Privacy Policy
How GetQRFree collects, uses, and protects your personal information
2026/05/27
Introduction
This Privacy Policy explains how GetQRFree ("we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our QR code generation and management services (the "Service").
GetQRFree offers two types of services with different privacy implications:
- Free Static QR Code Generator: No registration required, data processed locally in your browser
- Paid Dynamic QR Code Service: Requires account registration, data stored on our servers
By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Service.
Information We Collect
Information for Free Static QR Code Service
When you use our free static QR code generator without an account:
- No Account Information Required: We do not require registration and do not collect account profile information for this free tool
- Local Processing: Your QR code content (URLs, text, WiFi passwords) is processed entirely in your browser
- No Server Storage: Your QR code content is never transmitted to or stored on our servers
- Limited Analytics Data: When analytics is enabled, we collect page views and general product usage events to understand service performance. Your QR code content is still processed locally and is not sent to our analytics provider.
Information for Paid Dynamic QR Code Service
When you create an account and use our paid services, we collect the following categories of information:
Account Information
| Data | Source | Purpose |
|---|---|---|
| Name | Google Account | Account identification |
| Email address | Google Account | Account management, notifications |
| Profile picture | Google Account | Account personalization |
| Account preferences | Your settings | Service customization |
Payment Information
| Data | Processor | Purpose |
|---|---|---|
| Credit/debit card details | Stripe (not stored by us) | Payment processing |
| Billing address | Stripe | Payment verification, invoicing |
| Transaction history | Our servers | Billing records, support |
| Subscription status | Our servers | Service delivery |
Note: We do not store complete credit card numbers. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor.
Refund Request Information
| Data | Retention | Purpose |
|---|---|---|
| Refund request details | 2 years | Processing refund requests |
| Supporting documentation | 2 years | Verifying refund eligibility |
| Communication records | 2 years | Customer support and dispute resolution |
When you submit a refund request, we collect your account email, order/invoice numbers, reason for refund, and any supporting documentation you provide. For malicious traffic claims, we may analyze scan logs including IP address patterns, geographic distribution, and temporal patterns to verify your claim.
QR Code Content
| Data | Retention | Purpose |
|---|---|---|
| Target URLs | Account lifetime | QR code functionality |
| LinkPage content | Account lifetime | Multi-link pages |
| vCard information | Account lifetime | Contact QR codes |
| WiFi credentials | Account lifetime | WiFi QR codes |
| Uploaded files (logos, PDFs, images) | Account lifetime | QR code customization |
Scan Analytics Data
When someone scans your dynamic QR codes, we collect:
| Data | Processing | Purpose |
|---|---|---|
| IP address | Hashed for anonymization | Unique visitor counting |
| Geographic location | City-level only | Location analytics |
| Country and region | Stored | Geographic distribution |
| Device type | Stored | Device analytics |
| Operating system | Stored | Technical analytics |
| Browser | Stored | Technical analytics |
| Timestamp | Stored | Time-based analytics |
| Referrer URL | Stored | Traffic source analytics |
Important: Scan analytics are collected from individuals who scan your QR codes (third parties), not just account holders. We do not attempt to identify individual scanners and use IP hashing to prevent identification.
Usage Data
| Data | Retention | Purpose |
|---|---|---|
| Login records | 90 days | Security |
| Product analytics events | Aggregated in Google Analytics | Service improvement, activation analysis, conversion measurement |
| Error logs | 90 days | Technical support |
Product analytics events may include actions such as sign up, login, QR type selection, QR creation, QR download, link copy, analytics view, media actions, custom domain actions, checkout, purchase, subscription changes, settings updates, and marketing form submissions. We use low-cardinality parameters such as QR type, plan name, billing interval, locale, source, status, and normalized error codes. We do not intentionally send Google Analytics email addresses, phone numbers, QR code contents, target URLs, WiFi passwords, file names, raw domain names, Stripe customer or subscription IDs, or account User-ID values. We currently do not enable the GA4 User-ID feature.
