Privacy Policy

Last updated: 12 June 2026

This Privacy Policy explains what personal data Digitonica SRL ("QRKIT", "we", "us") collects when you use our website and services, why we collect it, the legal basis for processing, how long we keep it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR) and, where applicable, the UK GDPR and the Swiss FADP.

1. Data Controller

  • Digitonica SRL
  • Str. Dr. Victor Gomoiu nr. 11, bl. S26, sc. 1, ap. 5, Craiova, Dolj, Romania
  • Romania
  • Represented by: Marius Claudiu Limban
  • CUI (fiscal code): 46142569
  • Trade Register No.: J18/1195/2022
  • VAT ID: Not VAT-registered (neplătitor de TVA)
  • Phone: +40 756 029 780
  • Privacy contact: [email protected]

We are not legally required to appoint a Data Protection Officer under Art. 37 GDPR. For any privacy question you can reach us at the address above. As we are established in Romania (an EU member state), no Art. 27 EU representative is required.

2. What Data We Collect

  • Data you provide: first and last name, email address, password (stored only as a secure hash by our authentication provider), company name, and the content you enter into your QR codes.
  • Payment data: handled by Stripe. We store a customer reference and subscription status; we never see or store your full card number.
  • Scan data: when someone scans one of your dynamic QR codes we record the IP address (kept only in a shortened, anonymized form — we never store the full IP), approximate location (country, region, city), device, operating system, browser, referrer and timestamp, so we can show you scan analytics.
  • Usage & technical data: server logs, pages visited, and the marketing source (UTM parameters, referrer) that brought you to us.
  • Cookies: see the Cookies section.

QRKIT is a business tool and is not directed at children. You must be at least 16 years old to create an account, and we do not knowingly collect personal data from children under 16.

3. If You Scanned a QR Code

QR codes created with QRKIT are set up by our customers, who decide where each code points and are responsible for the destination content. When you scan one, we record the scan so the code's creator can see analytics: your IP address in a shortened, anonymized form (never the full IP), approximate location (country, region, city), device type, operating system, browser, referrer and timestamp. This is processed under Art. 6(1)(f) GDPR (legitimate interest in providing scan analytics) and deleted automatically after 24 months.

Scan data is not linked to your name or identity, and in most cases we cannot identify you from it. Where that is the case, Art. 11 GDPR applies: to exercise rights such as access or erasure for scan data, you may need to provide additional information that allows us to locate your data. For any question about scan data, contact [email protected].

4. How and Why We Use Your Data

  • To create and operate your account and provide the service — Art. 6(1)(b).
  • To process payments and meet accounting obligations — Art. 6(1)(b) and 6(1)(c).
  • To generate the scan analytics that are a core feature of QRKIT — Art. 6(1)(b)/(f).
  • To secure the service and prevent abuse — Art. 6(1)(f).
  • To send you product and marketing emails where you have not opted out, or where you have consented — Art. 6(1)(f)/(a). You can unsubscribe at any time.
  • To run analytics cookies (Google Analytics, PostHog, Ahrefs) and load the Help Scout support chat — only with your consent, Art. 6(1)(a).

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects (Art. 22 GDPR).

5. How Long We Keep Your Data (Retention Periods)

We keep personal data only for as long as we need it for the purpose it was collected, after which it is automatically deleted by a scheduled process. The table below sets out the storage duration for each category of data.

| Data category | Retention period | Legal basis |
| --- | --- | --- |
| Account data (name, email, authentication provider) | Until you delete your account, then up to 30 days in encrypted backups | Art. 6(1)(b) — performance of contract |
| QR codes and the content you put in them | Until you delete them or close your account | Art. 6(1)(b) — performance of contract |
| Email suppression list (addresses that hard-bounced, complained, or opted out) | Kept after account deletion so we never email you again | Art. 6(1)(f) — legitimate interest |
| Scan analytics (anonymized IP, approximate location, device, browser) | 24 months from the scan, then automatically deleted | Art. 6(1)(b) / 6(1)(f) — service delivery & legitimate interest |
| Temporary (unclaimed) QR codes created before sign-up | 30 days | Art. 6(1)(f) — legitimate interest |
| Logo images uploaded before sign-up that were never claimed | 31 days | Art. 6(1)(f) — legitimate interest |
| Password-protected QR access attempts | 90 days | Art. 6(1)(f) — security / abuse prevention |
| Marketing & UTM attribution (sessions and conversion events) | 12 months | Art. 6(1)(a) / 6(1)(f) — consent & legitimate interest |
| Onboarding funnel analytics | 12 months | Art. 6(1)(f) — legitimate interest |
| Error and not-found (404) diagnostic logs | 6 months | Art. 6(1)(f) — legitimate interest (security & reliability) |
| Developer API request logs (caller IP, endpoint, status) | 90 days | Art. 6(1)(f) — legitimate interest (security & abuse prevention) |
| On-site search queries | 6 months | Art. 6(1)(f) — legitimate interest (product improvement) |
| Support conversations (Help Scout) | 24 months after last contact | Art. 6(1)(b) / 6(1)(f) — support & legitimate interest |
| Billing records and invoices (Stripe) | 10 years (Romanian fiscal/accounting law) | Art. 6(1)(c) — legal obligation |
| Cookie-consent record | 12 months | Art. 6(1)(c) / 6(1)(a) — legal obligation & consent |

