSP, X-Frame-Options and other headers to protect against XSS and clickjacking.

9. Children

The service is not intended for persons under 16 years of age. We do not knowingly process children personal data. If you believe a child has provided personal data without parental consent, contact us and we will remove the data.

10. Changes to This Policy

We may update this policy. We will notify you of material changes by email or via an in-service notice and require fresh consent to the updated version. The version date appears in the header of this document.

11. Contact

For any data protection questions or requests, contact: info@qrstudio.cz