How We Use Your Information
We use collected information for the following purposes:
Service Delivery
- Creating and managing your account
- Processing payments and subscriptions
- Generating and hosting dynamic QR codes
- Providing scan analytics and reports
- Sending service-related notifications
- Processing refund requests and investigating billing disputes
Service Improvement
- Analyzing usage patterns to improve features
- Measuring product activation, QR creation, feature usage, checkout, and subscription funnels
- Identifying and fixing technical issues
- Developing new features based on user needs
Security and Fraud Prevention
- Protecting against unauthorized access
- Detecting and preventing fraudulent activity
- Enforcing our Terms of Service
Legal Compliance
- Complying with applicable laws and regulations
- Responding to legal requests and court orders
- Protecting our legal rights
Communications
- Sending account and billing notifications
- Responding to your inquiries and support requests
- Sending product updates (with your consent, where required)
Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), UK, and Switzerland, we process your personal data based on the following legal grounds:
| Processing Activity | Legal Basis |
|---|---|
| Account management | Contract performance |
| Payment processing | Contract performance |
| QR code hosting | Contract performance |
| Refund request processing | Contract performance |
| Website and product analytics | Legitimate interests |
| Scan analytics | Legitimate interests |
| Security measures | Legitimate interests |
| Billing dispute investigation | Legitimate interests |
| Marketing emails | Consent |
| Legal compliance | Legal obligation |
Legitimate Interests: We have conducted balancing tests to ensure our legitimate interests do not override your fundamental rights. You may object to processing based on legitimate interests by contacting us.
Data Retention
We retain your information for the following periods:
Account Data
| Data Type | Retention Period | Trigger for Deletion |
|---|---|---|
| Account information | Account lifetime + 30 days | Account deletion |
| QR codes and content | Account lifetime | User deletion or account closure |
| Uploaded files | Account lifetime | User deletion or account closure |
Analytics Data (varies by subscription plan)
| Plan | Retention Period |
|---|---|
| Free | 7 days |
| Solo | 3 months |
| Micro | 12 months |
| Pro | 24 months |
Analytics data older than your plan's retention period is automatically and permanently deleted.
Other Data
| Data Type | Retention Period |
|---|---|
| Payment records | 7 years (tax compliance) |
| Server logs | 90 days |
| Support communications | 2 years |
Data After Account Deletion
When you delete your account:
- Account data is deleted within 30 days
- Analytics data is deleted within 90 days
- Payment records are retained for 7 years as required by law
- Backups are purged within 90 days
Information Sharing and Disclosure
We share your information only in the following circumstances:
Service Providers
We use trusted third-party service providers to operate our Service:
| Provider | Data Shared | Purpose | Privacy Policy |
|---|---|---|---|
| OAuth authentication data | User authentication | Google Privacy Policy | |
| Google Analytics | Page views, session identifiers, product event names, low-cardinality event parameters | Website and product analytics | Google Privacy Policy |
| Stripe | Payment information | Payment processing | Stripe Privacy Policy |
| Cloudflare | IP addresses, request data | CDN, security, DNS | Cloudflare Privacy Policy |
| Resend | Email addresses | Transactional emails | Resend Privacy Policy |
| Database provider | All stored data | Data hosting | Available upon request |
All service providers are contractually bound to protect your data and use it only for the specified purposes.
Legal Requirements
We may disclose your information if required to:
- Comply with applicable laws or regulations
- Respond to valid legal process (subpoenas, court orders)
- Protect our rights, property, or safety
- Protect the rights, property, or safety of others
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
With Your Consent
We may share your information for other purposes with your explicit consent.
Information We Do NOT Sell
We do not sell your personal information. We do not share your personal information with third parties for their direct marketing purposes.
Your Privacy Rights
Rights for All Users
Regardless of your location, you have the right to:
- Access: Request a copy of your personal information
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your personal information
- Data Export: Export your QR codes and analytics data
- Objection: Object to certain processing activities
Additional Rights for EEA/UK Users (GDPR)
If you are located in the EEA or UK, you also have the right to:
- Restriction: Request restriction of processing
- Portability: Receive your data in a machine-readable format
- Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
- Lodge Complaint: File a complaint with your local data protection authority
Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: What personal information we collect, use, and disclose
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information
- Right to Limit Use of Sensitive Personal Information: Limit use of sensitive categories
- Right to Non-Discrimination: We will not discriminate against you for exercising these rights
Categories of Personal Information Collected (per CCPA):
- Identifiers (name, email, IP address)
- Commercial information (transaction history, subscription)
- Internet activity (usage data, scan analytics)
- Geolocation data (city-level from scans)
- Inferences (derived analytics)
Sensitive Personal Information: We collect precise geolocation data only at the city level for scan analytics purposes.