6. Who We Share Data With (Sub-processors)

We do not sell your personal data. We share it only with the service providers below, who process it on our behalf under a Data Processing Agreement and only as needed to run QRKIT.

| Provider | Purpose | Location | Transfer safeguard |
| --- | --- | --- | --- |
| Clerk | Authentication & account management | USA | SCCs / EU-US DPF |
| Stripe | Payments & billing | USA / Ireland | SCCs / EU-US DPF |
| PostHog | Product analytics & error tracking | EU (Germany) | Within EU/EEA |
| Resend | Transactional & marketing email | USA | SCCs / EU-US DPF |
| Google Analytics | Website analytics (consent-gated) | USA | SCCs / EU-US DPF |
| Ahrefs Analytics | Website analytics (consent-gated) | EU / USA | SCCs |
| Help Scout | Customer support | USA | SCCs / EU-US DPF |
| Sanity | Blog / content management | USA / EU | SCCs |
| Cloudflare R2 | File & image storage / CDN | EU / USA | SCCs / EU-US DPF |
| Hetzner | Hosting infrastructure | Germany (EU) | Within EU/EEA |

7. International Data Transfers

Some of our sub-processors are located outside the EU/EEA (primarily in the United States). Where data is transferred outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where the provider is certified, the EU-US Data Privacy Framework, to ensure an adequate level of protection. You can request a copy of the relevant safeguards from [email protected].

8. Cookies

We use essential cookies to run the site and, only with your consent, analytics cookies. In the EU/EEA, UK and Switzerland we show a consent banner before any non-essential cookie is set, and you can change your choice at any time via the "Choose Preferences" option in the banner.

| Cookie | Category | Purpose | Duration |
| --- | --- | --- | --- |
| qrkit_region | Essential | Detects whether cookie consent is required for your region | 30 days |
| qrkit_cookie_consent | Essential | Stores your cookie choices (browser localStorage) | 12 months |
| Clerk session cookies (e.g. __session) | Essential | Keeps you securely signed in | Session / set by Clerk |
| _ga, _ga_* | Analytics | Google Analytics — measures website usage | Up to 24 months |
| ph_* (PostHog) | Analytics | Product analytics & error tracking | Up to 12 months |
| Help Scout Beacon | Functional (consent-gated) | Powers the support chat widget — loaded only after you consent via the cookie banner | Set by Help Scout |

9. Your Rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Have inaccurate data corrected (Art. 16).
  • Have your data erased — the "right to be forgotten" (Art. 17).
  • Restrict or object to processing (Art. 18 and 21).
  • Receive your data in a portable, machine-readable format (Art. 20).
  • Withdraw consent at any time, without affecting prior processing (Art. 7(3)).
  • Lodge a complaint with a supervisory authority (Art. 77).

To exercise any of these rights, email [email protected]. You can delete your account and the associated data at any time from your account settings. We respond to requests within one month.

Our lead supervisory authority is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP). If you are in the EU/EEA, the UK or Switzerland, you may also contact your local data protection authority — for example, in Germany this is the data protection authority of your federal state (Landesdatenschutzbehörde).

10. How We Protect Your Data

We use encryption in transit (TLS/SSL), restricted and password-protected access, and trusted infrastructure providers. No system is completely secure, but we maintain appropriate technical and organisational measures and review them regularly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes we will post a prominent notice on this page and update the "Last updated" date above, or contact you directly where required.