Privacy policy
Last updated: March 6, 2026
1. Introduction
Welcome to QRsona ("we," "our," or "us"). This Privacy Policy describes how we collect, use, and disclose your personal information across all QRsona services, including:
- QRsona Store (qrsona.com) — Our Shopify-powered e-commerce store where you can purchase physical QR code products.
- QRsona Platform (app.qrsona.com) — Our web application for creating, managing, and tracking QR codes, vCard business cards, forms, and split links.
QRsona — Smart Fashion operates these services to provide you with a complete QR code solution, from purchasing physical products to managing digital QR codes. By using any of our services, you acknowledge that you have read this Privacy Policy and understand the collection, use, and disclosure of your information as described herein.
If you do not agree with our policies and practices, please do not use our services.
For the purpose of applicable data protection laws, we are the data controller of your personal information.
2. What data we collect
2.1 Store Purchase Information (qrsona.com)
- Contact details — name, email address, phone number.
- Shipping information — delivery address.
- Billing information — billing address.
- Financial information — credit/debit card details (processed securely through payment processors).
- Transaction information — items viewed, added to cart, purchased, order history.
2.2 QR Code Platform Information (app.qrsona.com)
- Account information — email address, name, password (encrypted), profile avatar.
- QR code data — aliases, target URLs, visual preferences, background style.
- vCard business cards — name, job title, company, phone, email, address, vCard avatar.
- Forms — field configuration, collected responses, webhook URL (Business plan).
- Split links — link variants, percentage rules.
- Schedules — time-based rules for changing target links.
- Saved links and messages — text content and URLs saved in the dashboard.
- Subscriptions — plan tier (Starter/Pro/Business), billing period, Stripe data (customer ID, subscription ID).
2.3 QR Code Scan Analytics
When someone scans your QR codes, we collect minimal data for analytics purposes only:
- Scan timestamp — date and time of the scan.
- Country code — derived from the scanner's IP address (e.g., PL, US, DE).
- City — approximate city-level location (e.g., Warsaw, New York).
We do NOT store: full IP addresses of QR scanners, exact GPS coordinates, street addresses, or personal identifying information about scanners.
2.4 Push Notifications
If you enable push notifications, we store your Firebase subscription token (endpoint + keys) to deliver real-time scan notifications.
2.5 Automatically Collected Information
- Device information — browser type, operating system.
- Usage information — pages visited, features used.
- IP address — for logged-in users (not for QR code scanners).
- Cookies — as described in Section 9.
3. How we use your data
- Service delivery — account management, order fulfillment, QR code handling, vCard business cards, forms, split links, and scan analytics delivery.
- Payment processing — handling subscriptions via Stripe, invoicing.
- Communication — sending push notifications about scans, order confirmations, shipping updates, security alerts.
- Product improvement — analyzing usage patterns to develop new features.
- Security — detecting and preventing fraud and unauthorized access.
- Legal obligations — meeting tax, accounting and regulatory requirements.
4. Data sharing
We do not sell your personal data to third parties. We may share data only with trusted service providers who perform tasks on our behalf:
- Shopify — e-commerce platform, order processing, checkout.
- Supabase — database, authentication, file storage (QR codes, avatars).
- Vercel — application hosting and deployment.
- Stripe — subscription payment processing.
- Printful — order fulfillment (printing and shipping products).
- Firebase (Google) — push notification delivery.
These service providers have access to your personal information only to perform specific tasks on our behalf and are obligated to protect your information.
People scanning your QR codes never have access to your dashboard, personal data, or analytics.
5. Plans and payments
QRsona offers plans: Starter (free), Pro, and Business. Pricing details are available on the homepage in the Plans section. Payments for paid plans are processed by Stripe and charged monthly or annually in advance.
We store: Stripe customer ID, subscription ID, selected plan, billing period, and invoice history. We do NOT store full payment card details — these are processed exclusively by Stripe (PCI-DSS certified).
