GDPR Statement

QR Genie is committed to complying with the EU General Data Protection Regulation (GDPR). This page explains our lawful basis for processing, your rights, and how to exercise them.

Last updated: June 2025

Data Controller

The data controller responsible for your personal data is QR Genie. If you have questions about how we handle your data or wish to exercise a data subject right, contact our Data Protection Officer at:

QR Genie — Data Protection Officer
QR Genie Ltd., EU

Lawful Basis for Processing

Under Article 6 GDPR we rely on the following legal bases to process personal data:

Contract performance

Processing your account details, QR code content, and hosted pages is necessary to deliver the service you have contracted for (Article 6(1)(b)).

Legitimate interests

Aggregating anonymised scan analytics to improve the platform and prevent abuse (Article 6(1)(f)). We have assessed that these interests do not override your rights.

Legal obligation

Retaining billing records as required by EU accounting regulations (Article 6(1)(c)).

Consent

We do not rely on consent as a primary basis for processing. If we ever introduce optional communications or cookies beyond essential ones, we will ask for explicit, granular consent.

Your Data Subject Rights

As a data subject under GDPR you have the following rights. You can exercise most of them directly in the app; for anything else, email privacy@qrgenie.io.

Art. 15
Right of Access

You can request a copy of all personal data we hold about you. Use the Export my data button in Settings for a full machine-readable JSON export, or email us for a human-readable summary.

Art. 16
Right to Rectification

Update your name or email at any time in Settings → Profile. If any other data is inaccurate, contact us and we'll correct it within 30 days.

Art. 17
Right to Erasure ("Right to be Forgotten")

You may delete individual QR codes and landing pages from the dashboard at any time. To delete your entire account and all associated personal data, email us at privacy@qrgenie.io. Erasure is completed within 30 days, except for billing records we must retain by law.

Art. 18
Right to Restriction of Processing

If you contest the accuracy of your data, or object to our processing, you can ask us to restrict processing while we resolve the dispute. Email us to invoke this right.

Art. 20
Right to Data Portability

You have the right to receive your data in a structured, commonly used, machine-readable format (JSON). Use Settings → Export my data to download a complete export of your account, campaigns, landing pages, QR codes, and scan history.

Go to Settings → Export my data to download your JSON export.

Art. 21
Right to Object

You may object to processing based on our legitimate interests (e.g. aggregate analytics). Email us stating your grounds and we will review whether compelling legitimate grounds to continue exist.

Art. 77
Right to Lodge a Complaint

You have the right to lodge a complaint with the supervisory authority in your EU member state. In Ireland this is the Data Protection Commission (dataprotection.ie); in Poland, UODO (uodo.gov.pl).

Data Export — "Export my data"

QR Genie provides a one-click GDPR data export from Settings → Export my data. The export is a JSON file containing:

  • Your account profile (name, email, plan, account creation date)
  • All your campaigns with names, colours, and code counts
  • All your landing pages including their content data
  • All your QR codes including content, design settings, destination history, and scan counts

This export is available to all users at no additional cost. It is machine-readable (JSON) and human-readable. You can use it to migrate to another platform or simply to keep a local backup of your data.

Sub-processors

We use the following third-party sub-processors. Each is bound by a Data Processing Agreement and by EU adequacy decisions or Standard Contractual Clauses where applicable.

| Processor | Purpose | Location | Basis |
|---|---|---|---|
| Hetzner / AWS | Application hosting & file storage (Active Storage) | EU (Germany / Ireland) | Adequacy |
| Stripe | Payment processing | US / EU | SCC |
| Postmark / SendGrid | Transactional email (receipts, account notifications) | US | SCC |
| Cloudflare | DNS, DDoS protection, CDN edge caching | EU / US | SCC |

We will update this list when we add or remove sub-processors and will notify existing users by email with 30 days' notice for material additions.

International Data Transfers

Our primary infrastructure is located within the European Economic Area. Where sub-processors are based in third countries (e.g. the United States), transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c), or by an applicable adequacy decision. No personal data is transferred to countries without an appropriate safeguard.

Contact & DPO

For all GDPR-related matters, including data subject rights requests, please contact our Data Protection Officer at privacy@qrgenie.io. We aim to respond within 5 business days and will always meet the 30-day statutory deadline.

For a broader overview of our data practices, see our Privacy Policy.