GDPR & Privacy

Privacy by Design

qr3.app is built GDPR-compliant from the ground up:

• IP anonymisation — IP addresses are immediately converted to SHA-256 hashes (with daily rotating salt) in the edge worker. The original IP never reaches the database.
• Retention policies — Scan data is automatically deleted after a plan-dependent period (Free: 7 days, Pro: 90 days, Business: 1 year).
• Data minimisation — Only data necessary for operation is collected.

---

Privacy API

Data Summary (Art. 15 GDPR)

GET /v1/account/privacy — Returns an overview of all stored data.

curl https://qr3.app/v1/account/privacy \
  -H "Authorization: Bearer qr3_sk_..."

Response:

{
  "data": {
    "workspace_id": "ws_xxx",
    "stored_data": {
      "qr_codes": { "count": 42, "oldest_at": "2026-03-01T..." },
      "scan_records": { "count": 15000, "oldest_at": "2026-03-01T..." },
      "api_keys": { "count": 2 },
      "webhooks": { "count": 1 }
    },
    "your_rights": {
      "access": "GET /v1/account/export",
      "erasure": "DELETE /v1/account",
      "contact": "[email protected]"
    },
    "data_processing": {
      "legal_basis": "Contract performance (Art. 6(1)(b) GDPR)",
      "sub_processors": [
        { "name": "Cloudflare, Inc.", "purpose": "CDN, edge computing, database" }
      ]
    }
  }
}

Data Export (Art. 20 GDPR)

GET /v1/account/export — Downloads all your data as a JSON file.

curl https://qr3.app/v1/account/export \
  -H "Authorization: Bearer qr3_sk_..." \
  -o my-data.json

Consent Management

GET /v1/account/privacy/consents — Get current consent preferences.

POST /v1/account/privacy/consents — Update consent preferences.

{
  "analytics": true,
  "marketing": false,
  "third_party_integrations": false
}

Account Deletion (Art. 17 GDPR)

DELETE /v1/account — Immediately and irrevocably deletes the account.

Danger

This action is irreversible. All QR codes will be soft-deleted, all scan data will be permanently deleted, and all API keys will be revoked.

---

Scan Data & Anonymisation

Data point	Treatment
IP address	SHA-256 hash + daily salt, never stored in plain text
Country / Region	Derived from Cloudflare geo data, stored directly
User-Agent	Parsed to OS/Browser/Device type, raw string discarded
Referer	Stored as-is (no PII in standard referers)
Accept-Language	Only primary language tag stored

---

Contact

• Data Protection: [email protected]
• Privacy Policy: qr3.app/en/legal/privacy