Privacy Policy for CreateQR.app
Last updated: 4 March 2026
This Privacy Policy explains how PAYDOTCOM SRL ("CreateQR", "we", "us", or "our") collects, uses, stores, and shares personal data when you use CreateQR.app, our website, member area, QR creation tools, public QR landing pages, and related services, including our API.
1. Scope
This Privacy Policy applies to:
- our public website and marketing pages;
- user accounts and the member area;
- QR code creation, hosting, redirects, analytics, feedback pages, and public landing pages;
- billing and subscription management;
- Google sign-in and account authentication;
- our API and related usage monitoring;
- support communications and contact forms.
It does not apply to third-party websites, apps, or services that you access through links, QR destinations, payment pages, or integrations that we do not control.
2. Personal data we collect
Depending on how you use CreateQR, we may collect the following categories of personal data.
A. Account and profile data
- name;
- email address;
- password hash;
- account verification status;
- profile settings and preferences;
- plan or subscription status.
B. Authentication data
- login activity;
- password reset and email verification tokens;
- Google account information used for sign-in, such as your name, email address, and basic profile details you authorize Google to share with us.
C. QR and service content
- QR titles, types, settings, colors, logos, files, templates, destination URLs, landing page content, and public tokens;
- folders, saved designs, and account-level project organization;
- API keys, key metadata, usage counters, allowlists, and request metadata.
D. Scan, usage, and analytics data
When dynamic QR codes or hosted public pages are used, we may collect:
- timestamp of the visit or scan;
- IP address;
- approximate location information such as country or city when available;
- browser, device, operating system, and referring page when available;
- event and usage data related to scans, redirects, reviews, and dashboard analytics.
E. Payments and billing data
Payments are processed by Stripe. We do not store full payment card numbers. We may store billing-related data such as:
- Stripe customer ID;
- subscription ID;
- plan name;
- status;
- invoice references;
- billing country;
- trial, renewal, cancellation, and payment status.
F. Communications and support data
- messages you send through our contact or support forms;
- support request history;
- attached details you provide to help us resolve an issue.
G. Cookies and technical data
- IP address;
- browser type;
- device identifiers;
- pages visited;
- session information;
- cookie and similar technology preferences.
3. How we use personal data
We use personal data to:
- create and manage your account;
- authenticate you and keep your account secure;
- provide QR generation, hosting, public landing pages, downloads, analytics, and API access;
- process payments, subscriptions, renewals, and cancellations, as well as legally required refunds and corrections of verified billing errors;
- operate the 7-day trial and paid plans;
- provide customer support;
- monitor performance, diagnose issues, and improve the service;
- detect abuse, spam, fraud, phishing, malware, and other harmful or unlawful activity;
- enforce our Terms and Conditions;
- comply with legal, tax, accounting, and regulatory obligations;
- communicate important service, billing, and policy updates.
4. Legal bases for processing
Where the GDPR applies, we usually rely on one or more of these legal bases:
- Contract: to provide the service you requested, including account access, QR creation, subscriptions, redirects, analytics, and support related to the service.
- Legitimate interests: to secure, monitor, improve, and defend our services, prevent abuse, and manage business operations.
- Consent: where we ask for it, for example for certain cookies or optional communications.
- Legal obligation: where we must process data to comply with applicable law, regulation, or lawful requests.
5. Public QR pages and user responsibilities
Some CreateQR features allow you to publish content publicly, including landing pages, feedback pages, profile pages, public links, and redirects.
If you publish content publicly:
- that content may be visible to anyone with the link or QR code;
- you should not include sensitive personal data unless you are sure you are allowed to publish it;
- you are responsible for making sure you have the rights and permissions to use the content, files, logos, and personal data you upload or publish;
- if you use CreateQR to collect data from your own visitors, customers, or end users, you are responsible for providing any notices and obtaining any consents required by law.
6. Cookies and similar technologies
We may use:
- essential cookies to keep the website and member area working;
- analytics cookies to understand usage and improve performance;
- marketing cookies where enabled to measure campaigns and related activity.
We currently use or may use tools and providers such as:
- Google Analytics
- Cloudflare
- authentication, session, and security cookies necessary for account access
If a cookie banner or preference manager is available, you can use it to manage your preferences. Some cookies remain necessary for core site functionality and security.
7. When we share personal data
We do not sell your personal data.
We may share personal data with trusted service providers that help us operate CreateQR, including:
- Stripe for billing, subscriptions, invoicing, and payment processing;
- Google for authentication and analytics;
- DigitalOcean for hosting and infrastructure;
- SendGrid for email delivery;
- Cloudflare for security, performance, and traffic protection.
We may also disclose data:
- if required by law or legal process;
- to protect our rights, users, systems, or the public;
- in connection with a merger, acquisition, restructuring, financing, or sale of assets, subject to appropriate safeguards.
8. International data transfers
Some of our service providers may process personal data outside Romania or the European Economic Area. When that happens, we take reasonable steps to use appropriate safeguards required by applicable law, such as contractual protections or other lawful transfer mechanisms.
9. Data retention
We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law.
Our current retention approach is:
- Account and QR content data: kept while your account is active. If you delete your account, we begin deleting your QR data and account content promptly.
- Scan analytics logs: up to 3 months after collection, unless we need to keep them longer for security, fraud prevention, dispute handling, or legal obligations.
- Support and contact messages: up to 3 months after resolution, unless a longer retention period is needed for an active issue, dispute, or legal obligation.
- Billing and subscription records: at least 3 months and longer where needed for tax, accounting, fraud prevention, chargeback handling, or legal obligations.
- Backups: secure backups may remain for a limited period before automatic deletion.
10. Account deletion
If self-service account deletion is available in your member settings, you can request deletion there. You may also contact us to request deletion.
After deletion:
- access to your account ends;
- hosted QR content and account data are scheduled for deletion promptly;
- some limited records may be retained for the periods described above or where required by law.
11. Your rights
Depending on your location and applicable law, you may have rights to:
- access your personal data;
- correct inaccurate data;
- delete your data;
- restrict certain processing;
- object to certain processing;
- receive a portable copy of certain data;
- withdraw consent where processing is based on consent;
- lodge a complaint with your local supervisory authority.
If you are in Romania or the EU, you may also contact the competent data protection authority, including the Romanian supervisory authority, if you believe your rights have been infringed.
To exercise your rights, use our Contact page.
12. Security
We use reasonable technical and organizational measures designed to protect personal data, including access controls, authentication controls, infrastructure protections, and monitoring.
No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
13. Prohibited or harmful content
We may monitor, review, remove, disable, or restrict content, accounts, QR destinations, API access, or public pages where we reasonably believe they involve:
- illegal activity;
- phishing;
- malware;
- spam;
- copyright infringement;
- deceptive or abusive activity;
- hateful or abusive content;
- adult content that violates our rules or applicable law.
14. Children's privacy
CreateQR is not intended for children. We do not knowingly target children with our services. If you believe a child has provided personal data to us, please contact us so we can review and take appropriate action.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we may notify you by updating this page, emailing you, showing a notice in the app, or using another reasonable method.
The "Last updated" date at the top shows the latest version.
16. Contact
For privacy requests or questions, contact:
PAYDOTCOM SRL
22 Decembrie 35A
Baia Mare, MM 430314
Romania
Registration number: J24/945/2007
VAT / Tax number: RO 21749140
For privacy, legal, support, or billing matters, use our Contact page.