Privacy Policy

This Privacy Policy explains how we process personal data in connection with the website, the product, and the related support, security, and integration processes of QR Vello.

1. Data Controller

Niclas Pilz IT Dienstleistungen
Niclas Pilz IT Dienstleistungen
Große Bleiche 27
55116 Mainz
Email: [email protected]
Phone: +4917657914455
Website: https://qr-vello.com

Where we process personal data on behalf of business customers and exclusively under their instructions, we act as a data processor. In such cases, the nature and scope of processing are additionally governed by the respective agreements with the customer, in particular a data processing agreement (Art. 28 GDPR).

2. Categories of Data

Depending on how you use our service, we process in particular the following categories of data:

Master and contact data, such as name, company, email address, phone number, and role information.
Sign-in and authentication data, such as login timestamps, session data, and OAuth metadata.
Contract, billing, and product-usage data (plan, workspace membership, API usage).
QR code data: target URLs you provide, code content (e.g. vCard fields, Wi-Fi credentials), branding assets (logos, colors), and campaign metadata.
Scan data of end users scanning your QR codes: timestamp, truncated IP address, derived geo region, device type, browser, and referrer. This data is processed on behalf of the QR Vello customer (Art. 28 GDPR).
Communication data from support, onboarding, and security processes.
Technical log and device data, such as IP address, browser information, timestamps, and audit logs.

3. Purposes and Legal Bases of Processing

3.1 Website provision and baseline security

When you access our website, we process technical access data to deliver content, ensure the stability and security of our systems, and detect attacks or abuse. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest is in providing our service securely and reliably.

3.2 Product account, sign-in, and access control

We process data necessary for registration, sign-in, session management, multi-factor security, permission management, and account recovery. The legal basis is Art. 6(1)(b) GDPR; additionally Art. 6(1)(f) GDPR for abuse prevention, security monitoring, and forensic traceability.

3.3 Google Sign-In

If you sign in via Google, we receive from Google the data required for authentication and account association, in particular the Google user ID, name, email address, language preference, and where applicable a profile picture. The legal basis is Art. 6(1)(b) GDPR. Where Google processes data outside the European Economic Area, the notes in section 8 apply additionally.

3.4 Product use and QR code management

When you or your authorized team members use the QR Vello platform, we process the data you enter or generate via the API, in particular target URLs, QR code content (e.g. vCard fields, Wi-Fi credentials, campaign labels), uploaded branding assets, and workspace configurations. Processing takes place for the performance of the contract under Art. 6(1)(b) GDPR or, where we act on behalf of a business customer, under Art. 28 GDPR.

3.4a Scan tracking for dynamic QR codes

For dynamic QR codes, every scan is routed through the QR Vello redirect infrastructure. In doing so we process technical metadata of the scan: truncated IP address (for country/region-level geo derivation, then discarded), timestamp, user agent (device type, OS, browser), and referrer information where transmitted. This processing takes place on behalf of the respective QR Vello customer (Art. 28 GDPR). The legal basis is Art. 6(1)(f) GDPR with the legitimate interest of measuring QR code campaign performance, together with Art. 6(1)(b) GDPR for performance of the contract with the QR Vello customer. We do not use third-party tracking cookies, browser fingerprints, or cross-device identifiers. Scan logs are retention-capped per plan tier and are automatically aggregated or deleted after the retention period expires.

3.5 API, webhook, and custom domain usage

When you integrate our REST API into your own systems, receive webhooks on your own endpoints, or attach custom domains for short links, we process the related technical data: API token IDs, endpoint calls, rate-limit counters, webhook delivery logs (including response status), DNS configuration of your custom domain, and TLS certificate status. This processing serves the provision, error analysis, security, and traceability of the service. The legal basis is Art. 6(1)(b) GDPR as well as Art. 6(1)(f) GDPR for security and support purposes.

To handle paid plans, we use payment service providers (in particular Stripe). Contract, billing, and payment data are transmitted to the provider to the extent required for processing the transaction. The legal basis is Art. 6(1)(b) GDPR.

3.6 Support, onboarding, and communication

We process inquiries, support cases, questions about QR codes or plans, security reports, and other communications in order to handle your request, resolve issues, and enable use of the product. The legal basis is Art. 6(1)(b) GDPR and, where there is no direct contractual relationship, Art. 6(1)(f) GDPR.

3.7 Security, abuse, and audit logs

We process log and audit data to track access, detect unauthorized use, investigate security incidents, meet regulatory requirements, and demonstrate the integrity of QR code and account data. The legal basis is Art. 6(1)(f) GDPR and, where statutory obligations apply, Art. 6(1)(c) GDPR.

