Privacy Policy
Fair-QR processes personal data depending on which product area you use. This policy explains processing for the public Offline QR generator and for Smart QR in the dashboard (login, storage, analytics, payments).
1. Controller & Contact
The data controller responsible for processing on this website is:
Wapps GmbH
Dr. Wilhelm-Lechner-Straße 5
4591 Molln, Austria
Email: office@wapps.studio
If you have questions about privacy or want to exercise your rights, contact us at the email above.
2. Product Areas & Privacy Architecture
Fair-QR has two separate product flows with different data processing:
- Offline QR (public, client-side): In the public generator, QR codes are created in your browser. Without login, data stays local on your device (for example local history).
- Smart QR (dashboard, account required): For Smart QR, we process account data, managed QR content, configuration, and usage data on Supabase so codes can be managed, updated, and analyzed.
- Privacy-by-design tracking: We do not use cross-site profiling or fingerprinting. Offline QR content is not uploaded to our servers when you use the generator without login. For website and product analytics, we use privacy-conscious methods; Smart QR scan analytics remain limited to SaaS functionality and use pseudonymized attributes (for example hashed visitor identifiers).
- Cookies & session technologies: We use strictly necessary cookies for authentication, session security, and language/feature state. Without these cookies, login and dashboard features do not work.
3. Local Storage (Browser History)
In the public Offline generator, Fair-QR uses your browser localStorage to keep local QR history. This data:
- Is primarily stored only on your device
- Is accessible only in your browser profile
- Can be removed at any time by clearing browser data or using the "Clear history" button
- May include QR content, colors, size, error-correction level, and timestamps
4. Hosting, Authentication & Technical Delivery
To deliver and run Fair-QR, we primarily use Vercel (hosting) and Supabase (database, authentication, storage). The following technical connection and usage data may be processed:
- IP address and connection metadata
- Browser type, operating system, and device data
- Timestamp, requested URL, and HTTP metadata
- Authentication and session information
- Security and error logs
- Abuse and bot-protection signals (for example unusual request patterns, failed login attempts, and rate-limit events)
Processing is based on contract performance and service delivery (GDPR Art. 6(1)(b)) and our legitimate interest in secure, reliable operation (GDPR Art. 6(1)(f)).
Learn more: Vercel Privacy Policy
5. Analytics, Scan Statistics & Product Improvement
We process analytics data to operate Fair-QR, detect abuse, and improve features. Processing differs between website analytics and Smart QR scan analytics and may include bot/abuse detection in Smart QR and API features.
- Data-minimizing website analytics: For website statistics, we use data-minimizing methods (for example Vercel Analytics) and avoid unnecessary personal detail.
- No cross-site profiling: We do not build user profiles across third-party websites.
- Pseudonymized Smart QR events: For Smart QR scans, we may process device type, browser/OS, language, referrer domain, and coarse geo data; IP addresses are not stored in clear text in scan tracking and are processed only in minimized/pseudonymized form.
- Retention with limits: Analytics and operational data are not retained indefinitely and are reduced, aggregated, or deleted under defined retention periods.
- Security-oriented processing: Technical logs and abuse signals may be generated for security, bot protection, and stability; access is limited to authorized personnel.
Possible processed data categories:
- Page views, URL paths, and referrers
- Device, browser, and operating-system information
- Country/region/city based on technical geo resolution
- Language settings and technical header metadata
- Smart QR scan events (including pseudonymized visitor identifiers)
- Security events (for example login failures, blocked requests, rate-limit hits, and abuse flags)
- API key metadata and request logs when using Smart QR API features
- Optional: tracked query parameters from scan URLs when query-parameter tracking is enabled in the Smart QR dashboard (for example UTM parameters; in "all" mode, additional URL parameters may be captured)
Depending on purpose, processing is based on GDPR Art. 6(1)(b) (contract), Art. 6(1)(f) (legitimate interests in secure operations, abuse prevention, and product improvement), and where legally required Art. 6(1)(a) (consent). Smart QR account owners are responsible for tracking only lawful parameters and for not transmitting sensitive data via URL query parameters.
Learn more: Vercel Analytics Privacy
6. SSL/TLS Encryption
This website uses SSL/TLS encryption to protect data transmission. You can identify encrypted connections by the "https://" prefix and lock icon in your browser.
7. Your GDPR Rights
Subject to legal requirements, you have the following rights:
- Right of access: Request information about personal data we process about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your data unless statutory retention obligations apply
- Right to data portability: Receive your data in a structured, commonly used format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Withdraw consent at any time for future processing
- Right to complain: Lodge a complaint with a supervisory authority
Note: To protect against unauthorized access, we may request proof of identity before fulfilling data-rights requests.
8. Data Retention & Deletion
We keep personal data only for as long as needed for the relevant purpose or as required by law. Typical retention criteria/windows include:
- Account master data and Smart QR configurations: until account/object deletion (followed by limited technical backup retention)
- Smart QR scan analytics: according to plan retention (currently typically 7/30/90/365 days)
- Security and abuse logs: generally short-term and only as long as required for incident analysis and legal enforcement/defense
- Billing-relevant records: according to statutory accounting/tax retention duties
Data no longer required is deleted or anonymized.
9. Third Parties, Transfers & External Links
To operate Fair-QR, we use external service providers (including hosting, database/auth/storage, payments, error monitoring, and website analytics). Processing may occur outside the EU/EEA. In such cases, we use appropriate safeguards (for example adequacy decisions or Standard Contractual Clauses). External websites are governed by their own privacy policies.
10. Service Providers in Use (Examples)
Depending on how you use Fair-QR, the following categories of providers may be involved:
- Hosting/Delivery: Vercel for web app delivery and technical infrastructure.
- Database/Auth/Storage: Supabase for user accounts, Smart QR data, API features, and logo uploads.
- Payment processing: Stripe for checkout, subscriptions, invoices, and payment events. Payment data is processed directly by Stripe.
- Error monitoring: Sentry for detecting and analyzing technical errors in relevant SaaS areas.
- Legal basis & contracts: Where required, we execute data processing agreements with processors and review their documentation regularly.
The active provider set may change over time. What matters is the actual set of services in use when you use Fair-QR.
11. Changes to This Privacy Policy
We may update this privacy policy, especially when introducing new features, changing providers, or due to legal requirements. The current version is always available at this URL.
Last updated: February 2026
12. Supervisory Authority
You have the right to file a complaint with a data protection supervisory authority. The competent authority in Austria is:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna, Austria
Website: www.dsb.gv.at