Subscription cancellation is possible at any time. After cancellation, access to paid plan features remains active until the end of the paid billing period.
6. Data retention
- Account data — retained while your account is active, plus 30 days after deletion request.
- Order history — 7 years for accounting and legal purposes.
- QR scan data — indefinitely on Pro and Business plans; Starter plan retains analytics within the scan limit (3,000/month).
- vCard business cards and forms — for the duration of account activity.
- Subscription and invoice data — 7 years as required by law.
- Marketing data — until you unsubscribe.
You can request an export of your data (PDF/CSV on Pro and Business plans) or its permanent deletion at any time — in accordance with GDPR regulations.
7. Your rights (GDPR)
As a user from the European Economic Area (EEA) and United Kingdom, you have the following rights:
- Right of access — you can request a copy of your personal data.
- Right to rectification — you can request correction of inaccurate data.
- Right to erasure — you can request deletion of your data ("right to be forgotten").
- Right to portability — you can receive your data in a structured format.
- Right to object — you can object to processing for marketing purposes.
- Right to restriction — you can request restriction of processing in certain situations.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
Legal basis for processing (GDPR):
- Contractual necessity — processing necessary to provide our services.
- Legitimate interest — QR scan analytics (country, city, timestamp) and service improvement.
- Consent — for marketing communications and optional features.
- Legal obligation — where required by law.
To exercise these rights, contact us at: info@qrsona.com. We will process your request within 30 days.
8. Data security
We implement industry-standard security measures to protect your personal information:
- Encryption of data in transit (SSL/TLS) and at rest.
- Secure authentication protocols (Supabase Auth).
- Row Level Security (RLS) at the database level — each user can only access their own data.
- Secure payment processing through Stripe (PCI-DSS certified).
- HMAC verification of Shopify webhooks.
- Access controls and monitoring.
No security measures are perfect — we cannot guarantee absolute security. In the event of a breach, we will notify affected users within 72 hours in accordance with GDPR.
9. Cookies and tracking technologies
We use cookies and similar technologies to:
- Maintain your login session.
- Remember your preferences (language, settings).
- Cache CMS data in localStorage for faster loading.
- Analyze usage and performance.
Types of cookies:
- Essential — required for the services to function (session, authentication).
- Functional — remember your preferences and settings.
- Analytics — help us understand how you use our services.
You can control cookies through your browser settings. Disabling certain cookies may affect functionality.
10. Relationship with Shopify
Our e-commerce store is powered by Shopify. QRsona product purchases are processed through Shopify's native checkout (Cart API). Shopify collects and processes personal information related to your purchases.
Information you submit during purchase is transmitted to Shopify, which may store data in countries other than your country of residence.
Learn more:
- Shopify Consumer Privacy Policy: https://www.shopify.com/legal/privacy
- Exercise your rights: https://privacy.shopify.com/en
11. International data transfers
Your information may be transferred to, stored, and processed in countries other than your country of residence, including the United States and Poland.
Our service providers (Supabase, Vercel, Stripe, Firebase, Printful) may process data in various locations. For transfers of personal data out of the EEA or UK, we rely on recognized transfer mechanisms such as European Commission's Standard Contractual Clauses.
12. Children's privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe we have collected information about a child, please contact us immediately, and we will delete it.
13. Changes to this Privacy Policy
We may periodically update this Privacy Policy. We will inform you of significant changes via email or through a visible notification on our platform at least 14 days before they take effect. Your continued use of our services after changes become effective constitutes acceptance of the updated policy.
14. Contact information
If you have questions, concerns, or requests regarding this Privacy Policy:
Email: info@qrsona.com
Mail:
QRsona — Smart Fashion
Suwalska 56A
Ełk, 19-300
Poland
Website: https://qrsona.com
Platform: https://app.qrsona.com
If you have complaints about how we process your personal information, contact us first. If unsatisfied with our response, you may lodge a complaint with your local data protection supervisory authority (for EEA: https://edpb.europa.eu/about-edpb/board/members_en).