Do Not Sell or Share: We do not sell or share your personal information as defined under CCPA/CPRA.
Exercising Your Rights
To exercise any of these rights:
- Account Settings: Many options are available in your account dashboard
- Email Request: Contact us at privacy@getqrfree.com
- Verification: We may need to verify your identity before processing requests
We will respond to valid requests within 30 days (or 45 days for complex requests, with notice).
Data Security
We implement appropriate technical and organizational measures to protect your information:
Technical Measures
- Encryption in Transit: All data transmitted using TLS 1.2 or higher
- Encryption at Rest: Sensitive data encrypted in our databases
- Access Controls: Role-based access to production systems
- IP Hashing: Scanner IP addresses are hashed to prevent identification
- Secure Authentication: OAuth 2.0 via Google
Organizational Measures
- Limited employee access to personal data
- Security training for personnel with data access
- Incident response procedures
- Regular security assessments
Data Breach Response
In the event of a data breach affecting your personal information, we will:
- Notify you within 72 hours of discovery (where required by law)
- Provide details about the breach and affected data
- Describe steps we are taking to address the breach
- Offer guidance on protective measures you can take
International Data Transfers
GetQRFree is based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.
For EEA/UK Users
We transfer data from the EEA/UK to the United States using:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Additional safeguards where required
By using our Service, you consent to the transfer of your information to the United States.
Children's Privacy
Free Static QR Code Service
The free static QR code generator does not require registration and does not store QR content on our servers. Limited website analytics may still be collected as described above.
Paid Dynamic QR Code Service
The paid service requires account registration and is intended for users who are at least 18 years old. We do not knowingly collect personal information from children under 18 for paid services.
If we learn that we have collected personal information from a child under 18 for paid services, we will promptly delete that information. If you believe we have collected information from a child, please contact us at privacy@getqrfree.com.
Cookies and Tracking Technologies
Essential Cookies
We use essential cookies for:
- User authentication and session management
- Security and fraud prevention
- Remembering your preferences
Analytics
We use Google Analytics for website and product analytics. Google Analytics may store a client ID in first-party cookies such as _ga to distinguish users and sessions. We use analytics to measure page views, QR creation and usage funnels, checkout and purchase events, subscription changes, and other product interactions.
We do not currently enable GA4 User-ID, and we do not send account User-ID values to Google Analytics. We also do not intentionally send personal contact details, QR contents, target URLs, WiFi passwords, file names, raw domain names, or Stripe customer/subscription IDs as analytics event parameters.
Third-Party Cookies
Third-party services (Google Analytics, Google OAuth, Stripe) may set or read their own cookies or related identifiers. Please refer to their respective privacy policies.
For more details, please see our Cookie Policy.
Third-Party Links
Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these websites. We encourage you to read the privacy policies of any third-party sites you visit.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will notify you by email (for account holders)
- We will post a prominent notice on our website
- We will update the "Last Updated" date at the bottom of this policy
Changes take effect when posted unless otherwise specified. Your continued use of the Service after changes constitutes acceptance of the updated policy.
We encourage you to review this Privacy Policy periodically.
Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
For General Privacy Inquiries:
- Email: privacy@getqrfree.com
- Contact Form: Contact Page
For Data Subject Rights Requests:
- Email: privacy@getqrfree.com
- Response Time: Within 30 days
For EEA Users: While we do not have a physical presence in the EEA, you may contact us at the above addresses for any GDPR-related inquiries.
Summary of Key Points
| Topic | Key Information |
|---|---|
| Data Controller | GetQRFree |
| Free Service | No account data or QR content collected; limited website analytics may be collected |
| Paid Service | Account, payment, content, scan analytics, and product analytics collected |
| Data Sharing | Service providers only, no selling |
| Retention | Varies by data type and plan (7 days - 7 years) |
| Your Rights | Access, correction, deletion, portability |
| Security | Encryption, access controls, hashing |
| International | US-based with appropriate safeguards |
Last Updated: May 27, 2026
Previous Version: November 30, 2025