3.8 Compliance with legal obligations

Where we are legally required to do so, we process personal data to fulfill commercial, tax, supervisory, or security-related obligations. The legal basis is Art. 6(1)(c) GDPR.

4. Source of Data

We receive personal data primarily directly from you or from authorized users of your company.

In addition, data may come from the following sources:

third-party providers you knowingly connect, such as Google (sign-in), Stripe (payment), or webhook recipients you configure,
authorized team administrators or contacts at your company,
technical systems, log sources, and security mechanisms of our product.

5. Recipients and Categories of Recipients

We disclose personal data only where necessary for the purposes described, where required by law, or where you have consented. Recipients may include in particular:

hosting, infrastructure, storage, and delivery providers,
authentication and communication providers,
connected payment, banking, and financial integration providers, where you actively connect them,
advisors, auditors, authorities, or courts, where there is a legal basis for disclosure,
business customers or their authorized users, where we process data on their behalf.

6. Cookies, Local Storage, and Similar Technologies

We use cookies, local storage mechanisms, and comparable technologies to the extent technically necessary to provide the explicitly requested digital service, maintain sessions, implement security functions, or store user preferences. The data protection legal basis is Art. 6(1)(b) or (f) GDPR. Where consent is required for the use of a particular technology, it is obtained based on Art. 6(1)(a) GDPR. For access to information on terminal devices, § 25 of the German TDDDG applies additionally.

We only use non-essential technologies if a valid consent has been obtained.

7. Retention

We store personal data only for as long as necessary for the relevant purposes or as required by law. Key criteria are the duration of the contractual relationship, the necessity for support, security, and proof, as well as statutory retention obligations.

Concrete retention windows (live from our backend, as of 2026-05-25):

Note: the raw-log windows below describe the internal lifecycle of individual scan events. The scan analytics history shown on the pricing page describes the visible dashboard and export history.

Raw scan logs (per-event rows with timestamp, IP hash, user-agent, derived geo-region — table qr_scan_events): free — 30 days (30 d); pro — 12 months (365 d); business — 60 months (1825 d); enterprise — 60 months (extendable per contract) (1825 d). Fallback for workspaces without a plan match: 30 d. After expiry the raw rows are irreversibly deleted.
Aggregated analytics (anonymous daily counters with no user, geo or device link — table qr_scan_daily): retained indefinitely because no personal data is involved. Charts and campaign comparisons stay available far beyond the raw-log window.
Account deletion: 30-day grace period (deletion can be revoked via POST /me/account/restore), then irreversible hard-delete via the nightly qr-account-purge cron.
Backups: rolling 90 days, AES-256 at rest / TLS 1.3 in transit, separate AWS S3 account in eu-central-1.
Admin audit log: 365 days, pseudonymised (user ID instead of PII).
GDPR data-export ZIPs: 14 days on encrypted object storage, per-request signed download URLs (15-minute TTL). Cleaned up by qr-retention-cleanup afterwards.

These figures are sourced live from our backend single source of truth and mirror the values shown in our Trust Center. If both pages ever differ, the Trust Center wins.

Account master and profile data is retained for the duration of the contractual relationship.
Connection data for third-party integrations is retained while the connection is active, until you disconnect it, or until technical, contractual, or legal reasons require earlier deletion.
Security, error, and audit logs are retained for a limited time and are deleted or anonymized as soon as they are no longer required for security, support, or evidentiary purposes, unless statutory or incident-related reasons require longer retention.
Commercially or tax-relevant documents (invoices, billing records, and proofs related to paid plans) are retained for the statutory retention periods, typically 8 or 10 years depending on document type.

Account deletion therefore does not necessarily result in immediate full removal of all data where statutory retention obligations or overriding legitimate interests apply.

8. International Transfers

Where we use service providers or integration partners outside the European Economic Area, or where features from providers processing data in third countries are used, we ensure an adequate level of data protection. Transfers take place in particular on the basis of an adequacy decision, standard contractual clauses, or other legally provided safeguards.

9. Your Rights

Subject to statutory requirements, you have in particular the following rights:

right of access, Art. 15 GDPR,
right to rectification, Art. 16 GDPR,
right to erasure, Art. 17 GDPR,
right to restriction of processing, Art. 18 GDPR,
right to data portability, Art. 20 GDPR,
right to object, Art. 21 GDPR,
right to withdraw consent with effect for the future, Art. 7(3) GDPR.

To exercise your rights, a message to [email protected] is sufficient.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority, in particular at your usual place of residence, your place of work, or the place of the alleged infringement.

11. Automated Decision-Making

We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you, unless we inform you separately.

12. Changes to This Privacy Policy

We may update this Privacy Policy if our processes, integrations, statutory requirements, or the product change materially. The version published on this page applies.

Last updated: 25. May 2026